
Thread: social engineering

  1. #1

    social engineering

    Hi,
    Say a scenario like this: Staff A poses as the helpdesk and calls up Staff B. Staff A asks for Staff B's password to do some administration stuff. Thinking that Staff A is the helpdesk, Staff B gives the password to him. How can we prevent such things from happening? Security awareness is one way. How about preventing this from a technical perspective?
    Thanks

  2. #2
    Macht Nicht Aus moxnix
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    I'm sorry but I am not very tolerant about any one giving out passwords for any reason. Staff B should be fired or at the very least denied access to restricted (passworded) areas.

    Your company SOP's should have policy laid out so that giving a password to anyone on the phone would be a firing offense. If staff A was legitimate they would either already know the password, or have a more secure venue of getting it.

    There is not any good technical fix for user stupidity.
    "Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
    Author Unknown

  3. #3
    Senior Member
    Join Date
    Sep 2003
    Posts
    137
    Training is going to be the best answer for this. There are some technical controls that may help, but the human is the weakest link in any network. Social engineering is the most effective type of attack out there because people have weaknesses; kindness, greed and stupidity are a few of them.

    One way we can prevent the problem would be to implement some controls that would require several passwords. One-time passwords may also be effective to a degree.
    "Common Sense isn't that common"
    "It is a lot easier to raise a child than it is to repair an adult"
    -Kruptos

  4. #4
    Senior Member
    Join Date
    Oct 2002
    Posts
    1,130
    There is no technical means to prevent this. I know my password. I can speak, too. So unless my computer is equipped with a psychic communications array to hear my thoughts with, and a flyswatter to slap me upside the head with before I give out my password, it can't stop me.

    You can limit the impact by enforcing password changes regularly, watching for multiple logins, and limiting physically where passwords can be used.

    Another possibility is the use of smart cards, of which employees are issued only one. I have also seen keyfobs with a serial number that changes every 30 seconds or so, which is linked to a password database. That serial number is the user's password for those 30 seconds. But neither will prevent employees from lending them. The only other solution would be the use of biometrics.

    But a technological measure against password sluts would be as impossible as a car that won't let stupid drivers inside it.
    Government is like fire - a handy servant, but a dangerous master - George Washington
    Government is not reason, it is not eloquence - it is force. - George Washington.

    Join the UnError community!

  5. #5
    The device that's being accessed needs the finger print from Staff B

    edit: sorry, just saw Striek's part about biometrics.
    O.G at A.O

  6. #6
    Have all your workers read The Art of Deception by Kevin Mitnick.
    Everything that has a beginning has an end.

  7. #7
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152
    kruptos has the answer 'training'.

    Staff need to be made aware of the value of their username/passwords and also made aware of the consequences if they hand them out.

    If your company doesn't have a password policy, or if it does and hasn't made an effort to make staff understand it, then you probably won't be able to discipline the staff, never mind sack them.

    This sort of thing has to be started from the top with policy driven by senior management.

  8. #8
    Junior Member
    Join Date
    Sep 2005
    Posts
    19
    My answer would be to have the help desk verify that they are who they say they are, and/or not give him the time of day if he doesn't show up on Caller ID. Generally you call the help desk; they don't call you!

  9. #9
    Thanks for all your input.
    The main concern on my part is how, in the scenario mentioned, Staff B is going to identify that the helpdesk is who they say they are.
    So firstly, the helpdesk should not ask for passwords from users at all. This is enforced by policy.
    Secondly, users should just say no, no and no when asked for a password (enforced by policy).
    Lastly, as an identifying mechanism, use caller ID...

    thanks

  10. #10
    You could have a system where no member of staff is allowed to tell anybody their password (as you currently do) and your help desk calls around during quiet times and attempts to obtain a password from users. Those who hand over a password could then be sent on a training course to show them the error of their ways. If the staff know about this process then they will be very suspicious of anybody who asks for their password.
    If everything looks perfect, then there is something you don't know
