Home page logo
/

basics logo Security Basics mailing list archives

RE: Social Engineering
From: "coder" <elite.coder () ntlworld com>
Date: Fri, 6 Jan 2006 17:26:27 -0000

OK, Maybe Social Engineering cannot be *solved* with software engineering...
but maybe (as some of you have suggested) it can be minimized.
I only have about 25 - 30 pages to explain what SE is, what impact it has on
businesses and the what limitations there are with current solutions...
So I will not be able to cover everything, but if I cover a good portion on
ideas to prevent certain Social Engineering attacks I should get a good mark
for the thesis.

Also, about the website idea I posted last time, someone said "what if
someone finds the name of someone in company X and calls up company Y and
blags about needing some information", the idea behind the website was that
if Mr. X calls up company Y and says "hi I'm Mr. X from company Z", then Mr.
A at company Y can say, "OK, give me two seconds, and I will *call you
back*"... so Mr A looks up the person on the site, calls the number that was
registered and asks if they called... if not, you know it was an attempted
SE attack.... and it can be logged.

If an attack was successful, the company that was attacked can ask for logs
on the site about who looked up their info and when.

Lastly, it doesn't matter if the site gets hacked or whatever... I can just
put in my BCS issues document that the website covers
legal, ethical and professional issues and write about them e.g. if the site
gets hacked due to sloppy code, that's a professional issue... if
the site gets hacked and a company is successfully attacked, that's a legal
issue e.t.c..

As my project supervisor stated, "this thesis is like a science project, you
spot something wrong and try to 'fix' it... if it works, great, if not, oh
well".

The 2nd idea is really just an implementation of Mitnick's "keep employees
aware" statement... he suggested that admins could install an SE aware
screen saver which gives random tips... the 2nd idea will show the user what
security level the info within in a folder has and tells them what they can
and cant do with it (its easier than them looking up some hefty manual about
security information).

And the OS specific issue.. no worries, again its an experiment if it works
for windows... great, someone can find a way of porting it.

Anyways, I appreciate all of the information I have gotten back... maybe I'm
just being naive in thinking that SE can be solve with Soft. Eng., but hey,
its worth a try.

Cheers,

~Davie Elliott.



---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]