Social engineering

Social engineering behavior

Hackers define social engineering as a way of obtaining information that relies neither on computers (machinery in general) nor on software bugs, but on other channels: interpersonal relationships, and even deception and fraud, threats, intimidation and physical theft.

It may originally be a sociological term, but it is commonly used, with a broad definition, in the context of computer intrusion.


In general, social engineering is the art and study of making people comply with your wishes and satisfy your desires. It is not simply a way of controlling the will; it concerns people's behaviour outside their normal conscious awareness, and learning and applying this knowledge is not easy at all.

How hackers use it

It also involves many flexible ideas and changing factors. Before the required information can be obtained, the social engineer must first acquire a large body of relevant background knowledge, spend time collecting data, and carry out the necessary communication, such as conversation. As with earlier kinds of intrusion, social engineering requires a great deal of preparation before it is carried out, and that preparation is often more arduous than the act itself.

Social engineering targets one of the most vulnerable links in the chain of computer information security work.

We often say: the safest computer is the one that has been unplugged from the network ("physical isolation").

In reality, someone (a user) can be persuaded to connect this vulnerable machine, in an abnormal working state, to the network and start providing everyday services on it.

This shows how important the "people" link is in the overall security system.

A computer system, unlike a person, does not depend on manual intervention by others; people, on the other hand, have their own subjective thinking.

This means that this vulnerability in information security is universal: it does not vary with system platform, software, network, or age of equipment.

Whether in the physical world or in electronic information, anyone who can access some part of the system (some service) may pose a potential security risk or threat.

Any subtle piece of information may be used by a social engineer as "raw material" for obtaining further information.

This means that if the "people" factor (users, managers and so on) is not included in the corporate security management strategy, it will leave a great security "crack".

A big problem?

Security experts often, without meaning to, state the concept of security very vaguely, and this in itself leads to insecurity in information security.

In such a situation, social engineering is one of the root causes of insecurity.

We should not obscure the fact that humans use computers and affect the operation of computer systems, for the reasons I have stated before.

No computer system on earth can exist without the "human" factor.

Almost everyone has some way of attempting a social engineering "attack"; the only difference is the level of skill with which these methods are used.

Methods

There are many ways to try to get someone to follow your wishes and accomplish the task you want done.

The first method is the simplest and clearest: give the target individual a direct "instruction" that asks them to accomplish your goal.

Without doubt this is the easiest way to succeed, and it is also the most direct and intuitive method.

Of course, the individual being directed will also know exactly what you want them to do.

The second method is to tailor, for a particular individual, a specific man-made situation and environment (by fabricated means).

This method involves more factors than simply considering the individual's relevant information.

For example, to persuade your target, you can set up (deliberately arrange) some reason or motivation that compels them to produce, for you, a behavioural result that is not of their own will.

This includes work that goes as far as building a persuasive case for a particular individual, and it requires a lot of knowledge about the "target" you want.

This means that such specific situations/environments must be grounded in objective facts; a few lies will make the effect better.

One of the most refined skills in social engineering is the ability to remember real details.

Hackers and system administrators pay more attention to this, especially when something relates to their own domain.

To illustrate the above method, I will give a small example.

The example is as follows. When you "place" an individual in a situation under group and social pressure (such as pressure from public opinion), the individual is likely to behave in a way that conforms to the group's decision, even if that decision is obviously wrong.

Consistency

If, in some cases, someone believes that their group's decision is correct, this may cause them to make different judgments and behave differently.

For example, if I have already published a certain conclusion and the argument for it is very strong (here meaning the will of the majority in the group), then no matter how much energy I spend later trying to convince them, it is impossible for them to change their decision.

In addition, a group is made up of members at different positions/levels.

This position/level problem is what psychologists call "demand characteristics".

The behaviour of participants is strongly affected by these social constraints.

Those who do not want to offend other members, do not want others to see that they would rather sleep through a meeting, do not want to undermine the views of partners they get along well with, and so on, eventually become the factors that form the "follow the trend" phenomenon.

Making use of such characteristics is an effective way of guiding people's behaviour.

Situations

In any case, most social engineering is practised on single individuals.

Therefore social pressure and other influencing factors must be established within some credible relationship with the target.

In such a situation, when inherent characteristics (real or fictional) are present, the target individual is likely to act according to your wishes.

Inherent characteristics

Include:

· Pressures outside the target individual. For example, leading the individual to believe that the consequences of a certain behaviour are not their own responsibility.

· Taking an opportunity to please someone. Such behaviour depends more on whether the individual believes a certain decision can bring "benefits" to someone; it can, for instance, make the relationship with their boss more harmonious.

· Moral obligation. Individuals will obey you because they feel they have a (moral) obligation to do so.

This is the use of guilt. People would rather avoid feeling guilty, so if there is a "possibility" that would make them feel guilty, they will try as hard as they can to avoid it.

