Security Basics mailing list archives

Re: Social Engineering


From: List Spam <listspam () gmail com>
Date: Thu, 5 Jan 2006 11:15:20 -0800

On 1/4/06, coder <elite.coder () ntlworld com> wrote:

> Idea 1: A Directory site.
> <snip>
> Well, first an admin is nominated from the company (pref. someone who is
> "up" on security i.e. a sys admin)
> This admin will register the company with the site,
> Then he will register everyone in the company with the site

To the no-doubt eager to please and/or ego-inflated admin:  "That's a
pretty cool system you have set up.  Can you show me how it works?"
(record authentication mechanism - something as simple as video-taping
the keystrokes while looking over his shoulder should suffice)

> If you want to view info in the site, you will have to use the un/pass sent
> when the admin registered you,

"Hi, I'm the new directory maintainer for the company.  The previous
guy left a little to be desired in his documentation process and I'm
following up and making sure that everyone has a valid account.  Can
you forward what was originally sent so that I can make sure it's in
the list?"

> to prevent terminated users staying on the server, an email is sent from the
> site every X days with a link
> (like the one securityfocus sends for you to finish your registration)
> if you do not reply to the email after X days, you are put into an MIA list

Subject: Directory Maintenance
Body: In order to maintain an active listing in the company directory,
please follow the link below and login to renew your entry:
http://urlobfuscationdejour/loginbox.html

(Chances are, you just gained valid credentials for other services)

> (if someone searches for you, you will not be found...
> but you are not deleted either)
> when this happens the admin will receive an email asking why you haven't
> replied and if you should be deleted.
> <snip>

> Idea 2. Folder security information.
> <snip>
> So I want to write a program then, when you open a folder on the file
> server, a message will pop-up saying:
>
> The info. in this folder is Priority X,
> this means you... blahablahblah..

You are already socially engineering them with this approach, thereby
providing an environment where it is expected that the user do what
they're told simply because they're told.

> <snip>
> So, let me know what you think, it would be interesting to hear if these
> ideas are silly.
>
> Regards,
>
> Davie Elliott

Thinking about ways to minimize the impact of social engineering is
never silly, nor is soliciting input on those ideas.  Whether the "bad
guy" socially engineers a user, an admin, an exec, a vendor, a
partner, a supplier, etc. is really out of your control.

What you need, IMHO, is to determine a worst-case scenario resulting
from someone that can adversely affect you succeeding with their
efforts.  Build in policies, processes, and technology (preferably in
that order) to reduce exposure and/or liability.  Social engineering
is not new, existed before the "Information Age", and seldom employs
technology in its execution.  As such, relying exclusively on
technology to combat it will ultimately fail as it is not a technology
problem.

My two cents.  Take them for what they are - the ramblings of a list poster.

Keep plugging along though, because by at least thinking about it, you
are already ahead of many of your peers in protecting your company's
assets - be they physical or perceptual.

RE
