First of all, what counts as a social engineering attack here? That is the prerequisite for the discussion.
——————————————————————
The social engineering attacks I want to discuss are based on analysis and understanding of human nature, not on a machine-level understanding of encoding, decryption, rule-breaking and the like.
As far as I know, many of the hackers who can credibly claim to break into an enterprise intranet don't need to analyse much code at all; some can't even write code. Yet the fact is, they really do compromise you, and the enterprise you hold in such high regard gets thoroughly owned.
So how far can social engineering attacks actually go?
——————————————————————
The answer is: in theory, it is possible to compromise any website or business.
The emphasis here is on "theory", because the process may take a long time and a lot of effort to find a breakthrough, and it is quite possible that the attacker gets tired and gives up.
So I'll talk about how social engineering attacks are usually carried out.
——————————————————————
Maybe you are obsessed with sophisticated technology, so what I'm about to show will look lopsided. Why? Enterprises spend so much money purchasing defensive equipment and systems and hiring excellent developers, operators and security staff; how can a mere social engineer break through?
This comes down to the asymmetry between offense and defense.
For an attacker, a defensive system that looks impenetrable can be defeated simply by finding any single weakness, no matter how trivial.
For defenders, however, even after pouring huge investment and talent into defensive technology research, firewall after firewall, WAF after WAF, product code audit after audit, test after test, one day a staff member with little technical knowledge on your line of defense may be broken, and your whole security line collapses, while that staff member at that moment is still "wondering what went wrong ~".
And today it seems many defenders put their effort in the wrong place, or more precisely, focus too narrowly on some places and forget others. You work hard at defense by technical means, but the attacker does not need to get around the strict rules you set at home; they don't pick the lock, they simply take your door key and walk in!
So for the defender, even 99 points of effort don't count; the missing 1 point dooms security. In many cases, missing that 1 point means your business security isn't 99 points but 0 points!
So I'm going to tell you where you lost that 1 point!
——————————————————————
In one word: people!
Because the objects of attack (individuals, enterprises, systems, websites) are all operated, maintained and managed by people, and as long as people are involved nothing is foolproof or invulnerable, there will always be problems caused by people's inertia, a moment's negligence, weakness, lax discipline, or just some melodrama like being a bit dazed after a breakup...
Take the classic favourite: weak passwords!
Many vulnerabilities that look enormous are just a weak password.
Weak passwords on SNS accounts, personal messaging software, staff mailboxes, Wi-Fi, all sorts of management systems with privileged accounts, database accounts, code hosting repositories... Any entrance that gets caught can lead to a compromise.
- Pure digits: 123456, 123456789, 888888, 000000. Hopeless, no need to say more!
- Classics like admin/admin, i.e. password == username;
- Password == a variant of the username; password == domain name, product name, product name abbreviation, full pinyin of a name, with digit suffixes like 123456 or 123 tacked on;
- Sentimental weak passwords: own birthday, lover's/crush's/... birthday; in short any date combined with other fields, or meaningful pinyin/English phrases such as leehom520, iloveyou, nishidahuaidan;
- Seemingly witty but long since guessed and cracked: things like 1h4ngb41lu5h4ngq1ngt14n (leetspeak), 3.1415926, @/http123.com, etc.
- All-lowercase English words: password, scan, lollol, helloworld...
- The typical lazy "complex password": the [email protected]#qweasd type
- ......
The above is just a popular-science list; dictionaries of this kind should be very common in the industry. When in the mood you guess by hand; most of the time you can run through the rules automatically. As for CAPTCHAs, judging by the domestic situation, most CAPTCHA algorithms are too easy to recognise and bypass, which is almost the same as having none.
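The categories on the list above are exactly what a password policy should reject at the moment a password is set. As an added example (not code from the original post), here is a checker that turns each category into a rule: all digits, equals or contains the username, contains the domain or product name, contains a date, a dictionary word once leetspeak and trailing digits are stripped, a keyboard walk, or a well-known "trick" value. The account context and the word lists are constructed, hypothetical samples; a real deployment would load a proper dictionary and pull the username and product names from the directory.

```python
import re

# Constructed account context (hypothetical values); a real check would pull
# these from the directory or HR system for the account being set.
CONTEXT = {
    "username": "zhangsan",
    "domain": "example.com",
    "product": "SuperCMS",
    "birthdays": ["1990-05-20", "1992-02-14"],  # own and partner's, say
}

# Small constructed samples for each category on the list above;
# a real policy would load a full dictionary instead.
COMMON_WORDS = {"password", "scan", "lollol", "helloworld", "admin",
                "iloveyou", "nishidahuaidan", "leehom"}
KEYBOARD_WALKS = ("qwerty", "qweasd", "asdfgh", "1qaz", "zxcvbn", "1234567890")
KNOWN_TRICKS = {"3.1415926", "31415926", "http123.com"}
LEET = str.maketrans("43015$@7!", "aeoissati")  # undo 4->a, 3->e, 0->o, ...
DATE_RE = re.compile(r"(?:19|20)\d{2}(?:0[1-9]|1[0-2])(?:0[1-9]|[12]\d|3[01])")
TRAILING_JUNK_RE = re.compile(r"[0-9!@#$%^&*._-]+$")  # the "123" / "!@#" suffix


def _normalize(pw: str) -> str:
    """Lowercase, drop the digit/symbol suffix people tack on, undo leetspeak,
    keep letters only, so P@ssw0rd and password123 both become 'password'."""
    core = TRAILING_JUNK_RE.sub("", pw.lower()).translate(LEET)
    return re.sub(r"[^a-z]", "", core)


def _date_forms(iso: str) -> set[str]:
    """YYYYMMDD, YYMMDD, MMDDYYYY and DDMMYYYY spellings of one ISO date."""
    y, m, d = iso.split("-")
    return {y + m + d, y[2:] + m + d, m + d + y, d + m + y}


def weak_password_reasons(pw: str, ctx: dict = CONTEXT) -> list[str]:
    """Return the weak-pattern categories the password matches, in a fixed
    order. An empty list means none of the patterns above fired."""
    reasons = []
    low = pw.lower()
    stripped = TRAILING_JUNK_RE.sub("", low)
    user = ctx["username"].lower()

    if pw.isdigit():
        reasons.append("digits_only")
    if stripped == user or user in low:
        reasons.append("equals_or_contains_username")
    for name in (ctx["domain"].split(".")[0], ctx["product"]):
        if len(name) >= 3 and name.lower() in low:
            reasons.append("contains_domain_or_product")
            break
    if DATE_RE.search(pw) or any(f in pw for b in ctx["birthdays"] for f in _date_forms(b)):
        reasons.append("contains_date")
    if _normalize(pw) in COMMON_WORDS:
        reasons.append("dictionary_word")
    if any(walk in low for walk in KEYBOARD_WALKS):
        reasons.append("keyboard_walk")
    if low in KNOWN_TRICKS:
        reasons.append("well_known_trick")
    return reasons


if __name__ == "__main__":
    for candidate in ("123456", "zhangsan123", "P@ssw0rd", "leehom19900520",
                      "qweasd!@#", "3.1415926", "xK9#vL2@pQ7mZ"):
        print(f"{candidate!r:20} -> {weak_password_reasons(candidate) or 'ok'}")
```

The point of `_normalize` is that the "seemingly witty" class on the list collapses onto the dictionary class once leetspeak and the trailing `123` are undone, so one rule catches both. The rule order is fixed so the result can be logged and compared across runs.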
There is another kind I also count as a weak password: reusing the same password across different accounts.
This gives attackers an opening for credential stuffing (撞库): replaying credentials leaked from one site against another.
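From the defender's side, credential stuffing has a recognisable shape in the login log: one source address trying many different accounts in a short window, with mostly failures and the occasional success where a user reused a leaked password. As an added example (not from the original post), the detector below parses a constructed login audit log and flags such sources, listing the accounts where the replay succeeded so they can be forced to reset. The log format and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of a web login audit log (not from any real system).
# 203.0.113.5 walks through many accounts in seconds; 198.51.100.7 is one
# user retrying their own account, which is a different, benign pattern.
SAMPLE_LOG = """\
2024-03-01T09:00:01 src=203.0.113.5 user=alice result=FAIL
2024-03-01T09:00:02 src=203.0.113.5 user=bob result=FAIL
2024-03-01T09:00:02 src=203.0.113.5 user=carol result=FAIL
2024-03-01T09:00:03 src=203.0.113.5 user=dave result=OK
2024-03-01T09:00:03 src=203.0.113.5 user=erin result=FAIL
2024-03-01T09:00:04 src=203.0.113.5 user=frank result=FAIL
2024-03-01T09:00:04 src=203.0.113.5 user=grace result=FAIL
2024-03-01T09:00:05 src=203.0.113.5 user=heidi result=FAIL
2024-03-01T09:05:00 src=198.51.100.7 user=alice result=FAIL
2024-03-01T09:05:30 src=198.51.100.7 user=alice result=FAIL
2024-03-01T09:06:10 src=198.51.100.7 user=alice result=OK
2024-03-01T09:10:00 src=192.0.2.9 user=bob result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text: str) -> list[dict]:
    """Turn the assumed 'ts src user result' format into event dicts;
    malformed lines are skipped rather than crashing the detector."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "user": m["user"],
            "ok": m["result"] == "OK",
        })
    return events


def find_stuffing_sources(events: list[dict], min_users: int = 5,
                          min_fail_ratio: float = 0.7,
                          window_seconds: int = 300) -> dict:
    """Flag sources that hit many distinct accounts within the window with a
    high failure ratio. Returns per-source stats plus the accounts that were
    successfully logged into, i.e. the users who reused a leaked password."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        users = {e["user"] for e in evs}
        fail_ratio = sum(not e["ok"] for e in evs) / len(evs)
        if len(users) >= min_users and fail_ratio >= min_fail_ratio and span <= window_seconds:
            flagged[src] = {
                "distinct_users": len(users),
                "attempts": len(evs),
                "fail_ratio": round(fail_ratio, 2),
                "hits": sorted(e["user"] for e in evs if e["ok"]),
            }
    return flagged


if __name__ == "__main__":
    for src, stats in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(src, stats)
```

The single-account retry from 198.51.100.7 is deliberately not flagged: the distinguishing feature of stuffing is breadth across accounts, not depth on one. A production detector would use a sliding window and also aggregate by network or ASN, since attackers spread attempts over many addresses.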
Apart from weak passwords, what other human weaknesses are there?
——————————————————————
If weak passwords come from laziness, then all kinds of improper operation and exposure of sensitive information come from carelessness and weak awareness ~
Passwords or sensitive information get written:
- In comments
- In logs
- In configuration files
- In documents
- In instant messaging tools
- In mail
- ......
The result is that I Google intext:password pwd and unexpectedly find your password, a filetype search turns up your staff list, an inurl search or a scan finds your back-office address, or the CMS address or a sensitive port is exposed, and finally your document, log, configuration file or code directly records passwords and other sensitive information. I open a Wi-Fi password sharing app and see that one of your lovely employees has shared the company Wi-Fi password, connect to the Wi-Fi, and walk right in...
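The cheapest countermeasure to secrets written into comments, logs and configuration files is to scan for them before they are committed, shipped or indexed. As an added example (not from the original post), the scanner below runs over constructed sample files covering the places the list above names: a `password = ...` assignment in an INI file, a database URL with embedded credentials in a log line, a password mentioned in a code comment, and a private key pasted into a deploy script. It deliberately masks what it finds so the scan report does not become another copy of the secret, and it ignores `${VAR}`-style placeholders. File contents and patterns are constructed assumptions.

```python
import re

# Constructed sample files (not from any real project).
SAMPLE_FILES = {
    "config.ini": (
        "[database]\n"
        "host = db.internal\n"
        "user = app\n"
        "password = Hunter2!2019\n"
        "api_key = ${API_KEY}\n"          # env placeholder: not a finding
    ),
    "app.log": (
        "2024-03-01 10:01:02 INFO connecting to mysql://app:Hunter2!2019@db.internal:3306/prod\n"
        "2024-03-01 10:01:03 INFO login ok user=alice\n"
    ),
    "settings.py": (
        "# TODO remove before release: admin pwd is Adm1n#2019\n"
        "DEBUG = True\n"
    ),
    "deploy.sh": (
        "#!/bin/sh\n"
        "cat > /root/.ssh/id_rsa <<'EOF'\n"
        "-----BEGIN RSA PRIVATE KEY-----\n"
    ),
}

# key = value / key: value / "key is value" in config, code and comments
KV_RE = re.compile(
    r"\b(password|passwd|pwd|secret|token|api[_-]?key)\b\s*(?:[=:]|is)\s*[\"']?([^\s\"',;]{4,})",
    re.IGNORECASE,
)
# scheme://user:PASSWORD@host, the classic connection-string leak in logs
URL_CRED_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:([^\s@/]+)@", re.IGNORECASE)
PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
PLACEHOLDER_PREFIXES = ("${", "{{", "%(", "<")  # templated values, injected at deploy time


def mask(value: str) -> str:
    """Keep two characters so a finding is recognisable without re-leaking it."""
    return value[:2] + "*" * (len(value) - 2)


def scan_text(name: str, text: str) -> list[dict]:
    """Scan one file's text; one finding per line, most specific rule first."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if PRIVATE_KEY_RE.search(line):
            findings.append({"file": name, "line": lineno, "kind": "private_key",
                             "preview": line.strip()})
            continue
        m = URL_CRED_RE.search(line)
        if m:
            findings.append({"file": name, "line": lineno, "kind": "url_credentials",
                             "preview": mask(m.group(1))})
            continue
        m = KV_RE.search(line)
        if m and not m.group(2).startswith(PLACEHOLDER_PREFIXES):
            findings.append({"file": name, "line": lineno, "kind": "assignment",
                             "preview": f"{m.group(1)}={mask(m.group(2))}"})
    return findings


def scan_files(files: dict[str, str]) -> list[dict]:
    return [f for name, text in files.items() for f in scan_text(name, text)]


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} [{f['kind']}] {f['preview']}")
```

In practice this kind of check belongs in a pre-commit hook and in the CI pipeline, and the same URL rule applied to the logging layer (redacting `user:pass@` before the line is written) removes the log case at the source rather than after the fact.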
Through means including but not limited to the above: if you get a password, that is direct access; if you get private information, you can play the voyeur and observe and analyse each person's accounts, habits and preferences, and interpersonal relationships one by one, then use the weak-password approach above to find a breach, or single out one person or a small group for targeted exploitation and attack, such as spear phishing! What matters most when the target has no technical knowledge is their lack of security awareness: forge a phishing email or a private message for them, and they take the bait! They, their organisation, and every system they have access to are all sold out!
However,
——————————————————————
The above is just the tip of the iceberg. Because of the chaotic security situation and the weakness of various security infrastructures, attackers have long since collected large amounts of personal private information by various means. This means that today's social engineering attackers no longer need to spend much time choosing who to target; basically a select query on the desired person or ID returns that person's past passwords, mobile number, mailbox, even employer, address and other private information, which feeds the weak-password analysis above or an attack on the enterprise where that person works.
Some have already written this process into an idiot-proof query system.
Guessing passwords and searching for sensitive ports, information and configuration files have been written into automated systems ranging from personal "toys" to specialised commercial products.
So, how do you prevent it?
——————————————————————
For individuals, it's the usual clichés...
- Reject weak passwords; stricter still, refuse any password with personal meaning. You can mash the keyboard at random and use the garbage as the password. You can also use a password manager such as 1Password;
- Try not to expose your email address or mobile number. If you must expose them for account registration, deliveries and so on, don't use that mailbox or number for personal matters. You can also use a temporary mailbox service like https://www.guerrillamail.com/zh/inBox in place of your real address, to prevent social engineering attacks that start from an exposed mailbox. For mobile numbers there is Ali's virtual "small number" service, but it is not very stable.
- Use two-factor authentication for personal and work mailboxes.
- Don't share one password, or one set of password rules, across multiple accounts. Or, as in the first point: each account's password is independent of the others, and ideally has no meaning or regularity.
- For throwaway accounts where you can't be bothered with a complex password, first satisfy a premise: the account's information is open and transparent, and nobody stealing it could cause any loss to you, your family or your employer. If that holds, fine, use a weak password.
- Refuse to use privacy-infringing software such as Wi-Fi password sharing apps.
- Refuse to transmit sensitive or confidential information over instant messengers or email. After all, SMTP is a plaintext protocol and is really not suitable for negotiating confidential matters. Moreover, most attackers can read your mail with nothing more than social engineering.
- The above only minimises risk and is not absolutely effective, because social engineers rely on your chain of relationships and on dynamic information you really cannot control. You do everything right, but someone in your relationship chain drops the ball, and you are exposed. But isn't exposure of privacy on the Internet the premise of using the network anyway...
For the enterprise it seems even more of a headache. Technology alone cannot solve it; this is a management problem!
——————————————————————
- Every employee in your enterprise, whatever their level, department or position, from the CEO down to interns and temporary workers, should follow the personal precautions above; in short, have security awareness;
- Technical staff such as operations, maintenance and developers should also be trained in security awareness, along with a sense of standards and responsibility.
- Security infrastructure must be in place and standardised. Don't expose a big pile of ports, don't let business lines run chaotically, otherwise it really is hard to manage: the person in charge may not know how each line is going, and when trouble comes it cannot be traced.
- Strictly control employee account permissions across different business lines and positions.
- Isolate the Wi-Fi guest network from the production network, while rejecting weak passwords and passwords plastered everywhere. Best to grant network access only to specified devices.
- In a word: easy to say, very hard to do, and far more complex than simply increasing investment in technology.
So now you can understand why some hackers are always so confident that they can compromise every enterprise ~
But I think that precisely because of this, the penetration testing profession is needed to dynamically detect the omissions that human uncertainty causes. Enterprises need not panic at the mention of a vulnerability and immediately do crisis PR to evade responsibility; in fact a frank and transparent emergency response and a timely fix is the best PR. Once onlookers understand the situation of both attack and defense, they will be more understanding and inquisitive rather than condemning and sarcastic, so that the domestic Internet industry, traditional enterprises and the security industry can move towards cooperation rather than confrontation, which is the healthier and more progressive direction.
PS: Social engineering attacks today have reached the point where, as long as you master the skills, you can compromise the whole world.
Those Internet companies are weaker than expected: with a little understanding of search engines and of "collecting public information for spear phishing", you can indirectly get into the company's internal office network. (Six degrees of separation: it doesn't matter how much weight you carry; the attacker looks at whether you are connected to important people or assets in the chain of trust relationships.) And that is with attacks relying only on public information, never mind social engineering databases that involve personal privacy.
How to guard against hackers' social engineering attacks?