You are here: Home Contents V4 N2 V4N2_White.html
Personal tools

Just Trying to Be Friendly: A Case Study in Social Engineering



Full text

Journal of Information System Security
Volume 4, Number 2 (2008)
Pages 5685
ISSN 1551-0123
Doug White — Roger Williams University, USA
Alan Rea — Western Michigan University, USA
Information Institute Publishing, Washington DC, USA




This case is to be used in networking or general security courses Using a generational system security approach (Baskerville 1993; Siponen 2001) the case demonstrates how security policies and organizational procedures that do not take into account socio-technical approaches will ultimately not protect organizational systems in today's Digital Economy.

The scenario has been modified to protect the organizations and individuals involved. The case examines this scenario and focuses on how a security consultant tries to determine a technical solution only to find that the answer is in the social engineering realm. This case focuses on developing techniques to determine, evaluate, and then thwart social engineering mechanisms through the use of user education and socio-technical security policies and procedures.




Social Engineering, Case Studies, Data Security, Security Education, Hacker Tactics




AccessData (2008), "FTK Imager Forensic Toolkit",, 6 September 2008.

AWStats (2008), "AWStats: Free Real-time Log Scanner",, 5 September 2008.

Backhouse, J. and Dhillon, G. (1996), "Structures of Responsibilities and Security of Information Systems", European Journal of Information Systems, 5(1): 2-10.

Baskerville, R. (1993), "Information Systems Security Design Methods: Implications for Information Systems Development", ACM Computing Surveys (CSUR), v.25 n.4: 375-414.

Bernstein, D.J., (2007), "Poisoning",, 3 March 2007. (2008), "Quarterly Retail E-Commerce Sales: 2nd Quarter 2008",, 6 September 2008.

Dhillon, G. (1997), Managing Information Systems Security. McMillan Press LTD, UK.

Dhillon, G. and Moore, S (2001), "Computer Crimes: Theorizing about the Enemy Within", Computers & Security, 20(8): 715-723.

Fyodor (2008), "NMAP: Network Mapper",, 6 September 2008.

Gerace, T. and Cavusoglu, H. (2005), "The Critical Elements of Patch Management", SIGUCCS 2005. November 6-9. Monterey, CA.

GFI (2008), "GFIEventsManager",, 6 September 2008.

GFI (2007a), "GFIEventsManager",, 3 March 2007.

Goodhue, D. L. and Straub, D. W. (1991), "Security Concerns of System Users: A Study of Perceptions of the Adequacy of Security Measures", Information & Management, (20:1): 13-27.

Granger, S. (2001). "Social Engineering Fundamentals, Part I: Hacker Tactics",,, December 18, 2001.

Kerner, S.M. (2005), "Retail E-Commerce Growth Outpacing the Pack",, 24 May 2005.

Lewandowski, J. O. (2005), "Creating a Culture of Technical Caution: Addressing the Issues of Security, Privacy Protection and the Ethical Use of Technology", SIGUCCS 2005. November 6-9. Monterey, CA.

Limoncelli, T. and Hogan, C. (2002), The Practice of System and Network Administration, Addison-Wesley, New York.

Mandriva (2008), "Mandrake Linux",, 6 September 2008.

Mitnick, K., and Simon W. (2002), The Art of Deception: Controlling the Human Element of Security, Wiley Publishing Inc, Indianopolis, IN.

MySQL (2008), "MySQL: The World's Most Popular Database",, 6 September 2008.

Nessus (2008), "Nessus Open Source Vulnerability Scanner Project",, 6 September 2008. (2008), "NetStumbler",, 6 September 2008.

Noblett, M., Pollitt, M., and Presley, L. (2000), "Recovering and Examining Forensic Computer Evidence", Forensic Science Communications, 2(4). (2008), "John the Ripper Password Cracker",, 6 September 2008.

Orgill, G., Romney, G., Bailey, M., and Orgill, P. (2004). "The Urgency for Effective User Privacy-Education to Counter Social Engineering Attacks on Secure Computer Systems". Conference on Information Technology Education. Proceedings of the 5th Conference on Information Technology Education. October 28-30. Salt Lake City, UT.

Panurach, P. (1996), "Money in Electronic Commerce: Digital Cash, Electronic Fund Transfer, and Ecash", Communications of the ACM, 39(6): 45-50.

PCSTATS (2003), "Beginners Guides: Forgotten Passwords & Recovery Methods",, 17 December 2003.

Reardon, M. (2004), "Browser Security Takes off in VPNs",, 14 January 2004.

Regan, K. (2002), "U.S. : E-Commerce Up 24 Percent in Q2",, 23 August 2002.

Rogers, L. (2004). "What is a Distributed Denial of Service (DDoS) Attack and What Can I Do About It?",, 6 September 2008.

Rogers, L. (2006), "Buffer Overflows: What Are They and What Can I Do About Them?", Special Report,, 2006. (2002), "SQL Injection Walkthrough",, 26 May 2002.

SecurityFocus (2003), "IP Spoofing: An Introduction",, 3 November 2003

Seelig, C. (2005), "Bastion Server",, 6 July 2005.

Segev, A., Porra, J, and Roldan, M. (1998), "Internet Security and the Case of Bank of America", Communications of the ACM, Vol. 41, No. 10: 81-87.

Siponen, M. (2001), "An Analysis of the Recent IS Security Development Approaches: Descriptive and Prescriptive Implications", in Information Security Management:

Global Challenges in the New Millennium, eds. G. Dhillon, Hershey: Idea Group.

Straub, D. W. and Welke, R. J., (1998), "Coping with Systems Risks: Security Planning Models for Management Decision Making", MIS Quarterly, 22: 441-469.

The Apache Server Foundation (2008), "Apache HTTP Server Project",, 6 September 2008.

The Register (2004), "Security Report: Windows vs Linux",, 2 October 2004.

ThinkQuest (2007), "Cybercrime: Piercing the Darkness",, 3 March 2007.

Tripwire (2008), "Open Source Tripwire",, 6 September 2008.

White, D. and Rea, A. (2003). "The Jing An Telescope Factory (JATF): A Network Security Case Study", Journal of Information Systems Education, (14:3): 307-318.

Xu, J., Kil, C., Zhai, Y., and Bookholt, C. (2005), "Automatic Diagnosis and Response to Memory Corruption Vulnerabilities", CCS 2005. November 7-11, Alexandria, VA.

Yarden, S. (1997), "Evaluating the Performances of Electronic Commerce Systems", Winter Simulation Conference. December 7-10. Atlanta, GA.