/* What is social engineering? */

Broadly speaking, social engineering is the art and science of getting people to comply with your wishes in order to satisfy your own. It is not a way of controlling the will, it cannot help you master people outside their normal state of mind, and it is not easy to learn or to use. It also involves a variety of flexible ideas and changes. At any time, before taking the information they need, social engineering practitioners must master a large body of relevant background knowledge, spend time collecting information, and carry out the necessary communication. As with past intrusions, most of the work in social engineering is the preparation done before the attempt, and that work is even heavier than the attempt itself.

You may think that the present discussion is just a "how-to" on how this technique can also be used to intrude. Well, it is. In any case, "knowing how these methods work" is the only means that can prevent and resist this type of intrusion attack. Knowledge of these techniques can help you or your organization prevent this type of attack. In the event of a social engineering attack, a warning like the ones CERT distributes, carrying only a small amount of relevant information, is meaningless. They usually boil down to: "Some people have tried to access your system by 'pretending to be someone they are not'. Don't let them succeed." Yet this phenomenon happens again and again.

/* What is it? */

Social engineering targets the most vulnerable link in the chain of computer information security work. We often say that the safest computer is one that has already been unplugged (note: the network interface) (note: "physical isolation"). In reality, you can convince someone (note: a user) to take this machine in its abnormal working state, which is easy to attack (note: a vulnerability), plug it in (note: connect it to the network) and start it up (note: provide daily services). From this it can be seen that "people" are very important in the whole security system. Unlike the computer systems on this earth, people do not rely on others to intervene (note: people have their own subjective thinking). This means that this vulnerability in information security exists generally, regardless of system platform, software, network or agent. Whether physically or in virtual electronic information, anyone who can access a part of it (note: some service) may constitute a potential security risk and threat. Any subtle piece of information may be used by a social engineer as "supplementary material" to obtain other information. This means that leaving the "person" (note: here, the participant is the user/administrator) out of the enterprise security management strategy will leave a large security "crack".

/* A big problem? */

Security experts often state security concepts very vaguely, which leads to information security being given too little weight. In this regard, social engineering is one of the fundamental causes of insecurity. We should not blur the fact that human beings use computers or influence how computer systems work. Almost everyone has a way of attempting a social engineering "attack"; the only difference is the skill with which these ways are used.

/* Method */

There are many ways to drive someone to complete, according to your will, the task you want done. The first and simplest method is to ask the target individual directly for what you need in order to achieve your purpose. There is no doubt that this is the easiest to succeed with and the simplest and most intuitive way. Of course, the individual being asked will also know what you want to do.

The second is to place a person in a contrived (note: fabricated) situation/environment. This approach involves more than just considering the informational state of an individual. For example, to persuade your target you can set up (note: deliberately arrange) a reason/motive that forces them to produce a result that is not of their own will. This involves far more work than a persuasive attempt aimed at a particular individual, and requires a great deal of the knowledge you want to obtain. It also means those specific situations/environments must be based on objective facts. The fewer lies, the better the effect. One of the most refined tools in social engineering is a good memory for real facts. Hackers and system administrators tend to focus more on this, especially when the facts relate to their own field. To illustrate the above method, I will list a small example ....... [Example: when you "place" an individual in a situation of group/social pressure (note: of the kind such as the pressure of public opinion), the individual is likely to act in line with the group's decision, even though that decision is obviously wrong.]

/* Consistency */

If someone firmly believes that, in a given case, their group's decision is right, this will cause them to make different judgments/behave differently. For example, if I have put forward a conclusion whose supporting reasons are very full (note: here, the collective will of the members of the group), then no matter how much energy I spend trying to convince them, they will change their decisions. In addition, a group is made up of members of different positions/hierarchies. This position/hierarchy issue is called "Demand Characteristics", and participants are strongly affected by its social constraints. Not wanting to be the odd one out, not wanting to be looked at by others, and not wanting to damage a viewpoint held by people one is on good terms with: these are the factors that form the "go with the flow" mindset. Making use of this characteristic is an effective way to guide people's behavior.

