January 24, 2008
Social Engineering: Threats and Countermeasures
Author: JT Smith
I've worked on many projects over the years where we've attempted to gain access to a network and the data on it using social engineering techniques. One of the more common tactics used involves calling end-users and impersonating IT staff and other, usually non-existent, companies. The percentage of usernames and passwords given away by staff always astonishes me; typically we have a 75% plus success rate. This carries across private and non-private companies, medium to large organizations, and works equally well against high-end business managers who are likely to have remote access. When this is combined with scanning for publicly accessible services, it can prove a highly effective way to gain remote access to a system or network.