Detection of vulnerabilities in computer systems and networks using social engineering techniques
Information protection in computer systems and networks is focused on preserving the properties of confidentiality, integrity and availability against various inherently adverse impacts. Any potentially possible adverse effect is interpreted as a threat. To prevent or complicate the realization of threats and to reduce potential losses, a system of information protection measures is created and maintained in a healthy state. Such a system includes the computing system, the physical environment, the staff, and the information itself. One of the most vulnerable elements of such a system is the staff. Within the framework of the socio-engineering approach, staff vulnerability is interpreted as their weaknesses, needs, manias (passions), and hobbies. Manipulating these allows one to gain unauthorized access to information without destroying or distorting its main system-forming qualities. This is reflected in such forms as fraud, deception, scam, intrigue, hoax, and provocation. The use of each of these manipulation forms is preceded by the determination of its content through careful planning, organization, and control. These actions are the basis of social engineering methods. Their use is aimed at imitating the actions of an information security violator that are directed at the staff. This makes it possible to assess the level of staff skills in the information security field and, as a result, to identify information vulnerabilities in computer systems and networks. The social engineering methods used for this are divided into two groups: remote social engineering and personal contact. Methods of remote social engineering are implemented by means of modern telecommunications, whereas the second group of methods involves establishing personal contact with the object of influence. As a result, the introduction of social engineering methods makes it possible not only to identify and neutralize information vulnerabilities in computer systems and networks, but also to prevent them.
Therefore, firstly, staff protection is ensured taking into account the requirements of the information security policy; secondly, the rules of staff conduct are established and regulated by job descriptions; thirdly, training is held to reinforce the persistent behavioural stereotypes of the organization's employees.
ISSN 2411-1031 (Print), ISSN 2518-1033 (Online)