Detection of vulnerabilities of the computer systems and networks using social engineering techniques
Keywords:Vulnerabilities, computer systems and networks, behavioural model, social engineering, social engineering techniques.
Information protection in computer systems and networks is focused on preserving its confidentiality properties of, integrity and availability from various inherently adverse impacts. Potentially possible adverse effects are interpreted as a threat. To prevent or complicate the possibility of realizing threats and reducing potential losses, a system of information protection measures is created and maintained in a healthy state. Such a system includes a computing system, physical environment, staff, and information. One of the most vulnerable elements of such system is staff. Within the framework of the socio-engineering approach, staff vulnerability is interpreted as its weaknesses, needs, mania (passions), hobbies. Manipulating them allows one to gain unauthorized access to information without destroying and distorting its main system-forming qualities. This is reflected in such forms as fraud, deception, scam, intrigue, hoax, provocation. The use of each of these manipulation forms is preceded by the determination of its content by careful planning, organization, and control. These actions are the basis of social engineering methods. Their use is aimed at imitating the actions of the information security violator, which are aimed at staff. This allows to assess the level of staff skills in the information security field and, as a result, to identify information vulnerabilities in computer systems and networks. The methods of social engineering used for this are divided into two groups, in particular, remote social engineering and personal contact. Methods of remote social engineering are implemented by means of modern telecommunications. In addition, the second group of methods involves the establishment of personal contact with the object of influence. In the end, it becomes possible not only to identify, neutralize, but also to prevent information vulnerabilities in computer systems and networks with the introduction of social engineering methods. Therefore, firstly, its protection is ensured taking into account the requirements of the information security policy; secondly, the rules of conduct of the staff are established, regulated by the job descriptions; thirdly, training is held to increase the persistence of employees stereotypes of the organization.
International Standards Office. ISO/IEC 27001:2013. Information technology. Security techniques. Information security management systems. Requirements [Online]. Available: https://www.iso.org/standard/54534.html.
International Standards Office. ISO/IEC 27032:2012. Information technology. Security techniques. Guidelines for cybersecurity [Online]. Available: https://www.iso.org/standard/ 44375.html.
P. Singh, “Robust Security System for Critical Computers”, International Journal of Computer Network and Information Security, vol. 4, no. 6, pp. 24-29, 2012. doi: 10.5815/ijitcs.2012.06.04.
V. Mokhor, O. Tsurkan, V. Tsurkan, and R. Herasymov, “Information Security Assessment of the Computer Systems by Socioengineering Approach”, Selected Papers of the XVIІ International Scientific and Practical Conference “Information Technologies and Security”. Kyiv, 2017, pp. 1-6 [Online]. Available: http://ceur-ws.org/Vol-2067/paper13.pdf.
S. Hasani, and N. Modiri, “Criteria Specifications for the Comparison and Evaluation of Access Control Models”, International Journal of Computer Network and Information Security, vol. 5, no. 5, pp. 19-29, 2013. doi: 10.5815/ijcnis.2013.05.03.
O. Tsurkan, and V. Mokhor, “Analysis of social engineering attacks on a person in cyberspace”, in Proc. 14th International conference: information technologies and security: principles of information security. Kyiv, 2014, pp. 100-102.
K. Krombholz, H. Hobel, M. Huber, and E. Weippl, “Advanced social engineering attacks”, Journal of information security and applications, vol. 22, pp. 113-122, 2015. doi: 10.1016/j.jisa.2014.09.005.
F. Mouton, L. Leenen, and H.Venter, “Social engineering attack examples, templates and scenarios”, Computers & Security, vol. 59, pp. 186-209, 2016. doi: 10.1016/j.cose.2016.03.004
W. Fan, K. Lwakatare, and R. Rong, “Social Engineering: I-E based Model of Human Weakness for Attack and Defense Investigations”, International Journal of Computer Network and Information Security, vol. 9, no.1, pp. 1-11, 2017. doi: 10.5815/ijcnis.2017.01.01.
How to Cite
Copyright (c) 2020 Collection "Information technology and security"
This work is licensed under a Creative Commons Attribution 4.0 International License.
The authors that are published in this collection, agree to the following terms:
- The authors reserve the right to authorship of their work and pass the collection right of first publication this work is licensed under the Creative Commons Attribution License, which allows others to freely distribute the published work with the obligatory reference to the authors of the original work and the first publication of the work in this collection.
- The authors have the right to conclude an agreement on exclusive distribution of the work in the form in which it was published this anthology (for example, to place the work in a digital repository institution or to publish in the structure of the monograph), provided that references to the first publication of the work in this collection.
- Policy of the journal allows and encourages the placement of authors on the Internet (for example, in storage facilities or on personal web sites) the manuscript of the work, prior to the submission of the manuscript to the editor, and during its editorial processing, as it contributes to productive scientific discussion and positive effect on the efficiency and dynamics of citations of published work (see The Effect of Open Access).