Security Basics mailing list archives

RE: Social Engineering


From: Mike Fetherston <mike_sha () shaw ca>
Date: Thu, 05 Jan 2006 13:34:13 -0500

I think that for any solution to work (read: be *used* by the users) it has
to be simple and non-intrusive.  As a user, I would not like to have to do a
lookup on an external website to see if a caller is legitimate when asking
for information.  What if the internet connection is down?  What if the
server is cooked?  What would be the payment system?  How would that site
guarantee 100% security to its (already paranoid) customers?  Is *that*
site "immune" to social engineering attacks?

For Idea #2, do you use Outlook reminders?  I have co-workers here with 130
reminders in their list.  The pop-up is simply ignored.  For this to work it
would be better to enforce the policies instead of putting the data and user in
an honour system.  The use of ACLs and RBAC would fit well here.

I'm sorry to be negative about your ideas, but I share the sentiment that
social engineering can be overcome with proper training and education.
Software can be an element of that, but you need to train your users to
recognize potential social engineering attacks and to know when/how to use
your software.

To borrow the oft used quote, "You cannot fix a social problem through
technology."

Mike Fetherston

OK, everyone seems to think that Social Engineering can't be solved with
software, so I shall show you some of the ideas I have to defeat SE with
software.

Idea 1: A Directory site.

The site will be used by companies to find out if Person X works at
company Y.  How will this work?

Well, first an admin is nominated from the company (pref. someone who is
"up" on security, i.e. a sys admin).  This admin will register the company
with the site, then he will register everyone in the company with the site.

If you want to view info in the site, you will have to use the un/pass sent
when the admin registered you.  To prevent terminated users staying on the
server, an email is sent from the site every X days with a link (like the
one securityfocus sends for you to finish your registration).  If you do not
reply to the email after X days, you are put into an MIA list (if someone
searches for you, you will not be found... but you are not deleted either).
When this happens the admin will receive an email asking why you haven't
replied and if you should be deleted.

If someone tries clicking on the link after the expiration time for a new
link to be sent (or if you are deleted), nothing will happen... just in case
the person who got canned tried to reactivate him/herself.

I don't think I have covered all the bases here, but I will do more
thinking later.

=------------------------------------------------=

Idea 2. Folder security information.

In Mitnick's book he says it is a good idea to rate information by security
priority.

e.g. If it's Priority 1, then you can't send it to anyone... even if they
work in the same company.
P2, you can send it to a verified person in the company,
etc...

So I want to write a program that, when you open a folder on the file
server, pops up a message saying:

The info. in this folder is Priority X,
this means you... blahablahblah..

Again, I will work more on this idea... and I have the added bonus of
testing it out where I work.

=----------------------------------------------=

So, let me know what you think; it would be interesting to hear if these
ideas are silly.

Regards,

Davie Elliott
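As an added example (not code from either post), here is a small Python model of the two ideas as they stand after Mike's reply: Davie's directory with its periodic confirmation link, MIA list and dead expired links (Idea 1), plus Idea 2 enforced as a send rule against that directory rather than shown as a pop-up, which is the ACL/RBAC direction Mike suggests. The company name, e-mail addresses, the 30-day and 7-day intervals, and the use of integer day numbers in place of real timestamps are all assumptions made for the demo.

```python
"""Toy model of the employee-directory re-verification scheme from the thread.

Added example, not code from the original posts.  Day numbers stand in for
real timestamps so the flow can be stepped through deterministically.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple

REVERIFY_EVERY = 30   # assumed: days between challenge e-mails (the post's "X days")
LINK_VALID_FOR = 7    # assumed: days a challenge link stays usable after it is sent


class Status(Enum):
    ACTIVE = "active"
    MIA = "mia"          # did not answer the challenge; hidden from lookups
    DELETED = "deleted"  # removed by the admin; links do nothing


@dataclass
class Member:
    email: str
    company: str
    status: Status = Status.ACTIVE
    last_verified: int = 0
    token_hash: Optional[bytes] = None   # only a hash of the link token is stored
    token_expires: int = 0


def _hash_token(token: str) -> bytes:
    return hashlib.sha256(token.encode()).digest()


class Directory:
    def __init__(self) -> None:
        self.members: Dict[Tuple[str, str], Member] = {}
        self.outbox: List[Tuple[str, str]] = []   # (recipient, body), simulated e-mail
        self.admin_alerts: List[str] = []          # questions sent to the company admin

    # admin actions
    def register(self, company: str, email: str, today: int) -> Member:
        m = Member(email=email, company=company, last_verified=today)
        self.members[(company, email)] = m
        return m

    def delete(self, company: str, email: str) -> None:
        m = self.members[(company, email)]
        m.status = Status.DELETED
        m.token_hash = None   # any outstanding link is dead from now on

    # daily job: send due challenge links, mark unanswered ones MIA
    def tick(self, today: int) -> List[str]:
        """Returns the raw tokens mailed today so the demo can use them;
        a real system would never hand them back to the caller."""
        issued = []
        for m in self.members.values():
            if m.status != Status.ACTIVE:
                continue
            if m.token_hash is None and today - m.last_verified >= REVERIFY_EVERY:
                token = secrets.token_urlsafe(32)
                m.token_hash = _hash_token(token)
                m.token_expires = today + LINK_VALID_FOR
                self.outbox.append((m.email, f"confirm?t={token}"))
                issued.append(token)
            elif m.token_hash is not None and today >= m.token_expires:
                m.status = Status.MIA
                m.token_hash = None
                self.admin_alerts.append(f"{m.email} did not confirm; delete?")
        return issued

    # link handler: one-time, unexpired, constant-time compared
    def confirm(self, company: str, email: str, token: str, today: int) -> bool:
        m = self.members.get((company, email))
        if m is None or m.status != Status.ACTIVE or m.token_hash is None:
            return False          # unknown, deleted, MIA, or nothing outstanding
        if today >= m.token_expires:
            return False          # expired link does nothing, per the post
        if not hmac.compare_digest(m.token_hash, _hash_token(token)):
            return False
        m.last_verified = today
        m.token_hash = None       # link is single-use
        return True

    # what a caller-verification lookup sees: only currently confirmed people
    def lookup(self, company: str, email: str) -> bool:
        m = self.members.get((company, email))
        return m is not None and m.status == Status.ACTIVE


def may_send(directory: Directory, priority: int, sender_company: str,
             recipient_company: str, recipient: str) -> bool:
    """Idea 2 as an enforced rule: P1 goes to nobody, P2 only to a
    directory-verified person in the same company, lower priorities are open."""
    if priority <= 1:
        return False
    if priority == 2:
        return (sender_company == recipient_company
                and directory.lookup(recipient_company, recipient))
    return True
```

Walking the scenario through: two people are registered on day 0, both get a link on day 30, one confirms on day 32 and the other never does, so on day 37 the silent one drops to MIA, the admin gets a question, and that person's old link (or a P2 send addressed to them) is refused from then on. Storing only the hash of the token and comparing with `hmac.compare_digest` means a dump of the directory database does not yield usable links.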





---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------