Information Security Technology?...Don't Rely on It
A Case Study in Social Engineering
Ira S. Winkler, <winkler@c3i.saic.com>
Brian Dealy, <bdealy@c3i.saic.com>
Science Applications International Corporation
200 Harry S. Truman Parkway
Annapolis, Maryland 21401
Abstract
Many companies spend hundreds of thousands of dollars to ensure
corporate computer security. The security protects company secrets,
assists in compliance with federal laws, and enforces privacy of
company clients. Unfortunately, even the best security mechanisms
can be bypassed through Social Engineering. Social Engineering uses
very low cost and low technology means to overcome impediments posed
by information security measures. This paper details a Social
Engineering attack performed against a company with its permission.
The attack yielded sensitive company information and numerous user
passwords, from many areas within the company, giving the attackers
the ability to cripple the company despite extremely good technical
information security measures. The results would have been similar
with almost any other company. The paper concludes with recommendations
for minimizing the Social Engineering threat.
Download the full text of this paper in
POSTSCRIPT (87,905 bytes) and PDF (141,038 bytes) form.