Ethical Hacking
The importance of assessing an organization’s vulnerability to attack from the inside is virtually self-evident. With the exception of the very small company, hired employees are essentially strangers a company pays to perform a task. Even when background checks are performed and references are checked, there is simply no guarantee that the people tasked with … Read more
You might assume that protecting a company’s informational assets from a physical intrusion is covered under its existing security measures, but often that’s simply not the case. Understandably, these same assets must be available to the employees so that they can perform their work. All an attacker has to do to obtain physical access to … Read more
Anyone who has taken an information security class in the past ten years has probably heard the “crunchy on the outside, soft on the inside” candy bar analogy of a data net- work security model. This means that all the “hard” security controls are around the outside of the network, and the inside of the … Read more
Hardening your environment to withstand SEAs, especially targeted ones, is more a matter of training than a traditional security control. An SEA goes right to the most vulnerable point in a company’s defenses: its employees. For the reasons discussed in the preceding sections, people make decisions daily that impact or even compromise implemented security measures. … Read more
It’s one thing to send an e-mail to or chat with someone online during a SEA, but it’s quite another to meet face to face with them, or even speak to them on the phone for that matter. When working online, you can make your attempt and then sit back and see if you get … Read more
It is important to discuss with your client your intention to conduct social engineering attacks, whether internal or external, before you include them in a penetration test’s project scope. A planned SEA could be traumatic to employees of the target company if they are made aware of the findings in an uncontrolled way, because they … Read more
Social engineering attacks cover a wide range of activities. Phishing, for instance, is a social engineering attack (SEA). The victim receives a legitimate-looking e-mail, follows a link to a legitimate-looking website they’re familiar with, and often divulges sensitive information to a malicious third party. As end users are made aware of such activities, the attacks … Read more
There are three basic types of vulnerability disclosures: full disclosure, partial disclosure, and nondisclosure. Each type has its advocates, and long lists of pros and cons can be debated regarding each type. CERT and RFP take a rigid approach to disclosure practices; they created strict guidelines that were not always perceived as fair and flexible … Read more
The Securely Protect Yourself Against Cyber Trespass (SPY Act) was passed by the House of Representatives, but never voted on by the Senate. Several versions have existed since 2004, but the bill has not become law as of this writing. The SPY Act would provide many specifics on what would be prohibited and punishable by … Read more
Several years ago, Congress determined that the legal system still allowed for too much leeway for certain types of computer crimes and that some activities not labeled “illegal” needed to be. In July 2002, the House of Representatives voted to put stricter laws in place, and to dub this new collection of laws the Cyber … Read more