Information Security News mailing list archives

Deploying Disney: How Social Engineers Take Advantage of Childhood Lessons


From: InfoSec News <alerts () infosecnews org>
Date: Thu, 21 May 2009 04:25:34 -0500 (CDT)

http://www.informit.com/articles/article.aspx?p=1341012

By Chris Nickerson
InformIT
May 20, 2009

Security consultant Chris Nickerson points out that social engineers 
(the kind you hire as consultants) aren't evil; in fact, they want to 
help you prevent people from stealing your secrets. But longtime 
teaching from "Uncle Walt" and his many animated characters may make it 
easier for attackers to get at your mind.

People tend to believe that social engineering (SE) is an exercise in 
"BS-ing," or a way to trick users, but it's actually a distinct science. 
The founders of this science developed social engineering techniques in 
order to help people through difficult situations and change their 
world. The responsibility of the professional social engineer is to 
expose the weaknesses inherent in current corporate cultures—not to show 
off by proving that we can break through a company's security. The 
purpose of social engineering is to connect companies to the reality 
that risk lies everywhere, and that the company must protect its 
business and users from the harms that we all face.

Think of social engineering as being like healthcare coverage. Everyone 
is susceptible to disease and sickness, so companies provide healthcare 
benefits to keep employees and the business safe from the risks of 
illness. (For the business, those risks include loss of productivity, 
profit, and personnel.) Likewise, companies need to conduct social 
engineering tests and gain an understanding of how susceptible their 
information assets are to ever-growing threats.


The Level of Risk Is Rising

During the hard economic times that the U.S. has experienced in 2008 
(with the likelihood of rougher times ahead), newer and more creative 
threats have bombarded business. The security market as a whole is 
undergoing a huge uptick in risk due to current socioeconomic 
conditions. More people are "turning to the dark side" and finding 
profit in ways that they might once have considered taboo. It reminds me 
of what Les Stroud from the TV show Survivorman says: "Normally, I would 
never do this, but when it's your only chance for survival, you do 
whatever it takes." Much of the American public is in survival mode, as 
highlighted by the recent news of attacks, exposure of massive-scale 
information-theft networks (Ghostnet), and even the ever-present 
Conficker worm. All of these events are indicators that more and more 
people are looking to information theft as a source of income.

[...]

--
LayerOne 2009, Information Security for the discerning professional. 
May 23-24 2009 @ The Anaheim Marriott in Anaheim, California 
Visit http://layerone.info for more information


