LabMice.net - The Windows 2000\XP\.NET Resource Index
Home | About Us | Search

Last Updated December 16, 2003

Windows 2003
Windows 2000
Windows XP
BackOffice
Book Reviews
Career Tools
Device Drivers
Hardware Guides
MCSE Toolkit
Networking
Service Packs
Scripting
Security
  Anti-Virus
  Articles & Whitepapers
  Books on Security
  Cryptography
  Disaster Recovery
  FAQ's & Tutorials
  Firewalls
  Forensics
  Hacking
  Honeypots
  Incident Response
  Intrusion Detection
  Kerberos
  Legal Resources
  Online Seminars
  Password Security
  Penetration Testing
  Security Links
  Securing Networks
  Social Engineering
  Vulnerabilities
Utilities
Cybercheese

 


 

 

 

 

 

 

 

 

 

Social Engineering

Social Engineering is a hacker term for deceiving people into revealing confidential information. It is a tactic that is often used by hackers to gain information about a network or simply to bypass a complex security system altogether. (Why bother brute force cracking a password is you can con an employee into revealing it to you.) In most cases hackers pose as company employees (typically over the phone), and try to gain the confidence of an employee who has access to the required information. If done correctly, the "mark" doesn't even know they've been conned, and the hacker can travel across your network undetected using "legitimate' credentials. Combating this threat requires 2 things: Awareness of social engineering techniques and education of your user community. 
Recommended Books

 

The Art of Deception: Controlling the Human Element of Security
By Kevin D. Mitnick and William L. Simon. Published by John Wiley, October 2002. Hardcover, 352 pages. ISBN 0471237124 "
Social engineering", or the art of deceiving and manipulating people in order to gain information, is an underestimated security risk that is rarely addressed in employee training programs or corporate security policies. For the hacker, it's an essential skill that can be used to bypass even the most sophisticated security measures without even being detected. Sound far fetched? Social engineering was the one the preferred tools used by the most notorious hacker in the world, Kevin Mitnick - the author of this book. The goal of "The Art of Deception" is to raise awareness of the tools and techniques of social engineers, and not to teach the art to a new generation of hackers. Mitnick spends 13 of the 16 chapters relating "fictional" accounts of social engineering techniques, provides analyses of these accounts from both the attackers and victims perspective, and then offers advice on preventing or defeating these attacks. The accounts are brief, entertaining, and eye opening to those uninitiated to con games. The analysis and advice section are written in layman's terms with a minimum of technical jargon, making this an ideal book for management as well as administrators. For the security administrator, the last 2 chapters are the real jewel of the book. Here, Mitnick provides a number of sample security policies and procedures, including data classification categories, verification and authentication procedures, guidelines for awareness training, methods of identifying a social engineering attacks, warning signs, and flowcharts for responding to requests for information or action. Included with every security policy suggestion is a follow up paragraph of explanations and notes that outline the potential vulnerabilities in the policy. Definitely a must read for the security conscious! Read our full review here.
Where to Start,,,
Social Engineering: What is it, why is so little said about it and what can be done?
A quick introduction to the threat of social engineering. Source: Sans.org (July 26, 2000)

Social Engineering Fundamentals, Part I: Hacker Tactics
Social engineering is a hacker©s clever manipulation of the natural human tendency to trust, with the goal of obtaining information that will allow him/her to gain unauthorized access to a valued system and the information that resides on that system. The basic goals of social engineering are the same as hacking in general: to gain unauthorized access to systems or information in order to commit fraud, network intrusion, industrial espionage, identity theft, or simply to disrupt the system or network. Source: SecurityFocus.com (Dec 18, 2001)

Social Engineering Fundamentals, Part II: Combat Strategies
This article will examine some ways that individuals and organizations can protect themselves against potentially costly social engineering attacks.
Source: SecurityFocus.com (January 9, 2002)

The Complete Social Engineering FAQ.

Articles
A Proactive Defence to Social Engineering
Intruders or hackers are continually trying to gain illicit access to computer systems and there are many different types of attack. Companies spend a lot of time and money trying to protect their networks. Most of their attention focuses on technology such as upgrades, security kits and high-end encryption but a popular means of gaining access bypasses the technical systems completely. It©s based on the long-time con or confidence game but has a new name and new face © social engineering. A company needs good policies in place to defend against this type of attack, but even more, they need an effective, on-going security awareness program. The best means of defence, in this case, is education.
Source: Sans.org (August 2, 2001)

Enhancing Defenses Against Social Engineering
This paper focuses on some of the underlying reasons people are vulnerable to social engineering exploits, and how security professionals can use this knowledge to best minimize these vulnerabilities. Source: Sans.org (March 26, 2001)

The Cyber Con Game © Social Engineering
A look at various methods of social engineering and ways to combat it. Source: Sans.org (February 18, 2001)

Social engineering: examples and countermeasures from the real-world
An eye opening narrative of social engineering tactics and recommended countermeasures. Source: Computer Security Institute

Social Engineering: Policies and Education a Must
People are usually the weakest link in the security chain, and Social Engineering is still the most effective method of circumventing obstacles. A skilled Social Engineer will often try to exploit this weakness before spending time and effort on other methods to crack passwords. Why try to hack through someone©s security system when you can get a user to open the door for you? Social Engineering is the hardest form of attack to defend against because it cannot be defended with hardware or software alone. A successful defense depends on having good policies in place and educating employees to follow the policies. Source: Sans.org (February 16, 2001)

The human firewall
Giving out sensitive data to people without first authenticating their identity and access privileges is one of the most common and worst mistakes employees can make. Allowing a stranger inside an organization without authorization is yet another example of a broken link in the human firewall chain. Source: NetworkWorldFusion (May 2003)

The Use of Social Engineering as a Means of Violating Computer Systems
'Social Engineering' is an practice that can be used to exploit what has long been considered the 'weakest link' in the security chain of an organisation - the 'human factor'. As a security professional, it is important to be familiar with this threat, the techniques that could be used and the countermeasures that can be implemented to protect against it. By having this understanding, a security professional can ensure that appropriate protective measures are undertaken.
Source: Sans.org  (October 12, 2001)

Entire contents
© 1999-2003 LabMice.net and TechTarget
All rights reserved

This site and its contents are Copyright 1999-2003 by LabMice.net. Microsoft, NT, BackOffice, MCSE, and Windows are registered trademarks of Microsoft Corporation. Microsoft Corporation in no way endorses or is affiliated with LabMice.net. The products referenced in this site are provided by parties other than LabMice.net. LabMice.net makes no representations regarding either the products or any information about the products. Any questions, complaints, or claims regarding the products must be directed to the appropriate manufacturer or vendor.