Social engineering in penetration testing: Overload and fascination

Two more social-engineering techniques, plus training

Security Strategies Alert By M. E. Kabay, Network World
November 13, 2007 09:45 AM ET
The long view of security strategies for your network.

Distinguished correspondent Paul Schumacher continues with his perspectives on additional social-engineering techniques. We finish with comments on training employees to resist such techniques. What follows are Schumacher’s comments, with minor edits.

* * *

I have thought of two other methods of social engineering you may want to consider.

One is overload: Present the individual with so many decisions to make that they start to default to simple responses on those that seem innocuous. This is well presented in the movie "Sneakers" when Robert Redford's character has to get into a building, and his team overloads the guard, who in desperation just buzzes Redford into the building.

The second is fascination. A staged 'play' that is interesting to the target will at worst totally engross the target individual, and at best, distract them from their job. In fact, the methods and techniques are as varied as there are individuals on the planet. What they have in common is the desire to have someone behave in a manner that is counter to security. Those who have the responsibility to protect security should be taught that it is far safer to maintain the safety of the security than to please or give in to someone who wants us to compromise it.

It could be an excellent teaching tool to have a class think up new methods of social engineering, particularly those that exploit the unexpected. The idea is to get them to think not just outside the box, but beyond the walls of the building the box is in. This is what those attacking security are doing more and more these days.

* * *

[MK adds:] In many of my articles, I have emphasized the power of play-acting or role-playing exercises in security awareness and training. In my experience, students and employees who act out a situation are far more likely to remember the lesson than if they simply hear about it or see a simulation.

Rebecca Teed of the Science Education Resource Center at Carleton College has put together an introductory overview of role-playing in teaching (including a pointer to readings) and also a detailed tutorial on “How to Teach Using Role-Playing” that can help readers who want to apply this powerful tool to information assurance.

* * *

Paul Schumacher welcomes correspondence. He is particularly happy to work on interesting research projects with anyone who can benefit from his expertise.

Editor's note: Starting Tuesday, Nov. 20, this newsletter will be renamed "Security Strategies Alert." Subscribers to the HTML version of this newsletter will notice some enhancements that will provide access to more resources relevant to IT security. You will still receive M. E. Kabay's analysis of this topic, which you will be able to read in its entirety online at NetworkWorld.com, along with links to relevant news headlines of the day. We hope you enjoy the enhancements and we thank you for reading Network World newsletters.

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.