[Social Engineering Classics Series] 1. What is social engineering?

Source: Internet
Author: User

The following is my summary; most of it draws on the work of the experts.
The social engineering series will be updated continuously. Thank you for your support!
Question 1: What is social engineering?
Definition: in its original sense, social engineering refers to building a theory and then using natural, social, and institutional means to solve complex social problems step by step, with particular emphasis on planning and design grounded in practical, two-way experience.
In the security sense, social engineering is the art and body of knowledge of getting people to comply with your wishes and do what you want.
It is not a way of directly controlling someone's will, nor does it let you steer people's behaviour outside their normal awareness, and the knowledge is not easy to learn or apply.
It also involves many flexible ideas and variable factors.
In every case, before obtaining the information they want, social engineers must master a large amount of relevant background knowledge and spend time gathering data and carrying out the necessary communication, such as conversation.
As with conventional intrusions, social engineering requires a great deal of preparation before it is carried out, and that preparation is often heavier than the attack itself.
You may think that the discussion so far is only about proving "how to use this technique to carry out intrusions".
Fair enough. In any case, "knowing how these methods are used" is also the only way to prevent and defend against this type of attack.
The knowledge gained from these techniques can help you or your organization prevent such attacks.
In the case of social engineering attacks, the brief warnings issued by CERT are of little use.
They generally boil down to: "Some people try to get into your system by pretending something is true. Don't let them succeed."
Yet this happens all the time.
So what then?
Social engineering targets the weakest link in the chain of computer and information security work.
We often say that the safest computer is the one with its network cable pulled ("physical isolation").
In reality, someone (a user) can be persuaded to connect a vulnerable machine in an abnormal working state to the network and start providing daily services.
From this we can see that the "person" link is critical in the whole security system.
Unlike any computer system on earth, people do not depend on outside intervention to act: they have their own subjective thinking.
This means that the vulnerability of information security is universal; it does not differ according to the system platform, software, network, or age of the device.
Whether the information is physical or electronic, anyone who can access some part of the system (a service) may pose a potential security risk or threat.
Any subtle piece of information may be used by a social engineer as "raw material" for obtaining further information.
This means that if the "person" factor (here meaning users, administrators, and other participants) is not included in the enterprise security management policy, it becomes a major security "crack".
A big problem?
Security experts often inadvertently leave the concept of security very vague, which leads to uncertainty in information security.
Under such circumstances, social engineering is one of the root causes of insecurity.
We should not obscure the fact that humans use computers and affect the operation of computer systems; as I have already stated,
no computer system on earth can be independent of the human factor.
Almost everyone can attempt a social engineering "attack" in some way; the only difference is the level of skill with which the methods are used.
Method
There are many ways to drive someone to follow your will and complete the task you want done.
The first and simplest is to give the target individual a direct "instruction" when asking them to accomplish your goal.
This is without doubt the easiest and most intuitive way to succeed.
Naturally, the guided individual knows exactly what you want them to do.
The second is to create a specific situation and environment for the individual (by fabricated means).
This method involves more factors than simply taking the individual's information into account.
For example, to persuade your target you can set up (deliberately arrange) a reason and a motive that pushes them to produce a result for you that is not of their own will.
This goes far beyond constructing a convincing attempt for a particular individual; it requires a great deal of knowledge about the intended "target".
It also means the specific situation/environment must be built on objective facts; a small number of lies makes the effect better.
One of the most refined skills in social engineering is the ability to remember true details.
On this point hackers and system administrators are especially attentive, particularly when something relates to their own field.
To illustrate the above method, I will give a small example.
Example: when an individual is placed "under" group and social pressure (such as the pressure of public opinion),
the individual is likely to behave in line with the group decision, even when that decision is clearly wrong.
Consistency
In some cases, when people believe that their group's decision is correct, this leads them to make different judgements and actions.
