Original link:
http://www.sans.org/rr/whitepapers/engineering/529.php
Author: Malcolm Allen
Version of Assignment: GSEC Practical Assignment version 1.2f (amended August 13, 2001)
Introduction:
'Social Engineering' is a practice that can be used to exploit what has long
been considered the 'weakest link' in the security chain of an organisation -
the 'human factor'.
As a security professional, it is important to be familiar with this threat, the
techniques that could be used and the countermeasures that can be
implemented to protect against it. By having this understanding, a security
professional can ensure that appropriate protective measures are undertaken.
The following topics are covered in this paper to provide a guide to 'Social
Engineering' as a means of violating computer systems:
· Definition;
· Commonly used techniques;
· Key traits to consider;
· Countermeasures;
· Auditing countermeasures.
Definition:
What is 'Social Engineering'? Various authors have provided definitions, such
as:
"Social engineering can be regarded as 'people hacking'; basically
it's hacker jargon for soliciting unwitting participation from a person
inside a company rather than breaking into the system
independently"
- Vigilante. "Social Engineering". Internet Security.
"Social engineering is a hack that uses brains instead of computer
brawn. Hackers call data centres and pretend to be customers who
have lost their password or show up at a site and simply wait for
someone to hold a door open for them. Other forms of social
engineering are not so obvious. Hackers have been known to create
phoney web sites, sweepstakes or questionnaires that ask users to
enter a password."
- Karen J Bannan. Internet World. Jan 1, 2001.
"Term used among crackers and samurai for cracking techniques
that rely on weaknesses in the wetware rather than software. The
aim is to trick people into revealing passwords or other information
that compromises a target system's security. Classic scams include