Personal persuasive power

Personal reputation and persuasiveness are an advantageous means often used to motivate someone to cooperate with or obey you.

The purpose of personal persuasion is not to force others to accept the "task" you assign, but to increase their willingness to comply with it actively.

In fact this is somewhat contradictory: basically, the target is simply guided by us into a specific, deliberately arranged pattern of thinking that has been set up in advance.

The target believes that they are in control of the situation, while at the same time they are helping you with their own power.

In fact there is no conflict between the benefit the target receives and the benefit they indirectly help you to obtain.

The social engineer's purpose is to persuade the target that they have good reason to believe a small amount of time and energy will be "exchanged" for a benefit.

Cooperation

Several factors can increase a social engineer's chances of getting the target to "cooperate".

Minimize conflict with the target. Facing each other with a calm attitude increases the chance of successfully achieving the goal.

Winning over existing relationships or developing new ones, shared worries, or some special task can effectively compel the target to cooperate with you.

The factors behind "success" here tend to centre on whether you can control and apply your persuasive power.

This is very important; it is often regarded by "liars" (people who habitually use deception) as a panacea.

Psychological research indicates that if a person has previously followed (and succeeded with) a very small request, he or she is more likely to follow a larger one.

Here, if there is a history of cooperation, there is a great chance of cooperation this time as well.

A better approach for the social engineer is to give the partner some more sensitive information.

Particularly realistic audiovisual perception: a target who can see or hear on the spot the information you give them finds it more convincing than merely hearing your voice over the phone.

This view is not uncommon at all; it is difficult to convince people through information communicated in written or electronic form.

It is rather like denying someone the IRC style of communication.

Relevance

In any case, the success of applying social engineering also depends on how closely the target individual is related to your purpose.

We can say that system administrators, computer security managers, technical researchers, those who rely on computers and networks to work or communicate, and most of the targets hackers attack with social engineering are all highly related.

Highly related individuals are mostly persuaded by strong, favourable arguments.

In fact, you can give them more strong, favourable arguments to support your point of view.

Of course, those views also have a weak side. Whether you show the weak side of the argument to a highly related person will most likely determine whether you can convince that person.

When someone is likely to be directly affected by a social engineering attack, weak arguments at that moment may trigger an "opposing" awareness in their mind.

So you must give strong arguments when facing people related to your purpose, and avoid weak ones.

By contrast, people who are not interested in your guidance or in the results you want can be placed in the category of "low-relevance people".

Examples are: security guards, cleaners, or receptionists in an organization that runs a network system.

Because low-relevance individuals do not directly affect your goals/results, they often do not analyse the two sides of the arguments you use to persuade them.

Their decisions often follow your wishes, or are entirely unaffected by other "awareness".

Such "awareness" includes: the reasons offered by the social engineer, the apparent urgency, or the strong persuasion of some individual.

Based on experience, in such circumstances we can only give as many arguments and reasons as possible; the effect is expected to be better.

Basically, for those whose awareness does not align with yours, try to use many arguments and much guidance to convince them that they are more closely related to your purpose.

One thing to note: when performing certain tasks, individuals with low ability will more often imitate the behaviour patterns of individuals with high ability.

In terms of computer system management, "individuals with low ability" mostly refers to the "low-relevance people" mentioned above.

Considering the above, do not try to conduct social engineering attacks on individuals in the system administrator category unless their ability is lower than yours, and the likelihood of that is very low.

Defending against others' attacks

Does combining the above information allow readers to better protect the security of their entire computer system?

In fact, the first step toward "good" depends on whether employees can guarantee the information security of their computer systems in their jobs.

This not only requires you to raise their security awareness unconditionally; you must also maintain a higher level of vigilance yourself.

For example, if you put someone in charge of protecting the security of your computer system, it then becomes possible for that person to access your system without the normal permissions.

In any case, the most effective, and also the most common, means of dealing with and defending against this type of attack is "education/training".

The first step is to educate your employees, and anyone else who might be used as a target of social engineering, about the importance of computer/information security.

Giving advance warnings directly to vulnerable people is enough to allow them to identify social engineering attacks.

But remember, when educating them about computer information security, you can use some stories and their "double-sidedness" as examples.

This is not my personal preference. Once individuals understand the "double-sidedness" of this focus, they will basically not waver from their position.

And if they are focused on computer security technology, they are more likely to take the position of maintaining the security of your data.

There are also factors of thinking that do not follow people's tendency to be persuaded.

Here you must have clear thinking, a high degree of creativity, the ability to cope with and handle stress, and appropriate self-confidence.

The ability to handle stress and self-confidence can both be cultivated through training.

As for one's own propositions and insights, these are often used in managing employees; training them can reduce the chance of certain individuals being attacked by social engineering, and also helps with other aspects of work.

Understand the various factors that lower people's information security awareness and threaten your security strategy.

In fact, only a small amount of effort is needed here to produce great results in reducing security risks.

Conclusion

Contrary to popular belief, using social engineering techniques to capture people's mental states is much easier than hacking into a mail server.

