Analysis of Influence For Social Engineering in Information Security Grade Test
Abstract: With the development of network security technology, the pivotal factor is no longer technique but the administrator and the management mechanism. In the domain of information security, social engineering can get into an information system by exploiting people's weaknesses rather than the computer's vulnerabilities. This method can be used in many kinds of attack and has become a new and important subject for study and protection. In this paper we discuss the character of social engineering, focus on the threats it brings to information security, and give an elementary discussion of the test items in the Information Security Grade Test.

Keywords: Social Engineering; Information Security; Grade Test

I. INTRODUCTION

With the development of network security technology, it becomes more and more difficult to penetrate a network purely through technical weaknesses of the system by using loopholes in the network. The attacker therefore pays more attention to human weakness and prepares the attack through the use of human factors; this is called a social engineering attack on the network. As a new way of network intrusion, social engineering brings a grave threat to network security.

Currently, the information security level evaluation does not cover network security problems caused by social engineering. This paper analyzes the social engineering invasion mechanism, puts forward some basic preventive measures, and discusses some evaluation matters for social engineering in the information security level evaluation.

II. PRINCIPLES OF SOCIAL ENGINEERING ATTACK

A. The basic concept of social engineering

Social engineering is the corresponding theory of a subject that works through natural, social and institutional channels, with particular emphasis on solving various social problems step by step in two ways, based on the realities of planning and design experience. In information security, social engineering is the clever exploitation of the human tendency to trust. The intruder's goal is to obtain valuable information so that they can access important data without authorization[1].

Social engineering is an art and a science that makes people obey your will and meet your desire. It is not simply a way to control the will, but neither does it help you grasp the sense of people other than through their non-normal behavior. Therefore, social engineering is an approach that works through a victim's psychological weaknesses, such as instinct, curiosity, trust, greed and other psychological traps, using means such as fraud, damage and other hazards to achieve self-interest. Simply put, social engineering is the use of psychological weaknesses, regulations and loopholes in the system to attack, so that the attacker obtains the desired information[2]. The basic idea is to use all ways and means to collect target data and then to cross-use the data already captured. Based on social engineering there are many attacks and hacking techniques, so these methods will undoubtedly have a new direction of development, such as phishing, passwords, psychology and some fraudulent uses. Social engineering penetration of a system's network management or of the corresponding personnel is an attack that exploits human negligence or psychological weaknesses.

B. The core idea of social engineering

According to the various acts of social engineering attacks, social engineering attacks can be summed up the
developing training programs to determine what is sensitive information and improving safety awareness. Particularly, in order to strengthen awareness of password protection, we should not use birthdays, phone numbers, ID numbers or ordinal numbers as passwords[5].

D. Establish an emergency response team for security incidents

The Security Incident Response Team should be composed of experienced personnel from the higher authority; the group is responsible for security incident response drills, for effective means of attack for different purposes, and for analyzing intrusions and weaknesses. At the same time, by simulating attacks on the environment and conducting self-test analysis, we can effectively evaluate whether the safety control measures are appropriate or not, and develop appropriate strategies and solutions.

E. Establish early warning mechanisms and drills

Simulating the invasion process, with the use of simulations and tests, can effectively evaluate security controls and develop appropriate strategies and solutions.

IV. NEW REQUIREMENTS FOR INFORMATION SECURITY EVALUATION BROUGHT BY SOCIAL ENGINEERING

The existing information security level evaluation standards do not specifically propose social engineering-related content. According to our analysis, the use of social engineering attacks mainly involves two items, "safety management evaluation" and "personnel management evaluation". The existing "staff assessment" and "safety education and training" items mainly depend on interviewing security officers; psychological evaluation of security personnel is not included in the evaluation criteria. Psychological safety is dynamic, and social engineering attacks are mostly launched on the premise that the user lacks sufficient psychological preparedness, whereas the traditional level measurement units are tested with prior notice, followed by evaluation and interviews with security managers. Of course the effect is naturally far from ideal[6].

In view of this, we propose that, before evaluation and with no advance notice to its security director, we can directly implement social engineering attacks, and use various means to record the attacking process as a basis for future related work.

V. CONCLUSION

Hacker social engineering techniques have turned a purely technical issue into a "people" issue. The use of social engineering attacks seems to be just some deception and is not complex, but the effect of the attack is terrible, the harm is amazing, and there is worse. The reason is that it contains a complex of psychological factors, and the terrible extent of the technology exceeds that of direct invasion. For this reason, evaluation of the information security level in response to social engineering should be given sufficient attention.

REFERENCES

[1] Kevin Mitnick. The Art of Deception [M]. Beijing: China Railway Publishing Press, 2008: 13-25.
[2] William L. Simon. The Art of Penetration [M]. Beijing: Tsinghua University Press, 2007: 38-42.
[3] Yan Bing. Information security research in the social engineering attack [J]. Office Automation Magazine, 2008: 40-41.
[4] Fan Jianzhong. Hacker social engineering attacks [M]. Jinan: Qilu Electronic Audio-Visual Publishing, 2008: 2-5.
[5] Zhi, Fan Yu, Wang Wei. Information security research in the field of social engineering [J]. Information Security and Communication Security, 2005 (7): 59-62.
[6] Security Assessment Center of Information Security Protection. Evaluation of information security level of teacher training course [M]. Beijing: Electronic Industry Press, 2010: 195-204.