Course project (ĐỀ ÁN MÔN HỌC): SOCIAL ENGINEERING
Supervisor (GVHD): Ths. L Phc
Students (SVTH): H Ngc Thin, Trn Th Thy Mai
Ho Chi Minh City, April 2009

TABLE OF CONTENTS

Chapter 1: OVERVIEW OF SOCIAL ENGINEERING
1.1 The concept of Social Engineering
1.2 Techniques
1.3 Human weaknesses
Chapter 2: CLASSIFICATION
2.1 Human based
2.1.1 Impersonation
2.1.2 Important User
2.1.3 Third-party Authorization
2.1.4 Technical Support
2.1.5 In Person
2.2 Computer based
2.2.1 Phishing
2.2.2 Vishing
2.2.3 Pop-up Windows
2.2.4 Mail attachments
2.2.5 Websites
2.2.6 Interesting Software
Chapter 3: THE STEPS OF A SOCIAL ENGINEERING ATTACK
3.1 Information gathering
3.2 Target selection
3.3 The attack
Chapter 4: THREATS FROM SOCIAL ENGINEERING
4.1 Online Threats
4.1.1 E-mail Threats
4.1.2 Pop-Up Applications and Dialog Boxes
4.1.3 Instant Messaging
4.2 Telephone-Based Threats
4.2.1 Private Branch Exchange
4.2.2 Service Desk
4.3 Waste Management Threats
4.4 Personal Approaches
4.4.1 Virtual Approaches
4.4.2 Physical Approaches
4.5 Reverse Social Engineering
Chapter 5: DESIGNING DEFENSES AGAINST SOCIAL ENGINEERING THREATS
5.1 Building a security management framework
5.2 Risk assessment
5.3 Social engineering in the security policy
Chapter 6: IMPLEMENTING DEFENSES AGAINST SOCIAL ENGINEERING THREATS
6.1 Awareness
6.2 Incident management
6.3 Reviewing the implementation
6.4 Social Engineering and the layered defense-in-depth model

Chapter 1: OVERVIEW OF SOCIAL ENGINEERING

1.1 The concept of Social Engineering:
Social engineering is the exploitation of influence and trust to deceive someone, with the aim of stealing information or persuading the victim to do something. Companies remain highly exposed to attack even though they apply authentication methods, firewalls, virtual private networks (VPNs) and network monitoring software. An employee may inadvertently leak key information in an e-mail, answer a phone call from someone they do not know, or even talk for hours about their project with colleagues at the bar. Security is only as good as its weakest link.
It does not matter how much companies invest in high-quality systems and security solutions such as simple authentication methods, firewalls, VPNs and network monitoring software. No device or security boundary is effective when an employee inadvertently leaks key information in an e-mail, answers a call from a stranger or a new acquaintance, or even boasts about their project to colleagues for hours at the bar. Usually people do not notice their own security lapses, even though they did not intend them. Attackers especially like to develop their social engineering skills, and can become so proficient that their victims never realise they are being deceived. Despite the many security policies in a company, it can still be harmed because the hacker exploits people's goodwill and helpfulness.

Attackers are always looking for new ways to obtain information. They make sure they know the protective perimeter and the people who staff it (security guards, receptionists and help-desk staff) in order to exploit their lapses. People usually judge by appearance. For example, when they see someone in a brown uniform carrying a stack of boxes, people open the door because they assume it is a delivery person. Some companies publish a list of their employees, complete with phone numbers and e-mail addresses, on the company website. Companies also add lists of professional staff trained in Oracle databases or UNIX servers. This small amount of information tells the attacker what kind of system they are about to break into.

1.2 Techniques:
Social engineering involves obtaining confidential information or unauthorised access by building relationships with certain people. The social engineer's result is to trick someone into providing valuable information, or to use that information. It plays on inherent human qualities such as the desire to be helpful, the tendency to trust people, and the fear of getting into trouble. Social engineering is the art and technique of getting someone to agree to do what the attacker wants. It is not a way of controlling other people's minds, and it does not allow the attacker to make someone do things that go beyond ordinary ethical behaviour. And above all, it is not easy to do.
However, it is a method that most attackers use to attack companies. Two types are very common:

Social engineering proper: obtaining the necessary information from a person rather than destroying the system.

Psychological subversion: the hacker's or attacker's purpose when using PsychSub is more complex and involves preparation, analysis of the situation, and careful and precise thought about the words used and the tone of voice; it is often used in the military.

Consider the following situation:

Attacker: Hello, I'm Bob, I'd like to speak with Ms. Alice.
Alice: Hello, this is Alice.
Attacker: Hello Ms. Alice, I'm calling from the data centre, sorry for calling you this early.
Alice: The data centre? I'm having breakfast, but it's fine.
Attacker: I'm calling because there is a problem with the personal details on your account creation form.
Alice: Mine? ... yes.
Attacker: I have to inform you that the mail server crashed last night, and we are trying to restore the mail system. Since you are a remote user, we are handling your case first.
Alice: So is my mail lost?
Attacker: No, we can recover it. But since we are data-room staff, and we are not allowed to touch the office mail system, we need your password; without it we cannot do anything.
Alice: My password? uhm..
Attacker: Yes, we know, the registration form clearly says we are not to ask about this, but it was written by the legal office, so everyone has to follow the rules. (now is the moment to raise the victim's trust)
Attacker: Your username is AliceDxb, isn't it? The systems department gave us your username and phone number, but they did not give us the password. Without the password nobody can access your mail, not even us in the data room. But we have to restore your mail, so we need to access it. We assure you we will not use your password for any other purpose.
Alice: uhm, this password isn't all that private anyway, my password is 123456
Attacker: Thank you for your cooperation. We will restore your mail in a few minutes.
Alice: Are you sure the mail won't be lost?
Attacker: Of course not. You have probably never run into this before; if you have any questions, contact us. You can find the contact number on the Internet.
Alice: Thank you.
Attacker: Goodbye.

1.3 Human weaknesses:
People are prone to many weaknesses in security matters. To defend successfully, we must rely on good policies and on training employees to carry those policies out well. Social engineering is the hardest method to defend against, because neither hardware nor software can be used to counter it.

Note: social engineering focuses on the weak points of the computer security chain. It can be said that the best-secured system is one that is switched off. For anyone who gets access to any part of the system, the physical equipment and the power supply can be a major obstacle. Any information that is gathered can be used with social engineering to gather still more. This means that a person who is not covered by the security policy can also defeat the security system. Security experts consider security that relies on hiding information to be very weak. In the case of social engineering there is no such security at all, because one cannot hide who is using the system and how they can affect it.

There are many ways to reach the goal. The simplest is the direct request, that is, asking a direct question. Although this rarely succeeds, it is the easiest and simplest method. The requester knows exactly what they need. The second way is to create a situation that the victim is involved in. With more factors in play than a bare request to consider, matters the victim personally cares about, the victim can be persuaded to a certain degree, because the attacker can invent reasons more convincing than an ordinary person would. The harder the attacker works, the higher the chance of success and the more information is obtained. This does not mean that such situations are not based on reality: the closer to the truth, the higher the chance of success. One of the important tools used in social engineering is a good memory for collecting facts. That is something hackers and sysadmins excel at, especially when it comes to matters in their own field.

Chapter 2: CLASSIFICATION

Social engineering can be divided into two types: human based and computer based.

2.1 Human-based social engineering: interaction between people in order to obtain the desired information.
Human-based social engineering techniques can roughly be divided into:

2.1.1 Impersonation: in this kind of social engineering attack, the hacker poses as an employee or a legitimate user of the system in order to gain access. For example, the hacker may befriend an employee of a company and in that way gather information related to that company. There is an accepted rule of social interaction that when someone receives help from another person, they are willing to help in return without conditions or requests. It can be seen as gratitude, and gratitude is always found in a cooperative environment. An employee will be willing to help others in the hope that someone may help them later. Social engineers try to exploit this social trait when impersonating others. These tricks have also been used in the past as a disguise for obtaining physical access. Much information can be leaked from paper, from rubbish bins and even from directories and door nameplates.

2.1.2 Posing as Important User: impersonation reaches a higher level by taking on the traits of an important employee, whose words carry weight and are usually trusted more. The gratitude factor plays its part: a lower-level employee will try to help a higher-level employee in order to win his favour. An attacker posing as an important user can easily manipulate an employee who is not on guard. The social engineer uses the power of intimidation, even threatening to report the employee to the employee's supervisor if they do not provide the requested information.

2.1.3 Third-person Authorization: another common social engineering technique is for the attacker to claim that access to a resource has been approved for him by a designated authority. For instance, where one person is responsible for authorising access to sensitive information, the attacker can observe that person carefully and exploit his absence to gain access to the resource. The attacker approaches help-desk staff or others and claims that he has been approved to access the information. This can be especially effective when the responsible person is on leave or away, so that verification cannot happen immediately. People tend to follow delegated authority at work, even when they suspect the requests may not be legitimate. People tend to believe that others are expressing their true position when they make a claim.
Unless there is strong evidence to the contrary, people will believe that the person they are talking to is telling the truth about what they see or need.

2.1.4 Technical Support: a frequently used tactic, especially when the victim is not a technical expert. The attacker may pose as a hardware vendor, a technician or a computer-related supplier and approach the victim.

2.1.5 In Person: the attacker may actually try to visit the target site and observe the situation for information. He may disguise himself as a mail courier or a cleaner, or even wander the corridors as a visitor. He may pose as a businessman, a guest or a technician. Once inside, he can read passwords off screens, find important data lying on desks, or eavesdrop on confidential conversations. Attackers use two techniques here:

2.1.5.1 Dumpster Diving: searching rubbish bins for information written on scraps of paper or on computer printouts. The hacker can find passwords, file names or fragments of confidential information.

2.1.5.2 Shoulder Surfing: a technique for collecting passwords by looking over someone's shoulder while they log in to the system. The hacker can watch a legitimate user log in and then use the password to gain access to the system.

Once inside, the intruder has a clean menu of options to choose from, including wandering the corridors of the building looking for empty offices with employees' login names and passwords stuck on their PCs; going into the mail room to insert forged memos into the company's internal mail; trying to get into the server room or telephone room to extract more information from the running systems; placing a protocol analyser in the wiring closet to capture data, usernames and passwords; or simply stealing the targeted information.

Example: a person calls the help desk and says he has forgotten his password. In a panic, he adds that if he misses the deadline of an advertising project, his boss may fire him. The help-desk employee feels sorry for him and quickly resets the password, which lets the hacker into the company network.
Example: in June 2000, Larry Ellison, the chairman of Oracle, admitted that Oracle had used dumpster diving in an attempt to find information about Microsoft during the antitrust case. The term "larrygate" was coined for it; the practice is nothing new in corporate intelligence.

Some of the things a dumpster can yield:
o The company phone directory, in order to know whom to call later while impersonating someone, is the first step towards access to sensitive data. It provides the exact names and titles needed to act like a legitimate employee. Finding the numbers to call is an easy task once the attacker can determine the company's telephone exchange from the directory.
o Organisation charts; memos; company policy handbooks; calendars of meetings, events and holidays; system manuals; printouts of sensitive data or of login names and passwords; source code printouts; disks and tapes; retired hard drives.

2.2 Computer-based social engineering: the use of software to obtain the desired information. It can be divided into the following types:

2.2.1 Phishing: this term applies to an e-mail that appears to come from a business, a bank or a credit card company, asking for information to be verified and warning of serious consequences if this is not done. The message usually contains a link to a fake web page that looks legitimate, with the company logo, and contains a form asking for username, password, credit card number or PIN.

2.2.2 Vishing: the term combines "voice" and "phishing". It is also a form of phishing, but the attacker calls the victim directly instead of sending e-mail. The user receives an automated message warning of a problem with their bank account. The message instructs them to call another number to fix the problem. When they call, that number connects them to a fake support system that asks them to enter their credit card number. VoIP has given this new form of attack a further boost, because it is cheap and a VoIP call is hard to trace.

2.2.3 Pop-up Windows: a window appears on the screen telling the user that the connection has been lost and that they need to re-enter their username and password. A program installed beforehand by the intruder then e-mails the information to a remote site.

2.2.4 Mail attachments: two common forms can be used. The first is malicious code. This code always arrives in a file attached to the e-mail.
The aim is for an unsuspecting user to click or open the file, for example the ILOVEYOU virus or the Anna Kournikova worm (in that case the attachment was named AnnaKournikova.jpg.vbs; if the file name is truncated it looks like a jpg file and the user does not notice the .vbs extension). The second form, with a similar effect, involves sending a hoax that tricks the user into deleting legitimate files. Hoaxes are designed to clog the mail system by reporting a non-existent threat and asking the recipient to forward a copy to all their friends and colleagues. This can create a so-called snowball effect.

2.2.5 Websites: a trick to make the user unwittingly reveal sensitive data, such as the password they use at work. For example, a website may run a fictitious contest that requires the user to enter an e-mail address and a password. The password entered may be similar to the one used at work. Many employees will enter the same password they use at work, and so the social engineer obtains a valid username and password for accessing the organisation's network.

2.2.6 Interesting Software: in this case the victim is persuaded to download and install programs or applications presented as useful, such as tools to improve CPU or RAM performance, system utilities, or a crack for using licensed software. Spyware or malware (such as a keylogger) is then installed by a malicious program disguised as a legitimate one.

Chapter 3: THE STEPS OF A SOCIAL ENGINEERING ATTACK

3.1 Information gathering:
One of the keys to success in social engineering is information. It is surprisingly easy to gather enough information about an organisation and its employees. Organisations tend to put far too much information on their websites as part of their business strategy. This information often describes, or gives clues about, possible suppliers under contract; phone and e-mail lists; and whether branches exist and where they are. All of this may be useful to potential investors, but it can also be used in a social engineering attack. What organisations throw away can be an important source of information. Searching the rubbish can turn up invoices, letters, manuals and so on, which can help the attacker obtain important information.
The attacker's aim in this step is to learn as much as possible in order to pass as a legitimate employee, supplier, strategic partner, and so on.

3.2 Target selection:
Once a suitable amount of information has been gathered, the attacker looks for notable weaknesses among the organisation's employees. The usual targets are help-desk staff, who are trained mainly to help and who can change passwords, create accounts, reactivate accounts, and so on. The goal of most attackers is to collect sensitive information and gain a foothold in the system. Attackers know that once they have access, even at guest level, they can escalate privileges, launch destructive attacks and cover their tracks. Administrative assistants are the next target. This is because these individuals have access to the sensitive data that is routinely circulated among senior management. Many of these assistants perform daily tasks for their managers that require the manager's account privileges.

3.3 The attack:
The actual attack is usually based on what we call deception. There are three main types:

o Ego attack: in this first type of attack, the attacker relies on some basic human traits. We all like to talk about how clever we are, about what we know, or about how we run or are fixing the company. The attacker uses this to extract information from the victim. The attacker often chooses a victim who feels underappreciated and is working in a position below their talent. The attacker can usually tell this after a short conversation.

o Sympathy attacks: in this second type, the attacker typically poses as an intern, a contractor, or a new employee of a supplier or strategic partner who has got into an awkward situation and needs help to finish a task. The importance of the information-gathering step becomes clear here, because the attacker builds trust with the victim by using the right jargon or showing knowledge of the organisation. The attacker pretends to be in a hurry, having to complete some task that requires access, but cannot remember the username and password, and so on. A sense of urgency is always part of the script. Since people are sympathetic by nature, in most cases the request is granted.
If the attacker fails to get access or information from one employee, he keeps trying until he finds a sympathetic person, or until he realises the organisation has become suspicious.

o Intimidation attacks: in the third type, the attacker poses as an authority figure, such as an influential person in the organisation. The attacker targets victims whose position is lower than that of the person he is impersonating. The attacker invents a plausible reason for requests such as resetting a password, changing an account, or accessing a system or sensitive information.

Chapter 4: THREATS FROM SOCIAL ENGINEERING

There are five main attack vectors that a social engineering hacker uses:

4.1 Online Threats: in our increasingly connected business world, employees routinely use and respond to requests for information coming automatically from both inside and outside the company. This connectivity lets the hacker reach employees. Online attacks such as e-mail, pop-up applications and instant messages use trojans, worms and viruses, collectively called malware, to damage and destroy computer resources. The social engineering hacker persuades the employee to hand over information through a believable ruse, rather than infecting the computer with malware through a direct attack. An attack may yield information that helps the hacker mount a later malware attack, but that result is not the function of social engineering. Therefore employees must be advised on how to recognise and avoid online social engineering attacks.

4.1.1 E-mail Threats: many employees receive dozens or hundreds of e-mails every day, from both business and private e-mail systems. The sheer volume can make it hard to pay attention to every message. This is very useful to the hacker. Most e-mail users feel good when they have dealt with a piece of mail. If the hacker can make a simple request that is easy to deal with, the target will comply without thinking about what he or she is doing. An example of this kind of attack is an e-mail to employees saying that the boss wants everyone's holiday schedules for a meeting, with everyone on the list copied on the e-mail. It is simple to lift a name from the copy list and spoof the sender name so that the mail appears to come from an internal source.
This spoofing is especially easy if the hacker has gained access to a company computer system, because there is no need to break through the perimeter firewalls. Knowing the holiday schedule may not look like a security threat, but it means the hacker knows when an employee is away. The hacker can then impersonate that person with less chance of being discovered.

Using e-mail as a social engineering tool has become common over the past decade. Phishing is described as the use of e-mail to obtain personal identification or restricted information from a user. The hacker can send an e-mail that appears to come from a legitimate organisation, such as a bank or a partner company. The illustration below shows a link that appears to be a legitimate one from the Contoso account management page.

However, on closer inspection we can see two differences:
o The text of the link says the page is secure, using https, whereas the link's real destination uses http.
o The company name in the mail is Contoso, but the link actually goes to a company called Comtoso.

As the term phishing suggests, the approach is speculative, with a generic request for customer information. The realistic disguise used in these e-mail messages, with company logos, fonts and even apparently legitimate toll-free support numbers, makes the e-mail look more credible. In every phishing e-mail there is a request for user information, usually to facilitate an upgrade or an additional service. The e-mail may contain hyperlinks that entice the employee to breach company security. The hacker has a range of phishing options, including hyperlinked images that download malware such as viruses or spyware, or text rendered inside an image, in order to get past hyperlink security filters. Most security measures are designed to keep unauthenticated outsiders out. A hacker can bypass many defences if he can trick a user into bringing a trojan, worm or virus into the company through a link. A hyperlink can also lead the user to a web page that uses pop-up applications asking for information or offering help. The attacks of the social engineering hacker can be countered by treating anything unusual in the Inbox with scepticism.
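As an added example (not the report's own code), the following Python script applies the two e-mail tells described in this section and in 2.2.4 to a constructed message: a link whose visible text shows https and Contoso while the real destination is http and Comtoso, and an attachment whose name hides .vbs behind .jpg, as in the Anna Kournikova case. The sample message, the .example domains and the two extension lists are assumptions made for the example.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# File types a Windows mail client hands to the shell when the user opens them.
EXECUTABLE_EXTS = {"vbs", "exe", "scr", "bat", "cmd", "js", "pif", "com", "hta"}
# "Document" extensions a user reads as harmless; name.jpg.vbs relies on the
# client hiding the final extension, as in the Anna Kournikova worm.
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf"}


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _char_distance(a, b):
    """Differing positions plus the length gap; contoso vs comtoso is 1."""
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))


def check_link(href, text):
    """Findings for one anchor whose visible text is itself a URL (else [])."""
    findings = []
    if "://" not in text:
        return findings  # plain words as link text: nothing to compare against
    shown, real = urlparse(text), urlparse(href)
    shown_host = (shown.hostname or "").lower()
    real_host = (real.hostname or "").lower()
    if shown.scheme == "https" and real.scheme == "http":
        findings.append("text promises https but destination is plain http")
    if shown_host != real_host:
        # One or two changed characters is the Contoso/Comtoso style of spoof.
        kind = "look-alike host" if _char_distance(shown_host, real_host) <= 2 else "different host"
        findings.append(f"{kind}: text shows {shown_host}, link goes to {real_host}")
    return findings


def check_attachment(filename):
    """Findings for an attachment name; [] when nothing would execute."""
    parts = filename.lower().split(".")
    if len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DECOY_EXTS:
        return [f"double extension: looks like .{parts[-2]} but runs as .{parts[-1]}"]
    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS:
        return [f"executable attachment: .{parts[-1]}"]
    return []


def scan_message(raw):
    """Walk an RFC 822 message; return (where, finding) pairs for links and attachments."""
    msg = message_from_string(raw)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            findings += [(filename, f) for f in check_attachment(filename)]
        elif part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            collector = _AnchorCollector()
            collector.feed(part.get_payload(decode=True).decode(charset))
            for href, text in collector.links:
                findings += [(href, f) for f in check_link(href, text)]
    return findings


# Constructed sample: the link text and the attachment name mirror the two
# cases on the page; the .example domains are placeholders.
SAMPLE_MAIL = """\
Subject: Please verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Confirm your details at
<a href="http://www.comtoso.example/verify">https://www.contoso.example/verify</a></p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="AnnaKournikova.jpg.vbs"

(constructed placeholder body, not a script)
--b1--
"""
```

Running scan_message(SAMPLE_MAIL) yields three findings: the https/http downgrade, the look-alike host, and the double extension.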
To support this approach in an organisation, the security policy should include specific e-mail usage guidelines covering:
o Attachments in documents
o Hyperlinks in documents
o Requests for personal or company information from inside the company
o Requests for personal or company information from outside the company

4.1.2 Pop-Up Applications and Dialog Boxes
It is unrealistic to assume that employees never use the company's Internet access for non-work activities. Most employees browse the Web for personal reasons, such as shopping or online research. Personal browsing can expose employees, and therefore the company's computer systems, to social engineers. Even when the company itself is not their specific target, they will use its employees in an attempt to gain access to company resources. One common aim is to plant a mail engine in the company's computing environment, through which the hacker can launch phishing or other attacks on personal or company e-mail.

The two usual methods for luring a user into clicking a button inside a dialog box are to present a warning about a problem, such as a realistic-looking application or system error message, or to offer an additional service, for example a free download that makes the user's computer faster. To experienced IT and Web users these methods look like obvious tricks. But to inexperienced users they can be intimidating and deceptive. Protecting users from social engineering pop-up applications is largely a matter of awareness. To avoid the problem, you can set a default browser configuration that blocks pop-ups and automatic downloads, but some pop-ups can get past these settings. It is more effective to make sure users know they should not click on pop-up windows unless they have checked with support staff.

4.1.3 Instant Messaging: IM presents several potential threats when hackers target it. The first is the informal nature of IM. The chatty character of IM, combined with the option of choosing a made-up name for yourself, means it is not entirely clear whether you are really talking to the person you believe you are talking to.
The illustration below shows how spoofing works, for both e-mail and IM: the hacker (in red) impersonates a known user and sends an e-mail or IM message that the recipient will assume comes from someone they know. Familiarity lowers the user's guard, so they are more likely to click a link or open an attachment from someone they know, or think they know. Most IM providers allow users to be identified by e-mail address, which can help a hacker who has been identified with a standard in-company address to send invitations to others in the organisation. This feature is not a threat in itself, but it means the number of targets inside the company increases greatly.

4.2 Telephone-Based Threats: the telephone is a familiar communication medium, but it is also impersonal, because the target cannot see the hacker. The communication options of most computer systems can also make the Private Branch Exchange (PBX) an attractive target. A cruder form of attack is stealing credit card or calling card numbers at phone booths. Most of these attacks are ordinary theft from an individual. Most people know they should be wary of prying eyes when using an ATM, but most are less careful when entering a PIN at a phone booth. VoIP is a growing market that offers cost benefits to companies. At present, because of the relatively limited number of installations, VoIP hacking is not considered a major threat. However, as more businesses adopt this technology, VoIP spoofing will become as widespread as e-mail and IM spoofing.

4.2.1 Private Branch Exchange: hackers have three main goals when attacking a PBX:
o Requesting information, usually by posing as a legitimate user, either to access the telephone system or to gain remote access to computer systems
o Gaining access in order to make free phone calls
o Gaining access to the communications network

Each of these goals is a variant of the same theme, with the hacker calling the company and trying to obtain phone numbers that give access, directly or through the PBX, to the public telephone network. The hacker term for this is phreaking.
The most common approach is for the hacker to pose as a telephone engineer, asking for an outside line or a password in order to analyse and resolve problems reported in the internal telephone system, as illustrated below:

Requests for information or access over the telephone are a relatively low-risk form of attack. If the target becomes suspicious or refuses to comply, the hacker can simply hang up. Note, however, that the attacks are more sophisticated than a hacker merely calling a company and asking for a user ID and password. The hacker usually presents a scenario, asking for or offering help, before the request for personal or business information comes up, almost as an afterthought. Most users have no knowledge of the internal telephone system beyond their own extension. This is part of the most important defence you can build into the security policy. It is rare for a hacker to approach an ordinary user this way; the most common targets are receptionists and switchboard operators. You must make clear that only the authorised service desk provides assistance to the telephone vendor. In this way, authorised individuals handle all technical support calls. This approach allows the targeted employee to redirect such queries efficiently and quickly to a qualified member of staff.

4.2.2 Service Desk: the service desk, or help desk, is one of the pillars of defence against hackers, but conversely it is also a target for the social engineering hacker. Although support staff are usually aware of the hacking threat, they are also trained to help and support callers, giving them advice and solving their problems. Sometimes the enthusiasm that technical support staff show in providing a solution undermines their commitment to following security procedures and puts them in a dilemma: if they strictly enforce security standards, requiring confirmation that a request or question comes from an authorised user, this can appear unhelpful and obstructive. Marketing, sales and production staff who feel the IT department is not giving them the immediate service they want tend to complain, and top-level managers who are asked to prove their identity often have little sympathy for the help desk's caution.
The service desk has to balance security against business efficiency, so security policies and procedures must support it. It is harder to protect service desk analysts against insiders or contractors who turn hacker: such a hacker knows the internal procedures and has time to make sure he has all the necessary information before calling the service desk.

4.3 Waste Management Threats: dumpster diving is a valuable activity for the hacker. Discarded paper can contain information of immediate benefit, such as discarded user IDs and account numbers, or it can serve as background information, such as organisation charts and phone lists. This kind of information is invaluable to the social engineering hacker, because it makes him seem credible when he starts the attack. Electronic storage media are even more useful to the hacker. If a company has no waste management rules covering surplus storage media, all sorts of information can be found on discarded hard disks, CDs and DVDs. Employees must fully understand the impact of throwing waste paper or electronic storage media into the rubbish. Once the rubbish has been taken outside the company, its ownership can become legally unclear. Dumpster diving may not be illegal in every jurisdiction, so make sure there is guidance on how to deal with waste material. Always shred waste paper into small pieces and erase or destroy magnetic media. If waste is too large or awkward to put in the shredder, such as phone directories, or if destroying it is technically beyond the user's means, a disposal protocol must be developed. Rubbish bins should be placed in a secure area that the public cannot reach.

Besides external waste management, internal waste must also be managed. Security policies usually do not address this, because it is generally assumed that anyone allowed into the company must be trustworthy. Clearly this is not always true. One of the most effective measures for managing waste paper is data classification. You define different categories of paper based on the information they carry and specify how employees must dispose of them. For example, the categories could be:
o Company confidential. Shred all discarded confidential documents before putting them in the bin.
o Private.
Shred all discarded private documents before putting them in the bin.
o Office. Shred all discarded office documents before putting them in the bin.
o Public. Put public documents in any bin, or recycle them as waste paper.

4.4 Personal Approaches
The cheapest and simplest way for a hacker to get information is to ask for it directly. This approach seems crude because it is so obvious, but it has been the basis of confidence tricks from the very beginning. There are four main approaches that have proven successful for social engineers:
o Intimidation: this approach may involve impersonating an authority figure to coerce the target into complying with the request.
o Persuasion: the usual forms of persuasion are flattery and name-dropping, claiming to know prominent people.
o Ingratiation: this approach is a long-term ploy in which a subordinate or colleague builds a relationship in order to gain trust and, eventually, information from the target.
o Assistance: with this approach, the hacker offers to help the target. The assistance ultimately requires the target to reveal personal information that helps the hacker steal the target's identity.

Protecting users against these kinds of personal approach is very difficult. The defence against intimidation attacks is to develop a culture without fear in the business. If the normal demeanour is polite, the success of intimidation drops, because individuals prefer to escalate rather than confront. A supportive attitude from management and supervisors towards escalating problems and decisions is the worst thing that can happen to a social engineering hacker. His aim is to push the target into a quick decision; the more the issue is referred to higher authority, the less likely he is to achieve that aim. Persuasion is always an important means to an end. You cannot engineer it out of your workforce, but you can give strict guidelines on what an individual should and should not do. The hacker will always ask for, or present a scenario that leads to, restricted information from a user. Ongoing awareness campaigns and basic guidelines covering security devices such as passwords are the best defence.

4.4.1 Virtual Approaches
The social engineering hacker needs to make contact with the target in order to carry out the attack. Most often this happens through an electronic medium such as e-mail or a pop-up window.
The volume of spam and junk mail arriving in most personal mailboxes makes this attack method less successful, as users have become more sceptical of the flood of letters and requests to take part in lucrative and supposedly legitimate financial transactions. Even so, the sheer volume of mail and the use of trojans mean it remains attractive to some hackers, even with a minimal success rate. Most of these attacks are personal and aim to discover information about the target. However, for businesses, the widespread practice of allowing business systems such as Internet access and computers to be used for personal purposes means the hacker can penetrate the network. The telephone provides a more personal touch, but this approach has a lower success rate. The limited risk of being caught means hackers do use the telephone as a means of approach, but mainly for attacks on the PBX and the service desk; most users will be suspicious of a call requesting information from someone they do not know.

4.4.2 Physical Approaches
Less common, but more effective for the hacker, is direct personal contact with the target. Only the most suspicious employees will question the legitimacy of someone who introduces himself and asks for, or offers, help with the computer system. Although these approaches carry greater risk for the perpetrator, the benefits are clear: the hacker can gain free access to the company's computer systems, inside the perimeter where the existing defences sit. The growth in the use of mobile technology, which lets users connect to the company network while on the road or at home, is another major threat to corporate IT resources. Possible attacks range from the simplest observation attack, such as a hacker looking over the shoulder of a laptop user on a train to read an ID and password, to more sophisticated attacks such as a router "upgrade" delivered and installed by a "service engineer" who gains access to the enterprise network by asking for a user ID and password.

4.5 Reverse Social Engineering
This is a more advanced form of social engineering that overcomes the common difficulties of ordinary social engineering. It can be described as a legitimate user of the system asking the hacker questions to get information. In RSE the hacker is perceived as being in a higher position than the legitimate user, who is actually the target.
To carry out an RSE attack the attacker must understand the system and must usually have obtained some prior access, typically through ordinary social engineering. A comparison of SE and RSE:
o Social engineering: the hacker initiates the call and depends on the user.
o Reverse social engineering: the user initiates the call and depends on the hacker.
o Social engineering: the user feels that the hacker owes them.
o Reverse social engineering: the user feels that they owe the hacker.
o Social engineering: questions are often left unresolved for the victim.
o Reverse social engineering: every problem is resolved, so the exchange ends without suspicion.
o Social engineering: the user is controlled by being asked for information.
o Reverse social engineering: the hacker is completely in control.
o Social engineering: little or no preparation is needed.
o Reverse social engineering: considerable planning and prior access are needed.

A typical RSE attack has three main parts: sabotage, advertising, and assisting. After gaining access by other means, the hacker sabotages the workstation, either by damaging it or by making it appear damaged. Abundant error messages, altered parameters or options, or a fake program can all serve as the sabotage. The user notices the malfunction and looks for help. To be the person the user calls, the attacker must advertise that he can fix the fault. Advertising may mean leaving forged business cards around the offices, or even placing a bogus telephone number directly in the error message. An example error message might read:

** ERROR 03 - Restricted Access Denied ** - File access not allowed by user. Consult with Mr. Downs at (301) 555-1414 for file permission information.

In this case the user calls Mr. Downs for help and reveals account information without ever questioning Mr. Downs' legitimacy. Another advertising method is social engineering itself: for example, the hacker calls the target, tells them that the technical support number has just changed, and gives them his own number. The third (and easiest) part of an RSE attack is for the hacker to help solve the problem. Because the hacker created the sabotage, the problem is easy to fix, and the target does not suspect the helper, who comes across as a knowledgeable user of the system.
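The error-message lure above is text that a user sees on screen (or in a pop-up or e-mail), so it can be checked mechanically before anyone dials the number. The following Python is an added example and is not part of the original report or of any product it refers to: it flags messages that steer the user toward a contact other than the approved service desk. The approved number (301) 555-1000, the regular expressions, and the three sample messages are assumptions constructed for the example; the first sample is the Mr. Downs message quoted above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Hypothetical approved service-desk numbers (10 digits, no punctuation).
# In a real deployment this list comes from the company's own service-desk policy.
APPROVED_SUPPORT_NUMBERS = {"3015551000"}

REASON_UNAPPROVED_NUMBER = "phone number is not on the approved service-desk list"
REASON_NAMED_PERSON = "directs the user to a named individual instead of the service desk"
REASON_NUMBER_CHANGED = "claims the support number has changed"

# North American style numbers, optionally prefixed with +1 (assumption for the example).
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
# A contact instruction plus the rest of its line.
CONTACT_RE = re.compile(r"\b(?:consult|contact|call|phone|ring)\b[^\n]{0,80}", re.I)
NAME_RE = re.compile(r"\b(?:Mr|Mrs|Ms|Dr)\.?\s+[A-Z][a-z]+")
CHANGE_RE = re.compile(r"\b(?:new|changed|updated)\b", re.I)
SUPPORT_RE = re.compile(r"\b(?:number|extension|help ?desk|support)\b", re.I)


@dataclass(frozen=True)
class Finding:
    reason: str
    evidence: str


def normalise(number: str) -> str:
    """Reduce a phone number to its 10 digits, dropping a leading country code 1."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def check_message(text: str) -> list[Finding]:
    """Return the reasons a message looks like an RSE 'advertising' lure."""
    findings: list[Finding] = []
    # 1. Any phone number that is not the official service desk.
    for m in PHONE_RE.finditer(text):
        if normalise(m.group()) not in APPROVED_SUPPORT_NUMBERS:
            findings.append(Finding(REASON_UNAPPROVED_NUMBER, m.group()))
    # 2. "Consult/contact/call <title> <Name>": help routed to a person, not a desk.
    for m in CONTACT_RE.finditer(text):
        name = NAME_RE.search(m.group())
        if name:
            findings.append(Finding(REASON_NAMED_PERSON, name.group()))
    # 3. A sentence claiming the support number/extension is new or changed.
    for sentence in re.split(r"(?<=[.!?])\s+", text):
        if CHANGE_RE.search(sentence) and SUPPORT_RE.search(sentence):
            findings.append(Finding(REASON_NUMBER_CHANGED, sentence.strip()))
    return findings


def is_lure(text: str) -> bool:
    return bool(check_message(text))


# Constructed samples; the first is the error message quoted in the text above.
LURE_ERROR = ("** ERROR 03 - Restricted Access Denied ** - File access not allowed by user. "
              "Consult with Mr. Downs at (301) 555-1414 for file permission information.")
BENIGN_ERROR = "Error 5: access denied. Contact the IT service desk at (301) 555-1000."
CHANGED_NUMBER = "Our help desk number has changed. Please call 301-555-2222 for any login problems."

if __name__ == "__main__":
    for msg in (LURE_ERROR, BENIGN_ERROR, CHANGED_NUMBER):
        print("SUSPICIOUS" if is_lure(msg) else "ok        ", msg[:60])
        for f in check_message(msg):
            print("   -", f.reason, "->", f.evidence)
```

The check only catches the textual form of the lure (error dialogs, pop-ups, e-mail); the telephone variant described above, where the hacker simply tells the target that the support number has changed, has no artefact to scan and is covered by the awareness and service desk policies of chapters 5 and 6.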
The hacker's only task is to obtain account information from the target while helping them. Once the information has been obtained, the hacker resolves the problem and ends the conversation with the target.

Chapter 5: DESIGNING DEFENSES AGAINST SOCIAL ENGINEERING THREATS

Having understood the wide range of threats, three steps are needed to design a defense against social engineering threats to the company's staff. An effective defense is a function of planning. Defense is usually reactive: you discover a successful attack and put up a barrier to make sure the problem does not recur. Although that approach shows some awareness, the solution comes too late if the problem is large or costly. To pre-empt such a scenario, the three steps are:

Develop a security management framework. Define the set of social engineering security objectives and the staff responsible for delivering them.
Carry out a risk management assessment. Threats do not present the same level of risk to every company; each social engineering threat must be reviewed and the danger it poses to the organization rationalized.
Implement social engineering defenses in the security policy. Develop a written set of policies and procedures that tell staff how to handle situations that may be social engineering attacks. This step assumes that a security policy already exists for threats other than social engineering. If there is no security policy at present, one must be developed.

5.1 Developing a security management framework

A security management framework sets out an overview of the social engineering threats that may face the organization and assigns the job roles responsible for developing the policies and procedures that mitigate them. This does not mean you must employ staff whose only function is to secure the company's assets. The roles are:

Security sponsor. A senior manager who can provide the authority needed to ensure that all staff take the company's security seriously.
Security manager. A management-level employee responsible for arranging the development and maintenance of the security policy.
IT security officer. Technical staff responsible for developing the infrastructure and implementing security policies and procedures.
Facilities security officer.
A member of the facilities team responsible for site development and for implementing security policies and procedures.
Security awareness officer. A member of the staff management team, usually from staff development or human resources, responsible for developing and running the security awareness campaign.

This group, the Security Steering Committee, acts as the company's advisory body on the subject. As the chosen champions of security, the Security Steering Committee must set the core objectives of the security management framework. Without a defined set of objectives it is difficult to encourage staff participation or to measure the project's success. The committee's first task is to identify the social engineering risks that exist in the company, that is, the areas in which the company may be exposed. This process can cover the attack vectors identified in this document as well as company-specific factors such as the use of public terminals or office management procedures. For example:

Company Social Engineering Attack Vector Vulnerabilities

Attack vector | Company usage | Comments
Online: E-mail | All users have Microsoft Outlook on desktop computers. |
Online: Internet | Mobile users have Outlook Web Access (OWA) in addition to Outlook client access. |
Online: Pop-up applications | There is currently no technological barrier implemented against pop-ups. |
Online: Instant Messaging | The company allows unmanaged use of a variety of IM products. |
Telephone: PBX | |
Telephone: Service Desk | Currently the Service Desk is a casual support function provided by the IT department. | We need to extend support provisions beyond the IT area.
Waste management: Internal | All departments manage their own waste disposal. |
Waste management: External | Dumpsters are placed outside the company site. Garbage collection is on Thursday. | We do not currently have any space for dumpsters within the site.
Personal approaches: Physical security | |
Personal approaches: Office security | All offices remain unlocked throughout the day. |
Personal approaches: Home workers | 25 percent of staff works from home. | We have no written standards for home worker security and no protocols for home worker on-site maintenance.
Other/Company-specific: In-house franchisees | All catering is managed through a franchise. | We do not know anything about these staff, and there is no security policy for them.

5.2 Risk assessment

Every security requirement must be assessed for the level of risk that an attack would pose to the company. Although the risk assessment needs to be thorough, it need not be time-consuming. Building on the work done when the Security Steering Committee defined the core elements of the security management framework, you can categorize and prioritize the risks. The risk categories are:
Confidential information
Business credibility
Business availability
Resources
Money

Priorities can be set by identifying each risk and estimating the cost of mitigating it; if mitigation would cost more than the risk itself, it may not be justified. The risk assessment stage can be very useful in the final development of the security policy. For example:

Steering Committee Security Requirement and Risk Matrix

The risk type columns (Confidential information, Business credibility, Business availability, Resources, Money), the risk level (High = 5, Low = 1) and the Action column are left blank in this template for the committee to fill in.

Attack vector | Possible policy requirement | Risk type | Risk level | Action
(General) | Written set of social engineering security policies | | |
(General) | Changes to make policy compliance part of the standard employee contract | | |
(General) | Changes to make policy compliance part of the standard contractor contract | | |
Online: E-mail | Policy on types of attachments and how to manage them | | |
Online: Internet | Internet usage policy | | |
Online: Pop-up applications | Policy for Internet usage, with specific focus on what to do with unexpected dialog boxes | | |
Online: Instant Messaging | Policy on supported and allowable IM clients | | |
Telephone: PBX | Policy for PBX support management | | |
Telephone: Service Desk | Policy for the provision of data access | | |
Waste management: Paper | Policy for waste paper management; dumpster management guidelines | | |
Waste management: Electronic | Policy for the management of electronic media waste materials | | |
Personal approaches: Physical security | Policy for visitor management | | |
Personal approaches: Office security | Policy for user ID and password management (no writing passwords on a sticky note and attaching it to a screen, for example) | | |
Personal approaches: Home workers | Policy for the use of mobile computers outside the company | | |
Other/Company-specific: In-house franchisees | Policy for screening in-house franchise employees | | |

5.3 Social engineering in the security policy

IT staff and company management must develop and help enforce an effective security policy in the organization. The focus of a security policy is sometimes limited to technical controls that protect against technical threats such as viruses and worms; technical controls protect technical assets such as data files, program files, and operating systems. The Security Steering Committee, with its core security areas and risk assessment in hand, must commission the development of the business documents, processes, and procedures. For example:

Steering Committee Procedure and Document Requirements

Policy requirement | Procedure / document requirement | Action on / date
Written set of social engineering security policies | None |
Changes to make policy compliance part of the standard employee contract | 1. Wording for new contract requirements (Legal) 2. New format for contractor contracts |
Changes to make policy compliance part of the standard contractor contract | 1. Wording for new contract requirements (Legal) 2. New format for contractor contracts |
Policy for visitor management | 1. Procedure for visitor sign in and sign out 2. Procedure for visitor accompaniment |
Dumpster management guidelines | 1. Procedure for waste paper disposal (see Data) 2. Procedure for electronic media disposal (see Data) |
Policy for the provision of data access | |
Policy for waste paper management | |
Policy for the management of electronic media waste materials | |
Policy for Internet usage, with specific focus on what to do with unexpected dialog boxes | |
Policy for user ID and password management (no writing passwords on a sticky note and attaching it to a screen, etc.) | |
Policy for the use of mobile computers outside the company | |
Policy for managing issues when connecting to partner applications (banking, financial, buying, stock management) | |

Chapter 6: IMPLEMENTING DEFENSES AGAINST SOCIAL ENGINEERING THREATS

Once you have written and agreed the security policy, you must roll it out to staff and get them to follow it. Although technical controls can be implemented without staff being aware of them, you must have their support if the defenses are to be implemented successfully.

6.1 Awareness

There is no substitute for a good awareness campaign when implementing the social engineering elements of the security policy. Staff must be trained so that they understand the policy, understand why it exists, and know how to respond to a suspected attack. The key element of a social engineering attack is trust: the target trusts the hacker. To counter this form of attack, encourage healthy skepticism among staff toward anything out of the ordinary, and build their trust in the IT support infrastructure that backs the company. The elements of an awareness campaign depend on how you communicate with staff in the company: structured training, informal meetings, posters, or other events can all be used to publicize the security policy. The more the content of the policy is reinforced, the more successful its implementation will be. Although security awareness can be launched with a big event, it is important to keep security prominent on the agenda of both management and staff.

6.2 Incident management

When a social engineering attack occurs, make sure that service desk staff know how to handle the incident. Response protocols should exist in the procedures attached to the security policy, but incident management also means using the attack as the starting point for a security review.
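Section 6.2 asks the service desk to record each incident (target name, target area, date, attack vector, description, result, effectiveness, recommendations) and notes that logged incidents reveal patterns. The following Python is an added example, not part of the original report: it holds such records and looks for one such pattern, the same attack vector used against several people in one area within a short window, and computes how often each vector succeeds. The six incidents, the seven-day window and the three-target threshold are constructed assumptions, not data from the report.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Incident:
    """One service-desk incident record, with the fields listed in section 6.2."""
    target: str
    area: str
    date: date
    vector: str
    description: str
    result: str
    effective: bool          # did the attacker get what they asked for?
    recommendations: str


@dataclass(frozen=True)
class Campaign:
    vector: str
    area: str
    first: date
    last: date
    targets: frozenset[str]


def find_campaigns(incidents, window_days: int = 7, min_targets: int = 3) -> list[Campaign]:
    """Flag a (vector, area) pair when at least min_targets distinct people were
    approached the same way within window_days of each other."""
    groups: dict[tuple[str, str], list[Incident]] = defaultdict(list)
    for inc in incidents:
        groups[(inc.vector, inc.area)].append(inc)

    campaigns: list[Campaign] = []
    for (vector, area), group in groups.items():
        group.sort(key=lambda i: i.date)
        best = None
        for idx, last in enumerate(group):
            # Sliding window ending at this incident.
            earliest = last.date - timedelta(days=window_days)
            window = [i for i in group[: idx + 1] if i.date >= earliest]
            targets = frozenset(i.target for i in window)
            if len(targets) >= min_targets and (best is None or len(targets) > len(best.targets)):
                best = Campaign(vector, area, window[0].date, last.date, targets)
        if best is not None:
            campaigns.append(best)
    return campaigns


def effectiveness_by_vector(incidents) -> dict[str, float]:
    """Fraction of incidents per attack vector in which the attacker succeeded."""
    hits: dict[str, int] = defaultdict(int)
    totals: dict[str, int] = defaultdict(int)
    for inc in incidents:
        totals[inc.vector] += 1
        hits[inc.vector] += int(inc.effective)
    return {v: hits[v] / totals[v] for v in totals}


# Constructed sample log (not real incidents).
INCIDENTS = [
    Incident("Alice", "accounts", date(2009, 3, 2), "telephone",
             "caller claiming to be IT asked for her password to 'fix e-mail'", "refused", False,
             "praise; remind desk to log caller ID"),
    Incident("Bob", "accounts", date(2009, 3, 3), "telephone",
             "same pretext; asked for user ID and password", "user ID disclosed", True,
             "reset account; reinforce telephone policy"),
    Incident("Dan", "reception", date(2009, 3, 4), "in person",
             "'courier' asked for the door code", "refused", False,
             "visitor sign-in procedure followed"),
    Incident("Carol", "accounts", date(2009, 3, 5), "telephone",
             "same pretext; asked for password", "password disclosed", True,
             "reset account; brief accounts team"),
    Incident("Erin", "accounts", date(2009, 3, 20), "e-mail",
             "invoice attachment with macro", "attachment opened", True,
             "block macro attachments at gateway"),
    Incident("Frank", "hr", date(2009, 3, 21), "e-mail",
             "invoice attachment with macro", "reported to service desk", False, "none"),
]

if __name__ == "__main__":
    for c in find_campaigns(INCIDENTS):
        print(f"campaign: {c.vector} against {c.area}, {c.first} to {c.last}, targets {sorted(c.targets)}")
    for vector, rate in sorted(effectiveness_by_vector(INCIDENTS).items()):
        print(f"{vector}: {rate:.0%} effective")
```

On the sample log the telephone calls to the accounts team show up as one campaign (three people in four days) even though two of the three targets refused, which is the point of logging refusals as well as successes: the pattern is visible before the attacker gets lucky.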
Security is a journey rather than a destination, because the attack vectors keep changing. Each incident provides new input to the continuous security review in the incident response model, illustrated in the figure below:

[Figure: incident response model (not reproduced)]

When a new incident occurs, the Security Steering Committee reviews it for any new or changed risk to the company and creates or updates policies and procedures based on what was learned. All changes must follow the company's change management standards for the security policy. To manage incidents, service desk staff must have a flexible incident reporting procedure that records the following:
Target name
Target area
Date
Attack vector
Attack description
Attack result
Attack effectiveness
Recommendations
By recording incidents, patterns can be identified and later attacks prevented.

6.3 Reviewing the implementation

When reviewing security it is easy to become oversensitive to the countless potential threats. The security policy must keep in view that the business exists to do business. If a security proposal would harm the organization's profitability or commercial agility, the risk needs to be reassessed. You must strike a balance between security and the usability of what is implemented. It is also important to weigh the commercial benefit of a reputation as a security-conscious company: it not only deters hackers but also improves the company's business profile with customers and partners.

6.4 Social engineering and the defense-in-depth layered model

The defense-in-depth layered model classifies security solutions against attack vectors, the areas of weakness a hacker can use to threaten the computing environment. Its layers are:
o Policies, procedures, and awareness: the written rules you develop to manage every area of security, and the education program that ensures staff know, understand, and follow them.
o Physical security: the barriers that control access to assets and resources. It is important to remember the last of these; for example, if you place dumpsters outside the company premises, they are outside the company's physical security.
o Data: business information such as accounts and e-mail. When considering threats, the data security plan must cover both hard and soft copies of documents.
o Applications: the programs users run. You must assess how a social engineering hacker could subvert programs such as e-mail or IM.
o Host: the server and client computers used in the organization. Make sure users are protected against direct attacks on these computers by defining strict guidelines on what software may be used on them and on how security devices such as user IDs and passwords are managed.
o Internal network: the network over which the company's computer systems communicate. It may be local, wireless, or a WAN. Internal networks have become less internal over recent years as home and mobile working have spread, so make sure users understand that they must work securely in every networked environment.
o Perimeter: the point of contact between the internal network and external networks such as the Internet, or the networks of business partners, which may form part of an extranet. Social engineering attacks often try to breach the perimeter in order to launch attacks on data, applications, and hosts across the internal network.

When designing defenses, the defense-in-depth model helps visualize the areas of the business that may be under threat. The model was not designed for social engineering threats, but every layer should have a defense against them.