Summary
Many organizations spend considerable sums on technical infrastructure to ensure information security, while still lacking any systematic approach to counter so-called "social engineering" attacks, in which people gain illegitimate access to information or computing resources, for instance by simply calling and asking for the information, rather than by using advanced hacking attacks. Increased awareness through employee training is an obvious way to reduce the success ratio of such attacks, but possibly even more could be gained by combining this with clearly defined policies and processes for dealing with such attacks. Commonly suggested processes advocate the systematic verification of identity for information requests that may be legitimate if the caller is who he claims to be, and flat rejection of illegitimate requests. This paper argues that an alternative approach, where the attacker is lured on, believing that the attack is succeeding, might in some cases provide even better protection.