/* Situations */

No matter how much a social engineering act relies on influencing factors such as social pressure applied to individuals, a trusted relationship with the target must be established. In such a situation, the target individual is likely to follow your wishes when certain real or fictitious intrinsic features are present. These inherent features include:

• Pressure from outside the target individual: making the individual believe that the consequences of a certain action are not their responsibility.
• The chance to please someone. Whether the individual acts depends on whether they see the act as a "benefit" for someone; such behavior can, for instance, put them on better terms with the boss.
• Moral responsibility. Individuals follow you because they feel (note: morally) obliged to do so. This is the use of guilt. People would rather escape guilt, so if there is a "possibility" that would make them feel guilty, they will avoid that "possibility" as much as they can.

/* Personal persuasion */

Personal reputation/persuasive ability is a good and often used means of encouraging someone to cooperate with/obey you. The purpose of using personal persuasion is not to force others to accept the "task" you assign, but to increase their willingness to carry out the assigned task of their own accord. In fact, this is somewhat contradictory. Basically, the target is simply guided into an already set, specific (note: intentional) mode of thinking. The target will think they are in control of the situation and that they are helping you through their own strength. In fact, the benefit the target obtains comes indirectly, from helping you obtain the benefit you get from this. The social engineer's aim is to persuade the target so that they have sufficient reason to believe that only a small amount of time and energy is being "exchanged".

/* Cooperation */

There are a number of factors that can increase a social engineer's chance of gaining "cooperation" from the target. Avoid conflict with the target: facing each other with a peaceful attitude improves the chance of achieving the purpose. Drawing on existing relationships or developing new ones, shared troubles, or some particular task can effectively bring the target to work with you. The factors on the "road to success" here are concentrated in your ability to master and handle persuasion. This is very important; it is often taken as the yardstick of a "liar" (note: someone who habitually uses deception). Psychological research points out that if a person has previously followed a very small guide (note: successfully), he/she is more likely to follow a bigger one (note: guide). So if there is prior experience of cooperation, the chance of success this time is great. A better way is to give the target some of the more sensitive information, especially very realistic audiovisual material: the target can see or hear the information you give them, which is more convincing than your voice alone over the phone. This point is not hard to accept; information in written or electronic form is hard to find convincing. It is just like how easy it is to rebuff someone communicating in the IRC style.

/* Association */

However it is put, social engineering can succeed when there is a major relationship between the target individual and your purpose. We can say that system administrators, computer security officers, technical researchers, and those who follow computers/networks or deal with most hackers are the kind of target that social engineering attacks. A highly associated individual will be persuaded by strong and favorable arguments. In fact, you can give them ever stronger and more favorable arguments to support your point of view. Of course, those views also have weak sides. Whether you expose the weakness of the argument to a highly associated person who would recognize it will largely determine whether you can convince them.

When someone liable to be influenced by a social engineering attack is given weak arguments, a sense of "reversal" arises in their thinking. So when facing people who are associated with your purpose, you must give strong arguments and avoid having weak reasons discovered. By contrast, those who have no stake in your guidance or in what you want can be put in the category of "low-association people". Related examples: security guards at a network system institution, cleaning workers, or the receptionist. Because individuals in the low-association category do not affect your purpose/results, and they rarely analyze both sides of the arguments you use to convince them, their decisions tend to follow your will or to be swayed by other "awareness". This "awareness" includes: the reasons provided by the social engineer, the surface situation, or someone's persistence. From experience, in this case we can only give them as many arguments and reasons as possible, and the effect is expected to be better. Basically, for those whose thinking is not consistent with yours, the effort to convince them should exceed their degree of association with your purpose. One thing to be aware of: when some task is performed, people of low ability defer to the behavior of individuals of high ability. In computer system management, "low ability" mostly refers to the "low-association people" mentioned above. On the above view, do not attempt social engineering attacks on individuals such as system administrators unless they are not as good as you, and that is very unlikely.

/* Defense against the attack */

Can all this information help readers better secure their entire computer system? In fact, the first step toward "better" is to accept that the information security of our computer systems depends on whether employees can protect their computer systems in the course of their jobs. This not only requires you to raise their security awareness unconditionally, but also requires greater vigilance. Conversely, if you make someone responsible for protecting your computer system's security, it becomes convenient for them to access your system without normal authorization. In any case, the most effective means of defending against this type of attack, and also the most common, is "education/training".