Security Basics mailing list archives

RE: Social Engineering


From: Murad Talukdar <talukdar_m () subway com>
Date: Tue, 10 Jan 2006 11:14:58 +1000

We used to get phreakers ringing up to try and get PINs etc. for our phone
system and also trying to route calls through the same. What stopped it?
Educating people not to give out things like that to ANYONE over the phone.
The education needs reiterating on a regular basis, and not just because new
people start. 


Regards
Murad Talukdar

-----Original Message-----
From: m_r_welch () tiscali co uk [mailto:m_r_welch () tiscali co uk] 
Sent: Sunday, January 08, 2006 12:58 AM
To: coder
Cc: security-basics () securityfocus com
Subject: RE: Social Engineering

-- Original Message --
From: "coder" <elite.coder () ntlworld com>
To: <security-basics () securityfocus com>
Subject: RE: Social Engineering
Date: Fri, 6 Jan 2006 17:26:27 -0000


OK, maybe Social Engineering cannot be *solved* with software
engineering... but maybe (as some of you have suggested) it can be
minimized.

In a manner of speaking. The time-honoured principle of least privilege
can use technology to limit the damage from social engineering, but not
prevent it from happening. That which a person does not know and cannot
access cannot be charmed out of them, no matter how good the attacker is.
The password to a limited, locked down account is less use to an attacker
than a more open one, without preventing the innocent party from doing
their job.

It's a basic concept for information security, but easy to forget in a rush
to discover a new and exciting 'great new thing'. The more you make an
attacker work for every inch of access, the more chance you have to spot
them before they get too deep, and the more opportunities you give them to
make a mistake.
Unfortunately, you can't expect everyone to have the awareness of IT/IS
issues that we have. The average person looks to us to make their problems
go away, and if we impose too much on them, we can become a bigger
irritation than the problems we are trying to prevent. KISS must be applied
to any security solution that requires end-user involvement, and least
privilege applied properly is an unobtrusive way for technology to assist
against social engineering.

regards,
Mark Welch

