A brief introduction to social engineering
16 March 2011, 12:02
Computer security is difficult (perhaps even impossible), but imagine for a minute that we have managed to achieve it. Strong cryptography is used wherever necessary, and security protocols perform their functions flawlessly. We have reliable hardware and reliable software at our disposal. Even the network in which we work is perfectly secure. Wonderful!

Unfortunately, this is not enough. This remarkable system can only do something useful with the participation of users. And this human-computer interaction poses the greatest threat of all.
People are often the weakest link in security measures, and they are always the cause of their failure.
In security terms, the mathematics is perfect, computers are vulnerable, networks are generally lousy, and people are simply abysmal.
Bruce Schneier, "Secrets and Lies: Digital Security in a Networked World"


Intro


Information is one of a company's most important assets. Information may constitute a commercial secret of the company, that is, information which under existing or possible circumstances allows the company to increase revenue, avoid unnecessary costs, maintain its position on the market for goods, works and services, or obtain other commercial benefit. Accordingly, such information must be protected.
Since people work in every company, the human factor is inevitably present in all of the organization's processes, including the process of protecting confidential information.
"Human factor" is an established term denoting the mental capabilities of a person as a potential or actual source (cause) of information problems when that person uses modern technology.

Any action by a person that is connected with a security breach falls into one of two broad categories: intentional and unintentional actions.

Intentional actions include theft of information by employees, and the modification or destruction of information (sabotage). This is an extreme case, and it is dealt with after the fact, with the involvement of officers of the Ministry of Internal Affairs.
Unintentional actions include the loss of storage media, and the destruction or falsification of information through negligence. The person does not realize that his actions lead to a violation of trade secrets.
Unintentional actions also include "assistance" to outsiders, or so-called social engineering: the employee does not realize that his actions are aimed at violating trade secrets, while the one who asks him to do it knows perfectly well that the security regime is being violated.

Social engineering is a method (of attack) for gaining unauthorized access to information or to information storage systems without the use of technical means. The method is based on the weaknesses of the human factor and is very effective. The attacker obtains information, for example, by collecting information about the employees of the target organization, using a simple telephone call, or by entering the organization under the guise of one of its employees. An attacker could call an employee of the company (posing as technical support) and find out his password, citing the need to resolve a small problem in the computer system. Very often this trick works. The most powerful weapons here are the attacker's pleasant voice and acting ability. The names of employees can be found out after a series of phone calls, and the names of managers can be learned from the company's website and other public sources of information (reports, advertising, etc.). Using real names in a conversation with technical support, the attacker tells an invented story about being unable to get into an important meeting on the site with his dial-up account. Other sources used in this method are searching the organization's dumpsters and virtual wastebaskets, and stealing laptops and other media. This method is used when the attacker has chosen a specific company as the victim.

Social Engineering Techniques


All social engineering techniques are based on the characteristics of human decision making.
Pretexting is an action carried out according to a pre-prepared scenario (pretext). As a result, the target (victim) must give out certain information or perform a certain action. This kind of attack is usually carried out by telephone. Most often this technique involves more than just a lie and requires prior research (for example, personalization: finding out the name of the employee, his position and the names of the projects he is working on) in order to gain the target's trust.


Phishing is a technique aimed at fraudulently obtaining confidential information. Typically, the attacker sends the target an e-mail forged to look like an official letter from a bank or payment system, which demands "verification" of certain information or the performance of certain actions. This letter usually contains a link to a fake web page that reproduces an official one, with the corporate logo and content, and contains a form asking you to enter sensitive information, from your home address to the PIN of a credit card.

Trojan horse: This technique exploits the target's curiosity or greed. The attacker sends an e-mail containing an attachment presented as an important anti-virus update, or even as fresh dirt on a colleague. This technique remains effective as long as users blindly open any attachment.

Road apple: This attack method is an adaptation of the Trojan horse and uses physical media. An attacker leaves an infected CD or flash drive in a place where it can easily be found (a corridor, an elevator, a parking lot). The medium is forged to look official and is accompanied by a label designed to arouse curiosity.
Example: An attacker could leave a CD bearing the corporate logo and a link to the official website of the target company, and label it "Salary guidelines for Q1 2010". The disc can be left on the floor of the elevator or in the lobby. An employee may unknowingly pick up the disc and insert it into a computer to satisfy his curiosity.

Quid pro quo: An attacker can call a random number in a company, introduce himself as technical support, and ask whether there are any technical problems. If there are, then in the course of "solving" them the target enters commands that allow the attacker to run malicious software.

Reverse social engineering
The purpose of reverse social engineering is to make the target turn to the attacker for "help". For this purpose, the attacker can use the following techniques:
Sabotage: creating a reversible failure on the victim's computer.
Advertisement: the attacker slips the victim an advertisement of the form "If you have problems with your computer, call this number" (this mainly concerns employees who are travelling or on leave).

Countermeasures


The most basic means of protection against social engineering is training: forewarned is forearmed, and ignorance, in turn, is no excuse. All company employees should be aware of the danger of disclosing information and of how to prevent it.
In addition, employees must have clear instructions on how and on what topics they may talk with a given person, and on what information they need to obtain from their interlocutor in order to authenticate him reliably.

Here are some rules that will be useful:

1. All user passwords are the property of the company. All employees should be told on the day they are hired that the passwords issued to them may not be used for any other purpose whatsoever, such as authentication on web sites (it is well known that a person finds it hard to keep track of all his passwords and access codes, and so often uses the same password in different situations).

How can this vulnerability be used in social engineering? Suppose an employee has fallen victim to phishing. As a result, his password on some website has become known to third parties. If this password is the same as the one he uses in the company, there is a potential security threat to the company.

In principle, the employee does not even need to have fallen victim to phishing. There is no guarantee that the site on which he authenticated maintains the required level of security. So the potential threat is always present.

2. All staff should be instructed on how to behave with visitors. Clear rules are needed for identifying a visitor and his escort. A visitor should always be accompanied by one of the company's employees. If an employee meets a visitor wandering through the building alone, he should have the necessary instructions to properly find out why the visitor is in this part of the building and where his escort is.

3. There should be a rule to disclose only the information that is really necessary, both by telephone and in personal conversation, as well as a procedure for verifying that the person asking for something is a real employee. It is no secret that most of the information an attacker obtains comes from direct communication with employees. It must also be taken into account that in large companies employees may not know each other, so an attacker can easily pose as an employee who needs help.

All the above measures are quite simple, but most staff forget about them and about the responsibility they accepted when signing a commitment not to disclose trade secrets. Companies spend huge sums on technical means of ensuring information security, yet these technical means can be bypassed if employees do not apply measures to counter social engineers and the security service does not periodically check the staff's vigilance. In that case the money spent on information security will be wasted.

P.S. If the topic is of interest, in the next post I will tell more about the methods and procedures that help minimize the negative consequences associated with social engineering techniques.
Views: 501 | Added by: w1zard | Rating: 0.0/0
Total comments: 0