Social Engineering: The Art of Deception

Social engineering is a means of harm that deceives and hurts the victim through psychological traps built on psychological weakness, instinctive reaction, curiosity, trust and greed. In recent years, this way of pursuing self-interest has risen rapidly and is even being abused.

So, what is social engineering? Unlike ordinary deception, social engineering is particularly complicated. Even people who think they are the most vigilant and careful can be hurt by clever social engineering methods. The trap of social engineering is to extract the secrets of a user's system from legitimate users by talking, cheating, impersonating or speaking. Social engineering differs from ordinary deception and fraud because it requires collecting a lot of information and applying psychological tactics tailored to the target's actual situation. The security provided by systems and procedures can often be bypassed through human nature and psychology. Social engineering is often an attack that takes advantage of human vulnerability and greed, and it cannot be prevented. We therefore analyze the existing social engineering attack methods and use that analysis to improve some of our prevention methods for social engineering.

Skilled social engineers are practitioners who are good at collecting information. A lot of seemingly useless information will be used by these people to infiltrate: phone numbers, names or the number of a job ID may all be used by social engineers. There is a saying circulating on the cat's robot. Com for what we call social engineering practitioners: "human flesh searchers". Recently NOHACK published a new book, Social Engineering, written by Jianzhong Fang, which can be used as a reference. Social engineering is a kind of hacker attack that uses deception and other means to win the other party's trust by fraud and obtain confidential information. Domestically, social engineering is usually associated with human flesh search.

Generally speaking, social engineering is an art and a body of knowledge for making people obey your wishes and satisfy your desires. It is not a simple method of controlling the will, and it cannot help you control behavior that lies outside a person's normal consciousness. This knowledge is not easy to learn or use, and it involves all kinds of flexible ideas and changing factors. A social engineer must always command a large base of relevant knowledge, spend time collecting data, and hold conversations and other necessary exchanges before obtaining the required information. As with earlier forms of intrusion, social engineering requires a great deal of preparatory work before it is carried out, and that preparation is even more arduous than the attack itself.

You may think that this discussion is focused only on demonstrating "how to use this technology to carry out invasion." Actually, that is fair. In any case, "knowing how these methods are used" is also the only means to prevent and resist such intrusion attacks. The knowledge extracted from these techniques can help you or your organization prevent this type of attack. For social engineering attacks, warnings that carry as little information as those from CERT are meaningless. They usually boil down to: "Some people try to access your system by 'pretending something is true'. Don't let them succeed." However, this often happens.

So what? Social engineering targets the most vulnerable link in computer information security. We often say that the safest computer is one with no plug (network interface), that is, "physical isolation". In fact, you can persuade someone (a user) to connect this fragile, attack-prone machine, which is in an abnormal working state, to the network and start providing daily services. This also shows that the "people" link is very important in the whole security system.

No computer system on earth operates without relying on human intervention, and people have their own subjective thinking. This means that this information security vulnerability is universal and does not vary with system platform, software, network or age of equipment. Whether access is physical or electronic, anyone who can access a part of the system (a service) may create potential security risks and threats. Any subtle piece of information may be used by social engineers as "supplementary information" to obtain other information. This means that if the "people" factor (here meaning users, managers and other participants) is not included in the enterprise security management strategy, it will constitute a big security "crack".

Big problem? Security experts often inadvertently make the concept of security very vague, which leads to the instability of information security. In this case, social engineering is one of the root causes of insecurity. We should not blur the fact that human beings use computers or affect the operation of computer systems because, as I stated before, no computer system on earth is without the "human" factor. Almost everyone has the means to attempt a social engineering "attack". The only difference is the skill with which these methods are used.