# 10 social engineering exploits your users should be aware of
No matter how well you lock down network security, your company can still be compromised. How? Social engineering. Here are 10 ways social engineers can get to your data without touching a keyboard.
Hackers know your network security might be their toughest route to getting at your data. So they turn to other means... such as social engineering (SE). SE is a nontechnical method of intrusion that relies on human interaction to trick users into handing over the keys to the kingdom. Unfortunately, it works, and it works well. In fact, SE is one of the biggest threats to your company's security.
What should you be on the lookout for? Here are 10 common SE ploys you and your users need to know about.
## 1: The familiarity exploit
This exploit is one of the most widely used by those perpetrating SE hacks. It works like this. Hackers make themselves familiar to those around you. Slowly but surely they become known within the confines of the company. They come around a lot, and eventually they become trusted. At that point they can begin working their way inside the company, gaining access to areas they shouldn't be in, entering the building after hours, and so on.
## 2: The information exploit
When you are approached by someone who has all the knowledge they should have, it's easy to believe they are part of the plan. So when a stranger enters the company building with an intimate knowledge of the building or of one or more employees, you might be inclined to give them a free pass. In today's world, it is incredibly easy to gather information about a person. Facebook, Twitter, Instagram, Pinterest... they make everyone an easy mark for an information exploit. If someone claims to have intimate knowledge of a fellow employee, summon that employee to the reception area and have them confront the claim in person.
## 3: The new hire exploit
If someone really wants to gain access to company information (or servers or employees), they can apply for a job. This is one of the main reasons why every new employee must be thoroughly vetted. Of course, some social engineers will still fly under the radar. New employees should always be put on a rather short leash at first. It might sound a bit harsh, but you need to give them time to prove they are trustworthy around precious company data. Even then, good social engineers will understand how that works and wait until they've fully gained your trust before they strike.
## 4: The interview exploit
In a similar vein, important company information often escapes the safe during hiring interviews. There are social engineers who know this and will gain an interview just to squeeze all the information they can without having to bother showing up for a single day of work. Make sure the information handed out during an interview offers nothing in the way of proprietary secrets. Keep it superficial; keep it common.
## 5: The hostile exploit
This may sound a bit counterintuitive, but it works. Most people avoid hostile people. When you hear someone having an angry conversation on the phone or even mumbling to themselves (as if they've just had an argument), you will avoid them. In fact, a lot of people may avoid that person, clearing the way into the heart of the company—and to your data. Don't be fooled. As soon as you see something like this happening, call security.
## 6: The body language exploit
An experienced social engineer will be an expert at reading your body language and using it to get their way. Breathing in concert with you, smiling at all the right times, adapting to emotional changes—there are many ways a social engineer can use your body language to make a connection and earn your trust. Doing this forms a bond that enables the social engineer to manipulate you and eventually acquire your company secrets. If you notice a complete stranger in your company doing or saying all the right things, your first inclination should be suspicion (or at least curiosity).
## 7: The blind date exploit
This one should be obvious. We've actually watched it played out in movies and television to perfection. A handsome or beautiful stranger asks you out on a date. Things go perfectly. So perfectly, in fact, that second and third dates are imminent. The stranger woos you until they can pry secrets from you as if they were common knowledge. Far be it from me to prevent you from having a budding romantic life, but keep your guard up should that dreamy date start asking questions they shouldn't.
## 8: The consultant exploit
This has happened. A social engineer will pose as a consultant for hire, get the gig, and drain you of your information. This is especially true with IT consultants. You need to make sure you vet those consultants and never give them all the keys to the kingdom. Do not trust blindly. Just because someone has the skills to fix your servers or your network, that doesn't mean they won't take advantage of those skills and create a backdoor—or just blatantly copy your data. Again... vet, vet, vet.
## 9: The piggyback exploit
This one is easy and all too common. How it works is simple: The social engineer waits for someone to use their passcode to enter the building and walks in right behind them. Or the SE struggles with a heavy box and asks the legitimate employee to hold the door for them. Being kind, the employee waits and allows the SE entry into the building... to do what they will.
## 10: The tech talk exploit
You've seen the film Hackers, right? Remember the scene where Dade (aka Zero Cool) calls the company and convinces the hapless employee to give him the modem number? All he had to do was know what he was talking about, and the hapless wonder handed him every bit of information he needed. This is a common hack. When those who don't know are confronted by those who do, most often their lack of knowledge will lead them to hand over whatever it is the SE needs.
## Have you experienced an SE hack?
The social engineering hack exists because it's easy. If you suspect your company is vulnerable to such exploits, make sure your employees are made aware that such possibilities exist.
Have you ever been a victim of social engineering? If so, how did they pull off the hack?