Reading Room

Social Engineering

Featuring 16 Papers as of October 15, 2012


  • PDF Obfuscation - A Primer Chad Robertson - October 15, 2012

    PDF, or Portable Data Format, is a widely used business file format that is often the target of exploitation.

  • Covert Channels Over Social Networks Jose Selvi - June 4, 2012

    Today we live in a malware age, with the malware industry growing exponentially (AV-Test, 2012).

  • Which Disney© Princess are YOU? Joshua Brower - March 18, 2010

    Social engineering takes many form; some obvious, some not so obvious. One not so obvious form is that of questionnairesbe it a knock on the door to answer a survey for a census worker, or a harmless quiz found on a social networking site. Depending upon their content, they can serve as a very powerful means of capturing and correlating information for nefarious purposes.

  • Social Engineering: Manipulating the Source Jared Kee - October 14, 2008

    A company has a duty to every employee to inform and prepare them for social engineering attacks. If it fails to do so, it WILL become a victim of such attacks. The methods described in this paper will detail methods you can use for your companys aversion of social engineers.

  • Corporate Espionage 201 Shane Robinson - December 1, 2007

    This paper presents some background information on corporate espionage, who is doing the spying, how it is being done, a few real life examples, and some guidelines to follow in order to protect a business from becoming a victim.

  • Social Engineering: A Means To Violate A Computer System Malcolm Allen - January 18, 2007

    The purpose of this paper is to act as a guide on the subject of Social Engineering and to explain how it might be used as a means to violate a computer system(s) and/or compromise data and the counter-measures that can be implemented to protect against such an attacks.

  • Social Engineering Your Employees to Information Security Martin Manjak - December 19, 2006

    Information security should be part and parcel of a set of internal controls that govern the processes, operations, and transactions that constitute the life of the organization.

  • Corporate Identity Fraud: Life-Cycle Management of Corporate Identity Assets Bryan Fite - April 3, 2006

    The advent of the World Wide Web has provided many new and innovative ways for organizations to conduct business. It has also exposed organizations to new and innovative forms of trademark & brand abuse. Corporate Identity Fraud can be defined as the abuse of traditional and nontraditional identity assets with the intent to divert, deceive or defraud consumers.

  • The Inside Story: A Disgruntled Employee Gets His Revenge Heather Kratt - February 10, 2005

    In this paper, I will present the fictional story of a disgruntled employee who exacts revenge on his employer by stealing sensitive customer information and posting it on a public website. While the character is fictional, the security risk he represents is quite real. I will describe his motive for attacking his employer's network, analyze the tools and techniques that he used to circumvent existing security measures, and detail the steps involved in the attack process.

  • Psychology: A Precious Security Tool Yves Lafrance - June 9, 2004

    Security specialists have to master many technologies to help organizations being more secured. People tend to forget an important factor influencing computer security: The human factor. Understanding attackers' motivation can help to improve security measures.

  • Social Engineering Aaron Dolan - April 8, 2004

    It's not always what you know, it's who you know. Whether it is a good deal on a product, a free place to stay on a vacation or the extra edge to beat out competition for a job, knowing the right people helps people get the things they want.

  • Understanding and Auditing Chris Jones - March 3, 2004

    Social engineering is an oft-underestimated threat that can be warranted against through education and policies and procedures. While most companies are utilizing training and introducing new policies and procedures to combat social engineering, the only way they can be sure these methods are effective is through auditing specifically for these types of attacks.

  • The Enemy Within: A System Administrator's Look at Network Security Lawrence Dubin - October 31, 2003

    This paper addresses the intrusion detection and measures of protection.

  • A Multi-Level Defense Against Social Engineering David Gragg - October 31, 2003

    This paper will add value to the security community in three ways: by incorporating the current social psychological research into the discussion of understanding and resisting social engineering; by using the psychological literature to provide a multi-level defensive strategy for hardening employees to social engineering threats; and by developing the concept of "social engineering land mines" as a part of the multi-level defense against social engineering.

  • The Threat of Social Engineering and Your Defense Against It Radha Gulati - October 31, 2003

    This paper describes various forms of Social Engineering, its cost to the organization and ways to prevent social engineering attacks, highlighting the importance of policy and education.

  • A Proactive Defence to Social Engineering Wendy Arthurs - October 31, 2003

    This paper addresses the need for good policies to defend against social engineering attacks, as well as an effective, on-going security awareness program.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.

All papers are copyrighted. No re-posting or distribution of papers is permitted.

Masters This paper was created by a SANS Technology Institute student as part of their Master's curriculum.