Security Basics mailing list archives

RE: Social Engineering
From: m_r_welch () tiscali co uk
Date: Sat, 7 Jan 2006 14:58:25 +0000

-- Original Message --
From: "coder" <elite.coder () ntlworld com>
To: <security-basics () securityfocus com>
Subject: RE: Social Engineering
Date: Fri, 6 Jan 2006 17:26:27 -0000

OK, Maybe Social Engineering cannot be *solved* with software engineering...
but maybe (as some of you have suggested) it can be minimized.

In a manner of speaking. The time-honoured principle of least privilege
can use technology to limit the damage from social engineering, but not prevent
it from happening. That which a person does not know and cannot access cannot
be charmed out of them, no matter how good the attacker is. The password
to a limited, locked down account is less use to an attacker than a more
open one, without preventing the innocent party from doing their job.

It's a basic concept for information security, but easy to forget in a rush
to discover a new and exciting 'great new thing'. The more you make an attacker
work for every inch of access, the more chance you have to spot them before
they get too deep, and the more opportunities you give them to make a mistake.
Unfortunately, you can't expect everyone to have the awareness of IT/IS issues
that we have. The average person looks to us to make their problems go away,
and if we impose too much on them, we can become a bigger irritation than
the problems we are trying to prevent. KISS must be applied to any security
solution that requires end-user involvement, and least privilege applied
properly is an unobtrusive way for technology to assist against social engineering.

Mark Welch
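The point above, that the password to a locked-down account is less use to an attacker than the password to an open one, can be made concrete by computing what a phished credential actually reaches. The block below is an added example and is not code from the original post or from the list; the role model, the role and permission names, and the "observed use" set are all constructed for illustration. It follows group-membership style "assume" edges transitively to get the blast radius of a compromised account, and lists granted-but-unused permissions as candidates to strip when tightening an account to least privilege.

```python
from collections import deque

# Constructed example data (assumption, not from the original post): a toy role model.
# Each role maps to a set of permissions. "assume:<role>" means a credential
# for this role can also act as <role> (e.g. via group membership or a shared
# admin logon), so that role's permissions are reachable too.
ROLES = {
    # A locked-down helpdesk account: only what the job needs.
    "helpdesk_locked": {"read:ticket_queue", "reset:user_password"},
    # The same job, but the account was also dropped into an admin group.
    "helpdesk_open": {"read:ticket_queue", "reset:user_password",
                      "assume:domain_admin"},
    "domain_admin": {"read:payroll_db", "write:payroll_db",
                     "assume:backup_operator"},
    "backup_operator": {"read:backup_share"},
}


def reachable_permissions(roles, start_role):
    """Return every concrete (non-assume) permission reachable from start_role,
    following assume:* edges transitively (breadth-first, cycle-safe)."""
    seen = {start_role}
    queue = deque([start_role])
    perms = set()
    while queue:
        role = queue.popleft()
        for perm in roles.get(role, ()):
            kind, _, target = perm.partition(":")
            if kind == "assume":
                if target not in seen:
                    seen.add(target)
                    queue.append(target)
            else:
                perms.add(perm)
    return perms


def blast_radius(roles, phished_role):
    """Distinct resources an attacker can touch after charming this role's
    password out of its owner."""
    return {perm.partition(":")[2]
            for perm in reachable_permissions(roles, phished_role)}


def excess_permissions(roles, role, observed_use):
    """Permissions granted to role but never seen in use: candidates to strip
    when tightening the account to least privilege."""
    return roles[role] - observed_use


if __name__ == "__main__":
    # Constructed: what the helpdesk account was actually observed doing.
    observed = {"read:ticket_queue", "reset:user_password"}
    for role in ("helpdesk_locked", "helpdesk_open"):
        print(role, "->", sorted(blast_radius(ROLES, role)))
    print("strip from helpdesk_open:",
          sorted(excess_permissions(ROLES, "helpdesk_open", observed)))
```

The locked account yields two resources, the open one four, including the payroll database and the backup share, even though the helpdesk job itself never touches either. In a real environment the "observed use" set would come from authentication and access logs rather than a literal.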

