A while back, I decided that I wanted to speak to the Loss Prevention District Manager about social engineering. I was a bit nervous about how it would make me look in the company's eyes if I showed them what I could do. After carefully considering the best way to approach the company, this is the story of what happened.

Password auditing and recovery is often described with a very unfortunate catchall: cracking. The problem with calling it that is that it does not come close to correctly encapsulating an absolutely necessary and invaluable practice for network administrators.

Like most practices related to security, this coin is a double-sided one. This reality is demonstrated in the kinds of tools used by security professionals; you'll often see tools developed for malicious hacking used in legitimate security audits just as you'll often see legitimate security tools used for dubious purposes.

Over the past year there has been an increasing attack on OpenSSH servers thanks to some cleverly crafted scripts aimed at brute forcing their way in with commonly used passwords. I have seen thousands of foreign IP addresses hit my server in an attempt to make their way onto my system.

What can you do to better protect yourself?

The antivirus business is booming. Even though there still isn't universal acceptance of the need for virus protection, the prevalence of the Internet has forced malware into much of the public's consciousness. Most people at least recognize the need for antivirus software.

Too bad the software isn't working all that well.

Do you think you know what social engineering is all about? Maybe you do. Or maybe you only know what the best social engineers want you to know about their craft. In my studies of social engineering over the years, I've found a number of myths that surround it and it's practice. Let's see how many of your assumptions are correct.