Personnel enumeration entails seeking out employee names, email addresses, telephone and FAX numbers, office locations, training and skill requirements, job titles, job descriptions, employment histories, trust relationships between employees, pay scales, internal social politics, personnel dissatisfaction, turnover rates, hirings and firings, social activities, hobbies, and personalities.
This type of information is generally seen by employees as insignificant and is, therefore, leaked out onto the Internet with little or no thought or understanding of the impact that it may have on the organization's security, or on the employees themselves. By gathering personnel information, an attacker is able to passively develop a profile of various individuals and roles, allowing vulnerable employees to be enumerated and trusted users to be determined. One specific type of personnel that attackers attempt to profile is technical employees. Interactions with technical employees should be treated with caution as they are generally more security aware; however, they are highly sought after by attackers due to the likelihood that they have elevated privileges on the internal systems. Less technical staff members, as well as new staff members, are also popular targets as they aren't as likely to understand the implications of breaching the IT security policy, if they even know what the IT security policy consists of, and therefore may leak sensitive information to the Internet.
Some Internet search engines provide a "People Search" option, such as http://www.zoominfo.com, where you can almost instantly create profiles of people based on information found on the Internet. This, however, is not the biggest threat. Personal networking websites, such as Facebook, LinkedIn, Orkut, and MySpace, allow individuals to develop their professional and social networks. These sites also provide an attacker with the ability to search for and enumerate an enormous amount of information about individuals. Facebook (http://www.facebook.com) is a prime example of a social networking website where an attacker is able to search for people based on name, sex, town, state, country, zip code, relationship status, whether they are looking for a relationship, political and religious views, interests, activities, music, movies, TV shows, books, education, land phone and mobile phone, email address, company name, or position.
By searching for a company name only, an attacker is able to enumerate possibly hundreds of employees' profiles within a target organization, including all of the just-listed details, as well as photos, friends' names and profiles, groups they have joined, cities and countries they have visited, what they did on Friday, whether they are good dancers, what drinks they like, restaurants they visit, and even what they are doing right now! If you think you need more information than this to pull off a successful social engineering attack, then you are probably in the wrong profession and should get out now!
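The same reasoning the passage applies from the attacker's side can be turned around by a security team to decide whose public footprint to review first. The following Python script is an added example, not code from the original text: it takes constructed records of what employees have published about themselves (the profile records, field names and weights are all assumptions, not a real social-network API) and scores each person using the criteria the passage names: contact details and employer name published, friends and status updates visible, a technical role that likely carries elevated privileges, and short tenure. It also reports how many profiles disclose the company name, since that single field is the pivot that lets a company's staff be enumerated in one search.

```python
"""Personnel-exposure triage over constructed public-profile records.

Added example, not from the original text. Given what employees have
published about themselves, estimate how easily each one could be profiled
and rank who warrants an awareness review first. All records, field names
and weights below are constructed assumptions, not a real API or dataset.
"""
from dataclasses import dataclass

# Profile fields the passage lists as useful to an attacker, with assumed
# weights: direct contact details and social graph weigh the most.
FIELD_WEIGHTS = {
    "email": 3,
    "phone": 3,
    "company": 2,
    "position": 2,
    "friends_visible": 2,
    "status_updates": 2,
    "location": 1,
    "education": 1,
    "interests": 1,
}

# Roles treated as technical staff (likely to hold elevated privileges).
TECHNICAL_ROLES = {"sysadmin", "developer", "network engineer", "dba"}

NEW_HIRE_MONTHS = 6  # assumed threshold for "new staff"


@dataclass
class Profile:
    name: str
    role: str
    months_employed: int
    public_fields: set  # field names this person has made public


def exposure_score(p: Profile) -> int:
    """Weighted count of published fields plus role and tenure bonuses."""
    score = sum(FIELD_WEIGHTS.get(f, 0) for f in p.public_fields)
    if p.role.lower() in TECHNICAL_ROLES:
        score += 4  # elevated privileges make the profile more valuable
    if p.months_employed < NEW_HIRE_MONTHS:
        score += 3  # new staff are less likely to know the security policy
    return score


def triage(profiles) -> list:
    """Return (name, score) pairs, highest exposure first, ties by name."""
    scored = ((p.name, exposure_score(p)) for p in profiles)
    return sorted(scored, key=lambda t: (-t[1], t[0]))


def recommendations(p: Profile) -> list:
    """Published fields worth asking the employee to restrict (weight >= 2)."""
    return sorted(f for f in p.public_fields if FIELD_WEIGHTS.get(f, 0) >= 2)


def company_disclosure_rate(profiles) -> float:
    """Fraction of profiles that publish the employer name."""
    if not profiles:
        return 0.0
    return sum(1 for p in profiles if "company" in p.public_fields) / len(profiles)


# Constructed sample records (not real people).
SAMPLE_PROFILES = [
    Profile("A. Sysadmin", "sysadmin", 48,
            {"email", "company", "position", "friends_visible", "status_updates"}),
    Profile("B. Newhire", "receptionist", 2,
            {"phone", "company", "location", "interests"}),
    Profile("C. Veteran", "accountant", 120, {"education"}),
]

if __name__ == "__main__":
    for name, score in triage(SAMPLE_PROFILES):
        print(f"{name:12s} exposure={score}")
    print(f"profiles disclosing employer: {company_disclosure_rate(SAMPLE_PROFILES):.0%}")
    for p in SAMPLE_PROFILES:
        print(f"{p.name}: ask to restrict {recommendations(p) or 'nothing'}")
```

On the constructed sample the technical employee who publishes contact details, employer and social graph ranks first, the new hire second, and the long-tenured employee with only education visible last; two of the three profiles disclose the employer name. The weights are deliberately simple so a team can replace them with its own risk model.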