Firewall Wizards mailing list archives
Social engineering
From: Adam Shostack <adam () homeport org>
Date: Thu, 2 Oct 1997 09:09:06 -0400 (EDT)
This may be off topic for the list, but since I brought it up in my last post, I'd like to talk about Social Engineering (the art of convincing people to tell you everything you want to know), and ways to defend against it.

I've seen people get training to resist: don't hand out your password, find out who's calling, call them back at a number inside the company, etc. However, basic human nature is to be helpful when approached the right way (I'm new here, the guy who knows this has the flu, my boss is screaming at me, do we really have to go through this security rigamarole?). I've called people a day out of training, and gotten their passwords. So, the training I've seen was not effective. The company that paid for this training was shocked; it had not occurred to them to test it.

So, has anyone done any testing of their training regimen? Have you found anything useful?

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume