
Should employees talk about social engineering?

Yes, I know that the term "social engineering" has been around for many years, that Kevin Mitnick was released long ago, and that there is plenty of material on how to defend against these "engineers". I'm not going to beat a dead horse; I want to find out who else has had that same horse die on them, and for whom it is alive and well. In other words, at our company we teach users the basics of information security and send them information about various types of attacks and ways to counter them. I want to share with you an example of such a mailing about social engineering.

Social engineering is a method of manipulating people's actions without the use of technical means. The essence of the method is the exploitation of human weaknesses and psychological traits.

The easiest way to understand the meaning of this term is by examples:

1. A bank employee, let's call him Mark, comes to work in the morning. He passes through the turnstile at the entrance, climbs the stairs, opens the door to his floor with his pass and meets a man in the corridor. The man says he stepped out to get coffee but left his pass in the office and now can't get back in. An awkward situation that probably everyone has been in. Mark kindly opens the office door for the stranger with his own pass and goes on about his business.
At first glance, nothing terrible happened. It doesn't matter that Mark was seeing this person for the first time: you can't remember every employee. Maybe it was the person's first day. But in fact the stranger may be a fraudster who jumped the turnstile while the guard was looking away, then went up to the floor together with other employees, and on the floor took advantage of kind Mark's gullibility to get into the office he needed.
This man is not a hacker; he did not use a computer. He may not even know how to use one. He simply, and masterfully, won someone's trust.

2. Another example. Mark, whom we already know, went to the cafeteria for lunch. He had barely picked up his knife and fork when he noticed that at the next table, from which the dirty dishes had not yet been cleared, someone had forgotten a flash drive. Our Mark decided that the owner of the flash drive would be very upset to discover its loss, and resolved to return it. To do that, he first had to find out whose it was, and the files stored on it could help with that. Back in the office, Mark inserted the drive into a USB port and ... got infected with a computer virus. The flash drive had been planted deliberately by the attackers. Until that day they had no access to the bank's corporate network, but anyone can get into the cafeteria. So it turns out that leaving a flash drive with a virus in the cafeteria is easier than breaking into a protected network.

These examples show that to carry out the attack on the bank, the attackers used the employees themselves, exploiting their decency and credulity. To avoid becoming a Mark, one must always be vigilant and follow a few rules:

1. Never take anyone's word for it on the phone. If someone calls you on an internal office line and introduces himself as a technical support officer, the head of a neighbouring department, an accountant, an Investigative Committee officer, an ambulance doctor, your colleague's wife or anyone else, check the number in the telephone directory or in any other way available to you: confirm that the person really is who he claims to be.

2. Never tell anyone your password. Neither by telephone nor in writing. Neither colleagues nor your boss. Even if an urgent task depends on it.

3. Do not insert any storage media into your computer other than those that are to be used according to your business processes.

4. Do not open emails from unknown addresses, and above all do not open attachments from such emails. Do not open emails that are not explicitly addressed to you. For example, a supposedly misdirected message from a corporate mailbox with the subject "compromising material on employees" or "management salary list" will contain a virus, not the promised information. Do not give in to temptation.

5. Use different passwords in different systems. It is very important that the passwords do not match, and that they are not even similar. If you cannot memorize several complex passwords, use special programs, password managers. But use different managers: one for passwords to systems at work, the other for passwords to entertainment sites.

6. Do not open the door to strangers. A visitor must always be accompanied by a member of the company's staff.

7. Do not open the door to people you know either. A person you have known for five years as an employee of a neighbouring department could have been fired yesterday. If someone has left his pass in his office, he should call his boss to sort the situation out.

8. In any unclear situation, call the security service at (xxx) -xxxx.
Found another flash drive? Hand it to the security service. Saw an unaccompanied stranger walking down the corridor and trying to get into any office he can? Call the security service. Is someone asking for your personal password? Call the security service.

These simple rules will help catch the crook.
Don't be a Mark; be careful.

Source: https://habr.com/ru/post/357412/
