Redefining computer literacy in the age of ubiquitous computing
Proceedings of the 6th conference on Information technology education
SOUPS '06 Proceedings of the second symposium on Usable privacy and security
Proceedings of the 4th annual conference on Information security curriculum development
InfoSec technology management of user space and services through security threat gateways
Proceedings of the 4th annual conference on Information security curriculum development
Whispers in the hyper-space: high-speed covert channel attacks in the cloud
Security'12 Proceedings of the 21st USENIX conference on Security symposium
Secure and usable authentication on mobile devices
Proceedings of the 10th International Conference on Advances in Mobile Computing & Multimedia
Information and Software Technology
Trusted people can fail to be trustworthy when it comes to protecting their aperture of access to secure computer systems, owing to inadequate education, negligence, and various social pressures. People are often the weakest link in an otherwise secure computer system and, consequently, are targeted by social engineering attacks. Social engineering is a technique used by hackers or other attackers to gain access to information technology systems by obtaining the needed information (for example, a username and password) from a person rather than breaking into the system through electronic or algorithmic hacking methods. Such attacks operate on both a physical and a psychological level. The physical settings for these attacks are places where a victim feels secure: often the workplace, the phone, the trash, and even online. Psychology is often used to create a rushed or officious atmosphere that helps the social engineer cajole an employee into revealing information about accessing the system. Data privacy legislation in the United States and other countries, which imposes privacy standards and fines for negligent or willful non-compliance, increases the urgency of measuring the trustworthiness of people and systems. One metric for determining compliance is to simulate, by audit, a social engineering attack upon an organization that is required to follow data privacy standards; such an organization commits to protecting the confidentiality of the personal data with which it is entrusted. This paper presents the results of an approved social engineering audit conducted without notice within an organization where data security is a concern. Areas emphasized include the interactions between the social engineer and the audited users, the techniques used by the social engineer, and other findings from the audit. Possible steps to mitigate exposure to the dangers of social engineering through improved user education are reviewed.