Tuesday, November 13, 2007

Social engineering in penetration testing: Overload and fascination

Network World's Security Strategies Newsletter, 11/13/07

By M. E. Kabay

Distinguished correspondent Paul Schumacher continues his contributions on additional social-engineering techniques. We finish with comments on training employees to resist such techniques. What follows are Schumacher’s comments, with minor edits.

* * *

I have thought of two other methods of social engineering you may want to consider.

One is overload: Present the individual with so many decisions to make that they start to default to simple responses on those that seem innocuous. This is well presented in the movie "Sneakers," when Robert Redford's character has to get into a building and his team overloads the guard, who in desperation just buzzes Redford into the building.

The second is fascination. A staged 'play' that is interesting to the target will at worst totally engross the target individual, and at best, distract them from their job. In fact, the methods and techniques are as varied as there are individuals on the planet. What they have in common is the desire to have someone behave in a manner that is counter to security. Those who have the responsibility to protect security should be taught that it is far safer to maintain the safety of the security than to please or give in to someone who wants us to compromise it.

It could be an excellent teaching tool to have a class think up new methods of social engineering, particularly those that exploit the unexpected. The idea is to get them to think not just outside the box, but beyond the walls of the building the box is in. This is what those attacking security are doing more and more these days.

* * *

[MK adds:] In many of my articles, I have emphasized the power of play-acting or role-playing exercises in security awareness and training. In my experience, students and employees who act out a situation are far more likely to remember the lesson than if they simply hear about it or see a simulation.

Rebecca Teed of the Science Education Resource Center at Carleton College has put together an introductory overview of role-playing in teaching (including a pointer to readings) and also a detailed tutorial on “How to Teach Using Role-Playing” that can help readers who want to apply this powerful tool to information assurance.

* * *

Paul Schumacher welcomes correspondence. He is particularly happy to work on interesting research projects with anyone who can benefit from his expertise.

Editor's note: Starting Tuesday, Nov. 20, this newsletter will be renamed "Security Strategies Alert." Subscribers to the HTML version of this newsletter will notice some enhancements that will provide access to more resources relevant to IT security. You will still receive M. E. Kabay's analysis of this topic, which you will be able to read in its entirety online at NetworkWorld.com, along with links to relevant news headlines of the day. We hope you enjoy the enhancements and we thank you for reading Network World newsletters.

Contact the author:

M. E. Kabay, PhD, CISSP-ISSMP is Program Director of the Master of Science in Information Assurance and CTO of the School of Graduate Studies at Norwich University in Northfield, Vt. Mich can be reached by e-mail and his Web site.
Copyright Network World, Inc., 2007