, , , , , , , , ,

Chapters 7 and 8 of the book in many respects are the polar opposites in their nature, with Chapter 7 looking at Wireless networks in the Enterprise and technicalities of different encryption frameworks, authentication and authorization.  Then at the other end is chapter 8 facing into the difficulties of social engineering – the approach of using people’s own nature to divulge sensitive information.  Probably one of the most famous people for this sort of thing is Kevin Mitnick and to acts of social engineering are will illustrated in the influential book  Bruce Stirling’s Hacker Crackdown.

Although Chapter 7 is addressing an area many would view as the dark art of wireless network setup; it is well explained and actually worth reading by anyone who would like to better understand their own home wireless network as lot of the information (not all) is relevant even in that context. For example the benefit of supressing the visibility of the Network ID (SSID) doesn’t make the network invisible – it simply makes it harder to spot as any device such as smart phone will call out yo the network to see if it is present and this information can be picked up just as easily if you know what you’re doing.

Drilling into the social engineering aspect, the book looks at the more obvious and perhaps brute force models such as spam to increasingly subtle takes such using social media communications through the likes of linkedin to send emails loaded with malware and see the end user open them. For example pretending to be an agent with a job offer who has found you via LinkedIn. But beyond that, the amount of information being made available via social sites as it can be a means to establish a organisations’ IT fingerprint and therefore suggest the best routes to attacking IT.  The chapter addresses training, and the pros and cons of different approaches, plus mitigation strategies for the different attack strategies.

Previous blog entries:

There is also a supporting website for the book athttp://www.datacentricsec.com/
Enterprise Security - A Data Centric Approach