[plug] Security, Social Engineering, Etc

Christian christian at global.net.au
Wed Mar 1 17:27:52 WST 2000


Colin Muller wrote:
> 
> Interesting article on social engineering attacks here:
> 
> http://www.gocsi.com/soceng.htm

If I'm ever interested in social engineering then I might read it.

> and a 1998 article which puts the threat to information into a wider
> context than just intrusions (places external attacks at 5 to 8% of the
> total dangers to information, dishonest employees at 13%, disgruntled
> ones at 10%):
> http://www.gocsi.com/ip.htm

Yes, he does place the "threat to information" from external attackers
at 5-8% of the total. Mind you, he never clearly states where he gets
this figure from although I suspect it might be from a survey that he
mentions previously...  That in itself should tell you something about
the worth of the article -- A SURVEY!!  If these assertions came from
some relevant, empirical source then they might be worth something but
asking a bunch of people what they think on this subject is probably
next to meaningless (especially since we don't know who these people
even were!).  The paper reads like something aimed at upper management,
there is minimal detail and I didn't notice much original thought
(although I did only skim it).

The fact is, accurately measuring this sort of thing is very difficult
and, in reality, probably can't ever be done properly.  The best answer
I can provide is a (quasi) statistical one in that, given the number of
penetration attempts that I see (virtually daily), I don't see how
internal misuse can possibly match that.  Do employees attempt to
circumvent security controls every single day in every organisation? 
None of the organisations I've seen or worked in have had anything like
that sort of level of corruption.  Of course, the cost to businesses due
to employee fraud might be higher than the (acknowledged/known) costs
due to external attack but the actual number of incidents of misuse is
very unlikely to be.

Regards,

Christian.


