最近的一条新闻让我意识到人类的情感和思想如何可以(或,被)用于他人的利益。几乎你们每个人都知道爱德华·斯诺登(Edward Snowden ),他是美国国家安全局( (Edward Snowden)NSA )窥探世界的告密者。路透社报道说,他让大约 20-25名NSA人员将他们的密码交给他,以恢复他后来泄露的一些数据 [1]。想象一下(Imagine),即使使用最强大和最好的安全软件,您的公司网络也会变得多么脆弱!
什么是社会工程学
人类(Human)的弱点、好奇心、情感和其他特征经常被用于非法提取数据——无论是任何行业。然而, IT 行业(IT Industry)已将其命名为社会工程。我将社会工程学定义为:
“The method whereby an external person gains control over one or more employees of any organization by any means with intention to obtain the organization’s data illegally”
这是我想引用的同一新闻报道 [1] 中的另一句话——“安全机构很难接受隔壁隔间里的人可能不可靠的想法(Security agencies are having a hard time with the idea that the guy in the next cubicle may not be reliable)”。我稍微修改了该语句以使其适合此处的上下文。您可以使用参考(References)部分中的链接阅读完整的新闻。
换句话说,您无法完全控制组织的安全性,因为社会工程的发展速度比应对它的技术要快得多。社交(Social)工程可以像打电话给某人说您是技术支持并要求他们提供登录凭据一样。您一定一直在收到关于彩票、中东(Mid East)和非洲(Africa)富人想要商业合作伙伴的网络钓鱼电子邮件,以及询问您详细信息的工作机会。
与网络钓鱼攻击不同,社会工程在很大程度上是直接的人与人之间的互动。前者(网络钓鱼)使用诱饵——也就是说,“钓鱼”的人正在向您提供一些东西,希望您会爱上它。社会(Social)工程学更多的是赢得内部员工的信任,以便他们泄露您需要的公司详细信息。
阅读:(Read:) 社会工程的流行方法。
已知的社会工程技术
有很多,而且他们都使用基本的人类倾向来进入任何组织的数据库。最常用(可能已经过时)的社会工程技术是打电话和会见人们,让他们相信他们来自需要检查您的计算机的技术支持。他们还可以制造假身份证以建立信心。在某些情况下,肇事者冒充州政府官员。
另一种著名的技术是雇用您的人作为目标组织的员工。现在,既然这个骗子是你的同事,你可以相信他的公司详细信息。外部员工可能会帮助你做一些事情,所以你觉得有义务,那就是他们可以做出最大贡献的时候。
我还阅读了一些关于人们使用电子礼物的报道。在您的公司地址交付给您的精美USB记忆棒或放在您车上的笔式驱动器可能会带来灾难。在一个案例中,有人故意在停车场留下一些USB驱动器作为诱饵 [2]。(USB)
如果您的公司网络在每个节点都有良好的安全措施,那么您有福了。否则,这些节点为恶意软件(在那个礼物或“被遗忘的”笔式驱动器中)提供了通往中央系统的便捷通道。
因此,我们无法提供社会工程方法的完整列表。它是一门核心的科学,与顶部的艺术相结合。你知道他们都没有任何界限。社会(Social)工程人员在开发也可能滥用无线设备访问公司Wi-Fi 的(Wi-Fi)软件时不断发挥创造力。
阅读:(Read:) 什么是社会工程恶意软件。
防止社会工程学
就个人而言,我不认为管理员可以使用任何定理来防止社会工程黑客攻击。社会工程技术不断变化,因此 IT 管理员很难跟踪正在发生的事情。
当然,有必要密切关注社会工程新闻,以便获得足够的信息以采取适当的安全措施。例如,对于USB设备,管理员可以阻止单个节点上的USB驱动器,只允许它们在具有更好安全系统的服务器上。同样(Likewise),Wi-Fi需要比大多数本地ISP(ISPs)提供的更好的加密。
培训员工并对不同的员工群体进行随机测试可以帮助识别组织中的薄弱环节。训练和警告较弱的人很容易。警觉(Alertness)是最好的防御。压力应该是登录信息不应该与团队领导共享 - 无论压力如何。如果团队负责人需要访问成员的登录名,她/他可以使用主密码。这只是保持安全和避免社会工程黑客的一个建议。
底线是,除了恶意软件和在线黑客之外,IT 人员还需要处理社会工程。在识别数据泄露的方法(如写下密码等)时,管理员还应确保他们的员工足够聪明,能够识别出一种社会工程技术来完全避免它。您认为防止社会工程学的最佳方法是什么?如果您遇到任何有趣的案例,请与我们分享。
下载这本由 Microsoft 发布的关于社会工程攻击的电子书,了解如何在您的组织中检测和防止此类攻击。(Download this ebook on Social Engineering Attacks released by Microsoft and learn how you can detect and prevent such attacks in your organization.)
