Social Engineering 1

POSTS AND TELECOMMUNICATIONS INSTITUTE OF TECHNOLOGY

HO CHI MINH CITY CAMPUS

COURSE PROJECT:
SOCIAL ENGINEERING
Supervisor: MSc. Le Phuc
Students: Ho Ngoc Thien
Tran Thi Thuy Mai
Ho Chi Minh City, April 2009
TABLE OF CONTENTS
Chapter 1: OVERVIEW OF SOCIAL ENGINEERING
1.1 The concept of social engineering
1.2 Techniques
1.3 Human weaknesses
Chapter 2: CLASSIFICATION
2.1 Human-based
2.1.1 Impersonation
2.1.2 Important User
2.1.3 Third-party Authorization
2.1.4 Technical Support
2.1.5 In Person
2.2 Computer-based
2.2.1 Phishing
2.2.2 Vishing
2.2.3 Pop-up Windows
2.2.4 Mail attachments
2.2.5 Websites
2.2.6 Interesting Software
Chapter 3: STAGES OF A SOCIAL ENGINEERING ATTACK
3.1 Information gathering
3.2 Target selection
3.3 The attack
Chapter 4: SOCIAL ENGINEERING THREATS
4.1 Online Threats
4.1.1 E-mail Threats
4.1.2 Pop-Up Applications and Dialog Boxes
4.1.3 Instant Messaging
4.2 Telephone-Based Threats
4.2.1 Private Branch Exchange
4.2.2 Service Desk
4.3 Waste Management Threats
4.4 Personal Approaches
4.4.1 Virtual Approaches
4.4.2 Physical Approaches
4.5 Reverse Social Engineering
Chapter 5: DESIGNING DEFENSES AGAINST SOCIAL ENGINEERING THREATS
5.1 Building a security management framework
5.2 Risk assessment
5.3 Social engineering in the security policy
Chapter 6: IMPLEMENTING DEFENSES AGAINST SOCIAL ENGINEERING THREATS
6.1 Awareness
6.2 Incident management
6.3 Reviewing the implementation
6.4 Social engineering and the layered defense-in-depth model
Chapter 1: OVERVIEW OF SOCIAL ENGINEERING
1.1 The concept of social engineering:
Social engineering is the use of influence and trust to deceive a person, with the aim of stealing information or persuading the victim to carry out some action.
Companies that deploy authentication methods, firewalls, virtual private networks (VPNs) and network monitoring software are still very much open to attack.
An employee may inadvertently leak key information in an e-mail, answer a phone call from someone they do not know, or even talk about their project with colleagues for hours at the pub.
Security is only as good as its weakest link. It makes no difference that companies invest in high-quality systems and security solutions such as simple authentication methods, firewalls, VPNs and network monitoring software: no device or security boundary is effective when an employee inadvertently leaks key information in an e-mail, answers a call from a stranger or a new acquaintance, or boasts about their project with colleagues for hours at the pub.
Usually people do not notice their own security lapses, even though they are unintentional. Attackers particularly like to develop their social engineering skills, and can become so proficient that their victims never realize they are being deceived. Even with many security policies in place, a company can still be harmed when a hacker exploits people's goodwill and helpfulness.
Attackers are always looking for new ways to obtain information. They make sure they know the protective perimeter and the people who staff it (security guards, receptionists and support staff) so they can exploit their lapses. People usually judge by appearances: for example, when they see someone in a brown uniform carrying a stack of boxes, they open the door because they assume it is a delivery person.
Some companies publish a list of their employees, with phone numbers and e-mail addresses, on the company website. Others go further and list the professional staff trained on Oracle databases or UNIX servers. This small amount of information tells the attacker what kind of system they are about to break into.
1.2 Techniques:
Social engineering consists of obtaining confidential information or unauthorized access by building relationships with certain people.
The social engineer's result is to deceive someone into providing valuable information, or to make use of that information.
It plays on inherent human qualities, such as the desire to be helpful, the tendency to trust people, and the fear of getting into trouble.
Social engineering is the art and technique of getting someone to agree to do what the attacker wants. It is not mind control, and it does not let the attacker make someone do things that go beyond ordinary moral conduct. Above all, it is not easy to do. Nonetheless, it is the method most attackers use against a company. Two kinds are very common:
o Social engineering: obtaining the needed information from a person rather than destroying the system.
o Psychological subversion: the hacker's or attacker's aim when using PsychSub is more complex; it involves preparation, analysis of the situation, and careful, precise thought about the words used and the tone of voice. It is often used in the military.
Consider the following scenario:
Attacker: Hello ma'am, my name is Bob, I would like to speak with Ms. Alice.
Alice: Hello, this is Alice.
Attacker: Hello Ms. Alice, I'm calling from the data center, sorry to call you this early.
Alice: The data center? I'm having breakfast, but that's fine.
Attacker: I'm calling because there is a problem with the personal details on your account creation form.
Alice: Mine... yes.
Attacker: I'm informing you that the mail server crashed last night, and we are trying to restore the mail system. Since you are a remote user, we are handling your case first.
Alice: So is my mail lost?
Attacker: No, we can restore it. But since we are data center staff, and we are not allowed to interfere with the office mail system, we need your password; otherwise we can't do anything.
Alice: My password? Hmm...
Attacker: Yes, we understand. The registration form clearly states that we must not ask about this, but it was written by the legal office, so everyone has to follow the rules. (This is the moment to build the victim's trust.)
Attacker: Your username is AliceDxb, isn't it? The systems department gave us your username and phone number, but they didn't give us the password. Without the password nobody can access your mail, even though we are in the data center. But we have to restore your mail, and for that we need access to it. We assure you that we will not use your password for any other purpose.
Alice: Hmm, this password isn't very private anyway; my password is 123456.
Attacker: Thank you for your cooperation. We will restore your mail in a few minutes.
Alice: Are you sure my mail won't be lost?
Attacker: Of course not. You've probably never run into this before; if you have any questions, contact us. You can find our contact number on the Internet.
Alice: Thank you.
Attacker: Goodbye.
1.3 Human weaknesses:
People suffer from many weaknesses when it comes to security.
To defend successfully we must rely on good policies and on training staff to follow those policies well.
Social engineering is the hardest method to defend against, because no hardware or software can be used to counter it.
Note: social engineering concentrates on the weak points of the computer security chain. One could say that a system is only truly secure when its power is cut off.
When someone accesses any part of the system, the physical equipment and the power supply can be a major obstacle. Any information gathered can be used with social engineering to gather still more. This means that a person who is not covered by the security policy can still defeat the security system. Security experts consider security that relies on hiding information to be very weak. In the case of social engineering there is no security at all, because it is impossible to hide who is using the system and how much they can affect it.
There are many ways to accomplish the chosen goal. The simplest is the direct request: asking the question outright. Although this rarely succeeds, it is the easiest and simplest method; the asker knows exactly what they need. The second way is to create a situation in which the victim is involved. With more factors at play than a simple request, what matters is how far the victim can be persuaded, because the attacker can come up with more convincing reasons than an ordinary person would. The more effort the attacker puts in, the higher the chance of success and the more information is obtained. This does not mean that such situations are not based on reality: the closer they are to the truth, the higher the chance of success.
One of the important tools used in social engineering is a good memory for collecting facts. That is something hackers and sysadmins excel at, especially when it comes to matters in their own field.
Chapter 2: CLASSIFICATION
Social engineering can be divided into two kinds: human-based and computer-based.
2.1 Human-based social engineering: person-to-person interaction to obtain the desired information. Human-based social engineering techniques can roughly be divided into:
2.1.1 Impersonation: in this kind of social engineering attack, the hacker poses as an employee or a legitimate user of the system in order to gain access. For example, the hacker may get acquainted with an employee of the company and gather company-related information from there. There is an accepted rule of social interaction that when people receive help from someone, they are willing to help in return with no conditions or requests attached. It can be seen as a form of gratitude, and gratitude is always present in a cooperative environment. An employee will readily help someone else in the hope that this person will help them later. Social engineers try to exploit this social trait when impersonating others. These tricks have also been used in the past as a disguise to gain physical access. A great deal of information can be exposed from paper documents and trash, and even from phone directories and door name plates.
2.1.2 Posing as an Important User: impersonation reaches a higher level by assuming the characteristics of an important employee, whose words carry more weight and are usually more readily trusted. The gratitude factor plays a role here: a lower-ranking employee will try to help a higher-ranking one in order to win his favor. An attacker posing as an important user can easily manipulate an unguarded employee. The social engineer uses authority to intimidate, even threatening to report the employee to his supervisor if the requested information is not provided.
2.1.3 Third-person Authorization: another common social engineering technique is for the attacker to claim that the designated authorizing person has approved his access to the resource. For instance, where one person is responsible for granting access to sensitive information, the attacker may watch him closely and use his absence to advantage in order to access the resource. The attacker approaches the support staff or others and claims that he has been approved to access the information. This can be especially effective if the responsible person is on vacation or out of the office, where verification cannot happen immediately. People tend to follow delegated instructions at work, even when they suspect the requests may not be legitimate. People also tend to believe that others are honestly expressing their views when they make a claim. Unless there is strong evidence to the contrary, people will believe that the person they are talking to is telling the truth about what they see or need.
2.1.4 Technical Support: a frequently used tactic, especially when the victim is not a technical expert. The attacker may pose as a hardware vendor, a technician or a computer-related supplier and approach the victim.
2.1.5 In Person: the attacker may actually try to visit the target site and observe the situation for information. He may disguise himself as a mail carrier or a janitor, or simply wander the corridors like a visitor. He may pose as a businessman, a guest or a technician. Once inside, he can read passwords off screens, find important data lying on desks, or eavesdrop on confidential conversations.
Two techniques are used by the attacker here:
2.1.5.1 Dumpster Diving: searching through trash bins for information written on scraps of paper or on computer printouts. The hacker may find passwords, filenames, or other pieces of confidential information.
2.1.5.2 Shoulder Surfing: a technique for collecting passwords by looking over someone's shoulder while they log in to the system. The hacker can watch a legitimate user log in and then use that password to gain access to the system.
Once inside, the intruder has a whole menu of tactics to choose from, including wandering the building's corridors looking for empty offices with employees' login names and passwords stuck to their PCs; going into the mail room to insert forged memos into the corporate mail server; trying to gain access to the server room or the phone room to extract more information from the running systems; placing a protocol analyzer in a wiring closet to capture data, usernames and passwords; or simply stealing the targeted information.
Example: someone calls the support staff and says he has forgotten his password. In a panic, he adds that if he misses the deadline for an advertising project his boss might fire him. The support employee feels sympathy and quickly resets the password, which lets the hacker into the company network.
Example: in June 2000, Larry Ellison, chairman of Oracle, admitted that Oracle had resorted to dumpster diving in an attempt to uncover information about Microsoft during the antitrust case. The term "larrygate" is nothing new in corporate espionage.
Some of the things a dumpster can yield:
o The company phone directory, to know whom to call and then impersonate; these are the first steps toward gaining access to sensitive data. It provides the exact names and titles needed to appear to be a legitimate employee. Finding numbers to call is an easy task once the attacker can identify the company's telephone exchange from the directory.
o Organization charts; memos; company policy manuals; calendars of meetings, events and vacations; system manuals; printouts of sensitive data or of login names and passwords; printed source code; tapes and disks; retired hard disks.
2.2 Computer-based social engineering: the use of software to obtain the desired information. It can be divided into the following types:
2.2.1 Phishing: this term applies to an e-mail that appears to come from a business, a bank or a credit card company, requesting verification of information and warning of serious consequences if this is not done. The letter usually contains a link to a forged web page that looks legitimate, with the company logo and content, and contains a form requesting username, password, credit card number or PIN.
2.2.2 Vishing: the term combines "voice" and "phishing". This is also a form of phishing, but the attacker calls the victim directly instead of sending e-mail. The user receives an automated message warning of a problem with their bank account. The message instructs them to call a phone number to fix the problem. When they call, the number connects them to a fake support system that asks them to enter their credit card details. VoIP greatly assists this new form of attack, because VoIP calls are cheap and hard to monitor.
2.2.3 Pop-up Windows: a window appears on the screen telling the user that the connection was lost and that they must re-enter their username and password. A program previously installed by the intruder then e-mails the information to a remote website.
2.2.4 Mail attachments: two common forms can be used. The first is malicious code, which is always hidden in a file attached to the e-mail, in the hope that an unsuspecting user will click or open the file; examples are the ILOVEYOU virus and the Anna Kournikova worm (in that case the attachment was named AnnaKournikova.jpg.vbs; if the file name is truncated it looks like a JPEG file, and the user does not notice the .vbs extension). The second, just as effective, consists of sending a hoax file asking the user to delete a legitimate file. These are designed to clog the mail system by reporting a non-existent threat and asking the recipient to forward a copy to all their friends and colleagues. This can create what is called a snowball effect.
2.2.5 Websites: a trick to make the user unintentionally disclose sensitive data, such as the password they use at work. For example, a website may run a fictitious contest that requires the user to enter an e-mail address and password. The password entered may be similar to the one the user uses at work. Many employees enter exactly the password they use at work, so the social engineer obtains a valid username and password for accessing the organization's network.
2.2.6 Interesting Software: in this case the victim is persuaded to download and install useful-looking programs or applications, such as tools to improve CPU or RAM performance, system utilities, or a crack for using licensed software. Spyware or malware (such as a keylogger) is then installed through a malicious program disguised as a legitimate one.
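As an added, defender-side example (not code from the original report), the following Python functions classify attachment names the way a mail gateway filter might: they flag the double-extension trick described above (AnnaKournikova.jpg.vbs) and show how a truncated display column hides the real extension. The extension lists, the column width and the sample names are assumptions constructed for the example.

```python
import os
import re

# Extensions that execute when opened on a typical Windows desktop (assumed list,
# not exhaustive; the report's Anna Kournikova example used .vbs).
EXECUTABLE_EXTS = {".vbs", ".vbe", ".js", ".jse", ".exe", ".scr", ".bat", ".cmd",
                   ".com", ".pif", ".hta", ".wsf"}
# Extensions a user reads as a harmless picture or document.
BENIGN_LOOKING_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".pdf", ".doc", ".xls"}


def split_extensions(filename):
    """Return every dot-suffix of a name, e.g. 'a.jpg.vbs' -> ['.jpg', '.vbs']."""
    parts = os.path.basename(filename).split(".")
    return ["." + p.strip().lower() for p in parts[1:]]


def classify_attachment(filename):
    """Return (allowed, reasons); allowed is False when the name shows a known trick."""
    reasons = []
    exts = split_extensions(filename)
    if not exts:
        return True, reasons
    final = exts[-1]
    if final in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {final}")
        # The classic double-extension trick: a harmless-looking inner extension
        # followed by the one the desktop actually runs.
        if len(exts) >= 2 and exts[-2] in BENIGN_LOOKING_EXTS:
            reasons.append(f"double extension: looks like {exts[-2]} but runs as {final}")
    # Long runs of spaces push the real extension out of a narrow name column.
    if re.search(r"\s{5,}", os.path.basename(filename)):
        reasons.append("padding spaces hide the real extension")
    return not reasons, reasons


def displayed_name(filename, width=18):
    """What a mail client with a narrow attachment column shows (width is assumed)."""
    name = os.path.basename(filename)
    return name if len(name) <= width else name[:width]


def scan_attachments(names):
    """Map each attachment name in the list to its (allowed, reasons) verdict."""
    return {name: classify_attachment(name) for name in names}


# Constructed sample attachment names for the demonstration.
SAMPLE_ATTACHMENTS = [
    "AnnaKournikova.jpg.vbs",
    "holiday.jpg",
    "quarterly-report.pdf",
    "invoice.pdf          .exe",
]

if __name__ == "__main__":
    for name, (ok, why) in scan_attachments(SAMPLE_ATTACHMENTS).items():
        verdict = "allow" if ok else "BLOCK"
        print(f"{verdict:5} shown as {displayed_name(name)!r:24} {'; '.join(why)}")
```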
Chapter 3: STAGES OF A SOCIAL ENGINEERING ATTACK
3.1 Information gathering: one of the keys to success in social engineering is information. It is surprisingly easy to gather ample information about an organization and its employees. Organizations tend to put too much information on their websites as part of their business strategy. This information often describes or hints at matters such as which suppliers they may contract with, phone and e-mail lists, and whether they have branch offices and, if so, where. All of this may be useful to potential investors, but it can also be used in a social engineering attack. What organizations throw away can be an important source of information: searching through the trash may turn up invoices, letters, manuals and so on that help the attacker obtain important information. The attacker's goal at this stage is to learn as much as possible in order to pass as a legitimate employee, supplier, strategic partner, etc.
3.2 Target selection: once a suitable amount of information has been collected, the attacker looks for notable weaknesses among the organization's employees. The usual target is the support staff, who are trained to be helpful and who can change passwords, create accounts, reactivate accounts, and so on. The goal of most attackers is to gather sensitive information and get a foothold in the system. Attackers know that once they have access, even at guest level, they can escalate privileges, start destructive attacks and cover their tracks. Administrative assistants are the next target, because these individuals have access to the sensitive data that usually circulates among senior management. Many of these assistants perform daily tasks for their managers that require the manager's account privileges.
3.3 The attack: the actual attack is usually based on what we call deception. There are three main types:
o Ego attack: in this first type, the attacker relies on some basic human traits. We all like to talk about how smart we are and how much we know, or how we are running or fixing the company. The attacker uses this to extract information from the victim. The attacker usually chooses a victim who feels under-appreciated and is working in a position below their talents; the attacker can often judge this after only a short conversation.
o Sympathy attacks: in this second type, the attacker usually pretends to be a trainee, a contractor, or a new employee of a supplier or strategic partner who has run into a difficult situation and needs help to finish a task. The importance of the information-gathering step becomes clear here, as the attacker builds credibility with the victim by using the right jargon or showing knowledge of the organization. The attacker pretends to be busy and to have to complete some task that requires access, but cannot remember the username and password, and so on. A sense of urgency is always part of the script. Since human nature is sympathetic, in most cases the request is granted. If the attacker fails to get access or information from one employee, he keeps trying until he finds a sympathetic person, or until he realizes the organization has become suspicious.
o Intimidation attacks: in the third type, the attacker pretends to be an authority figure, such as an influential person in the organization. The attacker targets victims whose position is lower than that of the person he is impersonating, and makes up a plausible reason for requests such as resetting a password, changing an account, or accessing the system or sensitive information.
Chapter 4: SOCIAL ENGINEERING THREATS
There are five main attack vectors that a social engineering hacker uses:
4.1 Online Threats: in our increasingly connected business world, employees routinely use and respond to requests for information that arrive automatically from both inside and outside the company. This connectivity lets hackers reach employees. Online attacks such as e-mail, pop-up applications and instant messages use trojans, worms and viruses (collectively called malware) to damage and destroy computer resources. The social engineering hacker persuades employees to hand over information through a believable ruse, rather than infecting computers with malware through a direct attack. An attack may yield information that helps the hacker mount a later malware attack, but that outcome is not a function of social engineering. Employees must therefore be advised on how to recognize and avoid online social engineering attacks.
4.1.1 E-mail Threats: many employees receive dozens or hundreds of e-mails every day, from both business and personal e-mail systems. The volume of e-mail makes it hard to give every message full attention, and this is very useful to the hacker. Most e-mail users feel good when they have dealt with a message. If the hacker can make a simple request that is easy to satisfy, the target will comply without thinking about what he or she is doing.
One example of this kind of attack is an e-mail to employees saying that the boss wants all vacation schedules sent in for a meeting, with everyone on the list copied on the e-mail. It is a simple matter to take the names from the copy list and spoof the sender name so the mail appears to come from an internal source. Spoofing is especially easy if the hacker has gained access to a company computer system, since there is no need to break through the perimeter firewall. Knowing vacation schedules may not be a security threat in itself, but it means a hacker knows when an employee is away, and can then impersonate that person with less chance of being discovered. The use of e-mail as a social engineering tool has become widespread over the past decade. Phishing is described as the use of e-mail to obtain personal identification or restricted information from a user. The hacker can send e-mail that appears to come from a legitimate organization, such as a bank or a partner company. The illustration below shows a link that outwardly appears to come from the Contoso account management page.
On closer inspection, however, two differences can be seen:
o The text of the link states that the site is secure, using https, whereas the actual link to the site uses http.
o The company name in the mail is Contoso, but the link goes to a company called Comtoso.
As the term phishing implies, the approach is speculative, with a general request for customer information. The practical disguise used in these e-mail notices, with company logos, fonts and even apparently legitimate toll-free support numbers, makes the e-mail seem more believable. Every phishing e-mail contains a request for user information, usually to facilitate an upgrade or an additional service. The e-mail may contain hyperlinks that could entice the employee to breach company security. Hackers have a range of options for phishing, including hyperlinked images that download malware such as viruses or spyware, or text rendered inside an image to bypass hyperlink security filters. Most security measures are aimed at keeping unauthenticated users outside. A hacker can bypass many defenses if he can trick a user into bringing a trojan, worm or virus into the company through a link. A hyperlink can also lead a user to a web page that uses a pop-up application to request information or offer help.
Social engineering attacks can be countered by approaching anything unusual in the Inbox with skepticism. To support this approach across an organization, the security policy should include specific e-mail usage guidelines covering:
o Attachments in documents
o Hyperlinks in documents
o Requests for personal or company information from inside the company
o Requests for personal or company information from outside the company
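The two discrepancies listed above (link text claiming https while the real link uses http, and a Contoso/Comtoso lookalike domain) can be checked mechanically. As an added example (not part of the original report), the following Python code extracts the anchors from an HTML e-mail body and, for each one, compares the scheme and host shown in the link text with the real href, and flags hosts within a small edit distance of a trusted domain. The trusted-domain list, the edit-distance threshold and the sample e-mail body are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the organisation treats as its own or its partners' (assumed list;
# the report's example uses Contoso).
TRUSTED_DOMAINS = {"contoso.com"}
# A host this close (in character edits) to a trusted domain, but not equal to
# it, is treated as a lookalike (threshold is an assumption).
LOOKALIKE_DISTANCE = 2


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Crude registrable domain: the last two labels (no public-suffix list offline)."""
    labels = (host or "").lower().split(".")
    return ".".join(labels[-2:])


def check_link(display_text, href):
    """Return a list of findings for one link; an empty list means nothing suspicious."""
    findings = []
    actual = urlparse(href)
    # Only compare scheme and host when the visible text itself looks like a URL.
    shown = urlparse(display_text.strip()) if "://" in display_text else None
    if shown is not None:
        if shown.scheme == "https" and actual.scheme != "https":
            findings.append(f"text claims https but link uses {actual.scheme}")
        if shown.hostname and actual.hostname and shown.hostname != actual.hostname:
            findings.append(f"text shows {shown.hostname} but link goes to {actual.hostname}")
    domain = registrable(actual.hostname)
    if domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if levenshtein(domain, trusted) <= LOOKALIKE_DISTANCE:
                findings.append(f"{domain} is a lookalike of trusted domain {trusted}")
    return findings


class _AnchorParser(HTMLParser):
    """Collect (visible text, href) pairs from <a> elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def scan_email(html_body):
    """Return [(text, href, findings)] for every suspicious link in the body."""
    parser = _AnchorParser()
    parser.feed(html_body)
    results = []
    for text, href in parser.links:
        findings = check_link(text, href)
        if findings:
            results.append((text, href, findings))
    return results


# Constructed sample phishing e-mail body modelled on the Contoso/Comtoso example.
SAMPLE_EMAIL = (
    "<p>Dear customer, please confirm your details at "
    '<a href="http://www.comtoso.com/account">https://www.contoso.com/account</a> '
    'or read our <a href="https://www.contoso.com/help">help pages</a>.</p>'
)

if __name__ == "__main__":
    for text, href, findings in scan_email(SAMPLE_EMAIL):
        print(f"{text} -> {href}")
        for finding in findings:
            print("   -", finding)
```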
4.1.2 Pop-Up Applications and Dialog Boxes
It is unrealistic to assume that employees do not use the company's Internet access for non-work activities. Most employees browse the Web for personal reasons, such as online shopping or research. Personal browsing can expose employees, and therefore the company's computer systems, to social engineers. Although they may not be targeting the company specifically, they will use its employees in an attempt to gain access to company resources. One common goal is to embed a mail engine in the company's computing environment, from which the hacker can launch phishing or other attacks against personal or company e-mail.
The two usual methods of enticing a user to click a button in a dialog box are to warn of a problem, for instance by displaying an application or system error message, or to offer an additional service, for example a free download that will make the user's computer faster. To experienced IT and Web users these methods look like obvious scams, but to inexperienced users they can be intimidating and convincing.
Protecting users from social engineering pop-up applications is largely a matter of awareness. To avoid the problem, you can configure the browser defaults to block pop-ups and automatic downloads, but some pop-ups get past these settings. It is more effective to make sure users know they should not click on pop-up windows without checking with the support staff.
4.1.3 Instant Messaging:
IM carries a number of potential threats when a hacker targets it. The first is the informal nature of IM. Its chatty character, together with the option of choosing a false name, means it is never entirely clear whether you are talking to the person you believe you are talking to.
The illustration below shows how spoofing works, for both e-mail and IM:
The hacker (in red) impersonates a known user and sends an e-mail or IM message that the recipient assumes comes from someone they know. Familiarity lowers the user's defenses, so they are more likely to click a link or open an attachment from someone they know, or think they know. Most IM providers allow user identification based on e-mail address, which can help a hacker who has registered with an address in the company's standard format send invitations to other people in the organization. This feature is not a threat in itself, but it means the number of targets inside the company increases greatly.
4.2 Telephone-Based Threats:
The telephone is a familiar communication medium, but it is also impersonal, because the target cannot see the hacker. The communication options of most computer systems can also make the Private Branch Exchange (PBX) an attractive target. A further, perhaps cruder, attack is stealing credit card or phone card details at phone booths. Most of these attacks are ordinary theft from an individual. Most people are aware that they should watch out for prying eyes when using an ATM, but far fewer are as careful when entering a PIN at a phone booth.
VoIP is a growing market that offers cost benefits to companies. At present, because of the relatively limited number of installations, VoIP hacking is not considered a major threat. However, as more businesses adopt the technology, VoIP spoofing will become as widespread as e-mail and IM spoofing.
4.2.1 Private Branch Exchange:
Hackers have three main goals in attacking a PBX:
o Requesting information, usually by posing as a legitimate user, either to access the telephone system or to gain remote access to computer systems
o Gaining access to free telephone use
o Gaining access to communicate with the network
Each of these goals is a variation on the same theme: the hacker calls the company and tries to obtain phone numbers that give access, directly or through the PBX, to the public telephone network. Hackers call this phreaking. The most common approach is for the hacker to pose as a telephone engineer, asking for an outside line or a password in order to analyze and resolve problems reported in the internal telephone system, as illustrated below:
Requesting information or access over the telephone is a relatively low-risk form of attack for the hacker: if the target becomes suspicious or refuses to comply, the hacker can simply hang up. Bear in mind, though, that these attacks are more sophisticated than a hacker simply calling a company and asking for a user ID and password. The hacker usually presents a scenario, asking for or offering help, before the request for personal or business information comes up, almost as an afterthought.
Most users know nothing about the internal telephone system beyond their own phone number, and this is part of the most important defense you can put into the security policy. It is rare for a hacker to approach ordinary users this way; the usual targets are receptionists or switchboard operators. You must make it clear that only the authenticated service desk provides assistance to the telephone provider. That way, authorized personnel handle all technical support calls, and targeted staff can redirect such queries efficiently and quickly to a qualified member of staff.
4.2.2 Service Desk:
The service desk, or help desk, is one of the main pillars of defense against hackers, but conversely it is also a target for social engineering hackers. Although support staff are usually aware of the threat of hacking, they are also trained to help and support callers, giving them advice and solving their problems. Sometimes the eagerness of technical support staff to provide a solution overrides their commitment to security procedures and puts them in a difficult position: if they strictly enforce security standards, demanding verification that requests or questions come from an authorized user, this may appear unhelpful and obstructive. Marketing, sales and production staff who feel that the IT departments are not providing the immediate service they require tend to complain, and top-level managers asked to prove their identity are often unsympathetic to the support staff's caution.
The service desk has to balance security with business effectiveness, so security policies and procedures must support it. It is harder to protect service desk analysts against internal or contract hackers, who know the internal procedures and have the time to make sure they have all the necessary information before they make the call to the service desk.
4.3 Waste Management Threats:
Dumpster diving is a valuable activity for the hacker. Discarded paper can contain information of immediate benefit, such as discarded user IDs and account numbers, or can serve as background information, such as organization charts and phone lists. This kind of information is invaluable to the social engineering hacker, because it makes him appear credible when he begins the attack.
Electronic storage media are even more useful to the hacker. If a company has no waste management rules covering the disposal of redundant media, all kinds of information can be found on unused hard disks, CDs and DVDs.
Employees must fully understand the consequences of throwing waste paper or electronic media into the trash. Once the waste has left the company premises, its ownership may become legally unclear. Dumpster diving may not be illegal in every circumstance, so be sure to give guidance on how to handle waste material. Always shred paper into small pieces and erase or destroy magnetic media. If waste is too large or awkward for the shredder, such as phone directories, or is technically beyond the user's ability to destroy, a disposal protocol must be developed. Trash bins should be kept in a secure area that the public cannot reach.
Besides external waste management, internal waste must also be managed. Security policies often overlook this, because it is usually assumed that anyone allowed into the company premises must be trustworthy. Clearly this is not always true. One of the most effective measures for managing paper waste is a data classification scheme: you define different categories of paper based on the information they contain and specify how employees are to dispose of each. For example, the categories might be:
o Company confidential. Shred all discarded confidential documents before putting them in the trash.
o Private. Shred all discarded private documents before putting them in the trash.
o Office. Shred all discarded office documents before putting them in the trash.
o Public. Dispose of public documents in any trash bin or recycle them as waste paper.
4.4 Personal Approaches
The cheapest and simplest way for a hacker to obtain information is to ask for it directly. This approach may seem crude and obvious, but it has been the basis of confidence tricks since the earliest days. Four main approaches have proven successful for the social engineer:
o Intimidation: this approach may involve impersonating a person in authority to coerce the target into complying with the request.
o Persuasion: the usual forms of persuasion include flattery and name-dropping.
o Ingratiation: this approach is a long-term game in which a subordinate or colleague builds a relationship in order to gain trust, and eventually information, from the target.
o Assistance: with this approach the hacker offers to help the target. The assistance eventually requires the target to disclose personal information that helps the hacker steal the target's identity.
Protecting users against these kinds of personal approach is very difficult. The defense against intimidation attacks is to develop a no-fear culture in the business. If the usual conduct is courteous, intimidation is less likely to succeed, because individuals are inclined to escalate a confrontational situation. A supportive attitude from management and supervisors toward escalating problems and decisions is the worst thing that can happen to a social engineering hacker, whose aim is to push the target into a quick decision. The more the matter is referred to higher authority, the less likely that aim is to be achieved.
Persuasion is always an important method of achieving a goal. You cannot engineer it out of your workforce, but you can provide strict guidelines on what an individual should and should not do. Hackers will always ask for, or set up a scenario that leads a user to give away, restricted information. Continuing awareness campaigns and basic guidance covering security elements such as passwords are the best defense.
4.4.1 Virtual Approaches
The social engineering hacker must make contact with the target in order to carry out the attack. Most often this happens through an electronic medium such as e-mail or a pop-up window. The volume of spam and junk mail arriving in most personal mailboxes makes this attack method less successful, as users have become more skeptical of the flood of letters and requests to take part in lucrative and supposedly legal financial transactions. Even so, the volume of mail and the use of trojans mean that it remains attractive to some hackers, even with a minimal success rate. Most of these attacks are personal and aim to discover information about the target. For businesses, however, the widespread misuse of business systems such as Internet access and computers for personal purposes means the hacker can get into the network.
The telephone offers a more personal approach, but one with a lower success rate. The limited risk of being caught means hackers do use the telephone as a means of approach, but mainly for PBX and service desk attacks; most users will be suspicious of a call requesting information from someone they do not know.
4.4.2 Physical Approaches
Less common, but more effective for the hacker, is direct personal contact with the target. Only the most suspicious employees will question the legitimacy of someone who introduces themselves and asks for, or offers, help with the computer system. Although these approaches carry greater risk for the perpetrator, the benefits are clear: the hacker can get free access to the company's computer systems, inside the perimeter where the defenses exist.
The growth in the use of mobile technology, which lets users connect to the corporate network while on the road or at home, is another major threat to corporate IT resources. Possible attacks range from the simplest observation attack, such as a hacker looking over the shoulder of a laptop user on a train to see an ID and password, to more sophisticated attacks such as an upgraded router sent out and installed by a "service engineer" who gains access to the corporate network by asking for the user ID and password.
4.5 Reverse Social Engineering
This is a more advanced form of social engineering that overcomes the common difficulties of ordinary social engineering. It can be described as a legitimate user of the system asking the hacker questions in order to obtain information. In RSE, the hacker is presumed to hold a higher position than the legitimate user, who is in fact the target. To carry out an RSE attack, the attacker must understand the system and must always have been granted prior access, usually obtained through ordinary social engineering. A comparison of SE and RSE:
o Social engineering: the hacker makes the call and depends on the user
o Reverse social engineering: the user makes the call and depends on the hacker
o Social engineering: the user feels that the hacker owes them
o Reverse social engineering: the user feels that they owe the hacker
o Social engineering: the questions often remain unresolved for the victim
o Reverse social engineering: all problems are resolved, but the encounter ends without suspicion
o Social engineering: the user is controlled by being made to provide information
o Reverse social engineering: the hacker is completely in control
o Social engineering: little or no preparation is needed
o Reverse social engineering: much planning, and access must be established beforehand
A typical RSE attack consists of three main parts: sabotage, advertising, and assisting. After obtaining access by other means, the hacker sabotages the workstation by damaging it, or by making it appear damaged. The sabotage can be carried out with a wealth of error messages, changed parameters or options, or a spoofed program. The user notices the malfunction and then looks for help. To be the person the user calls, the attacker must advertise that he is able to fix the fault. Advertising can include leaving fake business cards around the office, or even supplying a fake telephone number in the error message itself. An example error message:
** ERROR 03 - Restricted Access Denied ** - File access not allowed by user.
Consult with Mr. Downs
at (301) 555-1414 for file permission information.
In this case the user will call Mr. Downs for help, and will reveal account information without questioning the legitimacy of Mr. Downs. Other methods of advertising can include social engineering. One example is the hacker calling the target and informing them that the technical support telephone number has just changed, and then giving them his own number. The third (and easiest) part of an RSE attack is for the hacker to help solve the problem. Because the hacker is the architect of the sabotage, the problem is easy to fix, and the target does not suspect the helper, since he appears to be a user who knows the system well. The hacker's only task is to obtain account information from the target while helping them. Once the information has been obtained, the hacker resolves the problem and then ends the conversation with the target.
Having understood the wide range of threats, three steps are needed to design a defense against social engineering threats for the company's employees. An effective defense is a function of planning. Often a defense is a reaction: you discover a successful attack and erect a barrier to ensure the problem does not recur. Although this approach demonstrates a level of awareness, the solution comes too late if the problem is large or costly. To forestall such a scenario, the three steps are as follows:
o Develop a security management framework. You must define the set of goals for social engineering security and the staff who are responsible for delivering those goals.
o Carry out a risk management assessment. Threats do not present the same level of risk to different companies. You must review each social engineering threat and rationalize the danger it poses to the organization.
o Implement social engineering defenses in the security policy. Develop a written set of policies and procedures that state how employees should handle situations that may be social engineering attacks. This step assumes that a security policy already exists, apart from social engineering threats. If there is currently no security policy, one must be developed.
5.1 Developing a security management framework
A security management framework defines an overview of the threats that social engineering can pose to the organization and assigns work to the roles responsible for developing the policies and procedures that mitigate these threats. This approach does not mean that you must employ staff whose only function is securing the company's assets.
o Security sponsor. A senior manager who can provide the endorsement needed to ensure that all employees take the company's security seriously.
o Security manager. A management-level employee responsible for coordinating the development and maintenance of the security policy.
o IT security officer. Technical staff responsible for developing the infrastructure and implementing security policy and procedures.
o Facilities security officer. A member of the facilities team responsible for developing and implementing site security policy and procedures.
o Security awareness officer. A member of the personnel management team, usually from the staff development or human resources department, responsible for developing and implementing security awareness campaigns.
This group, the Security Steering Committee, represents the advisory board within the company. As the chosen champions of the security system, the Security Steering Committee needs to set the core goals of the security management framework. Without a defined set of goals, it is hard to encourage employee participation or to measure the project's success. The initial task of the Security Steering Committee is to identify the risks that social engineering poses to the company. The Security Steering Committee needs to identify the areas where risk to the company may exist. This process can cover the attack vectors identified in this paper as well as company-specific factors, such as the use of public terminals or office management procedures.
Example: Company Social Engineering Attack Vector Vulnerabilities

Attack vector | Describe company usage | Comments
Online
  E-mail | All users have Microsoft Outlook on desktop computers. |
  Internet | Mobile users have Outlook Web Access (OWA) in addition to Outlook client access. |
  Pop-up applications | | There is currently no technological barrier implemented against pop-ups.
  Instant Messaging | The company allows unmanaged use of a variety of IM products. |
Telephone
  PBX | |
  Service Desk | Currently the Service Desk is a casual support function provided by the IT department. | We need to extend support provisions beyond the IT area.
Waste management
  Internal | All departments manage their own waste disposal. |
  External | Dumpsters are placed outside the company site. Garbage collection is on Thursday. | We do not currently have any space for dumpsters within the site.
Personal approaches
  Physical Security | |
  Office security | All offices remain unlocked throughout the day. |
  Home workers | 25 percent of staff works from home. | We have no written standards for home worker security. We have no protocols of home worker onsite maintenance.
Other/Company-specific
  In-house franchisees | All catering is managed through a franchise. | We do not know anything about these staff, and there is no security policy for them.
5.2 Risk assessment
Every security requirement assesses the level of risk that an attack carried out against the company would pose. Although the risk assessment needs to be thorough, it need not consume much time. Building on the work the Security Steering Committee did while identifying the core elements of the security management framework, you can categorize and prioritize the risks. The risk categories are:
o Confidential information
o Business credibility
o Business availability
o Resources
o Cost
Priorities can be set by determining the risk and calculating the cost of mitigating it; if mitigating a risk would cost more than the risk occurring, the mitigation may be unreasonable. The risk assessment stage can be very useful in the final development of the security policy.
Example: Steering Committee Security Requirement and Risk Matrix

Columns: Attack Vector | Possible Policy Requirement | Risk Type (Confidential information, Business credibility, Business availability, Resources, Money) | Risk Level (High = 5, Low = 1) | Action. In the example the Risk Type, Risk Level and Action columns are blank.

Attack Vector | Possible Policy Requirement
(general) | Written set of social engineering security policies
(general) | Changes to make policy compliance part of the standard employee contract
(general) | Changes to make policy compliance part of the standard contractor contract
Online
  E-mail | Policy on types of attachments and how to manage them
  Internet | Internet usage policy
  Pop-up applications | Policy for Internet usage, with specific focus on what to do with unexpected dialog boxes
  Instant Messaging | Policy on supported and allowable IM clients
Telephone
  PBX | Policy for PBX support management
  Service Desk | Policy for the provision of data access
Waste Management
  Paper | Policy for waste paper management; Dumpster management guidelines
  Electronic | Policy for the management of electronic media waste materials
Personal Approaches
  Physical Security | Policy for visitor management
  Office security | Policy for user ID and password management (no writing passwords on a sticky note and attaching it to a screen, for example)
  Home workers | Policy for the use of mobile computers outside the company
Other/Company-Specific
  In-house franchisees | Policy for screening in-house franchise employees
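The prioritization rule described in section 5.2 (rate each risk type, then compare the cost of mitigation against the cost of the risk occurring) can be carried out over a matrix like the one above. The following is an added example and not code from the report or from the Microsoft guidance it draws on; the five risk types and the 1 to 5 scale follow the matrix, while the scoring rule (sum of the five levels), the vector rows and the cost figures are assumptions constructed for illustration.

```python
"""Rank social engineering risks from a Steering Committee style risk matrix.

Added example (not code from the report). The five risk types and the
1 (low) .. 5 (high) scale follow the matrix above; the scoring rule (sum of
the five levels) and the cost figures are assumptions made for illustration.
"""
from dataclasses import dataclass

RISK_TYPES = ("confidential_information", "business_credibility",
              "business_availability", "resources", "money")


@dataclass
class VectorRisk:
    vector: str             # attack vector, e.g. "E-mail"
    policy: str             # possible policy requirement
    levels: dict            # risk type -> level 1..5
    expected_loss: float    # assumed cost to the company if the attack succeeds
    mitigation_cost: float  # assumed cost of the policy or control

    def score(self) -> int:
        """Sum of the five risk levels; rejects missing or out-of-range ratings."""
        for t in RISK_TYPES:
            lvl = self.levels.get(t)
            if not isinstance(lvl, int) or not 1 <= lvl <= 5:
                raise ValueError(f"{self.vector}: {t} must be rated 1..5")
        return sum(self.levels[t] for t in RISK_TYPES)

    def worthwhile(self) -> bool:
        """The report's rule: mitigation dearer than the risk itself may be unreasonable."""
        return self.mitigation_cost <= self.expected_loss


def prioritize(items):
    """Return (vector, score, action) tuples, highest score first."""
    ranked = sorted(items, key=lambda v: (-v.score(), v.vector))
    return [(v.vector, v.score(),
             "implement" if v.worthwhile() else "re-assess cost")
            for v in ranked]


# Constructed sample rows (levels and costs are invented for the example).
SAMPLE = [
    VectorRisk("E-mail", "Policy on types of attachments and how to manage them",
               {"confidential_information": 5, "business_credibility": 3,
                "business_availability": 4, "resources": 3, "money": 3},
               expected_loss=50_000, mitigation_cost=8_000),
    VectorRisk("Service Desk", "Policy for the provision of data access",
               {"confidential_information": 5, "business_credibility": 4,
                "business_availability": 2, "resources": 2, "money": 3},
               expected_loss=40_000, mitigation_cost=5_000),
    VectorRisk("Instant Messaging", "Policy on supported and allowable IM clients",
               {"confidential_information": 3, "business_credibility": 2,
                "business_availability": 3, "resources": 2, "money": 2},
               expected_loss=10_000, mitigation_cost=6_000),
    VectorRisk("External dumpsters", "Dumpster management guidelines",
               {"confidential_information": 4, "business_credibility": 2,
                "business_availability": 1, "resources": 1, "money": 1},
               expected_loss=3_000, mitigation_cost=12_000),
]

if __name__ == "__main__":
    for vector, score, action in prioritize(SAMPLE):
        print(f"{vector:20} score={score:2d}  {action}")
```

With the constructed figures the e-mail and service desk vectors come out on top, and the dumpster item is flagged for re-assessment because its assumed mitigation cost exceeds the assumed loss, which is exactly the case the text calls unreasonable. The committee would replace the summed score with whatever weighting its own risk categories justify.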
5.3 Social engineering in the security policy
IT staff and company management must develop, and help enforce, an effective security policy in the organization. Sometimes the focus of the security policy is on technological controls that help protect against technological threats, such as viruses and worms. Technological controls help protect technology, such as data files, program files, and operating systems. The Security Steering Committee has the core security areas and the risk assessment, and it must use them to authorize the development of business documents, processes, and procedures.
Example: Steering Committee Procedure and Document Requirements

Policy requirement | Procedure / document requirement | Action on / date
Written set of social engineering security policies | None |
Changes to make policy compliance part of the standard employee contract | 1. Wording for new contract requirements (Legal) 2. New format for contractor contracts |
Changes to make policy compliance part of the standard contractor contract | 1. Wording for new contract requirements (Legal) 2. New format for contractor contracts |
Policy for visitor management | 1. Procedure for visitor sign in and sign out 2. Procedure for visitor accompaniment |
Dumpster management guidelines | 1. Procedure for waste paper disposal (see Data) 2. Procedure for electronic media disposal (see Data) |
Policy for the provision of data access | |
Policy for waste paper management | |
Policy for the management of electronic media waste materials | |
Policy for Internet usage, with specific focus on what to do with unexpected dialog boxes | |
Policy for user ID and password management (no writing passwords on a sticky note and attaching it to a screen, etc.) | |
Policy for the use of mobile computers outside the company | |
Policy for managing issues when connecting to partner applications (banking, financial, buying, stock management) | |
Once you have written and agreed the security policy, you must implement it for employees and make them comply with it. Although you can implement technical controls without the employees' understanding, you must have their support if you want to implement the defense successfully.
6.1 Awareness
There is no substitute for a good awareness campaign when you implement the social engineering elements of the security policy. Employees must be trained so that they understand the policy, understand why it is needed, and know how to respond to a suspected attack. The key element of a social engineering attack is trust: the target trusts the hacker. To counter this form of attack, a healthy skepticism toward anything out of the ordinary must be encouraged in employees, and their trust in the IT infrastructure that supports the company must be built.
The elements of an awareness campaign depend on how you communicate information to the company's employees. You can choose structured training, informal meetings, posters, or other events to publicize the security policy. The more the content of the policy is reinforced, the more successful its implementation will be. Although security awareness can be launched with a big event, what matters is keeping security prominent on the agenda of management and employees.
6.2 Incident management
When a social engineering attack occurs, make sure that service desk staff know how to handle the incident. Response protocols should exist in the procedures attached to the security policy, but incident management means using the attack as the starting point for a security review. Security is a journey rather than a destination, because attack vectors are always changing.
Every incident provides new input to the continuous security review in the incident response model, as the figure below illustrates:
As new incidents occur, the Security Steering Committee considers whether they represent new or changed risks to the company, and creates or refreshes policies and procedures based on the new findings. All amendments must comply with the company's security policy and follow its change management standards.
To manage incidents, service desk staff must have a flexible incident reporting process that records the following information:
o Target name
o Target area
o Date
o Attack vector
o Attack description
o Attack result
o Attack effect
o Recommendations
By recording incidents, patterns can be identified and future attacks prevented.
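The incident record above becomes useful for spotting patterns only once the reports are collected in one place and counted. The following is an added example and not code from the report: it stores records with the eight fields listed in section 6.2 as CSV, validates that no field is missing, and then reports which (attack vector, target area) pairs recur and how often each vector produced an effect. The five incident rows and the employee names are constructed placeholders, and the rule that an incident "gained something" when the recorded effect is anything but "None" is an assumption of the example.

```python
"""Record social engineering incidents and look for recurring patterns.

Added example (not code from the report). The record fields follow the list
in section 6.2; the incident rows below are constructed for illustration and
the names are placeholders.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import date

FIELDS = ["target_name", "target_area", "date", "attack_vector",
          "description", "result", "effect", "recommendation"]

# Constructed sample log, one line per incident reported to the service desk.
SAMPLE_LOG = """\
target_name,target_area,date,attack_vector,description,result,effect,recommendation
A. Employee,Service Desk,2009-03-02,Telephone,Caller asked for a password reset,Refused,None,Reinforce caller verification
B. Employee,Service Desk,2009-03-09,Telephone,Caller claimed to be a senior manager,Password reset,Account misuse,Escalate unknown callers to a manager
C. Employee,Finance,2009-03-11,E-mail,Attachment named invoice.exe,Opened,Malware cleanup,Attachment handling policy
D. Employee,Service Desk,2009-03-16,Telephone,Caller asked for VPN settings,Refused,None,Log every request for access details
E. Employee,Reception,2009-03-20,Physical,Visitor without a badge asked to be let in,Escorted out,None,Visitor sign-in procedure
"""


def parse_log(text):
    """Parse CSV incident records; every field in FIELDS must be present."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        missing = [f for f in FIELDS if not row.get(f)]
        if missing:
            raise ValueError(f"incident on {row.get('target_name')} lacks {missing}")
        row["date"] = date.fromisoformat(row["date"])
        records.append(row)
    return records


def recurring(records, min_count=2):
    """(attack vector, target area) pairs reported at least min_count times."""
    counts = Counter((r["attack_vector"], r["target_area"]) for r in records)
    return {pair: n for pair, n in counts.items() if n >= min_count}


def outcome_by_vector(records):
    """Per vector: (incidents where the attacker gained something, total incidents).

    An incident counts as a gain when the recorded effect is anything but 'None'
    (an assumption of this example, not a rule from the report)."""
    gained = defaultdict(int)
    total = defaultdict(int)
    for r in records:
        total[r["attack_vector"]] += 1
        if r["effect"] != "None":
            gained[r["attack_vector"]] += 1
    return {v: (gained[v], total[v]) for v in total}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("recurring:", recurring(recs))
    print("outcome by vector:", outcome_by_vector(recs))
```

On the constructed log the recurring report shows three telephone incidents against the service desk in one month, one of which succeeded, which is the kind of pattern the Security Steering Committee would take as input for revising the service desk procedure.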
6.3 Reviewing the implementation
When reviewing security, it is possible to become oversensitive to the countless potential threats. The security policy must retain an appreciation of how the enterprise does business. If a security proposal harms the profitability or the commercial agility of the organization, the risk must be reassessed. You must strike a balance between security and the usability of the implementation.
It is also important to value a reputation as a security-conscious company as a commercial benefit. It not only deters hackers, it also improves the company's business profile with customers and partners.
6.4 Social engineering and the defense-in-depth layered model
The defense-in-depth layered model categorizes security solutions against the attack vectors, the weak areas a hacker can use to threaten the computing environment. The attack vectors are:
o Policies, procedures, awareness: the written rules you develop to manage every area of security, and the education program that ensures staff know, understand, and apply those rules.
o Physical security: the barriers that manage access to assets and resources. This is as important as the layers that follow; for example, if you leave the garbage outside the company, it is outside the company's physical security.
o Data: business information such as accounts and e-mail. When considering threats, both hard copy and soft copy documents must be included in the data security plan.
o Applications: the programs run by users. You must assess how social engineering hackers can subvert programs such as e-mail or IM.
o Host: the server and client computers used in the organization. Helps ensure that you protect users against direct attacks on these computers by strictly defining guidelines for the software used on them and for how security devices, such as user IDs and passwords, are managed.
o Internal network: the network over which the company's computer systems communicate. It may be local, wireless, or a WAN. Internal networks have become less internal in recent years, with the spread of home and mobile working, so you must make sure users understand that they must work securely in every networked environment.
o Perimeter: the point of contact between the internal network and external networks, such as the Internet or networks belonging to business partners, possibly as part of an extranet. Social engineering attacks often try to breach the perimeter in order to launch attacks on data, applications, and hosts across the internal network.
When designing the defense, the defense-in-depth model helps visualize the areas of the business that can be threatened. The model is not specific to social engineering threats, but every layer should have a defense.