Which part is the weakest link in the network? The Internet firewall, the anti-virus software, the remotely managed PC, or the notebook computer of the mobile office? Most security experts agree that a cunning hacker can often break into almost any network simply by asking a few simple questions of specific users.
They rely not only on technical means but also on social engineering to deceive. Generally speaking, they exploit people's innate trust, their desire to help others and their curiosity about the unknown. They use these weaknesses to obtain user names and passwords, rendering security measures built on all kinds of advanced technology useless.
If you have no first-hand sense of such situations, see our sidebar "5 tricks that hackers often use" and consider whether you would be easily fooled in those circumstances. The tricks in that sidebar, however, are only a small part of the methods hackers use to pry out useful information.
In fact, hackers can gather a great deal of information without talking to anyone. By visiting your company's website they can learn the names of its leadership, its financial information, its organization chart, and the e-mail addresses and telephone numbers of its employees. They will also sift many valuable items from documents the company has thrown away: organization charts, marketing plans, memoranda, human resources manuals, financial statements, company rules and regulations, process instructions and so on. Hackers use this information to win the trust of employees, for example by posing as employees or customers who call or e-mail staff, gaining their confidence step by step and finally entering the company's network through them.
Techniques for obtaining information from a company's employees fall into the following categories:
◆ Confuse an employee with a mass of incomprehensible information or strange questions, so that he cannot work out what the caller really wants.
◆ Deliberately create technical faults for you, then help you solve them to win your trust. This method is called reverse social engineering.
◆ Order you to follow his instructions in a strongly emotional or even threatening tone.
◆ If he meets resistance, he will drop a few small demands; you then feel you should meet his remaining requests in return.
◆ Keep sharing information and technical know-how with you without asking for anything in return (at least at first), so that when he asks you for something you feel obliged to tell him.
◆ Pretend to share your hobbies and interests, and take the opportunity to join your interest group.
◆ Claim to be helping a colleague complete an important task.
◆ Build a seemingly friendly relationship with you in which there is no conflict of interest, then extract from you bit by bit the company's internal jargon, the names of key employees, servers and application types.
You should also bear in mind that a large proportion of security problems are caused by disgruntled employees or by non-employees (such as the company's customers or partners), who often disclose information that should not be disclosed. People tend to overlook the danger from within.
Of course, social engineering is not limited to defrauding companies of confidential information. Hackers often use the same technique to defraud individual users of credit card numbers, user names and passwords that can be used for online shopping. A common trick is to convince users, through e-mail and fake web sites, that they are visiting the website of a well-known large company.
If you still doubt the role of social engineering, you should at least stay vigilant and take precautions. Kevin Mitnick is one of the most notorious hackers of the 20th century. He has told the media many times that he broke into networks by exploiting human weakness rather than technology.
On the other hand, most companies are willing to invest heavily in security technology but neglect the management of their employees. Yet most security products and technologies do not take social engineering into account. So how should you deal with it?
You should approach the problem from two directions: first, take the necessary protective measures for the physical locations where company information leaks easily (desks, filing cabinets and web sites); second, educate employees about security precautions and formulate clear rules and regulations.
The security of physical space is probably the simpler part. Below we list some important tips, most of which cover both aspects (physical protection and rules and regulations).
◆ Let all company employees and visitors wear identification badges or other signs. For visitors, there must be someone to escort them to their destination.
◆ Check which documents must be locked at any time and which can be thrown into the shredder for disposal.
◆ The filing cabinet should be locked and placed in a safe and monitored place.
◆ Ensure that all systems (including all client PCs) are protected by passwords; use strong passwords and change them regularly.
◆ Each machine should also be set to start its screen saver after a few minutes of idleness, and the screen saver should require a password.
◆ If files on the hard disk contain confidential information, store them encrypted.
◆ Don't disclose too much information about the company on public websites.
Building a good security system and training employees accordingly is harder. Employees usually don't realize that the information they give out is of great value. They must be continually educated to stay alert when strangers ask for information, so that they are not easily deceived.
The best way to train employees is for the instructor to use social engineering techniques to extract some valuable information from them before the training, and then to analyze and explain these examples as cautionary case studies during the training.
You need to draw up a clear set of rules and regulations so that everyone knows what kind of information must never be leaked to others under any circumstances. A lot of seemingly useless information (server names, the company's organizational structure, internal jargon, etc.) is valuable to hackers. Your rules should specify the access rules for every kind of information and the security precautions to be taken, and there should be clear penalties for violations. If the rules are detailed and clear, employees will be less likely to leak company information.
At present, tools designed specifically to counter social engineering are rare, but some content filtering tools and anti-spam products (such as MailFrontier Matador) can be used to prevent employees from leaking information by e-mail or to block fraudulent e-mails from outside. Matador uses a series of patented technologies to identify suspicious e-mails.
