A Social Engineering Project in a Computer Security Course

ABSTRACT A small private university began to offer undergraduate and graduate courses in computer security during the academic year 2002-2003 within the schools of computer science and business. In the introductory computer security course, a "social engineering" team project was included as a required assignment. This article briefly summarizes the social engineering literature, describes the project assignment and learning objective, provides actual student sample deliverables, and presents results of a follow-up student survey on the experience. The lessons learned from this effort should prove useful to other universities and instructors contemplating similar coursework. INTRODUCTION A woman, ostensibly fromthe human resources department, calls the company help desk and says she has forgotten her password. In a panic, she adds that if she misses the deadline to submit employee insurance applications online, all employees will be without health insurance until the problem can be corrected, adding that she might even be fired for this. The help desk worker feels sorry for her and quickly resets the password - unwittingly giving a hacker entrance into the corporate network. The hacker got the names of human resources employees from the company's recycling bin the previous night. This caper is known as social engineering. Social engineering is basically pulling a con job to get information or access to systems that are normally only used by privileged users (Mitnick, 2002). Social engineering is the human side (i.e., "wetware" in hacker slang) of breaking into a corporate network. Organizations with elaborate firewalls, authentication processes, virus scan software, and network security monitoring technology are "still open to an attack if an employee unwittingly gives away key information in an email, by answering question over the phone with someone they don't know," by not shredding sensitive documents, or even talking about a project with coworkers at a restaurant (Gaudin, 2002b). Kevin Mitnick, the famous convicted computer hacker, offered advice to businesses afraid that corporate spies and hackers may gain access to their internal systems using social engineering saying that "on the corporate side, as an employee, it all comes down to user awareness and education (Savage, 2003)." Courses in computer security predominantly discuss the technical side of security (e.g., encryption, network security defenses, firewalls, software reliability, digital certificates, wireless eavesdropping, biometrics.), but often give short shrift to the human side of security - especially social engineering. The purpose of this article is to describe a social engineering student project that was undertaken to increase student awareness of this serious security vulnerability. The lessons learned from this effort should prove useful to other universities and instructors contemplating similar coursework (Vaughn & Boggess, 1999). DESCRIPTION OF SOCIAL ENGINEERING ASSIGNMENT Students in a graduate MBA business class on Computer security were given a reading assignment from Kevin Mitnick's book, The Art of Deception (Mitnick, 2002), to learn what is meant by social engineering. With that background, they were asked to develop an exploit, using information gleaned from any open source (e.g., including telephone directories, dumpsters, waste baskets, online information, and any other publicly available information), against some specific target person on campus. They were prohibited from actually impersonating anyone like campus police since impersonating a law enforcement official is considered a criminal offense. They were also prohibited from contacting the target "mark" directly, or actually executing their exploit. To bound and control this assignment, student activities were confined to local campus personnel and campus security was informed to prevent any misunderstandings. Students were instructed to carry a copy of their assignment (see Appendix A) at all times in the event they were confronted; however, they were warned that getting caught would result in a significant deduction of points! …