Social engineering

Social engineering is the practice of deceiving legitimate users of a system into disclosing information that will aid the attacker in compromising system security. A simple example is calling a user and pretending to be someone from the service desk working on a network issue; the attacker then proceeds to ask questions about what the user is working on, what file shares she uses, what her password is.

A successful social engineering act requires the trust of the victim, so user awareness training about the problem is an effective countermeasure. Strict policies about service desk staff never asking for personally identifying information or passwords over the phone or in person can also help potential victims recognize a social engineering attempt.

How to Assess and Mitigate Information Security Threats
  Introduction
  Malware: The ever-evolving threat
  Network-based attacks
  Information theft and cryptographic attacks
  Attacks targeted to specific applications
  Social engineering
  Threats to physical security
  Balancing the cost and benefits of countermeasures

This chapter excerpt from the free eBook The Shortcut Guide to Protecting Business Internet Usage, by Dan Sullivan, is printed with permission from Realtimepublishers, Copyright 2006.

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Social Engineering Countermeasures against targeted attacks in the enterprise Quiz: Anatomy of an attack Stolen data ending up in Google cache, say researchers Information security book excerpts and reviews Should social engineering tests be included in penetration testing? What kind of data is compromised during a Google hack? How Russia became a malware hornet's nest Are senior level executives a target for social engineering attacks? How does a mail server respond to fake email addresses? RSA Conference: Children must learn about cyber risks Viruses, Worms and Other Malware New defenses for automated SQL injection attacks Information security book excerpts and reviews Yahoo, McAfee to warn users of dangerous websites Botnets and ethics Interview: Jim Kirkhope of NCR Trojan downloaders, droppers skyrocket, Microsoft says New phishing, Zeus Trojan technique spreads crimeware Researchers uncover tool used to infect websites, spread malware RSA 2008: Defeating botnets Malware found on HP ProLiant server USB keys Information Security Awareness Training Security Awareness Training Essential Part of Infosec Program Societe Generale bolsters internal controls, discovers second insider Companies still monitoring email manually, survey finds Trading firms rethink risk strategy Security pros focused on internal threat, training Is it a violation of HIPAA to collect consumer Social Security numbers? Windows Update attacks: Ensuring malware-free downloads Are senior level executives a target for social engineering attacks? Is the Storm worm virus still a serious threat? What are the benefits of employee security awareness training?

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary dumpster diving  (SearchSecurity.com) pretexting  (SearchCIO.com) shoulder surfing  (SearchSecurity.com) social engineering  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary