
2012 International Conference on Computer Science and Electronics Engineering

Analysis of the Influence of Social Engineering on the Information Security Grade Test

Shenchun Sun, Dept. of Weaponry Engineering, Naval University of Engineering, Wuhan, China
Chenghua Yan, Dept. of Information Security, Naval University of Engineering, Wuhan, China
Jianchuan Feng, Dept. of Information Security, Naval University of Engineering, Wuhan, China

Abstract: As network security technology develops, the pivotal factor is no longer the technique but the administrator and the management mechanism. In the domain of information security, social engineering gets into an information system by exploiting people's weaknesses rather than a vulnerability in the computer. The method can be applied in many forms of attack and has become an important new subject for study and protection. In this paper we discuss the characteristics of social engineering, focus on the threats it brings to information security, and give an elementary discussion of a test item for it in the Information Security Grade Test.

Keywords: Social Engineering; Information Security; Grade Test

I. INTRODUCTION

As network security technology develops, it becomes more and more difficult to penetrate a network purely through technical weaknesses of the system and loopholes in the network. Attackers therefore pay more attention to human weakness and use human factors to prepare an attack; this is called a social engineering attack on the network. As a new way of network intrusion, social engineering brings a grave threat to network security.

Currently, the information security level evaluation does not address the threats to network security caused by social engineering. This paper analyzes the social engineering intrusion mechanism, puts forward some basic preventive measures, and discusses how social engineering should be handled in the information security level evaluation.

II. PRINCIPLES OF SOCIAL ENGINEERING ATTACK

A. The basic concept of social engineering

In its general sense, social engineering is a theory that addresses its subject through natural, social and institutional channels, with particular emphasis on solving social problems step by step, from both directions, on the basis of planning and design experience grounded in reality. In information security, social engineering is a clever use of the human tendency to trust. The intruder's goal is to obtain valuable information so as to gain unauthorized access to important data[1].

Social engineering is an art and a science of making people obey your will and meet your desires. It is not simply a way of controlling the will, nor does it help you grasp people's intentions beyond their non-normal behavior. Rather, social engineering works through a victim's psychological weaknesses (instinct, curiosity, trust, greed and other psychological traps), using fraud, damage and other harmful means to achieve the attacker's own interest. Put simply, social engineering is the exploitation of psychological weaknesses and of loopholes in regulations and in the system in order to obtain the information the attacker desires[2]. The basic idea is to use every means available to collect data about the target and then to use the data already captured to obtain more. A great many attacks and hacking techniques build on social engineering, which gives them a new direction of development: phishing, password attacks, psychological manipulation and the various frauds that penetrate a system through its network management or the corresponding personnel are all attacks that exploit human negligence or psychological weakness.

B. The core idea of social engineering

From the various forms that social engineering attacks take, a general model of the attack can be summarized (Figure 1).

978-0-7695-4647-6/12 $26.00 © 2012 IEEE
DOI 10.1109/ICCSEE.2012.163
In this model the attack proceeds through several stages: gathering information, building a trap, gaining confidence and obtaining the target information. First, the attacker collects relevant information about the target. Second, the attacker uses the victim's weaknesses to build a trap and gain the victim's trust, and then obtains the target information. Although computer-related technology may be used along the way, the core of the attack is non-technical: exploiting structural weaknesses through psychological traps and pretending in order to win trust[3].

Figure 1 Model of social engineering attacks

Thus the core idea of a social engineering attack is to find negligence or psychological weaknesses in the system administration staff rather than simply to search for vulnerabilities. Following this idea, the attacker collects information, analyzes the vulnerabilities of the personnel relevant to the system to be intruded, and on the basis of that analysis implements an effective social engineering attack strategy.

C. Means of social engineering attacks

There is a variety of means by which social engineering attacks are carried out (Figure 2).

Figure 2 Means of social engineering attacks
Physical means: sneaking into the work area; obtaining information by telephone; going through discarded waste; setting up network traps; using malicious e-mail.
Psychological means: exploiting people's curiosity; exploiting people's readiness to trust friends; exploiting superstition; exploiting people's readiness to accept social claims without verification; exploiting people's greed; exploiting the desire for a reward.

As Figure 2 shows, the means of social engineering attack, and especially the use of psychological tools, make network security management unprecedentedly complex, which raises new and higher requirements for defending against social engineering[4].

III. THE DEFENSE STRATEGY OF SOCIAL ENGINEERING

From the analysis of the principles of social engineering attacks, we know that preventing and detecting social engineering attacks is as important as maintaining operating system security. Corresponding to the two aspects of a social engineering attack, physical and psychological, the defense must act on two levels, with physical and with psychological strategies.

A. Understanding social engineering attacks and enhancing awareness of prevention

As the saying goes, "know yourself and know your enemy." In the past people paid more attention to technical precautions, and few cared about the social engineering aspect of attack. For computer users, understanding the principles, tools, cases and damage of social engineering attacks, and thereby enhancing their awareness of self-protection, is the most basic means of prevention.

B. The establishment of a sound information security management strategy

An information security management strategy covers the principles adopted for the overall security of the system, the requirements for security products, how important data is to be protected, and the safe operation of critical systems. The information security policy should determine the management authority for each resource, and it is also necessary to appoint a security supervisor. Without authorization and review by the security supervisor, an operation on managed resources is neither a legitimate use of the resources nor subject to regulatory constraints. For critical system data, the range of people who can operate on it should be kept as small as possible: the smaller the range, the easier the management and the relatively more secure the data.

C. Establish information system security training

The information security management strategy should be combined with training for system administration staff, developing training programs that determine what sensitive information is and improve safety awareness. In particular, to strengthen awareness of password protection, birthdays, phone numbers and ID numbers should not be used as passwords, nor should ordinal (sequential) numbers[5].
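The password guidance above lends itself to an automated check. The following Python is an added example, not code from the paper: it screens a candidate password against the personal data an attacker would have gathered in the information-collection stage of Figure 1 (name, birthday, phone number, ID number; the profile values here are constructed) and against ordinal runs of stepping or repeated characters. The 11-digit mobile number format, the 15/18-digit ID number format, the 8-character minimum and the 4-character run limit are assumptions of the example, not requirements stated in the paper.

```python
"""Screening candidate passwords against personal data and ordinal runs.

Added example, not part of the paper. The profile, the phone and ID number
formats and the thresholds are assumptions made for illustration.
"""
import re
from datetime import date

# Constructed profile: the kind of data an attacker collects in the
# information-gathering stage of Figure 1. Every value is made up.
EXAMPLE_PROFILE = {
    "name": "Zhang Wei",
    "birthday": "1985-07-12",
    "phone": "13800001234",             # assumed 11-digit mobile number
    "id_number": "110101198507120014",  # assumed 18-digit resident ID format
}

MIN_LENGTH = 8        # assumed policy threshold
MAX_ORDINAL_RUN = 3   # a run of 4+ stepping characters ("1234", "dcba", "aaaa") fails
MIN_TOKEN_LENGTH = 4  # shorter derived tokens ("wei") would cause too many false hits

MOBILE_RE = re.compile(r"1[3-9]\d{9}")              # assumed mobile number format
ID_NUMBER_RE = re.compile(r"\d{15}|\d{17}[0-9Xx]")  # assumed resident ID formats


def personal_tokens(profile):
    """Lower-case strings derived from the profile that must not appear in a password."""
    y, m, d = profile["birthday"].split("-")
    tokens = {y + m + d, y[2:] + m + d, m + d + y, d + m + y, m + d + y[2:], d + m + y[2:]}
    tokens.update({profile["phone"], profile["phone"][-6:]})
    tokens.update({profile["id_number"], profile["id_number"][-6:]})
    tokens.update(part.lower() for part in profile["name"].split())
    return {t for t in tokens if len(t) >= MIN_TOKEN_LENGTH}


def _date_readings(digits):
    """Plausible (year, month, day) readings of a 6- or 8-digit string."""
    if len(digits) == 8:
        return [(digits[0:4], digits[4:6], digits[6:8]),   # YYYYMMDD
                (digits[4:8], digits[0:2], digits[2:4]),   # MMDDYYYY
                (digits[4:8], digits[2:4], digits[0:2])]   # DDMMYYYY
    readings = []
    for century in ("19", "20"):
        readings += [(century + digits[0:2], digits[2:4], digits[4:6]),   # YYMMDD
                     (century + digits[4:6], digits[0:2], digits[2:4]),   # MMDDYY
                     (century + digits[4:6], digits[2:4], digits[0:2])]   # DDMMYY
    return readings


def looks_like_date(s):
    """True if s is a 6- or 8-digit string that reads as a valid date in 1900-2099."""
    if not s.isdigit() or len(s) not in (6, 8):
        return False
    for y, m, d in _date_readings(s):
        try:
            if 1900 <= date(int(y), int(m), int(d)).year <= 2099:
                return True
        except ValueError:  # impossible month/day/year for this reading
            continue
    return False


def longest_ordinal_run(s):
    """Length of the longest run stepping by a constant 0, +1 or -1 in code point."""
    best = run = 1 if s else 0
    step = None
    for prev, cur in zip(s, s[1:]):
        d = ord(cur) - ord(prev)
        if d in (-1, 0, 1):
            run = run + 1 if d == step else 2
            step = d
        else:
            run, step = 1, None
        best = max(best, run)
    return best


def check_password(password, profile):
    """Return sorted reason codes; an empty list means the password passed."""
    reasons = set()
    low = password.lower()
    if len(password) < MIN_LENGTH:
        reasons.add("too_short")
    if any(tok in low for tok in personal_tokens(profile)):
        reasons.add("personal_data")
    for run in re.findall(r"\d+", password):
        if looks_like_date(run):
            reasons.add("date")
        if MOBILE_RE.fullmatch(run):
            reasons.add("phone")
    if ID_NUMBER_RE.search(password):
        reasons.add("id_number")
    if longest_ordinal_run(low) > MAX_ORDINAL_RUN:
        reasons.add("sequence")
    return sorted(reasons)


if __name__ == "__main__":
    for candidate in ("19850712", "zhangwei2024!", "Admin123456", "Rv7#kqLm2xP!"):
        print(f"{candidate!r:>16} -> {check_password(candidate, EXAMPLE_PROFILE) or 'ok'}")
```

Checking against gathered personal data is the mirror image of the attack model: whatever the attacker can collect in the first stage is exactly what a password must not be derived from. The date check tries several digit orderings rather than one fixed format, so a birthday typed as 12071985 is rejected as readily as 19850712, and the ordinal-run check catches both counting sequences and repeated characters.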
D. Establish an emergency response team for security incidents

The security incident response team should consist of experienced personnel appointed by the higher authority. The team is responsible for security incident response drills, for effective countermeasures against attacks with different purposes, and for analyzing intrusions and weaknesses. At the same time, by simulating attacks on the environment and conducting self-test analysis, we can effectively evaluate whether the security control measures are appropriate and develop appropriate strategies and solutions.

E. Establish early warning mechanisms and drills

Simulating the intrusion process, through simulations and tests, effectively evaluates the security controls and helps develop appropriate strategies and solutions.

IV. NEW REQUIREMENTS FOR INFORMATION SECURITY EVALUATION BROUGHT BY SOCIAL ENGINEERING

The existing information security level evaluation standards do not specifically provide for content related to social engineering. According to our analysis, social engineering attacks mainly concern two items, "security management evaluation" and "personnel management evaluation". The existing "staff assessment" and "security education and training" items depend mainly on interviewing security officers; psychological evaluation of security personnel is not included in the evaluation criteria. Psychological security is dynamic: social engineering attacks are mostly launched when the user lacks sufficient psychological preparedness, whereas the traditional level evaluation notifies the unit under test in advance and then conducts the evaluation and interviews with the security managers. The effect of this is naturally far from ideal[6].

In view of this, we propose that, before the evaluation and without advance notice to the unit's security director, social engineering attacks be carried out directly against the unit, and that the attack process be recorded by various means as a basis for the subsequent evaluation.

V. CONCLUSION

Hacker social engineering techniques have turned what was a purely technical issue into a "people" issue. Social engineering attacks appear to be mere deception and not complex, yet their effect is terrible, the harm is astonishing, and worse is to come. The reason is that they involve complex psychological factors, and the damage exceeds that of direct technical intrusion. For this reason, the information security level evaluation should give sufficient attention to social engineering.

REFERENCES

[1] Kevin Mitnick. The Art of Deception [M]. Beijing: China Railway Publishing Press, 2008: 13-25.
[2] William L. Simon. The Art of Penetration [M]. Beijing: Tsinghua University Press, 2007: 38-42.
[3] Yan Bing. Information security research in the social engineering attack [J]. Office Automation Magazine, 2008: 40-41.
[4] Fan Jianzhong. Hacker social engineering attacks [M]. Jinan: Qilu Electronic Audio-Visual Publishing, 2008: 2-5.
[5] Zhi, Fan Yu, Wang Wei. Information security research in the field of social engineering [J]. Information Security and Communication Security, 2005 (7): 59-62.
[6] Security Assessment Center of Information Security Protection. Evaluation of information security level teacher training course [M]. Beijing: Electronic Industry Press, 2010: 195-204.
