Unit 7: Detection and Prevention
7.1 Detection and Prevention: Social Engineering

mac, 2022-06-30

ABOUT THIS VIDEO

Despite technological precautions, human behavior remains a major problem in securing computer systems and networks. This video is our first look at social engineering, dealing with the direct interaction (in person or over the phone) between attacker and victim. Other forms of social engineering that rely on electronic communication, such as phishing, will be covered in our next unit.

Phishing involves sending out "bait," mostly through email, to a large number of people, hoping some users will "bite," by sending usernames, passwords, and even credit card information. When clicking a link in a phishing email, the user is brought to a webpage that looks and feels like a real banking site, the real PayPal site, the real eBay site, the real Facebook site, the real LinkedIn site, and much more. Therefore, the user feels safe and secure in entering sensitive information, which goes directly to the attacker. Furthermore, simply visiting these sites could install malware on a victim's machine. More on this type of social engineering coming up next week!

>> "Hello, this is tech support. We need your help to fix a problem with your account. Can you help us out today? Okay, great. What's your password?"

"Hi, I'm from corporate. Today I'm just doing a security assessment, and I need you to check out a few things for me."

"I'm here to fix the heating in the data center. See the logo on my polo shirt?"

"Hold the door please, I forgot my badge."

How about an employee who finds a flash drive in the parking lot with a label that reads "Corporate finances, top secret information," or something enticing like that?

The employee will then plug it into a company machine and start spreading malware across all corporate devices, maybe even ransomware.

These are all scary examples of the only threats to cybersecurity that don't involve any technology.

Social engineering involves preying on humans who are gullible and naive, and will always be the weakest link in a cybersecurity system.

Social engineering has been described as the art and science of getting people to comply with your wishes and an outside hacker's use of psychological tricks on legitimate users of a computer system.

In order to obtain information, he needs to gain access to the system.

Social engineering is when a hacker tricks someone into doing something they normally wouldn't and shouldn't do from a cybersecurity perspective.

You can patch a computer, but you can't patch people.

You can teach them, but they forget and make mistakes.

As computer vulnerabilities get harder to exploit, people become the most obvious target.

Skilled social engineers fool victims with their body language; body posture; gestures; facial expressions; eye movements; voice sounds; inflection; size; word choices; context; and framework.

"I really need you to help me right now, time is of the essence."

"This is Bob Jones, we met last year at the company picnic. You know me."

"Alice told me that you're a great worker willing to help out whenever you can."

"If you don't give me the information, I'm going to complain to your manager."

"I'm actually the one who signs your checks. You don't want me on your bad side."

"Actually, the other guy in the office did this for me last week."

Using social engineering, hackers can commit fraud, network intrusion, industrial espionage, identity theft, and simply disrupt systems and networks.

Potential targets include telephone companies; answering services; big name corporations; financial institutions; military and governmental agencies; hospitals; and even you.

The process starts with information gathering.

Social engineers do their homework to figure out what the victims like and don't like.

They find any potential weaknesses and vulnerabilities of the victims that can be exploited.

Public information online is a great resource.

In certain cases, companies don't even realize how much public-facing information can be used against them in a social engineering attack.

Names of employees, titles, phone numbers, and more are waiting to be gleaned.

Dumpster diving is another technique used during this information gathering step.

Yes, attackers will dive into corporate dumpsters and trash cans looking for any information that can be used.

They're not really looking for passwords that were written down and thrown out.

In fact, phone directories, calendars, company memos, and more can prove to be even more valuable.

What if an invoice from an HVAC company or a computer contractor was found in the trash?

All the attackers need to do is make a knock-off polo shirt with a logo and wait for employees to welcome them back.

The next step is exploitation.

Social engineers develop relationships, rapport, trust, and credibility from their victims.

Alternatively, they threaten, intimidate, impersonate, use scare tactics, and make things seem very urgent.

In this step the attackers get what they want by any means necessary.

Why is social engineering so effective?

People want to help others.

People don't want to get in the way, especially if you have a clipboard.

Just look and act like you belong there.

People don't like conflict.

People don't like to question authority.

And for the users who give out usernames, passwords, or other information to participate in some random survey for gifts in return, people like free stuff.

That chocolate bar could prove to be very expensive in the long run, though.

Mitigation of social engineering involves teaching users right from wrong.

Make them read policies and test them to make sure that they follow them.

Throwing legitimate rewards and incentives their way is not a bad idea, either.

Reposted from: https://www.cnblogs.com/sec875/articles/10420226.html
