Security Basics mailing list archives
Re: Free Security Awareness Resources
From: Jimi Thompson <jimit () myrealbox com>
Date: Thu, 27 Nov 2003 22:36:28 -0600
As someone who does pen-testing, I can personally vouch that it's a _LOT_ easier to dial up to the receptionist and say something like "Hi, I'm Jane from IT and we're having a problem with your account. Can you give me your user name and password?" than it is to brute force an account on a box somewhere. Your odds of having it work the first time undetected go up astronomically. For those of you unfamiliar with the process, just to have a valid account, even an unprivileged one, shaves hours off the process. Once I'm in, even as the lowly "Guest", I can always raise my level of privilege to something useful. Go Google on "getadmin.exe".
On the flip side of this, we've also been able to mitigate two attacks because our phone staff have been trained and are aware of this type of technique. They know when to alert us and we can either assume control of the call or offer real-time guidance on how to respond to the caller.
That allows us to offer up misinformation.

2 cents
Jimi

Gideon Rasmussen, CISSP, CFSO, CFSA, SCSA wrote:

About a year ago I came to the conclusion that the threat of social engineering has increased due to a recent focus on systems security (e.g. firewalls, OS hardening, IDS, etc.). In other words, hackers may consider it easier to gather information through a few phone calls and complain to the help desk that they can't get in through VPN. The best way to defend against social engineering is a solid security awareness program (http://www.cyberguard.com/news_room/news_newsletter_030926threatwithin.cfm).

As you probably know, security tips are a key component to an awareness program. I have authored 19 security awareness tips written with the average person as the intended audience (http://www.gideonrasmussen.com/sectips). The current topics are listed below. The site is free to download. I periodically update the content with new tips.

I have also established the security-awareness group (http://groups.yahoo.com/group/security-awareness). You may find it of interest. Membership has grown to over 500 members and posts are regularly flowing in.

If you have any questions or comments, please let me know. Thank you.

Kind Regards,
Gideon

Gideon T. Rasmussen CISSP, CFSO, CFSA, SCSA
Boca Raton, FL
gideon () infostruct net

Current topics:
- Viruses
- Passwords
- Workstation security
- Clean desk policy
- Continuity
- Destruction of sensitive materials
- Photography
- Systematic removal of accesses
- Laptops
- Home computers
- Don't be afraid to say no
- Electronic devices
- Piggybacking and tailgating
- Operations security
- Backup your data
- Security incidents
- Business continuity
- Rogue wireless networks
- Visitor Escort