Fighting social engineering is a long and arduous task, because attackers constantly refine their tactics to get around existing preventive measures. Therefore, as soon as a new form of fraud appears, you need to formulate new rules to counter it. And you should constantly remind your employees that they are the company's real firewall.
5 tricks that hackers often use
① Many people have received e-mails like this: you are promised a chance to win a large bonus, and all you need to do is fill out a registration form (entering your user name and password). Surprisingly, quite a few people reply to such e-mails, and a considerable proportion of them fill in exactly the user name and password they use to log in to the company network. By sending such an e-mail to more than 1 employees of a company, a hacker can easily collect two or three network login passwords.
② Sometimes a dialog box pops up on your computer telling you that the network connection has been interrupted and asking you to re-enter your user name and password to restore it. Sometimes you receive an e-mail that appears to come from Microsoft, reminding you to run the attached security update. Have you ever questioned whether that dialog box or e-mail is genuine?
③ When you step outside for a cigarette and join the chat, the conversation may turn to the recent failure of the company's mail server. In a large company you may not know every employee, and one or two unidentified hackers may well be mixed in among the people chatting.
④ Suddenly a man arrives to look at your boss's computer (the boss happens to be out), saying that the boss's Outlook has been misbehaving and has asked him to fix it. The reason sounds plausible; Outlook does often misbehave, but why does it have to be fixed while the boss is away?
⑤ Sometimes you receive a phone call from a woman who claims to be the president's assistant, asking you for some personal or company information. To dispel your doubts she drops the name of a company leader or casually reveals something that only the company's employees would know.
2. Solutions to the problems of social networks
For example, when employees talk about each other's work in their daily communication, they may leak projects that the company has not yet made public.
"This may lay a hidden danger for the future," said Frank Lee, senior vice president and chief system architect of Wells Fargo. What worries him is that there is little the company can do about the fact that employees may put sensitive information on social network sites outside the company's control.
The emergence of enterprise social network sites has eased this concern. "We need enterprise-class data and application security," said Berkwitch of SelectMinds. "We need to strike a balance between sufficiently free communication and relatively conservative enterprises, so as to assure them that this communication is not an arbitrary talk show." This cautious approach has helped SelectMinds establish cooperative relationships with a number of large accounting and financial companies.
However, SelectMinds has only achieved success on a small scale. Some companies still avoid applications that cannot give managers absolute control.
The security challenges faced by the national intelligence department's A-Space are staggering. This is partly because it chose a network-based social network site instead of a desktop client that has to pass through 16 different security checkpoints and cross 16 different firewalls. But even with the latter approach, sensitive data stored in the browser, or even on the secure intranet, will inevitably attract a high degree of "concern".
In fact, this area can be secured by observing traffic patterns, such as looking for suspicious or abnormal searches. "We must not take this lightly," Wertheimer stressed. "This is a nightmare of stealing information. You have to ask yourself, if a bad bug crawls in, how much can it steal? Despite this, the rewards still outweigh the risks," he said.
At the same time, the risks from social networks are evidently not yet enough to draw in enterprise security vendors. MessageGate, an e-mail filtering company, could have expanded its platform to social network sites, but did not think it necessary, said Robert Pease, vice president of marketing at MessageGate.
Of course, not all social network site tools follow the community-centric approach of Facebook and LinkedIn; Visible Path is one of them. Using statistical techniques developed 2 years ago, Visible Path's software products can gauge the strength of a relationship in many ways, such as checking the source of information, collecting and analyzing personal activity recorded in calendars, phone calls and e-mails, the ratio of messages received to messages sent, and the length of time spent in private communication.
"We pay great attention to all kinds of transactions that businessmen engage in," said Antony Brydon, CEO of Visible Path. Visible Path cooperates with Hoover's Connect, a commercial research organization, to let users see how they are connected with companies and individuals in Hoover's database. This is the so-called Six Degrees of Separation concept. LinkedIn's approach is similar: it also treats friends of friends as potential connections.
It took Northrop Grumman nearly 1 years to build a system similar to a social network site, connecting its 12, employees across the United States and several other countries.
Northrop calls it "Community of Practice": employees form different teams around a particular theme or technology, from the systems engineering elite group to the new employee community, covering almost all members of the company. These communities hold documents related to the community and a detailed list of team members. Real collaboration also requires an e-mail distribution list, but that is the task of the community that promotes such communication, said Scott Shaffar, director of knowledge management at Northrop.
"Community of Practice" has played an important role. For example, the systems engineering team is now working to standardize engineering procedures and career development and recruitment processes; through this system an interpreter was found to provide translation for Japanese guests; and new employees who are confused or even at a loss about their work have a place to gather and exchange experiences. Most vibration