Everything You Wanted to Know about
Social Engineering -- But Were Afraid to Ask...
Social Engineering Critical Corporate Information
Yes, that person claiming to be a Cisco engineer might know
an awful lot about who works for whom and what equipment your
company has. If you think that means he or she must be authorized
to be given the executive password or allowed to enter the room
where you keep your routers - think twice.
Ira Winkler, in his book "Corporate Espionage" tells
how he has vacuumed up an amazing amount of information during
his penetration tests. He would "pretend to be the assistant
to a high level executive who personally wanted to welcome new
employees to the company. My boss was extremely upset , I would
claim, because the list of new hires was overdue."
With the new hires list in hand, he would contact people who
were so new that they were unlikely to be able to detect an impostor.
"I used the security briefing ruse, because people are usually
intimidated by any contact dealing with security and they usually
provide all requested information without challenge."
Some computer criminals are even more blatant than Winkler.
In one case, a cracker simply walked into a building and posted
a note on a bulletin board advising people to call his home phone
number for technical support.
More on social engineering --->
Back to the index of "Everything You
Wanted to Know About Social Engineering -- But Were Afraid to
Ask --->
