Social engineering

26 Jan 2007 | By Dan Sullivan, Realtimepublishers

This is tip No. 5 in our series, "How to assess and mitigate information security threats," excerpted from Chapter 3, "The Life Cycle of Internet Access Protection Systems," of the book The Shortcut Guide to Protecting Business Internet Usage, published by Realtimepublishers.

Social engineering is the practice of deceiving legitimate users of a system into disclosing information that will aid the attacker in compromising system security. A simple example is calling a user and pretending to be someone from the service desk working on a network issue; the attacker then proceeds to ask questions about what the user is working on, what file shares she uses, and what her password is.

A successful social engineering act requires the trust of the victim, so user awareness training about the problem is an effective countermeasure. Strict policies about service desk staff never asking for personally identifying information or passwords over the phone or in person can also help potential victims recognize a social engineering attempt.


How to Assess and Mitigate Information Security Threats
  Introduction
  Malware: The ever-evolving threat
  Network-based attacks
  Information theft and cryptographic attacks
  Attacks targeted to specific applications
  Social engineering
  Threats to physical security
  Balancing the cost and benefits of countermeasures

This chapter excerpt from the free eBook The Shortcut Guide to Protecting Business Internet Usage, by Dan Sullivan, is printed with permission from Realtimepublishers, Copyright 2006.
