A Social Engineering Project in a Computer Security Course

By Endicott-Popovsky, Barbara; Lockwood, Diane L. | Academy of Information and Management Sciences Journal, January 1, 2006

ABSTRACT

A small private university began to offer undergraduate and graduate courses in computer security during the academic year 2002-2003 within the schools of computer science and business. In the introductory computer security course, a "social engineering" team project was included as a required assignment. This article briefly summarizes the social engineering literature, describes the project assignment and learning objective, provides actual student sample deliverables, and presents results of a follow-up student survey on the experience. The lessons learned from this effort should prove useful to other universities and instructors contemplating similar coursework.

INTRODUCTION

A woman, ostensibly from the human resources department, calls the company help desk and says she has forgotten her password. In a panic, she adds that if she misses the deadline to submit employee insurance applications online, all employees will be without health insurance until the problem can be corrected, and that she might even be fired for this. The help desk worker feels sorry for her and quickly resets the password, unwittingly giving a hacker entrance into the corporate network. The hacker got the names of human resources employees from the company's recycling bin the previous night. This caper is known as social engineering. Social engineering is essentially a con job carried out to obtain information, or access to systems, that is normally available only to privileged users (Mitnick, 2002). Social engineering is the human side (i.e., "wetware" in hacker slang) of breaking into a corporate network. Organizations with elaborate firewalls, authentication processes, virus scan software, and network security monitoring technology are "still open to an attack if an employee unwittingly gives away key information in an email, by answering questions over the phone with someone they don't know," by not shredding sensitive documents, or even by talking about a project with coworkers at a restaurant (Gaudin, 2002b).

Kevin Mitnick, the famous convicted computer hacker, offered advice to businesses afraid that corporate spies and hackers may gain access to their internal systems using social engineering, saying that "on the corporate side, as an employee, it all comes down to user awareness and education" (Savage, 2003).

Courses in computer security predominantly discuss the technical side of security (e.g., encryption, network security defenses, firewalls, software reliability, digital certificates, wireless eavesdropping, biometrics), but often give short shrift to the human side of security, especially social engineering. The purpose of this article is to describe a social engineering student project that was undertaken to increase student awareness of this serious security vulnerability. The lessons learned from this effort should prove useful to other universities and instructors contemplating similar coursework (Vaughn & Boggess, 1999).

DESCRIPTION OF SOCIAL ENGINEERING ASSIGNMENT

Students in a graduate MBA business class on computer security were given a reading assignment from Kevin Mitnick's book, The Art of Deception (Mitnick, 2002), to learn what is meant by social engineering. With that background, they were asked to develop an exploit against a specific target person on campus, using information gleaned from any open source (e.g., telephone directories, dumpsters, waste baskets, online information, and any other publicly available information). They were prohibited from impersonating anyone such as campus police, since impersonating a law enforcement official is a criminal offense. They were also prohibited from contacting the target ("mark") directly, or from actually executing their exploit.

To bound and control this assignment, student activities were confined to local campus personnel, and campus security was informed to prevent any misunderstandings. Students were instructed to carry a copy of their assignment (see Appendix A) at all times in the event they were confronted; however, they were warned that getting caught would result in a significant deduction of points!
