In solving information security problems, the human factor occupies one of the most important positions. Several years ago, the vast majority of unauthorized access incidents were carried out by technical means. The situation has changed: technical means have been displaced by social engineering. Security technologies that have developed rapidly in recent years (firewalls, device identification, encryption, intrusion detection systems and others) have proved ineffective against intruders who use social engineering techniques.
Social engineering is a way of committing crimes in the sphere of computer information using a set of techniques that do not rely on software or hardware means of unauthorized access, but instead exploit knowledge of psychology.
For a long time, information security experts paid attention only to hardware and software protection, but this was not enough. In addition to these protective measures, serious work with staff is needed: teaching employees to apply the security policy and to resist social engineers. Only then is the information security system a comprehensive one.
Combined with technical knowledge in the field of information security, social engineering is a very serious weapon. In the area of computer crime it is used to achieve the following objectives:
1. Collecting information about potential victims. For example, the attacker has only general information about the victim, but to achieve any result needs specific details. In this case the attacker enters into a dialogue (conversations, chats in an instant messenger such as ICQ), first with those who communicate directly with the victim, and then with the victim. From this kind of communication the attacker can easily learn specific information about the victim: the times at which the victim is online, interests, habits, preferences, tastes, hobbies, physical location, frequently visited resources (e.g. forums), the names under which the victim appears on the Internet, and even the type of operating system the victim uses. From these data the attacker can plan the next steps aimed at gaining unauthorized access.
2. Obtaining confidential information. To achieve this goal, the attacker builds trust through prolonged contact with the victim and, under a convenient pretext, obtains the necessary information (for example, passwords to e-mail accounts). Having gained the victim's trust, the attacker can learn the victim's real name and then use it to obtain the remaining information (e.g. by looking up in a database the victim's phone number, address of registration or residence, and much more, down to the victim's taxpayer details).
3. Obtaining the information needed for unauthorized access. Suppose the victim has an account on one of the public mail services (mail.ru, yandex.ru, etc.). Each of them offers "password recovery". This service exists so that users can reset a password they have lost. For this purpose, at registration the user typically sets a secret question whose answer serves as the user's unique authentication. The most frequently used questions are "Mother's maiden name", "Your favorite food" or "Passport number". Thus, if users forget their password, they turn to the automated recovery service, answer the question correctly and receive a new password for the e-mail account. To exploit this, the attacker opens the automated password recovery and learns the secret question. Suppose the question is "What is your favorite dish?". The attacker then gains the victim's trust and proposes to meet "in person". Under various pretexts (a meeting in a restaurant, a discussion of home cooking, etc.) the attacker obtains a list of the victim's culinary preferences and can then answer the recovery question correctly with high probability. Alternatively, if the secret question is "Passport number", the attacker, knowing the victim's real name, looks up the series and number of the victim's passport in databases that were obtained illegally but are nevertheless openly sold at computer markets.
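The weakness described above is that a knowledge-based question authenticates the user with a fact that a social engineer can learn in conversation. The following added example (not part of the original article) contrasts that scheme with a token-based recovery flow in which the service issues a high-entropy, single-use, time-limited token delivered out of band to the registered e-mail address. The account store, the `TOKEN_TTL_SECONDS` and `MAX_ATTEMPTS` values and all user data are constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60   # assumption: a reset token is valid for 15 minutes
MAX_ATTEMPTS = 5              # assumption: wrong redemptions before the token is voided

# Constructed in-memory account store; a real service would use a database.
ACCOUNTS = {
    "alice": {
        "email": "alice@example.invalid",
        "password": None,          # {"salt": bytes, "hash": bytes} once set
        # The weak, knowledge-based recovery described in the article:
        "security_question": "What is your favorite dish?",
        "security_answer": "borscht",
        # State for the hardened, token-based recovery:
        "reset": None,
    }
}


def _hash_token(token: str) -> str:
    # Tokens are random and long, so a plain hash is enough to avoid storing them.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def set_password(user: str, password: str) -> None:
    # Passwords are low-entropy: use a salted, iterated KDF rather than a bare hash.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    ACCOUNTS[user]["password"] = {"salt": salt, "hash": digest}


def check_password(user: str, password: str) -> bool:
    stored = ACCOUNTS[user]["password"]
    if stored is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), stored["salt"], 200_000)
    return hmac.compare_digest(stored["hash"], digest)


def weak_recovery(user: str, answer: str) -> bool:
    """Knowledge-based recovery: succeeds for anyone who knows one personal
    fact about the account holder (favorite dish, passport number, ...)."""
    return answer.strip().lower() == ACCOUNTS[user]["security_answer"]


def issue_reset_token(user: str, now: Optional[float] = None) -> str:
    """Create a single-use, time-limited token. Only its hash is stored; the
    plaintext is returned so the caller can send it to the registered e-mail
    address, i.e. to a channel the account holder controls."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # 256 bits of randomness: not guessable in conversation
    ACCOUNTS[user]["reset"] = {
        "token_hash": _hash_token(token),
        "expires_at": now + TOKEN_TTL_SECONDS,
        "attempts": 0,
    }
    return token


def redeem_reset_token(user: str, token: str, new_password: str,
                       now: Optional[float] = None) -> bool:
    """Accept the token once, within its lifetime, and only while the number
    of wrong guesses stays below MAX_ATTEMPTS."""
    now = time.time() if now is None else now
    acct = ACCOUNTS.get(user)
    if acct is None or acct["reset"] is None:
        return False
    state = acct["reset"]
    if now > state["expires_at"]:
        acct["reset"] = None          # expired tokens are discarded
        return False
    if not hmac.compare_digest(state["token_hash"], _hash_token(token)):
        state["attempts"] += 1
        if state["attempts"] >= MAX_ATTEMPTS:
            acct["reset"] = None      # too many wrong guesses voids the token
        return False
    acct["reset"] = None              # single use: the token cannot be replayed
    set_password(user, new_password)
    return True


if __name__ == "__main__":
    print("weak scheme accepts a learned fact:", weak_recovery("alice", " Borscht "))
    t = issue_reset_token("alice")
    print("token redeemed:", redeem_reset_token("alice", t, "correct horse battery"))
    print("same token again:", redeem_reset_token("alice", t, "replay"))
```

The token flow shifts the secret from something the user knows (and may reveal) to something the service generates and delivers to the user's own channel; the expiry, single-use and attempt cap limit what an interception or a guessing attempt can achieve.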
4. Forcing the target to perform the actions the attacker needs. By "necessary actions" we mean acts that induce the victim to do something which creates the possibility of unauthorized access. Consider the following example: the offender has found out exactly which browser the victim uses. Suppose it is Internet Explorer version 5.x. The attacker has so-called exploit code that allows an arbitrary application to be launched on the victim's computer if the victim visits a site containing the exploit with the required version of Internet Explorer. Having prepared such a site in advance, the attacker gains the victim's trust and invites the victim to visit the site under some pretext, for example that the page hosts an online prize draw. If the outcome is successful for the attacker, he gains full access to the victim's computer.
It should be noted that, at the current stage of development of information security practices in Russia, it is necessary to focus on ways of protecting against the social engineering techniques an attacker uses to obtain sensitive information.
First of all, defense is awareness. It plays the leading role in protecting an organization against intrusion into its information systems by means of social engineering, because social engineering relies on such aspects of human nature as negligence and carelessness. Awareness is a key element of information security because it is a preliminary, preventive measure aimed at having employees master the basic principles and necessary rules of protection against unauthorized access. Naturally, this requires training and testing of employees.
To enhance the security of its information systems, an organization should draw its employees' attention to information security issues.