But if you want your employees to prevent and detect social engineering attacks, the effect will never be more obvious than having them maintain the security of a UNIX system.

From the standpoint of the system administrator, do not let the issue of "personal relationships" interfere with your information security chain, or your efforts will be wiped out.

From the standpoint of a hacker, when the system administrator's "work chain" holds the data you need, do not let him "get rid of" his own vulnerable links.

Social Engineering

A method of deceiving or harming people through psychological traps such as psychological weakness, instinctive reaction, curiosity, trust, and greed in order to obtain personal gain; in recent years it has become a rapidly rising and even abused trend. So, what is social engineering?

It cannot be equated with common deception methods. Social engineering is particularly complex; even the most vigilant and most careful people will be harmed by clever social engineering methods.

The trap of social engineering is to extract the secrets of the user's system from legitimate users by means of conversation, deception, impersonation, or spoken language.

Social engineering is a technique on a different level from ordinary deception and fraud.

Because social engineering requires collecting a large amount of information, it is a method of psychological tactics based on the opponent's actual situation.

The security provided by systems and programs can often be bypassed in terms of human nature and psychology. Social engineering is often an attack that exploits psychological manifestations of human vulnerability, such as greed, which is impossible to prevent.

So we analyse the existing methods of social engineering attacks, and use that analysis to improve some of our methods of preventing social engineering.

Skilled social engineers are practitioners who are good at gathering information.

A lot of information that appears useless on the surface will be used by these people for infiltration.

For example, a phone number, a person's name, or the latter's work ID number may be used by social engineers.

I found a term circulating on Maopu.com, which is what we call the "Human Flesh Search Expert", a practitioner of social engineering.


"Hacker Social Engineering Attacks" is the first hacker security book on social engineering in the series of security books launched by "The Hacker Handbook. Non-An". It is an excellent book on Chinese-style local social engineering.

"Hacker Social Engineering Attack" is the first book in China on non-traditional information security topics. Non-traditional information security refers to security threats and problems caused by terrorism, energy, economics, culture, and information. This book gives a complete analysis of information threats to individuals and companies, including information tracking, privacy mining, commercial theft, phishing attacks, psychological attacks, anti-reconnaissance and other cutting-edge information security topics. It aims to help individuals, governments and commercial organizations recognize the threat posed by social engineering attacks, so as to protect individuals and organizations from the risk of theft or intrusion of important secrets.

The hosting of the 2008 Olympics, a national event, shows that China has entered the era of digital information; the new challenge comes from information security threats, and these will undoubtedly grow more and more serious. Traditional computer attackers face many limitations in the system intrusion environment, while new social engineering attacks give full play to their advantages and gain control of systems by exploiting man-made loopholes through deception. This kind of attack is hard to detect, does not require face-to-face contact with the victim, leaves no traceable log records in the system, and induces internal personnel to hand information assets over to the social engineer. Trying to track down the attacker is difficult.

At the same time, none of us should ignore the harmfulness of social engineering attacks. Social engineers behave extremely cordially; banking institutions will not doubt their use of professional terminology and will accept that they are legitimate internal staff. The social engineer is also like a magician: while the left hand attracts your attention, the right hand has quietly taken your important documents. The social engineer is very talkative, knows how to operate unfamiliar professional equipment, and has a set of information tracking methods. When you call him, he will jokingly recite your name, age, address, credit card number...

The author of this book shows readers the little-known inside story of social engineering attacks, from the shallow to the deep, starting from the experience of the world's number one hacker Kevin Mitnick invading the Pentagon, and comprehensively explains the specific implementation and details of social engineering attacks, so that readers can clearly understand the attack tactics. The cases provided let readers visually recognize the threats posed, and to address readers' many security concerns, a complete solution is provided in Chapter 8 that can prevent you from being harmed through information. Companies will learn how, through training and related protection, to hinder social engineering attacks.

2. Book Features

The important feature of "Hacker Social Engineering Attacks" is that it is built around a large number of classic, practical, and rare examples of hacker social engineering as its main line, supplemented by easy-to-understand psychological analysis that closely integrates the rare examples with key knowledge points, so that the whole book reaches the ideal state of unity of knowledge and action.

The book has a total of 224 pages, printed on light paper well suited to reading, and comes with a 4.5G DVD of tools. The DVD was compiled by the author, who has been immersed in hacker security circles at home and abroad for many years; the hacker security tools on it are divided into 11 categories, and feature the latest, most comprehensive, and rarest.

Editor’s recommendation index: ★★★★★

3. After-reading

After-reading: two idioms sum up the experience of reading this book, "suddenly seeing the light" and "hair-raising". Those psychological codes that have troubled you for a long time will be deciphered; those clues will make you afraid...

Hurry up and read this book, to avoid the losses that information security threats and personal negligence bring, and also for the overall improvement of your hacker career and meaningful social interaction skills.
