
Password Collection through Social Engineering: An Analysis of a Simulated Attack


Source
Journal of Information Systems Security
Volume 6, Number 4 (2010)
Pages 53-70
ISSN 1551-0123 (Print)
ISSN 1551-0808 (Online)
Authors
Joseph A. Cazier — Appalachian State University, USA
Christopher M. Botelho — Baylor Health, USA
Publisher
Information Institute Publishing, Washington DC, USA

Abstract

This study demonstrates that consumers, healthcare workers and corporate America remain very much vulnerable to simple social engineering attacks, even with current levels of security training. Through a simulation of what a real social engineer might try to do (with a few safeguards to protect participants), security levels were tested in the business district of a large downtown financial center, a hospital, and a university campus. Through the simulated attack, the researchers were able to obtain useful demographic and tactical information from the majority of the 'victims'. In addition, 73% of respondents shared a password with the researchers. Those with recent security awareness training were just as likely as those without it to share their passwords with strangers. Results, implications and future directions are discussed.

Keywords

Social Engineering, Security, Passwords, Security Awareness, Privacy, Hacking
