Cisco Blogs


Cisco Blog > Security

Social Engineering – A Threat Vector

What is “social engineering?” A simple working definition that I like is, “to induce an individual to take an action in which they otherwise would not engage.” This begs a second question, “What does this have to do with business?” It means that employees of businesses, both large and small, may become targets of unscrupulous and malevolent entities interested in obtaining the information or assets belonging to the business. The individuals may wish to engage in criminal behavior and break into your business headquarters; may attempt to follow an employee through the side door, or perhaps speak to you on the telephone and ask you to share the phone number of an executive; provide your user id and password; reveal the physical whereabouts of a facility or executive.

In all cases two factors are always at play – compassion and urgency. The individual will attempt to trigger the target’s basic human trait to be helpful. The individual will also infuse a sense of urgency in their quest for information or specific action with the expectation that you won’t have sufficient time to verify their proffered bona fides.

So what happens before the phone rings or you’re faced with an unknown person either face-to-face, on the phone, in an instant message window, or via a Twitter/Facebook exchange?

Read More »

Where’s Waldo? Adjusting Law and Policy for Location-Based Services

Last month, my colleague Christopher Burgess shared some thoughts on the “double-edged sword” of location-based services at the Huffington Post. In his post, Christopher highlighted how these services could alternately be a benefit, and where they might cross a line and become undesirable. Recently, some US Federal courts have heard cases about the legality of GPS tracking, including how and when such tracking should require a search warrant. While it will be up to people with far more legal experience than I have to debate exactly how these decisions will impact individual rights vs. police or government powers, I do think that there is something to be concerned about from a purely technical viewpoint. Whether used by government officials or attackers who have unauthorized access to this information, location-based data could result in a person being picked from a crowd when they least expect it.

Read More »

Governments Hash Out Social Media Policies

Facebook membership recently passed 500 million, prompting some to observe that if the social networking site were a country, it would now be the third most populous in the world after China and India. Certainly, the explosive growth of social media communities like Facebook, Twitter, and YouTube, and the part they are coming to play in politics and global business, has made government officials and business executives sit up and take note. Within the space of a few short years, social media and the Internet—in tandem with globalization and the birth of a new middle class—have emerged as forces challenging traditional assumptions of physical borders, individual rights, and cultural identity.

The networks and friendships created online may prove stronger than traditional national boundaries. They may erode political power in one place and create it overnight in another. Governments can embrace or guide social media, discourage or try to shut it down, or use it as a barometer of public opinion. What they cannot do is ignore it.

Read More »

Spotting Trends in Security Industry Reports

What is the state of information security today? Where do organizations stand in comparison to the attackers who are determined to compromise their information resources? What methods are working to protect information assets, and what trends should influence future security purchasing or deployment decisions?

These kinds of questions and more are addressed in the periodic security reports released by security companies on a regular basis. Cisco of course released its 2010 Midyear Security Report recently, and we have also seen the Verizon Business Security 2010 Data Breach Investigation Report and the McAfee Security Journal Summer 2010 issue, and many others. From reading these three reports, in particular, I picked out some similarities about the goings-on in the industry and what the next few years might hold.

Unfortunately, it appears that we will still have to deal with raising awareness about what is appropriate to send to the landfill.

Read More »

On Information Entropy

In this blog post you will learn about entropy within the domain of information theory. You will learn what entropy is and how to compute it. You will be shown some simple C code snippets to bring theory into application. Also, you will be shown why it is an important measurement in the field of computer security. Finally, we will cover some practical applications of entropy calculation and analysis.

Read More »