Welcome to NBlog, the NoticeBored blog

I may meander but I'm exploring, not lost

Nov 4, 2008

Social engineering - exploiting the weakest links

Surveys and news items suggest that social engineering attacks are on the rise in terms of scale and sophistication, as well as number. A new 40-page white paper from ENISA:
  • outlines social engineering methods such as pretexting, phishing, spear phishing and vishing;
  • presents an interview with acknowledged social engineer Kevin Mitnick;
  • discusses three studies portraying how easily naive/untrained users are manipulated;
  • identifies five defence measures; and
  • offers a checklist to fight social engineering based on the mnemonic LIST (Legitimacy, Importance, Source, Timing).
While technical controls can help to some extent for example by identifying emails that might be phishers, research on undergraduates (described in the paper) demonstrates the effectiveness of repeated security awareness/training.