Social Engineering

November 26, 2007 – 6:34 am

Social engineering is a term popularized by security consultant Kevin Mitnick.  Mitnick was once considered a world-famous computer hacker, with several books describing his exploits.  Mitnick is now reformed, runs his own security company, and points out the dangers of social engineering.  Social engineering is a series of techniques used by the bad guys to manipulate people into performing actions or divulging confidential information.  As Mitnick would point out, it is much easier to trick someone into divulging their password than to spend the time trying to hack into a computer system.  My recent articles on phishing and vishing fall into the category of social engineering.

In a recent blog posting on the Computerworld site, Michael R. Farnum argued that when doing a security assessment for a company, examining social engineering is often not necessary.  His point seems to be that most companies will fail this part of an assessment, so why bother?  The same could be said of the entire security assessment.  If there are areas in which you know a company is going to fail, why examine them?  The point of a security assessment is to have an outside third party examine security from an objective point of view.  The assessment then provides objective evidence which can be used to justify the budget to fix these problems.  If company management is already on board with tightening security, start with fixing the problems you know about – including training employees on social engineering.  When you think you have everything fixed and airtight – then have a security assessment to find the areas you overlooked or to test employee training.