For example, if I have reached a conclusion and the arguments have very good reasons (that is, they match the wishes of most people in the group),
then no matter how much energy I spend trying to persuade them, it is impossible to make them change their decision.
In addition, a group is made up of members of different positions/levels.
Psychologists call this position/hierarchy effect "demand characteristics" (the characteristic of willingness to comply),
and it is shaped by the strong social constraints on participants.
Those who do not want to offend other members, those who do not want to be seen as idle in the meeting, and those who do not want to undermine the views of partners they are on good terms with all end up as the cause of the "going with the flow" phenomenon.
Working with these characteristics is an effective way to guide people's behaviour.
Situation
In any case, most social engineering is aimed at single individuals.
Therefore social pressure and other influencing factors must be established within a relationship of trust with the target.
In such a situation, when certain inherent characteristics are present, whether real or fictitious, the target individual may follow your will.
These inherent characteristics include:
· Pressure that goes beyond the target individual. For example, convincing the individual that the consequences of an action are not his or her responsibility.
· Catering to someone by offering an opportunity. Such actions depend more on whether the individual decides that a decision will bring "benefits" to someone, for instance making their relationship with the boss more harmonious.
· Moral responsibility. Individuals follow you because they feel morally obliged to do so.
This exploits the sense of guilt. People want to escape their inner discomfort, so if there is a "possibility" that would make them feel guilty, they will try to avoid that "possibility".
Individual persuasiveness
Personal prestige and persuasiveness are a useful means often used to get someone to cooperate with or comply with you.
The purpose of personal persuasion is not to force others to accept the "tasks" you assign, but to strengthen their own initiative in carrying them out.
There is a certain contradiction here: basically, the target is simply guided into a set (deliberately arranged) frame of mind.
The target believes they are in control of the situation and are helping you of their own accord.
In fact, there is no conflict between the target's own interests and the fact that they are indirectly helping you.
The social engineer's goal is to persuade the target by giving them a good reason to believe that only a small amount of time and effort is needed to "obtain" the benefits.
Cooperation
Several factors can increase a social engineer's chance of "cooperation" from the target.
Avoid conflict with the target; facing them with a calm manner increases the chances of success.
Drawing on existing relationships or developing new ones, shared troubles, or some special task can effectively push the target into cooperating with you.
Here, "success" depends largely on your ability to manage and deploy your persuasiveness.
This is very important, and it is regarded by "con men" (people who routinely use deception) as a means worth every effort.
Psychological studies have shown that if a person has already complied (successfully) with a very small request, he or she is more likely to comply with a larger one.
If there is a history of cooperation, the chance of obtaining cooperation again is much greater.
A better approach is for the social engineer to offer sensitive information to the partner first.
In particular, very realistic visual material that the target can see or hear is far more convincing than hearing your voice over the phone alone.
This is not unusual: it is hard to persuade people to exchange information in written or electronic form.
It is much like turning someone down over an IRC-style conversation.
Association
In any case, whether social engineering succeeds depends on how strongly the target individual is associated with your purpose.
System administrators, computer security staff, technical researchers, people who rely on computers and networks for their work or communication, and most hackers who use social engineering to launch attacks can be said to have a high association.
Most highly associated individuals are persuaded by strong, favourable arguments.
In fact, you can give them more strong, favourable arguments to support your point of view.
Of course, there are also weak points. Whether or not you show the weak side of your argument to a highly associated person largely decides whether you can convince them.
When someone is directly affected by a social engineering attack, a weak argument may produce the "opposite" attitude.
Therefore, when facing people associated with your purpose, you must give strong arguments and avoid weak ones.
Those who are not interested in your guidance or desired result fall into the "low-association" category.
Examples include security guards, cleaners, or receptionists for a network system.
Low-association individuals do not directly affect your goal/result, and they often do not analyse the two-sided nature of the arguments you use to convince them.
Their decisions often follow your will, or are completely unaffected by other "awareness".
