Re: Technical measures against social engineering
I think what you'll end up doing is having a list of x technical measures and how they might put a dent into SE. Analyze each of them for strengths and weaknesses, and then inevitably conclude that technical measures by their nature are meant to be bypassed by SE and thus do not work (much?).
Re: Technical measures against social engineering
Agreed. Definitely agreed.
But like I said, these ideas don't have to be very... I don't want to say good but let's say that they don't have to be something very realistic. OK, basically I'm doing my thesis (I've made another SE thread in here a while ago) and one of the questions I have in it is technical measures against SE. Naturally I argue, as well as anyone else would, that this is a social problem. What you can do is have good policies, security awareness, education and training of the staff, well thought out access control and a combination of all these things is what should be done.
But it's more... it's just an interesting question and it doesn't really matter if nothing good comes up. What I would do is go over these measures and evaluate them. I mean if there were some magic trick, I guess that person would be very very rich, so I guess there just are none. So the idea is just to go over them, even if it's an idea that wouldn't work, it's still worth mentioning. If nothing really comes up, then I can basically come to the conclusion that there are no technical measures that we can come up with.
And the ideas can be pretty wild, it doesn't really matter if they can be implemented, this is academia after all :)
-
Re: Technical measures against social engineering
A good idea, but that doesn't prevent someone from pretexting as IT and asking.
I teach this all the time as one of the simple rules of passwords, yet it is easily and quickly forgotten.
-
Re: Technical measures against social engineering
I was just about to add this. You're reading my mind again.
Considering the accuracy problems of polygraphs in even the most scientific of settings, it seems to me that Voice Polygraph over POTS (vPOP, I just coined a new term) would have a long way to go to pass any sort of reasonableness test. And not to mention, having employees sign a user agreement that tells them their voice is being monitored for truthfulness! 1984, here we come.
Quid pro quo, a favorite ingredient of SE.
-
Re: Technical measures against social engineering
Well, on the password example there's a simple solution.
1) Don't give any IT people direct access to any passwords. They have the ability to set a password or to do an automatic reset where they never see the new one.
2) Make sure all employees know that NO ONE will *EVER* ask for their password. And make sure IT doesn't ever actually do it.
Kallahar
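Added example, not part of any post in this thread: a minimal Python sketch of the "automatic reset where they never see the new one" from point 1 above. The class name, the `deliver` callback (standing in for mail to the address on file) and the 15-minute lifetime are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

TOKEN_TTL = 900  # seconds a reset token stays valid (constructed value)

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

class ResetService:
    def __init__(self, deliver):
        self._deliver = deliver   # hypothetical out-of-band channel: deliver(user, token)
        self._pending = {}        # user -> (sha256 of token, expiry time)
        self._creds = {}          # user -> (salt, password hash)
        self.audit = []           # (operator, action, user) records

    def helpdesk_reset(self, operator, user, now=None):
        """Called by IT staff. Returns a status string only, never the token."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self._pending[user] = (digest, now + TOKEN_TTL)
        self._deliver(user, token)   # goes to the address on file, not to the caller
        self.audit.append((operator, "reset-issued", user))
        return "reset token sent to the address on file"

    def redeem(self, user, token, new_password, now=None):
        """Called by the user. The token works once and only before it expires."""
        now = time.time() if now is None else now
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expiry = entry
        if now > expiry:
            del self._pending[user]
            return False
        if not hmac.compare_digest(digest, hashlib.sha256(token.encode()).digest()):
            return False
        del self._pending[user]      # single use
        salt = secrets.token_bytes(16)
        self._creds[user] = (salt, _kdf(new_password, salt))
        return True

    def check(self, user, password):
        salt, stored = self._creds.get(user, (b"", b""))
        return bool(stored) and hmac.compare_digest(stored, _kdf(password, salt))
```

A caller who talks the help desk into issuing a reset gets only the status string back; the token lands wherever the account's registered address points, and the audit list records which operator issued it.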
-
Re: Technical measures against social engineering
I agree with theprez98, for the simple reason that most SE attempts are an end-run around technical blocks in the first place.
Here's the classic example:
Technical block: Username & Password.
SE: Obtain username and password from one who can supply it. "Hi, this is John in IT. Your account seems to be causing some problems with other people's data. What username did you log in under? Uh ha, that's good. And what password? Yup, that's right. OK, look, I'll check some more on this end and get back to you."
As to the one possible solution you mention, I understand that many of those "voice polygraph" devices fail with phone systems due to audio compression & distortion that is a natural consequence of the telephone system.
The biggest failure in an SE attempt is the social aspect. People tend to be trusting in nature and are usually trying to help. Mix that with a certain apathy about security, and SE works.
SE doesn't work where people are conditioned and rewarded not to be helpful, to be suspicious of all persons, and to be aggressive about their responses. But that rarely works in most applications.
-
Re: Technical measures against social engineering
I have a difficult time believing that any technical measures will ever make a significant dent in SE.
-
Re: Technical measures against social engineering
Don't let anyone with the IQ of a cabbage have any outside contact with the world. That'll solve most problems
-
Technical measures against social engineering
I think this is an interesting topic, have you ever come across any ideas? These don't have to be actually in use (if there even are any), just ideas.
For example I've come across lie detectors that measure voice (pitch, frequency etc). In other words, it could be used in phone conversations if it worked well enough. Are there any other ideas how one could use technology to counter social issues?