AntiOnline Security Spotlight: Social Engineering
Intrusion attempts can take many forms, including phone calls and e-mails that appear to come from your sysadmins or other trusted personnel. Don't let your network fall victim to lapses in judgement or quirks in human behavior.
In the spirit of our recent password primer article, we spotlight an AO tutorial on social engineering. "What does social engineering have to do with password protection?" you may ask.
It turns out that instead of pouring processing power into cracking a password, an intruder is just as likely to phone an employee, pose as an IT staffer and glean a user/pass combo without breaking a sweat.
Do you want an outsider to muck around your payroll records or client accounts?
As intrusion prevention systems proliferate and grow in sophistication, attackers will resort to more creative ways of getting their foot in the virtual door. Increasingly, this means exploiting the quirks in human behavior. Accordingly, a comprehensive security policy should encompass a wide range of factors, both online and off.
Learn some of the tricks attackers (corporate spies?) use to gain a foothold on your network. Also learn how to combat these crooks and turn your entire staff into fearless protectors of your company's data!
Direct link to this week's spotlight thread:
Sales Call or Social Engineering?
AntiOnline member jdenny provides a compelling look at how intruders are letting their fingers do the walking, but not across a keyboard...
social engineering /n./
Term used among crackers and samurai for cracking techniques that rely on weaknesses in wetware rather than software; the aim is to trick people into revealing passwords or other information that compromises a target system's security. Classic scams include phoning up a mark who has the required information and posing as a field service tech or a fellow employee with an urgent access problem.
Why is social engineering so effective?
In his presentation titled "Human Security Issues: Managing People and Defending Against Social Engineering," Gartner analyst Rich Mogull said that people are, by nature, unpredictable and susceptible to persuasion and manipulation. Social engineering is the most difficult security issue to manage, he said, and most IT departments do a poor job of combating the threat.

jdenny even references another AO thread that doubles as a great case study.
Sales Call or Social Engineering: Recent post from an AO Member. http://www.antionline.com/showthrea...threadid=231663

Of course, there are several more helpful links, among them the official word from CERT. Read the rest of this thread here.
Palemoon was noticing red alert lines on his firewall GUI indicating port scan attempts from a company when a very nice-sounding woman called him and told him that she was from the very company he was watching. Read how he responded to such a bogus "sales call".
What is AntiOnline?
AntiOnline (AO) is home to many of the most popular network security discussion forums online. Here, participants engage in candid, thought-provoking and enlightening exchanges on security hazards and how to protect your systems against them.
We invite you to join the AO community (it's free!), share your wisdom and learn a few things in the process. Stay tuned as Enterprise IT Planet spotlights the eye-opening discussions and expert participants that have helped make AO the "go to" online resource for network security.