Social engineering has been around for a long time and predates the Internet. The method behind today's Nigerian scams dates back to the 16th century; it is simply much more widespread today. Social networking sites supply attackers with a rich source of information. They may even get hold of confidential information without any effort (as the Robin Sage experiment has shown). Directed attacks such as spear-phishing can have a high impact. The use of deception or impersonation to gain unauthorised access to sensitive information or facilities is a persistent threat to your company or organisation, provided you communicate with the outside world. As computer security becomes more sophisticated, hackers are combining their technical expertise with social engineering to gain access to sensitive information or valuable resources in your organisation.
Social engineering attacks can have disastrous consequences, both financially and reputationally. You can have the best technical security controls in the world, from the most expensive firewall to the most sophisticated biometrics, but they will not protect you from a social engineering attack. In any security programme people are the weakest link. Social engineering tests can be used to evaluate and strengthen this link. So how do you approach testing your defences? How do you prepare to ward off attackers? There is no off-the-shelf solution. Countermeasures must operate on multiple levels. Furthermore, you have to understand how social engineering attacks work and what they exploit. Once you have done that, you can apply this knowledge to your own organisation. There is no short-cut. You need to find where attackers can strike and harden your processes in the same way as your servers and networks.
Sharon Conheady and Martin Law of First Defence Information Security will conduct the workshop Social Engineering for IT Security Professionals at DeepSec 2011. You will learn the theory behind social engineering attacks, what they look like in practice, how to analyse attacks, how to use social engineering in penetration testing, and how to counter these attacks by combining security controls, physical security, security policies, education and awareness.