2. What is social engineering?
● “gaining of information from legitimate users for illegitimate access” (Dhillon, 2013).
● generally involves manipulating someone to take action or give information that may or may not be in the target’s best interests (Hadnagy, 2010).
4. Case Study: Wayland Fruit Company
5. Case Study: Holes in Security
● company policy violations
○ vulnerable to blackmail, coercion
● hacker use of pretexting to get information
○ pretended to be EW IT Technician
○ knew information about the company & Mr. Farmer
● Lack of awareness/education
● use of the same login ID and password for multiple accounts
6. Social & Technical Vulnerabilities
● Walmart: good customer service vs. giving out business information (Cowley, 2012).
● Human tendencies = vulnerabilities:
○ want to be helpful
○ make assumptions
○ reluctance to question authorities
○ people take shortcuts: security vs. usability (Hadnagy, 2010).
○ overconfidence
7. Implications for attacks
● can have high costs
○ financial costs $25,000-$100,000/incident
○ loss of trust in employees
○ loss of business
● difficult to prevent because of natural human tendencies
8. Preventing social engineering attacks
● include 4th generation security measures (Dhillon, 2013).
● education and awareness about social engineering for all employees
● use a combination of informal, formal, and technical controls/security measures
● make use of penetration testing
● don’t make it easy!
○ ex: proper disposal of trash/important documents (Brody, Brizzee, & Cano, 2012)
9. Class Question
What other security measures can businesses use to prevent social engineering attacks? How are these security measures different from those instituted to protect from other types of attacks?
10. References
● Brody, R.G., Brizzee, W.B., and Cano, L. (2012). Flying under the radar: Social engineering. International Journal of Accounting and Information Management, 20(4). Retrieved from http://www.emeraldinsight.com.proxy.library.vcu.edu/journals.htm?articleid=17058136&show=abstract
● Cowley, S. (2012). How a lying 'social engineer' hacked Wal-Mart. CNN. Retrieved from http://money.cnn.com/2012/08/07/technology/walmart-hack-defcon/index.htm
● Dhillon, G. (2013). Enterprise Cyber Security: Principles and Practice. Washington, DC: Paradigm Books.
● Hadnagy, C. (2010). Social Engineering: The Art of Human Hacking. Indianapolis, IN: John Wiley & Sons. Retrieved from http://proquest.safaribooksonline.com.proxy.library.vcu.edu/9780470639535
● Orlando, J. (2007). Social engineering in penetration testing: Cases. Security Strategies Alert. Retrieved from http://www.networkworld.com/newsletters/2007/1022sec2.html?page=1