SANS InfoSec Reading Room - Social Engineering

<<Reading Room Home
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.

Click Here

Featuring 16 papers as of May 19, 2013
PDF PDF Obfuscation - A Primer
By: Chad Robertson (posted on October 15, 2012)
PDF, or Portable Data Format, is a widely used business file format that is often the target of exploitation.
PDF Covert Channels Over Social Networks
By: Jose Selvi (posted on June 4, 2012)
Today we live in a malware age, with the malware industry growing exponentially (AV-Test, 2012).
PDF Which Disney© Princess are YOU?
By: Joshua Brower (posted on March 18, 2010)
Social engineering takes many form; some obvious, some not so obvious. One not so obvious form is that of questionnaires—be it a knock on the door to answer a survey for a “census” worker, or a “harmless” quiz found on a social networking site. Depending upon their content, they can serve as a very powerful means of capturing and correlating information for nefarious purposes.
PDF Social Engineering: Manipulating the Source
By: Jared Kee (posted on October 14, 2008)
A company has a duty to every employee to inform and prepare them for social engineering attacks. If it fails to do so, it WILL become a victim of such attacks. The methods described in this paper will detail methods you can use for your company’s aversion of social engineers.
PDF Corporate Espionage 201
By: Shane W. Robinson (posted on December 1, 2007)
This paper presents some background information on corporate espionage, who is doing the spying, how it is being done, a few real life examples, and some guidelines to follow in order to protect a business from becoming a victim.
PDF Social Engineering: A Means To Violate A Computer System
By: Malcolm Allen (posted on January 18, 2007)
The purpose of this paper is to act as a guide on the subject of Social Engineering and to explain how it might be used as a means to violate a computer system(s) and/or compromise data and the counter-measures that can be implemented to protect against such an attacks.
PDF Social Engineering Your Employees to Information Security
By: Martin Manjak (posted on December 19, 2006)
Information security should be part and parcel of a set of internal controls that govern the processes, operations, and transactions that constitute the life of the organization.
PDF Corporate Identity Fraud: Life-Cycle Management of Corporate Identity Assets
By: Bryan Fite (posted on April 3, 2006)
The advent of the World Wide Web has provided many new and innovative ways for organizations to conduct business. It has also exposed organizations to new and innovative forms of trademark & brand abuse. Corporate Identity Fraud can be defined as the abuse of traditional and nontraditional identity assets with the intent to divert, deceive or defraud consumers.
PDF The Inside Story: A Disgruntled Employee Gets His Revenge
By: Heather Kratt (posted on February 10, 2005)
In this paper, I will present the fictional story of a disgruntled employee who exacts revenge on his employer by stealing sensitive customer information and posting it on a public website. While the character is fictional, the security risk he represents is quite real. I will describe his motive for attacking his employer's network, analyze the tools and techniques that he used to circumvent existing security measures, and detail the steps involved in the attack process.
PDF Psychology: A Precious Security Tool
By: Yves Lafrance (posted on June 9, 2004)
Security specialists have to master many technologies to help organizations being more secured. People tend to forget an important factor influencing computer security: The human factor. Understanding attackers' motivation can help to improve security measures.
PDF Social Engineering
By: Aaron Dolan (posted on April 8, 2004)
It's not always what you know, it's who you know. Whether it is a good deal on a product, a free place to stay on a vacation or the extra edge to beat out competition for a job, knowing the right people helps people get the things they want.
PDF Understanding and Auditing
By: Chris Jones (posted on March 3, 2004)
Social engineering is an oft-underestimated threat that can be warranted against through education and policies and procedures. While most companies are utilizing training and introducing new policies and procedures to combat social engineering, the only way they can be sure these methods are effective is through auditing specifically for these types of attacks.
PDF The Enemy Within: A System Administrator's Look at Network Security
By: Lawrence Dubin (posted on October 31, 2003)
This paper addresses the intrusion detection and measures of protection.
PDF A Multi-Level Defense Against Social Engineering
By: David Gragg (posted on October 31, 2003)
This paper will add value to the security community in three ways: by incorporating the current social psychological research into the discussion of understanding and resisting social engineering; by using the psychological literature to provide a multi-level defensive strategy for hardening employees to social engineering threats; and by developing the concept of "social engineering land mines" as a part of the multi-level defense against social engineering.
PDF The Threat of Social Engineering and Your Defense Against It
By: Radha Gulati (posted on October 31, 2003)
This paper describes various forms of Social Engineering, its cost to the organization and ways to prevent social engineering attacks, highlighting the importance of policy and education.
PDF A Proactive Defence to Social Engineering
By: Wendy Arthurs (posted on October 31, 2003)
This paper addresses the need for good policies to defend against social engineering attacks, as well as an effective, on-going security awareness program.
SANS Reading Room

The SANS Security Windows track was the best training course I've ever had, far surpassing my already high expectations. Seriously!
-Derek Lidbom, Trone

Security Impact of IPv6 Summit 2013 - Washington

Latest Whitepapers

Event Monitoring and Incident Response
By Ryan Boyle

Dead Linux Machines Do Tell Tales
By James Fung

Setting Up a Database Security Logging and Monitoring Program
By Jim Horwath

Latest Tweets

DFIR Webcast starts in 75 minutes - 50 Shades of Hidden - Di [...]
May 17, 2013 - 3:46 PM

New blog post by @yorikv on pen test tips for file analysis. [...]
May 16, 2013 - 5:07 PM

New Blog Post: SANS EU #DFIR Summit in Prague - Call for Spe [...]
May 16, 2013 - 12:33 AM

Contact Us

(301) 654-SANS (7267)
Mon-Fri 9am - 8pm EST/EDT
info@sans.org

"It has really been an eye opener concerning the depth of security training & awareness that SANS has to offer."
- Michael Hall, Drivesavers

"The amount of knowledge conveyed and technical diving by practical hands-on was well balanced."
- Aaron Moore, Maricopa County

"SANS is a great place to enhance your technical and hands-on skills and tools. I thoroughly recommend it."
- Aaron Waugh, Datacom NZ Ltd