Angels of security » issa http://angelsofsecurity.com/blog Musings of an infosec renegade Tue, 02 Aug 2011 19:01:53 +0000 en hourly 1 http://wordpress.org/?v=3.2.1 Secure wireless http://angelsofsecurity.com/blog/2009/12/03/secure-wireless/ http://angelsofsecurity.com/blog/2009/12/03/secure-wireless/#comments Thu, 03 Dec 2009 18:52:50 +0000 admin http://angelsofsecurity.com/blog/2009/12/03/secure-wireless/


Secure wireless

Originally uploaded by bachrach44

I noticed this on the wall at a recent ISSA meeting. In addition to the obvious security issue I’m trying to bring attention to, there is a bonus security issue being illustrated here – you can see my reflection!

]]> http://angelsofsecurity.com/blog/2009/12/03/secure-wireless/feed/ 0 Social Engineering is not for engineers http://angelsofsecurity.com/blog/2008/04/02/social-engineering-is-not-for-engineers/ http://angelsofsecurity.com/blog/2008/04/02/social-engineering-is-not-for-engineers/#comments Thu, 03 Apr 2008 02:45:16 +0000 admin http://angelsofsecurity.com/blog/2008/04/02/social-engineering-is-not-for-engineers/ I’m a little behind on my reading, so I only just got to the January issue of the ISSA journal. In it was one of the best articles I’ve read on social engineering. The problem with most articles (or at least the ones I read), is that they approach social engineering from a technical perspective. However, far from what the name implies, social engineering is not in any way related to any of the engineering disciplines. SE is nothing more than a fancy name for a scam that happens to involve a computer. Rather than treat the SE threat as a technological threat, we should be treating it the same way we treat all scams – as a purely human threat and not a technological one. We should be turning to psychologists for help in tackling the problem, not networking experts.

In this article Dan Timko reports on research done by Robert Cialdini on the psychology of influence. Cialdini enumerates 6 basic methods people use to influence others. They are:

  • Reciprocation
  • Commitment and Consistency
  • Social Proof
  • Authority
  • Liking
  • Scarcity

I’m not going to go in depth into each of these, but if you’re interested, here is a good summary of each. Suffice it to say that these methods are by no means limited to marketers – scam artists (sorry,”social engineers”) use all 6 without even necessarily knowing it.

The solution to scam of all sorts, just like the threat, should be based on social science and human behavior, not technical countermeasures (although they do certainly have their place). While Dan recognizes and says this, he does not stick true to those principles, concluding only that the best defense against social engineering is a strong security policy, user education, and the rest of the things ISSA members have been preaching for ages. If you ask me the solution (if there really is one) to social engineering will not come from someone with a CISSP, CISM, or CISA, but from someone with a PhD in psychology. The quicker we realize that, the quicker we can come to a real solution.

]]> http://angelsofsecurity.com/blog/2008/04/02/social-engineering-is-not-for-engineers/feed/ 0