参考(References)
[1]路透社(Reuters),斯诺登(Snowden)说服NSA 员工(NSA Employees Into)获取他们的登录信息(Info)
[2] Boing Net,用于传播恶意软件的(Spread Malware)笔式(Pen)驱动器。
Understand Social Engineering - Protection against Human Hacking
A piece of recent news made me realize how human emotions and thoughtѕ can be (or, are) used for others’ benefit. Almoѕt every one of you knows Edward Snоwden, the whistleblower of NSA snooping the world over. Reuters reported that hе got around 20-25 NSA peoplе to hand over theіr pаsswords tо him for recovering some data he leaked later [1]. Imagine how fragile your corporate network can be, even with the strongest and best of security software!
What is Social Engineering
Human weakness, curiosity, emotions, and other characteristics have often been used in extracting data illegally – be it any industry. The IT Industry has, however, given it the name of social engineering. I define social engineering as:
“The method whereby an external person gains control over one or more employees of any organization by any means with intention to obtain the organization’s data illegally”
Here is another line from the same news story [1] that I want to quote – “Security agencies are having a hard time with the idea that the guy in the next cubicle may not be reliable“. I modified the statement a bit to fit it into the context here. You can read the full news piece using the link in the References section.
In other words, you do not have complete control over the security of your organizations with social engineering evolving much faster than techniques to cope with it. Social engineering can be anything like calling up someone saying you are tech support and ask them for their login credentials. You must have been receiving phishing emails about lotteries, rich people in Mid East and Africa wanting business partners, and job offers to ask you your details.
Unlike phishing attacks, social engineering is much of direct person-to-person interaction. The former (phishing) employs a bait – that is, the people “fishing” is offering you something hoping that you will fall for it. Social engineering is more about winning the confidence of internal employees so that they divulge the company details you need.
Read: Popular methods of Social Engineering.
Known Social Engineering Techniques
There are many, and all of them use basic human tendencies for getting into the database of any organization. The most used (probably outdated) social engineering technique is to call and meet people and making them believe they are from technical support who need to check your computer. They can also create fake ID cards to establish confidence. In some cases, the culprits pose as state officials.
Another famous technique is to employ your person as an employee in the target organization. Now, since this con is your colleague, you might trust him with company details. The external employee might help you with something, so you feel obliged, and that is when they can make out the maximum.
I also read some reports about people using electronic gifts. A fancy USB stick delivered to you at your company address or a pen drive lying in your car can prove disasters. In a case, someone left some USB drives deliberately in the parking lot as baits [2].
If your company network has good security measures at each node, you are blessed. Otherwise, these nodes provide an easy passage for malware – in that gift or “forgotten” pen drives – to the central systems.
As such we cannot provide a comprehensive list of social engineering methods. It is a science at the core, combined with art on the top. And you know that neither of them has any boundaries. Social engineering guys keep on getting creative while developing software that can also misuse wireless devices gaining access to company Wi-Fi.
Read: What is Socially Engineered Malware.
Prevent Social Engineering
Personally, I do not think there is any theorem that admins can use to prevent social engineering hacks. The social engineering techniques keep on changing, and hence it becomes difficult for IT admins to keep track on what is happens.
Of course, there is a need to keep a tab on social engineering news so that one is informed enough to take appropriate security measures. For example, in the case of USB devices, admins can block USB drives on individual nodes allowing them only on the server that has a better security system. Likewise, Wi-Fi would need better encryption than most of the local ISPs provide.
Training employees and conducting random tests on different employee groups can help identify weak points in the organization. It would be easy to train and caution the weaker individuals. Alertness is the best defense. The stress should be that login information should not be shared even with the team leaders – irrespective of the pressure. If a team leader needs to access a member’s login, s/he can use a master password. That is just one suggestion to stay safe and avoid social engineering hacks.
The bottom line is, apart from the malware and online hackers, the IT people need to take care of social engineering too. While identifying methods of a data breach (like writing down passwords etc.), the admins should also ensure their staff is smart enough to identify a social engineering technique to avoid it altogether. What do you think are the best methods to prevent social engineering? If you have come across any interesting case, please share with us.
Download this ebook on Social Engineering Attacks released by Microsoft and learn how you can detect and prevent such attacks in your organization.
References
[1] Reuters, Snowden Persuaded NSA Employees Into Obtaining Their Login Info
[2] Boing Net, Pen Drives Used to Spread Malware.