Home page logo

basics logo Security Basics mailing list archives

Re: Free Security Awareness Resources
From: Jimi Thompson <jimit () myrealbox com>
Date: Thu, 27 Nov 2003 22:36:28 -0600

As someone who does pen-testing, I can personally vouch that it's a _LOT_ easier to dial up to the receptionist and say something like "Hi, I'm Jane from IT and we're having a problem with your account. Can you give me your user name and password?" than it is to brute force an account on a box somewhere. Your odds of having it work the first time undetected go up astronomically. For those of you unfamilar with the process, just to have a valid account, even an unprivledged one, shaves hours off the process. Once I'm in, even as the lowly "Guest", I can always raise my level of privledge to something useful. Go Google on "getadmin.exe".

On the flip side of this, we've also been able to mitigate two attacks because our phone staff have been trained and are aware of this type of technique. They know when to alert us and we can either assume control of the call or offer real-time guidance on how to respond to the caller.
That allows us to offer up mis-information.

2 cents


Gideon Rasmussen, CISSP, CFSO, CFSA, SCSA wrote:

About a year ago I came to the conclusion that the threat of social engineering has increased due to a recent focus on systems security (e.g. firewalls, OS hardening, IDS, etc.). In other words, hackers may consider it easier to gather information through a few phone calls and complain to the help desk that they can't get in through VPN. The best way to defend against social engineering is a solid security awareness program (http://www.cyberguard.com/news_room/news_newsletter_030926threatwithin.cfm).

As you probably know, security tips are a key component to an awareness program. I have authored 19 security awareness tips written with the average person as the intended audience (http://www.gideonrasmussen.com/sectips). The current topics are listed below. The site is free to download. I periodically update the content with new tips.

I have also established the security-awareness group (http://groups.yahoo.com/group/security-awareness). You may find it of interest. Membership has grown to over 500 members and posts are regularly flowing in.

If you have any questions or comments, please let me know. Thank you.

Kind Regards,


Gideon T. Rasmussen
Boca Raton, FL
gideon () infostruct net

Workstation security
Clean desk policy
Destruction of sensitive materials
Systematic removal of accesses
Home computers
Don't be afraid to say no
Electronic devices
Piggybacking and tailgating
Operations security
Backup your data
Security incidents
Business continuity
Rogue wireless networks
Visitor Escort

--------------------------------------------------------------------------- ----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]