Read the book You CAN Stop Stupid - Ira Winkler - Page 32

Social Engineering

Social engineering is the broad category of attacks typically associated with the computer security field. However, social engineering can take a variety of forms and can be used to facilitate other crimes beyond just computer-based ones. Social engineering can be defined as manipulating an individual to take an action they would not normally take. In the computer field, it is essentially any nontechnical attack to gain access to a computer.

People perceive social engineering as tricking someone into providing them with information or access. In many common scenarios, that is an accurate working definition. This can be achieved through telephone calls, emails, in-person interactions, online chat systems, and so on.

Other forms of social engineering include people essentially sneaking into locations. Dumpster diving, where you literally go through the trash to find useful information, can be considered a form of social engineering. Some people don construction hard hats and reflective vests or utility worker uniforms and walk into a facility. Other people check doors and gates to see if they are locked. Still others try to follow people into facilities through tailgating.

While these tactics can be used to obtain computer access, clearly they can be used for a variety of other types of crimes. A company once tasked us to perform a social engineering simulation to see how outsiders can gain access to a building, because there had been a tragic workplace shooting, where a man had snuck into the building and shot his ex-wife. These things unfortunately can happen.

From a computer attack perspective, social engineering frequently takes the form of phishing, where someone sends a message attempting to get a user to download malware or to disclose login credentials or other useful information.

Sometimes criminals, frustrated with failing to technically hack an organization, will resort to pretext telephone calls attempting to get users to disclose usernames and passwords. Pretext phone calls are also used for a variety of other nefarious purposes to support crimes, such as trying to defraud people for money with fake Microsoft support, claiming the people owe taxes and immediate payment is required, and false claims of needing medical insurance information from the elderly.

Another form of social engineering involves criminals creating USB drives loaded with malware. They place the USB drives in the vicinity of the target and hope that someone from the targeted organization will plug one of them into a computer inside the company. Clearly, this is a hit-or-miss type of social engineering, but if successful, it can be a very fruitful attack.

The takeaway from our discussion of social engineering is that while insiders may not intend to be malicious, they can be exploited by malicious outsiders who thereby obtain insider-level access, both physically and technically. This has to be a critical consideration for any UIL mitigation strategy.
