The urgency for effective user privacy-education to counter social engineering attacks on secure computer systems
Source: Conference On Information Technology Education (formerly CITC)
Proceedings of the 5th conference on Information technology education
Salt Lake City, UT, USA
Session: Security III
Pages: 177-181
Year of Publication: 2004
ISBN: 1-58113-936-5
Authors
Gregory L. Orgill  Brigham Young University, Provo, UT
Gordon W. Romney  Brigham Young University, Provo, UT
Michael G. Bailey  Brigham Young University, Provo, UT
Paul M. Orgill  Brigham Young University, Provo, UT
Sponsor
ACM: Association for Computing Machinery
Publisher
ACM  New York, NY, USA
DOI: http://doi.acm.org/10.1145/1029533.1029577

ABSTRACT

Trusted people can fail to be trustworthy when it comes to protecting their aperture of access to secure computer systems due to inadequate education, negligence, and various social pressures. People are often the weakest link in an otherwise secure computer system and, consequently, are targeted for social engineering attacks. Social Engineering is a technique used by hackers or other attackers to gain access to information technology systems by getting the needed information (for example, a username and password) from a person rather than breaking into the system through electronic or algorithmic hacking methods. Such attacks can occur on both a physical and psychological level. The physical setting for these attacks occurs where a victim feels secure: often the workplace, the phone, the trash, and even on-line. Psychology is often used to create a rushed or officious ambiance that helps the social engineer to cajole information about accessing the system from an employee.

Data privacy legislation in the United States and international countries that imposes privacy standards and fines for negligent or willful non-compliance increases the urgency to measure the trustworthiness of people and systems. One metric for determining compliance is to simulate, by audit, a social engineering attack upon an organization required to follow data privacy standards. Such an organization commits to protect the confidentiality of personal data with which it is entrusted.

This paper presents the results of an approved social engineering audit made without notice within an organization where data security is a concern. Areas emphasized include experiences between the Social Engineer and the audited users, techniques used by the Social Engineer, and other findings from the audit. Possible steps to mitigate exposure to the dangers of Social Engineering through improved user education are reviewed.



