A Social Engineering Project in a Computer Security Course

By Endicott-Popovsky, Barbara; Lockwood, Diane L. | Academy of Information and Management Sciences Journal, January 1, 2006


ABSTRACT

A small private university began to offer undergraduate and graduate courses in computer security during the academic year 2002-2003 within the schools of computer science and business. In the introductory computer security course, a "social engineering" team project was included as a required assignment. This article briefly summarizes the social engineering literature, describes the project assignment and learning objective, provides actual student sample deliverables, and presents results of a follow-up student survey on the experience. The lessons learned from this effort should prove useful to other universities and instructors contemplating similar coursework.

INTRODUCTION

A woman, ostensibly from the human resources department, calls the company help desk and says she has forgotten her password. In a panic, she adds that if she misses the deadline to submit employee insurance applications online, all employees will be without health insurance until the problem can be corrected, adding that she might even be fired for this. The help desk worker feels sorry for her and quickly resets the password - unwittingly giving a hacker entrance into the corporate network. The hacker got the names of human resources employees from the company's recycling bin the previous night. This caper is known as social engineering. Social engineering is basically pulling a con job to get information or access to systems that are normally only used by privileged users (Mitnick, 2002). Social engineering is the human side (i.e., "wetware" in hacker slang) of breaking into a corporate network. Organizations with elaborate firewalls, authentication processes, virus scan software, and network security monitoring technology are "still open to an attack if an employee unwittingly gives away key information in an email, by answering question over the phone with someone they don't know," by not shredding sensitive documents, or even talking about a project with coworkers at a restaurant (Gaudin, 2002b).

Kevin Mitnick, the famous convicted computer hacker, offered advice to businesses afraid that corporate spies and hackers may gain access to their internal systems using social engineering, saying that "on the corporate side, as an employee, it all comes down to user awareness and education" (Savage, 2003).

Courses in computer security predominantly discuss the technical side of security (e.g., encryption, network security defenses, firewalls, software reliability, digital certificates, wireless eavesdropping, biometrics), but often give short shrift to the human side of security - especially social engineering. The purpose of this article is to describe a social engineering student project that was undertaken to increase student awareness of this serious security vulnerability. The lessons learned from this effort should prove useful to other universities and instructors contemplating similar coursework (Vaughn & Boggess, 1999).

DESCRIPTION OF SOCIAL ENGINEERING ASSIGNMENT

Students in a graduate MBA business class on computer security were given a reading assignment from Kevin Mitnick's book, The Art of Deception (Mitnick, 2002), to learn what is meant by social engineering. With that background, they were asked to develop an exploit, using information gleaned from any open source (e.g., telephone directories, dumpsters, waste baskets, online information, and any other publicly available information), against some specific target person on campus. They were prohibited from actually impersonating anyone like campus police, since impersonating a law enforcement official is considered a criminal offense. They were also prohibited from contacting the target "mark" directly, or actually executing their exploit.

To bound and control this assignment, student activities were confined to local campus personnel and campus security was informed to prevent any misunderstandings. Students were instructed to carry a copy of their assignment (see Appendix A) at all times in the event they were confronted; however, they were warned that getting caught would result in a significant deduction of points! …