Such "awareness" includes the reasons the social engineer provides, the apparent force and urgency of the situation, or someone's strong persuasion.
In our experience, in this case we can only give as many arguments and reasons as possible, and the effect is estimated to be better.
Basically, for those whose awareness is not aligned with yours, try to use many arguments and much guidance to persuade them, rather than relying on how much they are associated with your purpose.
One thing to note is that, when carrying out some work, individuals with lower capability tend to follow the behaviour patterns of individuals with higher capability.
In terms of computer system management, "individuals with low capability" refers to the "low-association persons" mentioned above.
From this point of view, do not try to conduct social engineering attacks on individuals in the system administrator category unless they are inferior to you, which is very unlikely.
Defend against attacks by others
Can readers, with the above information, better ensure the security of their entire computer system?
In fact, the first step towards "fine" is to determine whether employees can ensure the information security of their computer systems in their jobs.
This requires not only that you raise their security awareness unconditionally, but also that you yourself are more vigilant.
For example, if you ask someone to protect the security of your computer system, it becomes easier for that person to access your system without normal authorisation.
In any case, the most effective way to deal with and defend against such attacks is also the most common one: "education/training".
The first step is to educate your employees about the importance of computer/information security, together with the people most likely to be exploited to carry out social engineering.
It is enough to warn people who are prone to attack so that they can recognise social engineering attacks.
But remember, when educating them about computer and information security, we can use stories and their "two sides" as examples.
This is not my personal preference: when an individual understands the "two-sidedness" of the point in question, they will not be shaken from their position.
And if they focus on computer security technology, they are more likely to stand on the side of protecting your data.
There are also thinking factors that keep people from acting on others' persuasion.
Here you need a clear mind, a high degree of creativity, the ability to cope with pressure, and appropriate confidence.
The ability to handle pressure and confidence can be acquired through training.
As for people's own ideas and opinions, these are often used in employee management; training them can reduce the chance of some individuals being attacked by social engineering and help others.
Test employees' knowledge of the various factors that may reduce their information security awareness and threaten your security policies.
In fact, only a small amount of effort is needed to reduce the security risk.
Conclusion
Contrary to the common idea, it is much easier to use social engineering to exploit people's psychological state than to break into a mail server.
But if you want your employees to prevent and detect social engineering attacks, the effect will never be greater than having them maintain the security of a UNIX system.
From the system administrator's standpoint, do not let the "relationships between people" issue interfere with your information security chain, or your efforts may be wasted.
From the hacker's standpoint, when the system administrator's "work chain" holds the data you need, never let him "get rid of" his own weaknesses.
Social Engineering
Social engineering is a harmful means of deception and harm that exploits the victim's psychological traps, such as psychological weakness, instinctive reactions, curiosity, trust, and greed.
In recent years, using it to obtain one's own benefit has shown a rapidly increasing trend of use and misuse. So what is social engineering?
It is not the same as ordinary deception. Social engineering is especially complex; even someone who believes they are the most vigilant and careful person can be compromised by skilful social engineering techniques.
The trap of social engineering is to obtain secrets about the user's system from legitimate users by means of conversation, deception, impersonation, or speech.
Social engineering differs from common deception and fraud.
Because social engineering requires collecting a large amount of information about the other party's actual situation, it is a method of psychological tactics.
System and program security are often bypassed in favour of human nature and psychology.
Social engineering is often a type of attack that exploits the weaknesses and greed of human nature.
By analysing the existing methods of social engineering attacks, we can use that analysis to improve some of our defences against social engineering.
Skilled social engineers are good at collecting information.
Much seemingly useless information can be exploited by these people for penetration.
For example, a phone number, a person's name, or their work ID number may all be used by a social engineer.
There is a saying on the Internet: what we call "human flesh search" talent is social engineering practice.
Recently, NOHACK published a new book, "Social Engineering", by Fan Jianzhong. You can use it as a reference.