Social Engineering 1

Nov 10, 2002
Is this taught to everyone that is working for a specified company? Or do you pick and choose whom to teach these skills to? Say you have a janitor that cleans offices in your building. Does the janitor also need social engineering skills so they also don't fall for the trap? Is this also taught by knowledge of what the employee could give out? Or is this a skill that all employees need regardless of what level they work at, or how much info they could possibly know? I hope I am making sense.

Thanks
 
To work against social engineering attacks, everyone has to be a part of the protection -- it's the only way to provide security-in-depth.

But everyone will participate to the limits of his skills and position. It's not necessary, for example, that your custodial staff know how to read a balance sheet, but it is important that they know what financial statements look like, so that if they find such a document in the CFO's trash can, they know to handle that document differently from general trash or to raise an alarm. If you haven't included the custodial staff in training against social engineering, then a dumpster-diver just gained access to financial information your company didn't want published.

One book to read on the subject: The Art of Deception, Controlling the Human Element of Security, by Kevin Mitnick and William Simon.

Want the best answers? Ask the best questions: TANSTAAFL!!
 
I never thought of that. Thanks for pointing that out. I do have one more question though. How come forums don't have a subject related to this type of topic? In my few years of learning the computer, and being at the end of my first quarter of school, this subject has not been brought up. I never knew what it was till it was pointed out to me by someone I know. Will I be learning this in my second quarter of school? Or is this a subject that schools ignore? I hope not. I don't see anything that resembles this in my subjects list. I guess some of this could be called common sense, but still having the means of teaching a business the skills they need to protect themselves... to me that is a "must have" topic.
 
I don't know what kind of school you're going to, so I can't comment on its curriculum.

There's no forum here devoted to preventing social engineering because it's not a separate subject from other security measures. Training and procedures can only work if they are part of an integrated bulwark against attack.

And preventing social engineering is a lot harder than other kinds of security. You're depending on the behavior of human beings to enhance security, which is a lot less deterministic than the behavior of software. Social engineering attacks use intuitive knowledge of the anthropological, sociological, and primatological foibles of our species, and the ways in which human beings interact are vastly more complex than the ways in which computers interact.

Want the best answers? Ask the best questions: TANSTAAFL!!
 
Thanks for your input, sleipnir214, this was very helpful. I guess if computer users and businesses alike used a common sense approach to Social Engineering, it would help a great deal. The words "Social Engineering" are not used enough, I don't believe. It took me almost four years to come across these words. Makes me feel I have been incompetent all this time security-wise. BTW I am getting the book.
 