A Brief Introduction to Social Engineering

Man

Professional
Computer security is difficult (maybe even impossible), but imagine for a moment that we did it. Strong cryptography is used where necessary, security protocols work flawlessly. We have reliable hardware and reliable software. Even the network we work on is completely secure. Wonderful!
Unfortunately, that’s not enough. This wonderful system can only do anything useful with the help of its users. And this human-computer interaction is the most dangerous of all.
People are often the weakest link in security measures, and they are the ones who constantly cause them to fail.
When it comes to security, mathematics is flawless, computers are vulnerable, networks are lousy, and people are just awful.
Bruce Schneier, “Secrets and Lies: Data Security in the Digital World”


Intro

Information is one of the most important assets of the company. Information may constitute a commercial secret of the company, i.e. under existing or possible circumstances increase income, avoid unjustified expenses, maintain position in the market of goods, works, services or bring other commercial benefits to the company. Accordingly, such information must be protected.
Since people work in any company, the influence of the human factor on all processes of the organization inevitably arises. Including the process of protecting confidential information.
The term "human factor" is a fixed expression denoting a person's mental capacities as a potential and actual source (cause) of information problems when that person uses modern technology.

Any human actions related to a violation of the security regime can be divided into two large categories: intentional and unintentional actions. Intentional actions include theft of information by employees, modification of information, or its destruction (sabotage). This is an extreme case and it has to be dealt with after the fact, involving law enforcement (the internal affairs bodies). Unintentional actions include the loss of information carriers and the destruction or distortion of information through negligence; the person does not realize that his actions violate the commercial secret regime. Unintentional actions also include "helping" the wrong people, the so-called social engineering: the employee does not realize that his actions are aimed at violating the commercial secret regime, while the one who asks him to do it knows perfectly well that he is violating the regime.

Social engineering is a method of (attack for) unauthorized access to information or information storage systems without the use of technical means. The method relies on human weaknesses and is very effective. The attacker obtains information, for example, by collecting information about the employees of the attack target, by means of an ordinary phone call, or by entering the organization under the guise of one of its employees. The attacker can call a company employee (posing as technical support) and find out the password, citing the need to solve a small problem in the computer system. Very often this trick works. The most powerful weapon here is the attacker's pleasant voice and acting skills. The names of employees can be learned after a series of calls and by studying the names of managers on the company's website and other open sources (reports, advertising, etc.). Using real names in a conversation with the technical support service, the attacker tells a fictitious story: he cannot get into an important meeting on the site with his remote access account. Other aids to this method are going through the organization's waste containers (dumpster diving) and virtual recycle bins, and the theft of laptops and other information carriers. This method is used when the attacker has chosen a specific company as the victim.

Social engineering techniques

All social engineering techniques are based on the peculiarities of human decision-making.
Pretexting is an action that is worked out according to a pre-written scenario (pretext). As a result, the target (victim) must provide certain information or perform a certain action. This type of attack is usually used over the phone. More often than not, this technique involves more than just lies and requires some preliminary research (for example, personalization: finding out the employee’s name, position, and the names of the projects they are working on) in order to ensure the target’s trust.

Phishing is a technique aimed at fraudulently obtaining confidential information. Typically, the attacker sends the target an e-mail faked to look like an official letter (from a bank or payment system) that requires "verification" of certain information or the performance of certain actions. The e-mail usually contains a link to a fake web page that imitates the official one, complete with corporate logo and content, and carries a form requesting confidential information, from a home address to a bank card PIN.
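The defensive counterpart of the paragraph above is spotting the tell-tale signs of such a link before anyone clicks it. The following is an added example (not code from the original post) that scans an HTML e-mail body for anchors whose visible text names one domain while the href goes somewhere else, whose host is a raw IP address, or whose host is outside a list of trusted company domains. The sample e-mail, the trusted-domain list and the "last two labels = registrable domain" simplification are all assumptions made for this example.

```python
"""Flag phishing-style links in an HTML e-mail body (added example)."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body of the kind described in the text (assumption).
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please <a href="http://examplebank-secure.com/verify">verify your account</a>.</p>
<p>Or go to <a href="http://203.0.113.7/login">https://www.examplebank.com/login</a></p>
<p>Questions? Visit <a href="https://support.examplebank.com/help">our help page</a>.</p>
"""
# Domains the organisation actually owns (assumption for this example).
TRUSTED_DOMAINS = ["examplebank.com"]

# Matches something that looks like a host name inside free text.
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased host part of a URL, '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def _base(host):
    """Registrable domain, simplified to the last two labels (assumption)."""
    return ".".join(host.split(".")[-2:])


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _belongs_to(host, domain):
    return host == domain or host.endswith("." + domain)


def find_suspicious_links(html, trusted_domains):
    """Return one record per link that shows a phishing indicator.

    Indicators checked: raw IP as host; visible text names a domain that
    differs from the href's domain; href host is not a trusted domain.
    """
    parser = _LinkExtractor()
    parser.feed(html)
    trusted = [d.lower() for d in trusted_domains]
    findings = []
    for href, text in parser.links:
        host = _host(href)
        reasons = []
        if _is_ip(host):
            reasons.append("raw IP address as host")
        match = DOMAIN_RE.search(text)
        if match and _base(match.group(0).lower()) != _base(host):
            reasons.append(f"link text names {match.group(0)} but href goes to {host}")
        if not any(_belongs_to(host, d) for d in trusted):
            reasons.append("host is not a trusted domain")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_links(SAMPLE_EMAIL_HTML, TRUSTED_DOMAINS):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Run as a script it reports the first two links of the sample and stays silent on the genuine support link; the same function can be fed the body of any quarantined message. A real mail gateway would add lookalike-domain matching and a proper public-suffix list, which the two-label simplification here does not handle.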

Trojan Horse: This technique exploits the curiosity or greed of the target. The attacker sends an email containing an important antivirus update as an attachment, or even fresh dirt on an employee. This technique remains effective as long as users blindly click on any attachments.

Road Apple: This attack method is an adaptation of the Trojan Horse and uses physical media. The attacker plants an infected CD or memory card where it is likely to be found (a corridor, an elevator, a parking lot). The media is faked to look official and carries a label designed to arouse curiosity.
Example: An attacker may plant a CD with a corporate logo and a link to the target's official website, labeled "Q1 2010 Executive Salaries." The disk may be left on the floor of an elevator or in the lobby. An employee may unknowingly pick it up and insert it into a computer to satisfy his curiosity.

Quid pro quo: An attacker may call a random number at the company and pose as a tech support employee asking whether there are any technical problems. If there are, the target enters commands that allow the attacker to run malware while the problems are being "solved".

Reverse Social Engineering:
The goal of reverse social engineering is to trick the target into asking the attacker for "help." To this end, the attacker may use the following techniques:
Sabotage: Creating a reversible malfunction on the victim's computer.
Advertising: The attacker slips the victim an ad like “If you have problems with your computer, call such and such a number” (this mostly applies to employees who are on a business trip or vacation).

Countermeasures

The most basic way to protect against social engineering is training. Forewarned is forearmed. And ignorance is no excuse. All company employees should be aware of the dangers of disclosing information and how to prevent it.
In addition, company employees should have clear instructions on how and on what topics they may talk with an interlocutor, and what information they must obtain from the interlocutor to authenticate him reliably.

Here are some rules that will be useful:

1. All user passwords are the property of the company. All employees should be explained on the day of hiring that the passwords they were given cannot be used for any other purposes, for example, for authorization on Internet sites (it is known that it is difficult for a person to keep all passwords and access codes in his head, so he often uses one password for different situations).

How can such a vulnerability be used in social engineering? Let's say an employee of the company became a victim of phishing. As a result, his password on some Internet site became known to third parties. If this password matches the one used in the company, there is a potential threat to the security of the company itself.

In principle, it is not even necessary for an employee of the company to become a victim of phishing. There is no guarantee that the sites where he logs in maintain the required level of security. So, a potential threat always exists.

2. All employees must be instructed on how to behave with visitors. Clear rules are needed to establish the identity of the visitor and his accompaniment. A visitor must always be accompanied by one of the company's employees. If an employee of the company meets a visitor wandering around the building alone, he must have the necessary instructions to correctly find out why the visitor is in this part of the building and where his accompaniment is.

3. There must be a rule for the correct disclosure of only truly necessary information over the phone and in person, as well as a procedure for checking whether the person requesting something is a real employee of the company. It is no secret that most of the information is obtained by an intruder during direct communication with company employees. It is also necessary to take into account the fact that in large companies, employees may not know each other, so an attacker can easily pretend to be an employee who needs help.

All the measures described are quite simple, but most employees forget about these measures and the level of responsibility that is imposed on them when signing non-disclosure agreements. The company spends huge financial resources to ensure information security using technical methods, but these technical means can be bypassed if employees do not take measures to counter social engineers, and security services do not periodically check the vigilance of the company's personnel. Thus, the funds spent on ensuring information security will be wasted.

P.S. If the topic is interesting, then in the next topic I will tell you in more detail about the methods and procedures that help minimize the negative consequences associated with social engineering methods.
