Download book here http://wormholetravel.net/darkside.html
As we continue to increase our reliance on computer systems, using them to store and process the world's information, they have become increasingly popular targets for attackers looking to disrupt, or steal from, the target company. In response to this threat, companies around the world are projected to invest over 151 billion dollars on IT security projects in 2012[1] in an attempt to protect their businesses. So why, despite these large investments, do we so often see large companies with strong IT systems suffer service disruptions and leaked information? According to Kevin Mitnick, described by the US government as the most dangerous hacker in the world[2], this may be because "it is much easier to trick someone into revealing a password for a system than to exert the effort of hacking into the system".
Social engineering, according to Mitnick, is the use of influence and persuasion to deceive people into divulging information[3]. While Mitnick was the first to coin the term, the art of social engineering itself is nothing new; in a crude example, International Intelligence claims that social engineering started "way back in time when man started to lie to woman."[4] However, social engineering has enjoyed a strong resurgence due to the low cost of attacks, the anonymity of electronic communication, and the ease of researching potential targets thanks to the popularity of email and social networking sites.
The widespread use of social engineering is undeniable. In the past few years alone, we have seen social engineering play a critical role in a number of high-profile attacks, such as the government-sponsored attacks that crippled a highly secure nuclear reactor in Iran[5] and the amateur attacks responsible for the leakage of over 500,000 client records by a cloud application provider[6]. These attacks clearly show that in many cases exploiting the human mind is the easiest way to breach an organization's defenses, and that social engineering has made IT security a pervasive problem that cannot simply be solved through the provision of hardware or software.
As auditors, we are uniquely positioned to protect our organizations and those we serve against social engineering. Unlike most parties within an organization, we are already familiar with the entire organization's internal controls and have an understanding of its day-to-day operations. This helps in identifying the soft spots that a social engineer could exploit when attempting to steal information, passwords or even tangible goods. While auditors may not necessarily possess the technical competency to advise on attacks that incorporate the latest software exploits, the ability to identify potential targets of social engineering, to prepare those targets for an attack, and to promote a culture of vigilant skepticism makes auditors excellent candidates to address the risks posed by social engineering.
This report will serve as a primer on social engineering by discussing several key aspects of social engineering:
- The psychology that powers social engineering
- The broad categories of social engineering attacks
- Common areas of vulnerability
- Notable cases of social engineering
- Steps to prevent social engineering attacks from succeeding
- Methods to limit the damage caused in a security breach.