Response Paper

Submitted By Kabir-Manocha
Words: 999
Pages: 4

Kabir Manocha
Dr. Christopher Mascaro
May 04, 2015
INFO 375
Response Paper

The time has gone when security breaches involved only physical or logical attacks. Nowadays, psychological tricks are used to gain unauthorized access to an organization’s network or to obtain sensitive information. This method of influencing and persuading people in order to deceive them into giving up information is called Social Engineering. Information security has reached a level where technology like firewalls and IPS/IDS is not enough to protect an organization from all kinds of threats. Social Engineering attacks are not something new, but in the contemporary world they are the most effective tool for breaching security through phishing, impersonation, and elicitation. The most common types of Social Engineering are Phishing and Spear Phishing. Phishing and spear-phishing emails account for 91% of hacking attacks. In order to tackle the problem of Social Engineering, this article on TechTarget talks about what we can learn from Kevin Mitnick, a security expert. I would like to compare Kevin’s thoughts with another article, “Is Security focused on the wrong problem?”, also published in TechTarget. After reading both articles, I believe constant education of employees in understanding the dangers of social engineering attacks is more important than having them sign and comply with information security policies.

According to Kevin Mitnick, training employees and creating awareness about Social Engineering is the best security strategy. On the other hand, the article “Is Security focused on the wrong problem?” explains how employee awareness training and pen testing can only get so far, and that adopting a new approach, ‘know thy data’, might be the key to reducing social engineering attacks. I believe knowing your data is secondary; what matters is how much employees understand the information security policy and follow it. Employees need to understand the policies, as policies are just written statements; they mean nothing until employees understand them. This can only be achieved with proper training and guidance, as no employee is completely aware of the threats to the company’s information or the information they handle. In my opinion, security policies are like rubrics: just as students require a rubric to complete an assignment, employees require guidelines to handle company information. In the absence of these guidelines, employees rely on their own judgment, which often leads to giving away information they shouldn’t.

As stated in the second article, the ‘know thy data’ approach might bring us a step closer to fighting social engineering attacks, but I feel it would not be effective without understanding the dangers and