Temple University

Week 8 Reading Summary, Question, and In The News…

Allen, M. (2006). “Social Engineering: A Means To Violate A Computer System”, SANS Institute Reading Room. Allen’s article provides a good introduction to and overview of social engineering. It covers definitions, workflow (or “Cycle”), the motivation and traits of the social engineer, countermeasures and controls for social engineering risks, and reviews and attack simulation to maintain preparedness. Allen describes the following 8 core controls that organizations can implement: Management buy-in, Security policy, Physical security, Education/Awareness, Good security architecture, Limit data leakage, Incident response strategy, and Security culture. He goes on to report that social engineering testing is unpopular among many organizations, leaving simulated attacks the least common of the approaches to maintaining preparedness.

Question for Class: Are senior citizens easier targets for social engineering than younger people? Why or why not?

In the News: “Amazon Downplays Cloud Breach Threat”. Referring to the research article “Seriously, Get Off My Cloud! Cross-VM RSA Key Recovery in a Public Cloud”, Mathew Schwartz reports that security researchers at Worcester Polytechnic Institute were able to use one virtual machine within Amazon Web Services’ Elastic Compute Cloud (EC2) to hack into another, co-located virtual machine. The researchers demonstrated that “colocation can be achieved, and detected by monitoring the last-level cache in public clouds. More significantly,” they “present a full-fledged attack that exploits subtle leakages to recover RSA decryption keys from a co-located instance.” http://www.databreachtoday.com/amazon-downplays-cloud-breach-threat-a-8581.
