1

Social Engineering

By Dan LoPresto

2

An ounce of data on Dan… Dan LoPresto owns/operates

PitViper Industries - Technology Solutions. CISSP Certification in June 2003. NSTISSI 4011 & 4013 NSA Certification for

Information Assurance in January 2006. Bachelors = Management Information Systems Masters = Computer Resources & Info. Mgmt. Completing a Ph.D. in Information Systems with

a concentration in Information Security. Enjoys Shooting Pool & Targets along with

Cooking, Dining, and Eating. Owns a cat and a cockatiel.

3

Social Engineering Defined The ‘hacking’ of people. Obtaining, collecting, and using

unauthorized information garnered via technical and non-technical means while interacting with others.

Involves persuasion, lies, manipulation, and many other crafty methods while relying on a person’s natural sense to be helpful and their lack of understanding that the information being released is sensitive and/or confidential.

4

Identity-Related Misuse Social, as well as technological, risks to

one’s personal information exist just as they do in the corporate world.

Social Engineering involves the manipulation, or ‘hacking’, of people using partial knowledge and clever ruses.

Many people are oblivious to these types of risks.

“Greater awareness as well as technological, social, and legal approaches are needed to minimize the risks.” [1]

5

How to Repair Compromised Information

Systems Quickly? “Social engineering is one class of techniques that

exploit human weaknesses to gain unauthorized accesses to technically secure systems.” [2]

“…shift at least some of the research focus to the development of system design techniques that can minimize the cost of computer security breach by facilitating post-intrusion system clean-up and restoration.” [2]

It is impossible for any system to be completely secure, yet by knowing this, systems can be designed in a manner that raises awareness of when breaches occur and allows for fast, accurate repair and recovery of afflicted data.

6

Users Are Not The Enemy “…hackers pay more attention to the human link in the

security chain than security designers do, for example, by using social engineering techniques to obtain passwords.” [3]

Human factors must be considered in the design of security mechanisms.

“Insufficient communication with users produces a lack of user-centered design in security mechanisms.” [3]

“Social engineers rely on password disclosure, low security awareness and motivation to breach security mechanisms.” [3]

Users must be informed about and involved with the design, implementation, and policies surrounding information security.

7

Significance & Conclusion The articles referenced provided insight into methods

deployed by Social Engineers, how the user community is affected by these methods, along with ways to help combat social engineering attacks through awareness and involvement of the user base.

Additionally, a change in the method of how systems are designed was suggested in an effort to involve users more directly and create more effective recovery of damaged and/or stolen data.

This information will aid those seeking to minimize successful Social Engineering attacks. It should help them develop new ways to thwart efforts to garner sensitive and confidential information from users. Lastly, it should get us all thinking about devising stronger methods to repair our data as well as recover it post-intrusion.

8

Articles Reviewed[1] Neumann, Peter G. (1997). Identity-Related Misuse.

Inside Risks, 40-7.

[2] Chiueh, Tzi-cker, Zhu, Ningning, & Pilania, Dhruv.

(2002). How to Repair Compromised Information

Systems Quickly? Computer Science Department.

State University of New York at Stony Brook.

[3] Adams, Anne & Sasse, Martina Angela. (1999). Users

Are Not The Enemy. Department of Computer

Science at the University College of London. 42-12.

9