Social Engineering - For the Good Guys

Published: 16 Jul, 2001
Created by: James Keeling

A security policy can be defined as: 'The total set of security rules enforced by the network, including hardware and software security mechanisms and controls.' [1] Jim Kerstetter from PC Week Online had this to say about security policy effectiveness: 'Security policies, deciding who has access to what, knowing how to use the security tools already in place, and common sense are the best ways to stop the Huns at the gate. Ignore the human element, and all the unbreakable encryption, firewalls and sophisticated public-key infrastructures are useless.' [2] The best of perimeter defenses, defense in depth, firewalls and intrusion detection are made impotent by a single individual who does not follow the security policy. Jim Williams from netsecurity.about.com also shows how important policy compliance is to the network security industry: '... security falls short not because of a lack of technology but rather because of failed policy.' [3] The purpose of this paper will be to place due emphasis on this important issue. Consideration will be given to the importance of buy-in by management, employees and the security team. Ways will also be provided to promote compliance within all three of these levels by the practical application of social engineering.