Seguranca
Recebi de um amigo, muito interessante. Ah, ele tb eh chefe da administracao de rede aqui... ;]
Mind Games - Social Engineering
Published with permission of author: June 017 2002
Dr.T writes;
This small article is a brief overview on social engineering. It talks a bit about the psychology of social engineering, the security threat it imposes and about the methods used for it. Basically, this article is a summary that covers the important facts (from my point of view) about social engineering.
Social Engineering
Social engineering focuses on the weakest link of the information security chain, and considered a big security threat, according to CERT.
One of the basic laws of information security is that 'Client-Side Security Doesn't Work', or more precisely, as Scott Culp says: "The basic problem with client-side security is that the person sitting physically in front of the client has absolute control over it", and "If a bad guy has unrestricted physical access to your computer, it's not your computer anymore". Social engineering attack uses the fact that the human part of the security is the most essential. Moreover, there is not a single computer system in the world that does not rely on humans. This is why this security weakness is independent of platform, software, network, firewalls, VPNs etc.
The term Social Engineering has two definitions. The first definition is used by hackers/crackers among themselves and it can be found in the hacker's Jargon dictionary. The hacker's Jargon dictionary defines social engineering as:
"Social Engineering: Term used among crackers and samuria for cracking
techniques that relay on weaknesses in wetware rather than software; the
aim is to trick people into revealing passwords or other information that
compromises a target system's security. Classic scams include phoning up
a mark who has the required information and posting as a field service
tech or a fellow employee with an urgent access problem."
The Jargon definition for Social Engineering is basically phone scams, while social engineering is more than phone scams - it is the human side of hacking.
Social engineering is the art (not an attack) of getting people to comply to your wishes. It is not a way of mind control, as some would say, and it will not allow you to get people to perform tasks outside their daily activity. Moreover, it can be said that social engineering is the technique (used not only by hackers) for forcing a response or gaining information out of otherwise unwilling individuals.
Social engineering is not made within a minute, if one wants to get some information he/she does not improvise and play few scenes, but rather begins with excessive 'groundwork', sometimes long before the attack itself. Information gathering and idle chit chat before taking an attempt at gaining information is a common practice. Just like with hacking, most of the work is in the preparation - the attack itself is relatively small part. In some cases, the information that has been gained is used for social engineering further information.
Some would say that social engineering is nothing more than building trust, and relationship (discussed later) between you and other individual(s). Those, who would say such thing are actually right. Their subsequent claim, that social engineering is nothing more than saying "Please" and "Thanks you�h would be though denied by any more or less skilled social engineer.
"Please", "Thanks you" and other words alike, which are part of our daily vocabulary, are used by polite people every day. Therefore if you are trying to perform a social engineering attack by just spicing your speech with them, it leads you nowhere. Building trust between two people, who does not know each other; takes much more that just being polite. You have to focus on the way your party speaks, what questions he/she asks and how he/she answers yours. Smallest mistake can destroy the whole attempt to gain other person�fs trust. Careful planning based on predicting questions, answers and reactions plays the most important role. Good memory for gathered facts is essential as well. A good social engineer would know to predict the whole conversation, using the gathered facts about the other person. This makes the biggest difference between a good social engineer and any other typical human being.
Social engineers know to use a situation to their benefit. Individuals under pressure are very vulnerable to social engineering; therefore it is quite natural for a good social engineer to target someone who is not familiar with his/her work yet, like a fresh customer technical support person.
Social engineering tools are in possession of all of us; conscious and planned use of them makes the difference.
Protecting against social engineering attacks is impossible as you cannot buy and install a firewall, like you would have done for a computer system. Security professionals are being told that security through obscurity is very weak (one of the basic laws of information security). In case of social engineering there is no security at all, simply because one cannot obscure the fact that humans use the system or can influence it.
Nenhum comentário:
Postar um comentário