Wednesday, April 8, 2009

The virtue of security education is more important than vulnerability

Using Facebook to Social Engineer Your Way Around Security

The most important part of an attack isn't always a vulnerability; sometimes it's the end user's trust.

This was certainly the case during an authorized penetration test at an energy company conducted by security vendor Netragard. Looking for a way inside the customer's defenses, the vendor turned to Facebook. They built a profile, bolstered it with information on work experiences taken from actual employees and began 'friending.'

What the Facebook 'friends' did not know was that this was all part of a long con - a bit of social engineering to lull the employees into giving up their credentials more easily. The simulated attack underscores both the importance of enterprises having sound policies when it comes to employees using sites like Facebook, LinkedIn and MySpace and the challenges of authenticating users on the Web.

A penetration test by Netragard at an energy company highlights how hackers can use Facebook, LinkedIn and other social networking sites as part of phishing schemes. In the test, Netragard used social engineering to get its hands on information that could have been used to compromise critical systems at the company. Addressing this security issue means having smart policies about what employees can and cannot do on the Web.

Please click here to read full article. Worth and interesting read.

No comments: