Social engineering 101
Online encyclopedia Webopedia defines social engineering as "the act of obtaining or attempting to obtain otherwise secure data by conning an individual into revealing secure information."
Sophisticated social engineers take advantage of security vulnerabilities in human nature, and not software, in order to penetrate otherwise well-protected networks.
Social engineers use a variety of methods to achieve their goals. Many use flattery; a common line being "you're the only one smart enough to do this for me, please run the attachment I'm about to send you".
There are also some easy rules and policies that can help. Almost all the time a social engineer will refuse to give a call-back number. "They'll come up with an excuse ... like 'my mobile phone battery is dying'," says security consultant Kevin Mitnick.
By putting in a policy that states if "someone is making a request of a sensitive nature -- and you don't personally know this person -- then you have to call them back", around seven out of 10 social engineering attacks will be foiled.
"The key is to train staff to determine what is a legitimate and what is an illegitimate request," says Mitnick.
In this special round-up, ZDNet Australia presents essential reading for any security and/or IT professional, providing comprehensive information on social engineers, the way they work and tips to guard against them.
Social engineering: Don't be fooled
Ever been conned? Would you know if you had been? Social engineers practice a subtle art. Their techniques, when applied properly, leave victims none the wiser as to how they may have let an attacker in. It is a hard one to protect against, as attackers prey on the kindness of strangers, but there are some tips in this seven-part special to prevent your company being a victim to social engineering ploys.
Gartner: Social engineering 'greatest security risk'
The greatest security risk facing large companies and individual Internet users over the next ten years will be the increasingly sophisticated use of social engineering to bypass IT security defences, according to analyst firm Gartner. Rich Mogull, research director for information security and risk at Gartner, said social engineering is more of a problem than hacking.
">Security: Fighting the enemy within
How do you protect your network against a threat you can't see? New security automation can establish policies, and consistently audit and monitor them for compliance.
What hackers can teach you about security
Can you trust a hacker? What if that hacker was convicted, and served time, for his offenses? Two years ago, computer security companies bragged about hiring former hackers -- who better to plug security holes, the thinking went, than the folks who were so good at finding and exploiting them? But is this kind of thinking still in fashion?
| "Many of the most damaging security penetrations are -- and will continue to be -- due to social engineering, not electronic hacking or cracking." -- Rich Mogull, Gartner |
World-renowned security consultant Kevin Mitnick is expected to visit Australia for the first time in April 2005 to conduct a two-day social engineering workshop.
Hackers: Under the hood
Adrenalin pumping through their veins as lines of code are crunched to perfection. Well, that's how it is in the movies anyway. Welcome to the real world of hackers. ZDNet Australia went on the hunt to track down some of the world's most prominent (and notorious) hackers. In this five-part series, we delve into the lives of five prominent hackers who reveal issues close to their heart.