Social Engineering

admin, 2023-12-22 10:55:57


Social engineering is a form of attack that exploits human nature and human behavior. People are a weak link in security because they can make mistakes, be fooled into causing harm, or intentionally violate company security. Social engineering attacks exploit human characteristics such as a basic trust in others, a desire to provide assistance, or a propensity to show off. It is important to consider the risks that personnel represent to your organization and implement security strategies to minimize and handle those risks.

Social engineering attacks take two primary forms: convincing someone to perform an unauthorized operation or convincing someone to reveal confidential information. In just about every case, in social engineering the attacker tries to convince the victim to perform some activity or reveal a piece of information that they shouldn’t. The result of a successful attack is information leakage or the attacker being granted logical or physical access to a secure environment.


Here are some example scenarios of common social engineering attacks:


  • A website claims to offer free temporary access to its products and services, but it requires web browser and/or firewall alterations in order to download the access software. These alterations may reduce the security protections or encourage the victim to install malicious browser helper objects (BHOs) (also known as plug-ins, extensions, add-ons).

  • The help desk receives a call from someone claiming to be a department manager who is currently involved in a sales meeting in another city. The caller claims to have forgotten their password and needs it to be reset so that they can log in remotely to download an essential presentation.


  • Someone who looks like a repair technician claims a service call was received for a malfunctioning device in the building. The “technician” is sure the unit can be accessed from inside your office work area and asks to be given access to repair the system.


  • If a worker receives a communication from someone asking to talk with a coworker by name, and there is no such person currently or previously working for the organization, this could be a ruse either to reveal the names of actual employees or to convince you to “provide assistance” because the caller has incorrect information.

  • When a contact on a discussion forum asks personal questions, such as your education, history, and interests, they could be focused on learning the answers to password reset questions.

Some of these examples may also be legitimate and benign occurrences, but you can see how they could mask the motives and purposes of an attacker. Social engineers attempt to mask and hide their true intentions by crafting their attack to seem as normal and typical as possible.


Whenever a security breach occurs, an investigation should be performed to determine what was affected and whether the attack is ongoing. Personnel should be retrained to detect and avoid similar social engineering attacks in the future. Although social engineering attacks primarily focus on people, the results of an attack can be disclosure of private or confidential materials, physical damage to a facility, or remote access to an IT environment. Therefore, any attempted or successful social engineering breach should be thoroughly investigated and responded to. Methods to protect against social engineering include the following:


  • Training personnel about social engineering attacks and how to recognize common signs


  • Requiring authentication when performing activities for personnel over the phone


  • Defining restricted information that is never communicated over the phone or through plaintext communications such as standard email


  • Always verifying the credentials of a repair person and verifying that a real service call was placed by authorized personnel

  • Never following the instructions of an email without verifying the information with at least two independent and trusted sources

  • Always erring on the side of caution when dealing with anyone you don’t know or recognize, whether in person, over the phone, or over the internet/network

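The help-desk password-reset scenario above and the control "requiring authentication when performing activities for personnel over the phone" can be made concrete as a verification workflow. The following is an added example, not code from the original article or from the study guide it quotes; the directory entries, the one-time-code delivery channel, the epoch-seconds clock and the request states are assumptions made for illustration:

```python
"""Help-desk verification gate for phone-initiated password resets.

Added example, not from the original article. The directory contents,
the one-time-code channel and the request states are assumptions made
for illustration; plug in the real identity source and messaging channel.
"""
from dataclasses import dataclass, field
from typing import List, Optional
import hmac
import secrets

CODE_TTL_SECONDS = 600  # a code not read back within 10 minutes is void

# Constructed sample directory: the only source an agent may use for callback numbers.
DIRECTORY = {
    "j.doe": {"phone_on_record": "+1-555-0100"},
    "a.lee": {"phone_on_record": "+1-555-0101"},
}


@dataclass
class ResetRequest:
    username: str
    claimed_callback: str                   # number the caller asks to be reached on
    state: str = "received"
    callback_number: Optional[str] = None   # always the directory number, never the claimed one
    issued_code: Optional[str] = None
    issued_at: Optional[float] = None       # epoch seconds (assumed clock)
    log: List[str] = field(default_factory=list)


def open_request(username: str, claimed_callback: str, now: float) -> ResetRequest:
    """Record the request, then end the inbound call; nothing is done on the caller's line."""
    req = ResetRequest(username=username, claimed_callback=claimed_callback)
    entry = DIRECTORY.get(username)
    if entry is None:
        # Unknown account: refuse without telling the caller whether the name exists.
        req.state = "rejected"
        req.log.append(f"t={now:.0f} unknown account {username!r}; refused and reported")
        return req
    req.callback_number = entry["phone_on_record"]
    if claimed_callback != req.callback_number:
        req.log.append(f"t={now:.0f} caller asked for {claimed_callback}; "
                       f"using number on record {req.callback_number} instead")
    # The code goes to the user's registered device (assumed channel), never to the caller.
    req.issued_code = f"{secrets.randbelow(10**6):06d}"
    req.issued_at = now
    req.state = "awaiting_callback"
    req.log.append(f"t={now:.0f} one-time code sent to registered device of {username}")
    return req


def confirm_on_callback(req: ResetRequest, dialed_number: str,
                        code_from_caller: str, now: float) -> bool:
    """Run during the agent's outbound call. Every check must pass; a failure ends the request."""
    if req.state != "awaiting_callback":
        req.log.append(f"t={now:.0f} confirmation attempted in state {req.state!r}; ignored")
        return False
    if dialed_number != req.callback_number:
        req.state = "rejected"
        req.log.append(f"t={now:.0f} agent dialed {dialed_number}, not the number on record; refused")
        return False
    if now - req.issued_at > CODE_TTL_SECONDS:
        req.state = "expired"
        req.log.append(f"t={now:.0f} code expired; caller must start over")
        return False
    if not hmac.compare_digest(req.issued_code, code_from_caller):
        req.state = "rejected"
        req.log.append(f"t={now:.0f} wrong code; refused and reported")
        return False
    req.state = "verified"
    req.log.append(f"t={now:.0f} callback and code verified; reset may proceed")
    return True


if __name__ == "__main__":
    # Walk-through with a caller who gives a number that is not on record.
    req = open_request("j.doe", "+1-555-0199", now=1000.0)
    ok = confirm_on_callback(req, req.callback_number, req.issued_code, now=1060.0)
    print(ok, req.state)
    print("\n".join(req.log))
```

The design point is that nothing the inbound caller says is trusted: the agent ends the call, dials only the number the directory holds, and the caller must read back a code that was delivered to the registered device. A caller who offers a "more convenient" callback number is still reached on the number of record, and a request for an account that does not exist is refused without confirming whether the name is real, which also blunts the name-harvesting ruse described in the scenarios above.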

If several workers report the same odd event, such as a call or email, an investigation should look into what the contact was about, who initiated it, and what the intention or purpose was.

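When several workers report the same odd call or email, the investigation wants exactly the three things named above: what the contact was about, who initiated it, and the likely intent. The following added example (not from the original article) correlates such staff reports into one incident record; the one-report-per-line format and the sample lines in REPORTS are constructed for this example, and the keyword-based intent labels are an assumption that a real deployment would tune:

```python
"""Correlate staff reports of odd contacts into investigation records.

Added example, not from the original article. Report format (constructed):
<timestamp> <reporter> <channel> <contact identifier> "<short description>"
"""
import re
from collections import defaultdict

# Constructed sample reports from five employees on one morning.
REPORTS = """\
2023-12-22T09:02Z alice  phone  +1-555-0142  "caller said he was IT, asked me to read back my MFA code"
2023-12-22T09:05Z bob    phone  +1 (555) 0142 "IT guy wanted my MFA code to 'sync the server'"
2023-12-22T09:40Z carol  email  helpdesk@examp1e-corp.test "link to reset my password, said account locked"
2023-12-22T10:10Z dave   phone  +1-555-0142  "asked for the name of our finance manager"
2023-12-22T11:30Z erin   email  newsletter@vendor.test "normal newsletter, just flagging because new sender"
"""

LINE = re.compile(r'^(?P<ts>\S+)\s+(?P<who>\S+)\s+(?P<chan>\S+)\s+(?P<contact>.+?)\s+"(?P<desc>.*)"$')

# Assumed intent vocabulary; extend with the phrases seen in your own reports.
INTENT_PATTERNS = {
    "credential request": re.compile(r"\b(mfa|password|passcode|code|token)\b", re.I),
    "name harvesting": re.compile(r"\b(names? of|who (is|handles|runs))\b", re.I),
    "access request": re.compile(r"\b(let me in|badge|door|remote access|install)\b", re.I),
}


def normalize_contact(channel: str, contact: str) -> str:
    """Phone numbers written differently by each reporter must land in one group."""
    if channel == "phone":
        return re.sub(r"\D", "", contact)
    return contact.strip().lower()


def classify_intent(description: str) -> list:
    hits = [name for name, pat in INTENT_PATTERNS.items() if pat.search(description)]
    return sorted(hits) or ["unclassified"]


def parse_reports(text: str) -> list:
    rows = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE.match(raw)
        if not m:
            continue  # malformed lines are skipped rather than guessed at
        rows.append(m.groupdict())
    return rows


def correlate(text: str, min_reporters: int = 2) -> list:
    """Group reports by (channel, normalized contact); keep groups seen by enough people."""
    groups = defaultdict(list)
    for r in parse_reports(text):
        groups[(r["chan"], normalize_contact(r["chan"], r["contact"]))].append(r)
    clusters = []
    for (chan, contact), rows in groups.items():
        reporters = sorted({r["who"] for r in rows})
        if len(reporters) < min_reporters:
            continue
        intents = sorted({i for r in rows for i in classify_intent(r["desc"])
                          if i != "unclassified"}) or ["unclassified"]
        clusters.append({
            "channel": chan,                      # who initiated it, and how
            "contact": contact,
            "reporters": reporters,
            "first_seen": min(r["ts"] for r in rows),
            "last_seen": max(r["ts"] for r in rows),
            "intent": intents,                    # what it was probably after
            "descriptions": [r["desc"] for r in rows],  # what the contact was about
        })
    clusters.sort(key=lambda c: (-len(c["reporters"]), c["first_seen"]))
    return clusters


if __name__ == "__main__":
    for c in correlate(REPORTS):
        print(f"{c['channel']} {c['contact']}: {len(c['reporters'])} reporters, "
              f"{c['first_seen']}..{c['last_seen']}, intent={c['intent']}")
```

Run against the sample, the three phone reports collapse into one record (the two spellings of the number normalize to the same digits) with both a credential-request and a name-harvesting intent, which is the signal that one caller is working through the staff list; the two single email reports stay below the threshold but are still available for review by lowering min_reporters.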

The most important defense against social engineering attacks is user education and awareness training. A healthy dose of paranoia and suspicion helps users detect or notice more social engineering attempts than they would without such preparation. Training should include role playing and walking through numerous examples of the various forms of social engineering attacks. However, keep in mind that attackers constantly alter their approaches and improve their means of attack, so keeping current with newly discovered social engineering techniques is also necessary to defend against this human-focused threat.

Users should receive training when they first enter an organization, and they should receive periodic refresher training, even if it’s just an email from the administrator or training officer reminding them of the threats.



Originally published on the WeChat official account 网络安全等保测评: Social Engineering

Posted by admin. Please keep this link when reposting (CN-SEC 中文网; thanks to the original author): http://cn-sec.com/archives/2326529.html
