3 Days Left to Save $400 on SANS Cyber Defense Initiative 2014, Wash DC

Reading Room

Sorry! The requested paper could not be found.

Social Engineering

Featuring 17 Papers as of June 17, 2014


  • The SANS 2013 Help Desk Security and Privacy Survey Analyst Paper
    by Barbara Filkins - July 16, 2013 

    Survey/report will serve as a starting point to promote awareness and help bridge the educational gap between what a help desk is and what a secure help desk should be.

  • PDF Obfuscation - A Primer by Chad Robertson - October 15, 2012 

    PDF, or Portable Data Format, is a widely used business file format that is often the target of exploitation.

  • Covert Channels Over Social Networks by Jose Selvi - June 4, 2012 

    Today we live in a malware age, with the malware industry growing exponentially (AV-Test, 2012).

  • Which Disney© Princess are YOU? by Joshua Brower - March 18, 2010 

    Social engineering takes many form; some obvious, some not so obvious. One not so obvious form is that of questionnairesbe it a knock on the door to answer a survey for a census worker, or a harmless quiz found on a social networking site. Depending upon their content, they can serve as a very powerful means of capturing and correlating information for nefarious purposes.

  • Social Engineering: Manipulating the Source by Jared Kee - October 14, 2008 

    A company has a duty to every employee to inform and prepare them for social engineering attacks. If it fails to do so, it WILL become a victim of such attacks. The methods described in this paper will detail methods you can use for your companys aversion of social engineers.

  • Social Engineering Your Employees to Information Security by Martin Manjak - December 19, 2006 

    Information security should be part and parcel of a set of internal controls that govern the processes, operations, and transactions that constitute the life of the organization.

  • Corporate Identity Fraud: Life-Cycle Management of Corporate Identity Assets by Bryan Fite - April 3, 2006 

    The advent of the World Wide Web has provided many new and innovative ways for organizations to conduct business. It has also exposed organizations to new and innovative forms of trademark & brand abuse. Corporate Identity Fraud can be defined as the abuse of traditional and nontraditional identity assets with the intent to divert, deceive or defraud consumers.

  • The Inside Story: A Disgruntled Employee Gets His Revenge by Heather Kratt - February 10, 2005 

    In this paper, I will present the fictional story of a disgruntled employee who exacts revenge on his employer by stealing sensitive customer information and posting it on a public website. While the character is fictional, the security risk he represents is quite real. I will describe his motive for attacking his employer's network, analyze the tools and techniques that he used to circumvent existing security measures, and detail the steps involved in the attack process.

  • Psychology: A Precious Security Tool by Yves Lafrance - June 9, 2004 

    Security specialists have to master many technologies to help organizations being more secured. People tend to forget an important factor influencing computer security: The human factor. Understanding attackers' motivation can help to improve security measures.

  • Social Engineering by Aaron Dolan - April 8, 2004 

    It's not always what you know, it's who you know. Whether it is a good deal on a product, a free place to stay on a vacation or the extra edge to beat out competition for a job, knowing the right people helps people get the things they want.

  • Understanding and Auditing by Chris Jones - March 3, 2004 

    Social engineering is an oft-underestimated threat that can be warranted against through education and policies and procedures. While most companies are utilizing training and introducing new policies and procedures to combat social engineering, the only way they can be sure these methods are effective is through auditing specifically for these types of attacks.

  • The Threat of Social Engineering and Your Defense Against It by Radha Gulati - October 31, 2003 

    This paper describes various forms of Social Engineering, its cost to the organization and ways to prevent social engineering attacks, highlighting the importance of policy and education.

  • A Multi-Level Defense Against Social Engineering by David Gragg - March 13, 2003 

    This paper will add value to the security community in three ways: by incorporating the current social psychological research into the discussion of understanding and resisting social engineering; by using the psychological literature to provide a multi-level defensive strategy for hardening employees to social engineering threats; and by developing the concept of "social engineering land mines" as a part of the multi-level defense against social engineering.

  • Corporate Espionage 201 by Shane Robinson - February 15, 2002 

    This paper presents some background information on corporate espionage, who is doing the spying, how it is being done, a few real life examples, and some guidelines to follow in order to protect a business from becoming a victim.

  • The Enemy Within: A System Administrator's Look at Network Security by Lawrence Dubin - January 7, 2002 

    This paper addresses the intrusion detection and measures of protection.

  • Social Engineering: A Means To Violate A Computer System by Malcolm Allen - October 12, 2001 

    The purpose of this paper is to act as a guide on the subject of Social Engineering and to explain how it might be used as a means to violate a computer system(s) and/or compromise data and the counter-measures that can be implemented to protect against such an attacks.

  • A Proactive Defence to Social Engineering by Wendy Arthurs - August 2, 2001 

    This paper addresses the need for good policies to defend against social engineering attacks, as well as an effective, on-going security awareness program.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.

All papers are copyrighted. No re-posting or distribution of papers is permitted.

Masters - This paper was created by a SANS Technology Institute student as part of their Master's curriculum.