Enterprise Social Engineering: Protecting Yourself and Your Business from Social Engineering

Enterprise Social Engineering


IT security isn’t just about protection from digital threats. One of the most commonly overlooked aspects of security is protection from social engineering, the art of manipulating people into disclosing sensitive information. In fact, these attacks are often more dangerous than traditional threats, because they frequently go unnoticed and give the attacker the same access as your internal staff. While social engineering attacks come in many forms, the common thread is that the attacker poses as a legitimate party. Whether that party is a bank, an IT company, a manager, or even a colleague, these are the types of attacks that are difficult (if not impossible) for software to detect.

Common Forms of Attacks

The list below is a brief overview of the most common types of social engineering attacks:

Phishing: A malicious party sends a fraudulent email posing as a legitimate one. Common examples include emails containing fake bank login links.

Spear Phishing: Similar to phishing, except these emails target a specific individual or company. An example is a fake corporate portal login sent to an executive or manager.

Pretexting: One party lies to another to gain access to a system. For example, an employee might receive a call from someone posing as a customer and requesting account information.

Baiting: An attacker leaves a malware-infected device (usually a USB drive or CD) where it will be found. When the device is plugged into a computer, the malware runs.

Scareware: As the name implies, this is software that makes the user think they’ve downloaded malware or are being hacked. Fake anti-virus programs make up the bulk of these attacks.
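As an added example that is not part of the original article, the following Python script checks an email for the phishing tells the list above describes: a link whose visible text names one domain while its href goes to another, a credential-looking link served over plain HTTP, and urgency wording in the subject line. The sample message, sender address and domains are constructed for the demonstration and do not refer to any real organisation, and the registrable-domain helper is a deliberate simplification.

```python
"""Flag classic phishing indicators in a raw email message."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for the demo; the addresses and domains are
# made up and do not refer to any real organisation.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank-secure.net>
To: victim@example.org
Subject: Urgent: verify your account within 24 hours
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account will be locked unless you confirm your details.</p>
<p>Sign in at <a href="http://login.examp1e-bank-secure.net/auth">https://www.example-bank.com/login</a></p>
<p>Questions? See <a href="https://www.example-bank.com/help">www.example-bank.com/help</a></p>
</body></html>
"""

# Assumed word lists for the demo; tune them for your own mail stream.
URGENCY_WORDS = ("urgent", "immediately", "locked", "suspended", "verify", "within 24 hours")
CREDENTIAL_PATH_WORDS = ("login", "signin", "auth", "verify", "password")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Host part of a URL, or of a bare 'www.host/path' string."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Production code should consult the
    Public Suffix List so that 'example.co.uk' is not reduced to 'co.uk'."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def looks_like_url(text):
    """True when the anchor text itself reads like a web address."""
    return bool(text) and "." in text and " " not in text


def phishing_indicators(raw_message):
    """Return (indicator, detail) pairs: link text that names one domain while
    the href goes to another, credential-looking links over plain HTTP, and
    urgency language in the subject."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    subject = (msg["Subject"] or "").lower()
    for word in URGENCY_WORDS:
        if word in subject:
            findings.append(("urgency_language", f"subject contains {word!r}"))

    body_part = msg.get_body(preferencelist=("html",))
    if body_part is None:
        return findings
    extractor = LinkExtractor()
    extractor.feed(body_part.get_content())

    for href, text in extractor.links:
        href_domain = registrable_domain(host_of(href))
        if looks_like_url(text):
            text_domain = registrable_domain(host_of(text))
            if text_domain != href_domain:
                findings.append(("link_domain_mismatch",
                                 f"text shows {text_domain} but href goes to {href_domain}"))
        parsed = urlparse(href)
        if parsed.scheme == "http" and any(w in parsed.path.lower() for w in CREDENTIAL_PATH_WORDS):
            findings.append(("plaintext_credential_link", href))
    return findings


def has_indicator(findings, kind):
    return any(k == kind for k, _ in findings)


if __name__ == "__main__":
    for kind, detail in phishing_indicators(SAMPLE_EMAIL):
        print(f"{kind}: {detail}")
```

Run against the sample, the first link is flagged because its text advertises example-bank.com while the href points at examp1e-bank-secure.net, the same link is flagged for carrying a login path over plain HTTP, and the subject trips the urgency check; the help link, whose text and href agree, is not reported. A mail gateway would apply the same logic to every inbound message and quarantine or annotate hits rather than relying on the recipient to notice.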

The Psychology Behind the Threats

Successful social engineering attacks are more than a malicious person posing as someone else. There needs to be a trigger that causes the victim to temporarily let their guard down. According to the SANS Institute, the top seven psychological triggers are:

  1. The strong affect: triggering a strong emotion such as anger or fear, so that the victim is less skeptical

  2. Overloading: receiving information so fast that the mind can’t keep pace and goes into a passive mode

  3. Reciprocation: the human desire to return a favor when someone helps them

  4. Deceptive relationships: building rapport by appearing to share the victim’s goals, interests, or other things in common

  5. Diffusion of responsibility and moral duty: the victim feels they are not responsible for their actions

  6. Authority: the victim follows instructions because they believe the instructions come from someone above them

  7. Integrity and curiosity: sometimes people answer questions honestly simply because they don’t want to lie

Protecting Your Business

Here are some practical guidelines for protecting your business from social engineering attacks.

Create Clear Policies

Whether your business is large or small, set clear guidelines on what information staff may access and with whom they may share it. Ideally, assign a specific person to handle communications with outside vendors and contractors, so that unexpected requests have a known owner who can verify them. As mentioned earlier, anyone can fall victim to a social engineering attack. By minimizing the amount of information any single person can access, you make it much harder for an attacker to do serious damage through one compromised employee.

Physical Security

As a rule of thumb, assume that anyone who can physically access your computer has access to all the information on it. Data centers rely on extensive precautions such as locked server racks, biometric access controls, and 24×7 security staff, but most freelancers and small businesses don’t have those resources. More practical measures include encrypting your disks and files, using two-factor authentication, password-protecting the BIOS/UEFI settings and boot order, and installing remote wipe/tracking software on all your equipment. Note that a BIOS password only raises the bar, since it can often be reset by someone with access to the hardware; disk encryption is the control that actually protects the data.

Industry Best Practices

Although not specific to social engineering attacks, you should always follow security best practices to avoid threats and to limit the damage of a breach should one occur. Aside from the tips above, you’ll also want to evaluate the network security of your web host.

Overall, the key thing to remember is that everyone on your team needs to be educated about these threats. Ultimately, security measures are only as good as the weakest link in the chain. While your IT team devotes its time to security, most other professionals have to focus on their own jobs, which is why you should have some level of checks and balances so that no single person carries the whole burden.

Not Just a Business Threat

Even if you’re not a key employee, you still need to stay alert for potential social engineering attacks. Identity theft is one of the biggest threats to consumers today, yet many individuals aren’t aware of the potential damage. Aside from the typical cases of losing money, victims even have had their medical and criminal records affected.

Medical Identity Theft

As data breaches continue to become more frequent, identity thieves are now filing false claims with insurance companies, and even getting medical procedures for treatments under other people’s names. This type of theft is becoming more popular due to medical providers moving to electronic records, and standard retailers tightening their security procedures. Health data also sells at a premium on the black market compared to credit card numbers and other types of personal information. It’s a fairly specialized type of social engineering, but Forbes has a clear overview of the topic and ways to mitigate the threat.

Criminal Identity Theft

This is the worst-case scenario anyone can face in their life. Criminal identity theft occurs when an imposter provides a victim’s name and personal information (birthdate, social security number, or driver’s license number) to the police during an investigation or an arrest. In most cases, the fake identity is used during a traffic stop or something mundane where a citation is issued. While the malicious person signs the paper promising to appear in court, they never show up. This can result in a bench warrant on the victim for not making the appearance. Even if arrests aren’t made, the false citations can show up in background checks and even driving records.

Protecting Your Identity

A simple search on identity theft topics shows dozens of so-called identity protection services which promise to protect your credit, usually for $10-$30 per month. Many of the services claim to monitor your credit and bank accounts for suspicious activities. Additional services commonly include court record monitoring, data breach notifications, sex offender registry requests, and complimentary copies of your credit reports.

Is It Worth the Money?

The short answer here is no, identity theft monitoring services typically are not worth the money. Most of these services simply automate stuff you can do yourself. Checking your financial statements every month, shredding sensitive papers, opting out of pre-approved credit offers, and checking your credit score once a quarter should be enough to spot the most common attacks.

If you’re still thinking of signing up for one of these services, note that governments have investigated many of the protection companies for false marketing. Lifelock, for example, had to pay $100 million back to consumers as part of a court order obtained by the US government. If you ever feel you are the victim of identity theft, check whether your government has resources dedicated to the issue. The United States, for example, has IdentityTheft.gov.

Conclusion

The main thing to remember with any type of social engineering is that it impacts children, adults, and corporations. As we continue to move towards an increasingly computerized world, it’s essential for everyone to have a handle on their physical and digital identities. As with most security concerns, education is crucial to preventing issues down the road.

If you have any experiences to share regarding social engineering – such as pitfalls to avoid – please share them in the comments below.

Translated from: https://www.sitepoint.com/protect-yourself-and-your-business-from-social-engineering/