Security Basics mailing list archives

RE: Social Engineering

From: m_r_welch () tiscali co uk
Date: Sat, 7 Jan 2006 14:58:25 +0000

-- Original Message --
From: "coder" <elite.coder () ntlworld com>
To: <security-basics () securityfocus com>
Subject: RE: Social Engineering
Date: Fri, 6 Jan 2006 17:26:27 -0000

OK, Maybe Social Engineering cannot be *solved* with software engineering...
but maybe (as some of you have suggested) it can be minimized.


In a manner of speaking. The time honoured principle of least priviledge
can use technology to limit the damage from social engineering, but not prevent
it from happening. That which a person does not know and cannot access cannot
be charmed out of them, no matter how good the attacker is. The password
to a limited, locked down account is less use to an attacker than a more
open one, without preventing the innocent party from doing their job.

It's a basic concept for information security, but easy to forget in a rush
to discover a new and exciting 'great new thing'. The more you make an attacker
work for every inch of access, the more chance you have to spot them before
they get too deep, and the more opportunities you give them to make a mistake.
Unfortunately, you can't expect everyone to have the awareness of IT/IS issues
that we have. The average person looks to us to make their problems go away,
and if we impose too much on them, we can become a bigger irritation than
the problems we are trying to prevent. KISS must be applied to any security
solution that requires end-user involvement, and least priviledge applied
properly is an unobrusive way for technology to assist against social engineering.

regards,
Mark Welch


___________________________________________________________

Tiscali Broadband from 14.99 with free setup!
http://www.tiscali.co.uk/products/broadband/



---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------

Current thread:

Re: Social Engineering, (continued)
- - Re: Social Engineering Ansgar -59cobalt- Wiechers (Jan 06)
    - RE: Social Engineering Ebeling, Jr., Herman Frederick (Jan 06)
  - Re: Social Engineering Gregory Boyce (Jan 06)
  - RE: Social Engineering Burton Strauss (Jan 06)
    - RE: Social Engineering Liviu Lica (Jan 09)
- Re: RE: Social Engineering pg_vlad (Jan 05)
  - Re: RE: Social Engineering Mike Lisanke (Jan 05)
- RE: Social Engineering Mike Fetherston (Jan 05)
- RE: Social Engineering coder (Jan 06)
- RE: Social Engineering jpippin (Jan 09)
- RE: Social Engineering m_r_welch (Jan 09)
  - RE: Social Engineering Murad Talukdar (Jan 10)