Author Topic: Need some help with SEing and a school project  (Read 1373 times)

gangals
Need some help with SEing and a school project
« on: March 01, 2007, 08:52:48 PM »
Hey all. I'm doing a presentation for an InfoSec course on SEing and I need some help.

I wanted to focus on the fundamentals of how to SE; however, my group partners have downplayed that idea... :'(

So I need to present topics on preventing SE. If you could provide some creative ideas on this topic, or any other ideas for the presentation on SE, I would be very appreciative.

Here is what I have so far (just a rip from UCLA's site).

Quote
How to Prevent Social Engineering

What is Social Engineering?
Rather than attacking a computer, Social Engineering is the act of interacting with and manipulating people to obtain important/sensitive information or to perform an act that is latently harmful. To be blunt, it is hacking a person instead of a computer. A social engineer can use the phone, the internet, or even show up in person to perform the malicious act. They can be after data such as ID numbers, usernames, passwords, server names, machine names, remote connection settings, schedules, credit card numbers, etc. They may also try to get someone to install malicious software, visit an unscrupulous website, or even access unauthorized locations.

What can I do?
Be educated, aware, and a little bit paranoid.
Never give out

    * usernames; Administrators should know it or can find out themselves
    * passwords; Administrators can ask you to enter it into the computer, but don't tell anyone
    * ID numbers
    * PIN numbers
    * server names
    * system information
    * credit card numbers
    * schedules
    * sensitive data
    * etc.

Be aware of what is being asked

Via the phone:
    * ask for a full and correct spelling of their name, a call back number, and why they need the information
    * have them contact the correct information source directly if asked for information managed by someone else
    * when in doubt, put the caller on hold or tell them you will call them back. This gives you time to log any strange calls and verify if it is ok to give out information.

Via the internet:
    * watch for any attachments that someone wants you to run in an e-mail
    * avoid any requests to enter account information for verification by following a link in the e-mail (this is known as phishing)
    * administrators will never tell you passwords over e-mail
    * e-mails from SEASnet will be in plain text without attachments unless you asked for the attachment
    * SEASnet may give you password guidelines, but never tell you to change it to something specific like "abcde"
    * when in doubt, you can also contact the e-mail sender in a phone call or new e-mail and ask if their e-mail with the subject of <copy the subject> was valid

In person:
    * never be pressured to comply when someone says "Do you know who I am?"
    * ask for a contact to verify the person's need for information
    * have someone asking configuration/access questions contact the source directly
    * someone from SEASnet should only need you to enter your username/password on the computer; not write it down or verbally say it
    * always be aware of people around you when entering your username/password
    * when in doubt, contact SEASnet or your supervisor

Other:
    * shred and secure any documents that someone can obtain by looking through your trash

Always: when in doubt, ask the person to wait while you verify (a) identity, (b) need to know, and (c) if you are the rightful/authorized source of the information.

FROM: //www.seas.ucla.edu/security/social_eng.html


I know there are many other things to focus on, such as shoulder surfing and eavesdropping and the different attitudes an SE may take to get information, but I just want everyone's thoughts on what makes a great SE and then what to look for to detect an SE.
« Last Edit: March 01, 2007, 08:59:35 PM by gangals »
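As an added illustration of the e-mail warning signs in the quoted guidelines (attachments you did not ask for, HTML instead of plain text, a request to confirm a password via a link, and links whose visible text names a different site than the real target), here is a small scanner that flags those indicators in a raw message. It is example code written for this thread, not from UCLA/SEASnet or the original poster; the two sample messages are constructed, and every address and domain in them is made up.

```python
"""Flag phishing indicators from the SEASnet-style guidelines in a raw e-mail.

Added example for this thread; sample messages below are constructed.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Words that suggest the message is asking for a credential.
CREDENTIAL_RE = re.compile(r"\b(password|passwd|pin)\b", re.IGNORECASE)
# Hostname-looking text, with or without a scheme, inside a link's visible text.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _claimed_host(link_text):
    """Hostname the visible link text appears to point at, or None."""
    match = HOST_RE.search(link_text)
    return match.group(1).lower() if match else None


def phishing_indicators(raw_message):
    """Return a sorted list of indicator names found in an RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = set()
    body_text = ""

    for part in msg.walk():
        # Guideline: legitimate admin mail is plain text with no attachments.
        if part.get_content_disposition() == "attachment":
            findings.add("attachment")
        ctype = part.get_content_type()
        if ctype == "text/html":
            findings.add("html_body")
            html = part.get_content()
            body_text += html
            extractor = _LinkExtractor()
            extractor.feed(html)
            for href, text in extractor.links:
                real = (urlparse(href).hostname or "").lower()
                claimed = _claimed_host(text)
                # Visible text names one site, the real target is another.
                if claimed and real and claimed != real:
                    findings.add("link_mismatch")
        elif ctype == "text/plain":
            body_text += part.get_content()

    # Guideline: never follow a link to "verify" a password or PIN.
    if CREDENTIAL_RE.search(body_text) and "http" in body_text.lower():
        findings.add("credential_request")

    return sorted(findings)


# Constructed sample: looks like a password-reset notice but carries every red flag.
PHISH = """\
From: "Helpdesk" <support@helpdesk-verify.example>
To: student@example.edu
Subject: Verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your password expires today. Confirm it at
<a href="http://login.attacker.example/verify">https://portal.school.example</a></p>
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="form.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b1--
"""

# Constructed sample: plain text, no links, no attachment, nothing to flag.
BENIGN = """\
From: support@school.example
To: student@example.edu
Subject: Scheduled maintenance
Content-Type: text/plain; charset="utf-8"

The lab printers will be offline Saturday morning. Call the helpdesk with questions.
"""

if __name__ == "__main__":
    print("phish :", phishing_indicators(PHISH))
    print("benign:", phishing_indicators(BENIGN))
```

The checks are deliberately conservative: a hit on `link_mismatch` only fires when the visible text itself looks like a hostname that differs from the real target, and `credential_request` needs both a credential word and a URL in the body, which keeps ordinary password-policy reminders from being flagged.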

splynt0r
Re: Need some help with SEing and a school project
« Reply #1 on: March 02, 2007, 04:52:26 AM »
A great poker face makes a good social engineer. How to prevent it, in my opinion, is not to believe anything and be very, very paranoid.