Problem solve Get help with specific problems with your technologies, process and projects.

Week 13: Social engineering --The low-tech side of high-tech

Shelley Bard offers tips on how to thwart social engineering attempts and uses Kevin Mitnick for examples on what to look out for.

In an effort to help busy security managers, CISSP Shelley Bard's weekly column will build upon the concept of the perpetual calendar, offering a schedule of reminders for a proactive, strategic security plan. Visit here for an archive of previous columns.

Can be an occasional security awareness point in your organizational education, training and awareness program, done as necessary when incidents occur in current events.

If anyone unknown to you asks for key security information, your first thought should be Just Say No.

Common practices that fall under social engineering include spoofed e-mails that ask you to verify your name and password in an e-mail or to open an attachment containing a virus, worm or Trojan horse. Social engineering doesn't have to involve a person directly; it makes use of people's trusting nature to steal key information via multiple methods. The term, in fact, originally was coined by hackers to describe socializing techniques they developed for obtaining vital information from system and phone operators.

It's your job to be paranoid. But most people who aren't paid to be paranoid aren't; they are trusting people who use their systems as a tool to get their job done. Tell everyone in your organization the ways, and ONLY those ways, that you will need to give or get key security information. Several other layers should be in place and practiced to make sure that information like passwords are handled correctly.

More information
Any search engine will help you find articles by Ira Winkler and Winn Schwartau, who have written copiously on the subject. If you want more in-depth information, many good but hard-to-find books are still in circulation. Also, books about intelligence-gathering, cyber or otherwise, often have chapters and excerpts about this specific aspect.

About the author
Shelley Bard, CISSP, is a senior security network engineer with Verizon Federal Network Systems (FNS). An infosecurity professional for 17 years, Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense, special interest groups, industry and academia. Please e-mail any comments to

Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS.

Dan LoPresto, CISSP, an access management and information security specialist with a national brokerage firm, contributed to this article.

Last week: Your Web site -- Quality of your copyright, privacy policy and links
Next week: When viruses and worms run amok

This was last published in March 2004

Dig Deeper on Security Awareness Training and Internal Threats-Information

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.