Security Basics mailing list archives
RE: Social Engineering
From: "coder" <elite.coder () ntlworld com>
Date: Fri, 6 Jan 2006 17:26:27 -0000
OK, maybe Social Engineering cannot be *solved* with software engineering... but maybe (as some of you have suggested) it can be minimized. I only have about 25 - 30 pages to explain what SE is, what impact it has on businesses and what limitations there are with current solutions... So I will not be able to cover everything, but if I cover a good portion on ideas to prevent certain Social Engineering attacks I should get a good mark for the thesis.

Also, about the website idea I posted last time, someone said "what if someone finds the name of someone in company X and calls up company Y and blags about needing some information". The idea behind the website was that if Mr. X calls up company Y and says "hi I'm Mr. X from company Z", then Mr. A at company Y can say, "OK, give me two seconds, and I will *call you back*"... so Mr. A looks up the person on the site, calls the number that was registered and asks if they called... if not, you know it was an attempted SE attack... and it can be logged. If an attack was successful, the company that was attacked can ask for logs on the site about who looked up their info and when.

Lastly, it doesn't matter if the site gets hacked or whatever... I can just put in my BCS issues document that the website covers legal, ethical and professional issues and write about them, e.g. if the site gets hacked due to sloppy code, that's a professional issue... if the site gets hacked and a company is successfully attacked, that's a legal issue, etc. As my project supervisor stated, "this thesis is like a science project, you spot something wrong and try to 'fix' it... if it works, great, if not, oh well".

The 2nd idea is really just an implementation of Mitnick's "keep employees aware" statement... he suggested that admins could install an SE-aware screen saver which gives random tips... the 2nd idea will show the user what security level the info within a folder has and tell them what they can and can't do with it (it's easier than them looking up some hefty manual about security information). And the OS-specific issue... no worries, again it's an experiment; if it works for Windows... great, someone can find a way of porting it.

Anyways, I appreciate all of the information I have gotten back... maybe I'm just being naive in thinking that SE can be solved with Soft. Eng., but hey, it's worth a try.

Cheers,
~Davie Elliott.
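The call-back lookup described in the message above, sketched as an added example that is not part of the original post or the poster's project. The class, function names, the `place_call` hook and all sample names and numbers are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class CallbackDirectory:
    entries: dict = field(default_factory=dict)    # (company, person) -> registered number
    lookups: list = field(default_factory=list)    # who looked up whom, and when
    incidents: list = field(default_factory=list)  # suspected SE attempts

    def register(self, company, person, number):
        self.entries[(company.lower(), person.lower())] = number

    def lookup(self, requester, company, person):
        # Every lookup is logged, whether or not the person is registered.
        key = (company.lower(), person.lower())
        number = self.entries.get(key)
        self.lookups.append({"when": datetime.now(timezone.utc), "by": requester,
                             "company": key[0], "person": key[1],
                             "found": number is not None})
        return number

    def lookups_about(self, company):
        # What an attacked company would request: who looked up its staff.
        return [e for e in self.lookups if e["company"] == company.lower()]

def verify_caller(directory, requester, claimed_company, claimed_person,
                  number_given_by_caller, place_call):
    """place_call(number) -> True if the person reached confirms they called."""
    registered = directory.lookup(requester, claimed_company, claimed_person)
    if registered is None:
        outcome = "unregistered"
    elif place_call(registered):   # only the registered number is ever dialled
        outcome = "verified"
    else:
        outcome = "attempted_se"
    if outcome != "verified":
        directory.incidents.append({"claimed": (claimed_company, claimed_person),
                                    "number_given": number_given_by_caller,
                                    "outcome": outcome, "reported_by": requester})
    return outcome

def demo():
    # Constructed sample data: names and numbers are made up.
    d = CallbackDirectory()
    d.register("Company Z", "Mr. X", "+44 20 7946 0001")
    confirms = {"+44 20 7946 0001": False}   # the real Mr. X says he did not call
    result = verify_caller(d, "Mr. A@Company Y", "Company Z", "Mr. X",
                           "+44 20 7946 0999", lambda n: confirms.get(n, False))
    return result, d.incidents, d.lookups_about("Company Z")

if __name__ == "__main__":
    print(demo())
```

The number the caller offers is recorded for the incident log but never dialled, which is the property the call-back step depends on.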