Firewall Wizards mailing list archives

Social engineering


From: Adam Shostack <adam () homeport org>
Date: Thu, 2 Oct 1997 09:09:06 -0400 (EDT)

        This may be off topic for the list, but since I brought it up
in my last post, I'd like to talk about Social Engineering (the art of
convincing people to tell you everything you want to know), and ways
to defend against it.

        I've seen people get training to resist; don't hand out your
password, find out who's calling, call them back at a number inside the
company, etc.  However, basic human nature is to be helpful when
approached the right way (I'm new here, the guy who knows this has the
flu, my boss is screaming at me, do we really have to go through this
security rigamarole?).  I've called people a day out of training, and
gotten their passwords.  So, the training I've seen was not effective.
The company that paid for this training was shocked; it had not
occurred to them to test it.

        So, has anyone done any testing of their training regimen?
Have you found anything useful?

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume
