Social Engineering: The New Battlefield of Information Security Attack and Defence - Vulnerability Alert - Black Bar Safety Net

ID MYHACK58:62200612483
Type myhack58
Reporter Anonymous
Modified 2006-10-24T00:00:00


Information security vulnerabilities are everywhere; any system is a potential security risk. In recent years, incidents in which social engineering is used to break through information security defences have been rising and spreading, and social engineering has become one of the most vulnerable links in information security and confidentiality work.

Society and risk

Social engineering (Social Engineering) is a way of obtaining benefit for oneself by exploiting human weaknesses, such as instinct, curiosity, trust and greed, through fraud, injury and other harmful means.

In recent years, because information security vendors keep developing more advanced security products and systems are being locked down ever more tightly at the technical level, exploiting technical vulnerabilities has become increasingly difficult for attackers. As a result, more of them are turning to the tool that targets the human factor: social engineering.

Many information technology practitioners share a similar notion: they believe that because their systems are equipped with advanced and sophisticated security equipment (firewalls, IDS, IPS, vulnerability scanners, anti-virus gateways, content filtering, security auditing, authentication and access control systems, even the latest UTM appliances and "waterproof walls", i.e. internal anti-leakage systems), they can rely on those facilities to guarantee the security of the system.

In fact, many breaches begin by winning the trust of internal staff: the people who manage, use and maintain the information systems. Once that trust is won, every technical protection is easily bypassed. Trust is the foundation of all security, and for protection and auditing it is generally regarded as the weakest link in the whole security chain. To avoid security risks, technical experts carefully design security solutions, yet they pay very little attention to the biggest security vulnerability: the human factor.

Whether in the real world or in virtual cyberspace, anyone who can access a system is a potential security risk and threat. Much of the most sensitive information exists only in people's minds, and every security facility is operated and controlled by people. If the "human" factor is not brought into the overall security management policy, and the organisation concentrates only on so-called comprehensive solutions at the technical level, many security "cracks" will remain; in the barrel analogy, this is the shortest stave, and the barrel holds no more water than that stave allows.

An information system that lacks defences against social engineering, however advanced its security technology, may turn into a self-comforting ornament, and the large sums invested in the most advanced security equipment may be wasted.

Rich Mogull, Research Director for information security and risk at Gartner Group, said: "Social engineering is the greatest security risk of the next 10 years; many of the most destructive incidents are caused by social engineering rather than by hacking or cracking." Some information security experts predict that social engineering will be a major battleground of future information system intrusion and counter-intrusion.

New means of attack

Social engineering attacks can basically be divided into two levels: physical and psychological. As with conventional intrusions, a great deal of preparatory work must be completed before a social engineering attack is carried out, and this work is often more laborious, more skilled, or more "artful" than the subsequent intrusion itself.

That preparation includes the following: the perpetrator of social engineering, usually called a social engineer, must command knowledge and skills from psychology, interpersonal relations and behavioural science in order to collect and master the data and information needed to carry out the intrusion. To achieve the intended goal, a social engineering attack usually combines psychological and behavioural attacks. Its common forms include:

First, disguise. From the early cover-letter virus, the Love Bug virus and Christmas greeting-card messages to today's popular phishing, the method is to use e-mail and fake websites to carry out fraud. One survey shows that of all users who come into contact with fraudulent messages, as many as 5% respond to the scam. Attackers increasingly prefer to dress up rogue software, spyware, ransomware, malware and other network traps with social engineering in order to deceive the victim.

Second, enticement. Social engineering is now the technique most worms use to spread: it gets computer users to open a message instinctively and run the harmful attachment that comes with the lure. For example, a message may carry a "defect notice" about operational flaws in certain processor models, or, more often, something that arouses curiosity such as "you have won a prize" or "the latest anti-virus software", together with a link to a page; the reader is tempted to run the program downloaded from that page or to register personal details online, and the attacker exploits the reader's psychological loopholes to get them to take the bait.

Third, intimidation. People are especially sensitive to anything concerning security, vulnerabilities, viruses, Trojans and hackers. Under the guise of authority, the attacker spreads security warnings, system risk notices and the like, frightening the computer user with alarmist claims that failing to do promptly as instructed will cause fatal harm or serious loss.

Fourth, persuasion. The social engineer persuades the target in order to strengthen the target's willingness to complete the assigned task, thereby becoming someone the target trusts and obtaining sensitive information. Most help-desk staff are trained to treat callers warmly and to provide as much help as possible, so the help desk becomes a "gold mine" of valuable information for the social engineer.

Fifth, flattery. Social engineers are usually very friendly, pay great attention to the art of conversation, and know how to seize opportunities to build rapport, so most people respond well to them; flattery and appeals to vanity make the target happy to keep cooperating.

Sixth, infiltration. Social engineering attackers are good at prying out information, and many details that look useless on the surface are used by them to penetrate systems. By observing how quickly and attentively the target responds to e-mail, and by gathering any information that may be useful (a person's name, birthday, ID number, phone number, the administrator's IP address, e-mail address and so on), they work out the general shape of the target's network architecture or the likely content of system passwords, and then apply password psychology to analyse the password rather than relying on brute force alone.

Beyond the means above, there are some more unconventional social engineering behaviours, such as dumpster diving (rummaging through rubbish), shoulder surfing (peeking from behind) and reverse social engineering, all of which are shortcuts to stealing information.
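The sixth form above, "password psychology", is the step that turns a pile of harmless-looking facts into a short, targeted guess list. The following is an added example, not code from the original article: it builds the guess list an attacker would derive from a constructed profile (the person, employer and numbers are invented for the demonstration), and then shows the policy check an enterprise can run at password-change time to refuse exactly those passwords. The transformation rules are a small illustrative subset; real cracking rule sets are far larger.

```python
# Added example, not from the original article: the "password psychology"
# step of an infiltration attack, and the policy check that defends against it.
# The profile, the transformation rules and all names are constructed for the
# demonstration; real attackers use far larger rule sets.
import itertools

# Constructed profile of the kind a social engineer pieces together from an
# e-mail signature, an office birthday card and a business card.
PROFILE = {
    "name": "Zhang Wei",
    "birthday": "1978-06-15",
    "phone": "13812345678",
    "employer": "ccb",
}

LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
UNLEET = str.maketrans({"@": "a", "3": "e", "1": "i", "0": "o", "$": "s"})


def profile_tokens(profile):
    """Fragments people actually build passwords from: name parts, initials,
    birthday in several orders, phone suffixes, employer."""
    first, last = profile["name"].lower().split()
    year, month, day = profile["birthday"].split("-")
    phone = profile["phone"]
    return {
        first, last, first + last, first[0] + last, last + first[0],
        year, year[2:], month + day, day + month,
        year + month + day, year[2:] + month + day,
        phone, phone[-4:], phone[-6:],
        profile["employer"].lower(),
    }


def candidate_passwords(profile, suffixes=("", "!", "123", "@")):
    """Targeted guess list: each token and each ordered pair of tokens, in
    plain, Capitalised and l33t spelling, with a few common suffixes.
    A few thousand guesses instead of a brute-force walk of the whole space."""
    tokens = profile_tokens(profile)
    combos = set(tokens)
    for a, b in itertools.permutations(tokens, 2):
        if len(a + b) <= 16:
            combos.add(a + b)
    guesses = set()
    for combo in combos:
        for suffix in suffixes:
            guesses.update({combo + suffix,
                            combo.capitalize() + suffix,
                            combo.translate(LEET) + suffix})
    return sorted(guesses)


def is_profile_derived(password, profile, min_fragment=4):
    """Policy check: refuse a password containing any profile fragment of at
    least min_fragment characters, in plain or l33t spelling. Digit fragments
    are matched on the raw text (UNLEET would turn 1978 into i978), letter
    fragments on the de-l33ted text, so both spellings are caught."""
    raw = password.lower()
    deleeted = raw.translate(UNLEET)
    return any(
        token in raw or token in deleeted
        for token in profile_tokens(profile)
        if len(token) >= min_fragment
    )


def policy_coverage(profile):
    """Fraction of the attacker's guess list that the policy would refuse."""
    guesses = candidate_passwords(profile)
    rejected = sum(is_profile_derived(g, profile) for g in guesses)
    return rejected / len(guesses)


if __name__ == "__main__":
    guesses = candidate_passwords(PROFILE)
    print(f"{len(guesses)} targeted guesses, e.g. {guesses[:5]}")
    for pw in ("Zhang0615!", "zh@ng-pass", "Wei!", "correct horse battery"):
        print(f"{pw!r:24} rejected={is_profile_derived(pw, PROFILE)}")
    print(f"policy refuses {policy_coverage(PROFILE):.0%} of the guess list")
```

The check deliberately ignores fragments shorter than four characters (a three-letter surname would otherwise forbid too much), which is also why a handful of the attacker's guesses slip past it; the point of `policy_coverage` is to measure that gap rather than assume it is zero. In a real deployment the profile comes from the HR directory at password-change time and the guess list is never stored.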

The birth of new means of defence

As the saying goes, "when virtue rises a foot, vice rises ten". Faced with the security challenge of social engineering, enterprises must adapt with new defensive methods, including:

First, make websites harder to counterfeit. According to a 2005 report by an international anti-fraud organisation, China has become the country with the second-largest number of counterfeit domain names and websites in the world, accounting for 12 per cent of the global total. Analysts in the banking sector say that over-long domain names are a root cause of counterfeiting. It is reported that, to stop criminals using fake domains for phishing, 14 Chinese banks changed their online banking domain names in the first half of this year, mostly switching to .CN domains: for example, China Construction Bank's online banking domain was upgraded from ccb.com.cn to ccb.cn, and Bank of China's was changed from bank-of-china.com to boc.cn. At the same time, companies need to scan DNS regularly to check whether domain names similar to their own have been registered. In addition, a corporate website that does not use pop-up advertisements, does not hide the address bar and avoids frames in its design is less likely to be counterfeited.
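The "scan regularly for similar domain names" advice above needs two pieces: a generator for the names a phisher would plausibly register, and a matcher that runs newly seen registrations against it. The following is an added example, not code from the original article. The two brand domains (ccb.cn and boc.cn) are the ones the article names; the confusable-character table, the "dressing" words, the TLD list and the list of observed registrations are all constructed for the demonstration, and a real scan would feed the generated names to WHOIS or DNS instead of a hard-coded list.

```python
# Added example, not from the original article: how an enterprise can scan for
# lookalike domain names of the kind phishers register. The brand domains come
# from the article (ccb.cn, boc.cn); the substitution tables, the dressing words
# and the "observed" registrations are constructed for the demonstration.

# Characters a reader confuses at a glance (ASCII only; IDN homographs such as
# Cyrillic letters would extend this table).
HOMOGLYPHS = {
    "o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "e": ["3"], "a": ["4"],
    "s": ["5"], "b": ["d"], "g": ["q"], "m": ["rn"], "w": ["vv"],
}
# Words phishers bolt onto a brand to look like a legitimate sub-service.
DRESSINGS = ("secure", "online", "login", "ebank", "cn", "china")
# Registrable suffixes the brand name is likely to be re-registered under.
TLDS = ("cn", "com", "com.cn", "net", "cc")


def lookalikes(domain):
    """All lookalike names for a brand domain: typos, homoglyphs, hyphenation,
    dressing words, and every TLD swap of each (and of the brand label itself)."""
    label, _, _tld = domain.lower().partition(".")
    variants = set()
    for i, ch in enumerate(label):
        variants.add(label[:i] + label[i + 1:])            # character omitted
        variants.add(label[:i] + ch + ch + label[i + 1:])  # character doubled
        if i + 1 < len(label):                             # neighbours swapped
            variants.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        for sub in HOMOGLYPHS.get(ch, ()):                 # look-alike glyph
            variants.add(label[:i] + sub + label[i + 1:])
        if i > 0:                                          # hyphen inserted
            variants.add(label[:i] + "-" + label[i:])
    for word in DRESSINGS:
        variants.update({word + label, label + word,
                         label + "-" + word, word + "-" + label})
    variants.discard("")
    names = {f"{v}.{tld}" for v in variants | {label} for tld in TLDS}
    names.discard(domain.lower())
    return names


def edit_distance(a, b):
    """Levenshtein distance, to catch typos the generator did not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def flag_lookalikes(observed, brands, owned=(), max_distance=1):
    """Map each suspicious observed domain to (brand, reason).
    'owned' is the allow-list of the enterprise's own legacy or defensive
    registrations, which the generator would otherwise flag as lookalikes."""
    tables = {brand: lookalikes(brand) for brand in brands}
    hits = {}
    for name in observed:
        name = name.lower().rstrip(".")
        if name in brands or name in owned:
            continue
        for brand in brands:
            if name in tables[brand]:
                hits[name] = (brand, "generated variant")
                break
            if edit_distance(name.partition(".")[0],
                             brand.partition(".")[0]) <= max_distance:
                hits[name] = (brand, "edit distance")
                break
    return hits


BRANDS = ("ccb.cn", "boc.cn")
# Constructed list standing in for newly registered names pulled from a zone
# file, a certificate-transparency log or a WHOIS feed.
OBSERVED = [
    "ccb.cn", "ccb.com.cn", "ccb-cn.com", "cbb.cn", "c-cb.cn",
    "boc.cn", "b0c.cn", "boc-ebank.cn", "bocc.cn", "sina.com.cn",
]

if __name__ == "__main__":
    print(f"{len(lookalikes('ccb.cn'))} lookalike names generated for ccb.cn")
    hits = flag_lookalikes(OBSERVED, BRANDS, owned={"ccb.com.cn"})
    for name, (brand, why) in sorted(hits.items()):
        print(f"{name:16} -> {brand} ({why})")
```

Two practical caveats the code makes visible: the bank's own old domain (ccb.com.cn in the article) is itself a "lookalike" of the new one, so everything the enterprise still owns belongs on the allow-list, and the edit-distance fallback on a three-letter label will flag innocent neighbours, so tune `max_distance` (or disable the fallback for short labels) to the size of the feed. The generated table can also be used proactively: resolve each name, and register the ones that matter before someone else does.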

Second, strengthen internal security management. Separate system management duties as far as possible, allocate each system administrator's privileges reasonably, and avoid excessive concentration of privileges. To prevent outsiders from mixing with insiders, staff should wear identification badges, and access control and video surveillance systems should be installed; office waste and scrapped maintenance equipment must be handled under strict procedures; and habits adopted for convenience, such as writing passwords on sticky notes or conducting day-to-day system maintenance contact over QQ and similar channels, must be eliminated.

Third, conduct security training. Security awareness matters more than security measures. In preventing social engineering attacks, guidance and education are the key: give vulnerable employees explicit education and warnings about concrete cases, let them understand how these methods are applied and why they succeed, and teach them to recognise social engineering attacks. In this respect, attention should be paid to cultivating and training several capabilities in the enterprise and its employees, including the ability to discriminate and judge, to resist fraud, to conceal information, to protect oneself, and to respond to emergencies.

From: Silicon Valley power