Saturday, 19 February 2011

Creating a Windows 7 / Vista Installer on a USB Flash Drive

Usually, Windows 7 or Vista is installed from a DVD using a DVD-ROM / RW drive. But now that many netbooks and laptops ship without a DVD-ROM, people are sometimes unsure how to install it. The solution is to put the Windows 7 or Vista installation onto a USB flash drive (USB drive). To create it we can use the free software Setup from USB.

Setup from USB is free (open source) software intended to create a Windows 7 or Vista installation on a USB flash drive. This makes the flash drive bootable, which eases the installation process for users who have a netbook or laptop without a DVD-ROM / DVD-RW.

Steps to Create the Bootable USB


To create a bootable USB containing the Windows 7 or Windows Vista installation, prepare a flash drive of at least 4 GB. Next, download and install SetupFromUSB ( 4.8 MB) first. After downloading, extract the zip file and run setup.exe. The creation steps are as follows:

1. Run the Setup From USB program
2. Select the location of the Windows 7 or Vista installation files. Usually this is the DVD-ROM drive



3. The next step is to select the location that will be made bootable, i.e. our USB flash drive. Make sure any important data on the flash drive has been moved elsewhere, because the flash drive will be formatted (all of its contents erased), including all partitions on the flash drive if there are any



4. Once selected, tick the red text below it ( I have already backup all data… ), then click Next
5. A confirmation of our choices will appear; if you are sure, click Finish



6. Wait for the bootable Windows 7/Vista USB creation process to finish

Once finished, this USB flash drive is bootable and can be used to install Windows 7 or Vista from the source we selected. To be able to boot from the flash drive, the computer/laptop/netbook BIOS must be set so that the first boot device is USB or removable media.

Friday, 11 February 2011

Thursday, 10 February 2011

Social Engineering Fundamentals, Part I: Hacker Tactics & Social Engineering

http://www.symantec.com


by Sarah Granger
last updated December 18, 2001

A True Story

One morning a few years back, a group of strangers walked into a large shipping firm and walked out with access to the firm’s entire corporate network. How did they do it? By obtaining small amounts of access, bit by bit, from a number of different employees in that firm. First, they did research about the company for two days before even attempting to set foot on the premises. For example, they learned key employees’ names by calling HR. Next, they pretended to lose their key to the front door, and a man let them in. Then they "lost" their identity badges when entering the third floor secured area, smiled, and a friendly employee opened the door for them.

The strangers knew the CFO was out of town, so they were able to enter his office and obtain financial data off his unlocked computer. They dug through the corporate trash, finding all kinds of useful documents. They asked a janitor for a garbage pail in which to place their contents and carried all of this data out of the building in their hands. The strangers had studied the CFO's voice, so they were able to phone, pretending to be the CFO, in a rush, desperately in need of his network password. From there, they used regular technical hacking tools to gain super-user access into the system.

In this case, the strangers were network consultants performing a security audit for the CFO without any other employees' knowledge. They were never given any privileged information from the CFO but were able to obtain all the access they wanted through social engineering. (This story was recounted by Kapil Raina, currently a security expert at Verisign and co-author of mCommerce Security: A Beginner's Guide, based on an actual workplace experience with a previous employer.)

Definitions

Most articles I’ve read on the topic of social engineering begin with some sort of definition like “the art and science of getting people to comply to your wishes” (Bernz 2, http://packetstorm.decepticons.org/docs/social-engineering/socialen.txt), “an outside hacker’s use of psychological tricks on legitimate users of a computer system, in order to obtain information he needs to gain access to the system” (Palumbo), or “getting needed information (for example, a password) from a person rather than breaking into a system” (Berg). In reality, social engineering can be any and all of these things, depending upon where you sit. The one thing that everyone seems to agree upon is that social engineering is generally a hacker’s clever manipulation of the natural human tendency to trust. The hacker’s goal is to obtain information that will allow him/her to gain unauthorized access to a valued system and the information that resides on that system.

Security is all about trust. Trust in protection and authenticity. Generally agreed upon as the weakest link in the security chain, the natural human willingness to accept someone at his or her word leaves many of us vulnerable to attack. Many experienced security experts emphasize this fact. No matter how many articles are published about network holes, patches, and firewalls, we can only reduce the threat so much... and then it’s up to Maggie in accounting or her friend, Will, dialing in from a remote site, to keep the corporate network secured.

Target and Attack

The basic goals of social engineering are the same as hacking in general: to gain unauthorized access to systems or information in order to commit fraud, network intrusion, industrial espionage, identity theft, or simply to disrupt the system or network. Typical targets include telephone companies and answering services, big-name corporations and financial institutions, military and government agencies, and hospitals. The Internet boom had its share of industrial engineering attacks in start-ups as well, but attacks generally focus on larger entities.

Finding good, real-life examples of social engineering attacks is difficult. Target organizations either do not want to admit that they have been victimized (after all, to admit a fundamental security breach is not only embarrassing, it may be damaging to the organization’s reputation) and/or the attack was not well documented, so that nobody is really sure whether there was a social engineering attack or not.

As for why organizations are targeted through social engineering – well, it’s often an easier way to gain illicit access than are many forms of technical hacking. Even for technical people, it’s often much simpler to just pick up the phone and ask someone for his password. And most often, that’s just what a hacker will do.

Social engineering attacks take place on two levels: the physical and the psychological. First, we'll focus on the physical setting for these attacks: the workplace, the phone, your trash, and even on-line. In the workplace, the hacker can simply walk in the door, like in the movies, and pretend to be a maintenance worker or consultant who has access to the organization. Then the intruder struts through the office until he or she finds a few passwords lying around and emerges from the building with ample information to exploit the network from home later that night. Another technique to gain authentication information is to just stand there and watch an oblivious employee type in his password.

Social Engineering by Phone

The most prevalent type of social engineering attack is conducted by phone. A hacker will call up and imitate someone in a position of authority or relevance and gradually pull information out of the user. Help desks are particularly prone to this type of attack. Hackers are able to pretend they are calling from inside the corporation by playing tricks on the PBX or the company operator, so caller-ID is not always the best defense. Here’s a classic PBX trick, care of the Computer Security Institute (http://www.gocsi.com/soceng.htm): “’Hi, I’m your AT&T rep, I’m stuck on a pole. I need you to punch a bunch of buttons for me.’”

And here’s an even better one: “They’ll call you in the middle of the night: ‘Have you been calling Egypt for the last six hours?’ ‘No.’ And they’ll say, ‘well, we have a call that’s actually active right now, it’s on your calling card and it’s to Egypt and as a matter of fact, you’ve got about $2,000 worth of charges from somebody using your card. You’re responsible for the $2,000, you have to pay that...’ They’ll say, ‘I’m putting my job on the line by getting rid of this $2,000 charge for you. But you need to read off that AT&T card number and PIN and then I’ll get rid of the charge for you.’ People fall for it.” (Computer Security Institute, http://www.gocsi.com/soceng.htm).

Help desks are particularly vulnerable because they are in place specifically to help, a fact that may be exploited by people who are trying to gain illicit information. Help desk employees are trained to be friendly and give out information, so this is a gold mine for social engineering. Most help desk employees are minimally educated in the area of security and get paid peanuts, so they tend to just answer questions and go on to the next phone call. This can create a huge security hole.

The facilitator of a live Computer Security Institute demonstration neatly illustrated the vulnerability of help desks when he “dialed up a phone company, got transferred around, and reached the help desk. ‘Who’s the supervisor on duty tonight?’ ‘Oh, it’s Betty.’ ‘Let me talk to Betty.’ [He’s transferred.] ‘Hi Betty, having a bad day?’ ‘No, why?...Your systems are down.’ She said, ‘my systems aren’t down, we’re running fine.’ He said, ‘you better sign off.’ She signed off. He said, ‘now sign on again.’ She signed on again. He said, ‘we didn’t even show a blip, we show no change.’ He said, ‘sign off again.’ She did. ‘Betty, I’m going to have to sign on as you here to figure out what’s happening with your ID. Let me have your user ID and password.’ So this senior supervisor at the Help Desk tells him her user ID and password.” Brilliant.

A variation on the phone theme is the pay phone or ATM. Hackers really do shoulder surf and obtain credit card numbers and PINs this way. (It happened to a friend of mine in a large US airport.) People always stand around phone booths at airports, so this is a place to be extra cautious.

Dumpster Diving

Dumpster diving, also known as trashing, is another popular method of social engineering. A huge amount of information can be collected through company dumpsters. The LAN Times listed the following items as potential security leaks in our trash: “company phone books, organizational charts, memos, company policy manuals, calendars of meetings, events and vacations, system manuals, printouts of sensitive data or login names and passwords, printouts of source code, disks and tapes, company letterhead and memo forms, and outdated hardware.”

These sources can provide a rich vein of information for the hacker. Phone books can give the hackers names and numbers of people to target and impersonate. Organizational charts contain information about people who are in positions of authority within the organization. Memos provide small tidbits of useful information for creating authenticity. Policy manuals show hackers how secure (or insecure) the company really is. Calendars are great – they may tell attackers which employees are out of town at a particular time. System manuals, sensitive data, and other sources of technical information may give hackers the exact keys they need to unlock the network. Finally, outdated hardware, particularly hard drives, can be restored to provide all sorts of useful information. (We’ll discuss how to dispose of all of this in the second installment in this series; suffice it to say, the shredder is a good place to start.)

On-Line Social Engineering

The Internet is fertile ground for social engineers looking to harvest passwords. The primary weakness is that many users often repeat the use of one simple password on every account: Yahoo, Travelocity, Gap.com, whatever. So once the hacker has one password, he or she can probably get into multiple accounts. One way in which hackers have been known to obtain this kind of password is through an on-line form: they can send out some sort of sweepstakes information and ask the user to put in a name (including e-mail address – that way, she might even get that person’s corporate account password as well) and password. These forms can be sent by e-mail or through US Mail. US Mail provides a better appearance that the sweepstakes might be a legitimate enterprise.

Another way hackers may obtain information on-line is by pretending to be the network administrator, sending e-mail through the network and asking for a user’s password. This type of social engineering attack doesn’t generally work, because users are generally more aware of hackers when online, but it is something of which to take note. Furthermore, pop-up windows can be installed by hackers to look like part of the network and request that the user reenter his username and password to fix some sort of problem. At this point in time, most users should know not to send passwords in clear text (if at all), but it never hurts to have an occasional reminder of this simple security measure from the System Administrator. Even better, sys admins might want to warn their users against disclosing their passwords in any fashion other than a face-to-face conversation with a staff member who is known to be authorized and trusted.

E-mail can also be used for more direct means of gaining access to a system. For instance, mail attachments sent from someone of authenticity can carry viruses, worms and Trojan horses. A good example of this was an AOL hack, documented by VIGILANTe: “In that case, the hacker called AOL’s tech support and spoke with the support person for an hour. During the conversation, the hacker mentioned that his car was for sale cheaply. The tech supporter was interested, so the hacker sent an e-mail attachment ‘with a picture of the car’. Instead of a car photo, the mail executed a backdoor exploit that opened a connection out from AOL through the firewall.”
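The AOL incident above turns on a file that was named like a picture but ran as a program. As an added example (not code from the article or from AOL), here is a defender-side attachment check in Python that compares what a filename's extension promises with what the file's leading "magic" bytes actually are, and also flags the "photo.jpg.scr" double-extension disguise. The signature table, the sample filenames and the byte strings are all constructed for the example; a real mail gateway would use a fuller signature library.

```python
import os

# Leading-byte signatures for a few common types (constructed, illustrative table).
SIGNATURES = {
    b"MZ": "executable (PE/DOS)",
    b"\x7fELF": "executable (ELF)",
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"%PDF-": "application/pdf",
}

# What content each claimed extension should carry.
EXPECTED = {
    ".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".png": "image/png",
    ".gif": "image/gif", ".pdf": "application/pdf",
    ".exe": "executable (PE/DOS)", ".scr": "executable (PE/DOS)",
}

# Extensions Windows will execute when double-clicked.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".pif", ".cmd"}


def detect_type(data: bytes) -> str:
    """Return the type implied by the file's first bytes, or 'unknown'."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def assess_attachment(filename: str, data: bytes) -> dict:
    """Compare the extension's promise with the content's magic bytes."""
    stem, ext = os.path.splitext(filename.lower())
    actual = detect_type(data)
    expected = EXPECTED.get(ext, "unknown")
    findings = []
    if actual.startswith("executable"):
        findings.append("executable content")
    if expected != "unknown" and actual != "unknown" and actual != expected:
        findings.append(f"extension {ext} claims {expected} but content is {actual}")
    # "car.jpg.scr": an image-looking inner extension in front of an executable one.
    if os.path.splitext(stem)[1] in EXPECTED and ext in EXEC_EXTENSIONS:
        findings.append("double extension disguising an executable")
    return {"filename": filename, "claimed": expected, "actual": actual,
            "block": bool(findings), "findings": findings}


# Constructed sample attachments: a genuine JPEG header, a PE header named as
# a picture, and a double-extension file.
SAMPLES = {
    "car.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
    "car_photo.jpg": b"MZ\x90\x00" + b"\x00" * 60,
    "car.jpg.scr": b"MZ\x90\x00" + b"\x00" * 60,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(assess_attachment(name, blob))
```

The check is deliberately content-first: an attachment is judged by what it starts with, not by what it is called, so renaming an executable buys the sender nothing.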

Persuasion

The hackers themselves teach social engineering from a psychological point-of-view, emphasizing how to create the perfect psychological environment for the attack. Basic methods of persuasion include: impersonation, ingratiation, conformity, diffusion of responsibility, and plain old friendliness. Regardless of the method used, the main objective is to convince the person disclosing the information that the social engineer is in fact a person that they can trust with that sensitive information. The other important key is to never ask for too much information at a time, but to ask for a little from each person in order to maintain the appearance of a comfortable relationship.

Impersonation generally means creating some sort of character and playing out the role. The simpler the role, the better. Sometimes this could mean just calling up, saying: “Hi, I’m Joe in MIS and I need your password,” but that doesn’t always work. Other times, the hacker will study a real individual in an organization and wait until that person is out of town to impersonate him over the phone. According to Bernz (http://packetstorm.decepticons.org/docs/social-engineering/socialen.txt), a hacker who has written extensively on the subject, they use little boxes to disguise their voices and study speech patterns and org charts. I’d say it’s the least likely type of impersonation attack because it takes the most preparation, but it does happen.

Some common roles that may be played in impersonation attacks include: a repairman, IT support, a manager, a trusted third party (for example, the President’s executive assistant who is calling to say that the President okayed her requesting certain information), or a fellow employee. In a huge company, this is not that hard to do. There is no way to know everyone - IDs can be faked. Most of these roles fall under the category of someone with authority, which leads us to ingratiation. Most employees want to impress the boss, so they will bend over backwards to provide required information to anyone in power.

Conformity is a group-based behavior, but can be used occasionally in the individual setting by convincing the user that everyone else has been giving the hacker the same information now requested, such as if the hacker is impersonating an IT manager. When hackers attack in such a way as to diffuse the responsibility of the employee giving the password away, that alleviates the stress on the employee.

When in doubt, the best way to obtain information in a social engineering attack is just to be friendly. The idea here is that the average user wants to believe the colleague on the phone and wants to help, so the hacker really only needs to be basically believable. Beyond that, most employees respond in kind, especially to women. Slight flattery or flirtation might even help soften up the target employee to co-operate further, but the smart hacker knows when to stop pulling out information, just before the employee suspects anything odd. A smile, if in person, or a simple “thank you” clinches the deal. And if that’s not enough, the new user routine often works too: “I’m confused, (batting eyelashes) can you help me?”

Reverse Social Engineering

A final, more advanced method of gaining illicit information is known as “reverse social engineering”. This is when the hacker creates a persona that appears to be in a position of authority so that employees will ask him for information, rather than the other way around. If researched, planned and executed well, reverse social engineering attacks may offer the hacker an even better chance of obtaining valuable data from the employees; however, this requires a great deal of preparation, research, and pre-hacking to pull off.

According to Methods of Hacking: Social Engineering, a paper by Rick Nelson, the three parts of reverse social engineering attacks are sabotage, advertising, and assisting. The hacker sabotages a network, causing a problem to arise. That hacker then advertises that he is the appropriate contact to fix the problem, and then, when he comes to fix the network problem, he requests certain bits of information from the employees and gets what he really came for. They never know it was a hacker, because their network problem goes away and everyone is happy.

Conclusion

Of course, no social engineering article is complete without mention of Kevin Mitnick, so I’ll conclude with a quote from him from an article in Security Focus: “You could spend a fortune purchasing technology and services...and your network infrastructure could still remain vulnerable to old-fashioned manipulation.” Stay tuned for Part II: Combat Strategies, which will look at ways of combatting attacks by identifying attacks, and by using preventative technology, training, and policies.

All Access


This is the second part of a two-part series devoted to social engineering. In Part One, we defined social engineering as a hacker’s clever manipulation of the natural human tendency to trust, with the goal of obtaining information that will allow him/her to gain unauthorized access to a valued system and the information that resides on that system. To review: the basic goals of social engineering are the same as hacking in general: to gain unauthorized access to systems or information in order to commit fraud, network intrusion, industrial espionage, identity theft, or simply to disrupt the system or network.


My first attempt at social engineering came before I even knew what the term meant. In my junior and senior years of high school, I was the student representative on my school district’s pilot technology committee. The district wanted to test having a district-wide computer network at my school my senior year, before implementing the network across the district the following year. They requested bids and selected the hardware and software for the pilot network, and my job senior year was to help test the network. One day, I noticed that the new machines and peripherals were not locked down, so I grabbed a monitor and mouse and started strolling down the hall to see if anyone noticed. No one did. Then I decided to take them outside. I made it to the back of the parking lot and turned around, then decided that was a good enough test and returned the items.


The fact that no one noticed or stopped me disturbed my sense of what network security ought to mean, so I reported the test to the principal. The following year, all of the new computers and peripherals in the district were physically locked. My experience shows how simple, straightforward and effective social engineering attacks can be. To this day, I wonder how many computers school districts have lost due to nonexistent prevention of social engineering attacks. This article will examine some ways that individuals and organizations can protect themselves against potentially costly social engineering attacks. I refer to these practices as combat strategies.


Where to Begin? Security Policies


Social engineering attacks can have two different aspects: the physical aspect or the location of the attack, such as in the workplace, over the phone, dumpster diving, on-line, and the psychological aspect, which refers to the manner in which the attack is carried out, such as persuasion, impersonation, ingratiation, conformity, and friendliness. Combat strategies, therefore, require action on both the physical and psychological levels. Employee training is essential. The mistake many corporations make is to only plan for attack on the physical side. That leaves them wide open from the social-psychological angle. So to begin, management must understand the importance of developing and implementing well-rounded security policies and procedures. Management must understand that all of the money they spend on software patches, security hardware, and audits will be a waste without adequate prevention of social engineering and reverse social engineering attacks (Nelson). One of the advantages of policies is that they remove the responsibility of employees to make judgement calls regarding a hacker's requests. If the requested action is prohibited by policy, the employee has no choice but to deny the hacker's request.


Strong policies can be general or specific, but I recommend somewhere in between. This gives the policy enforcers some flexibility in how procedures will develop in the future, but limits staff from becoming too relaxed in their daily practices. (See Security Focus’s Introduction to Security Policies series.) The security policy should address information access controls, setting up accounts, access approval, and password changes. Modems should never be permitted on the company intranet. Locks, IDs, and shredding should be required. Violations should be posted and enforced.


Preventing Physical Attacks


In theory, good physical security seems like a no-brainer, but in order to truly keep trade secrets from escaping the building, extra caution is required. Anyone who enters the building should have his/her ID checked and verified. No exceptions. Some documents will need to be physically locked in file drawers or other safe storage sites (and their keys not left out in obvious places). Other documents may require shredding – especially if they ever go near the dumpster. Also, all magnetic media should be bulk erased as “data can be retrieved from formatted disks and hard drives.” (Berg). Lock the dumpsters in secure areas that are monitored by security.
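The Berg quotation above, that data can be retrieved from formatted disks, is worth seeing rather than taking on faith. The following Python model is an added example, not from the article: it builds a tiny disk image with a file table in front of the data blocks, "quick-formats" it by clearing only the table, and shows that a raw string carve still recovers the file's contents, while an overwrite of every byte (what the article calls bulk erasing) does not. The block layout, the file name and the "payroll" text are all constructed for the example; real filesystems are more complex but the principle is the same.

```python
import re

BLOCK = 64          # bytes per block in this toy layout
DIR_BLOCKS = 2      # the first two blocks hold the file table
ENTRY = 32          # bytes per file-table entry ("name:block", zero padded)


def new_disk(blocks: int = 16) -> bytearray:
    """An empty constructed disk image."""
    return bytearray(BLOCK * blocks)


def write_file(disk: bytearray, slot: int, name: str, data: bytes) -> None:
    """Store data in block DIR_BLOCKS+slot and record name:block in the table."""
    if len(data) > BLOCK:
        raise ValueError("toy files fit in one block")
    block = DIR_BLOCKS + slot
    entry = f"{name}:{block}".encode().ljust(ENTRY, b"\x00")
    disk[slot * ENTRY:(slot + 1) * ENTRY] = entry
    disk[block * BLOCK:block * BLOCK + len(data)] = data


def list_files(disk: bytearray) -> list:
    """What the operating system shows: only what the table still references."""
    names = []
    for slot in range(DIR_BLOCKS * BLOCK // ENTRY):
        raw = bytes(disk[slot * ENTRY:(slot + 1) * ENTRY]).rstrip(b"\x00")
        if raw:
            names.append(raw.decode().split(":")[0])
    return names


def quick_format(disk: bytearray) -> None:
    """A high-level (quick) format: wipe the table, leave the data blocks untouched."""
    disk[:DIR_BLOCKS * BLOCK] = bytes(DIR_BLOCKS * BLOCK)


def carve_strings(disk: bytearray, min_len: int = 8) -> list:
    """What a recovery tool does: ignore the table and scan raw bytes for text."""
    return [m.decode() for m in re.findall(rb"[ -~]{%d,}" % min_len, bytes(disk))]


def bulk_erase(disk: bytearray) -> None:
    """Overwrite every byte of the medium; only this removes the data itself."""
    disk[:] = bytes(len(disk))


if __name__ == "__main__":
    disk = new_disk()
    # Constructed sensitive content for the demonstration.
    write_file(disk, 0, "payroll.txt", b"CFO salary 250000; network password Winter2001")
    print("before format:", list_files(disk))
    quick_format(disk)
    print("after quick format, listing:", list_files(disk))
    print("after quick format, carved:", carve_strings(disk))
    bulk_erase(disk)
    print("after bulk erase, carved:", carve_strings(disk))
```

The listing goes empty after the quick format, but the carve still returns the payroll line; that gap between "the OS can no longer see it" and "the bytes are gone" is exactly why the article insists on erasing media rather than formatting it before disposal.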


Back inside the building, it should go without saying that all machines on the network (including remote systems) need to be well protected by properly implemented passwords. (For some helpful hints, please see SecurityFocus’s article Password Crackers - Ensuring the Security of Your Password.) Screen saver passwords are also recommended. PGP and other encryption programs can be used to encrypt files on hard drives for further security.


Phone & PBX


One common scam is to illicitly place toll calls through an organization’s PBX, or private branch exchange, a private telephone network used within an organization. Hackers can call in and do their impersonation routine, ask to be transferred to an outside line, and then make multiple calls around the world, charging them to that corporation. This can be prevented by instituting policies that disallow transfers, controlling overseas and long-distance calls, and by tracing suspicious calls. And if anyone calls saying that they are a phone technician who needs a password to gain access, he/she is lying. According to Verizon Communications, phone technicians can conduct tests without customer assistance, therefore requests for passwords or other authentication should be treated with suspicion (Verizon). All employees should be made aware of this so that they are not susceptible to this tactic.


As was stated in the first article in this series, the Help Desk is a major target for social engineering attacks, primarily because their job is to disclose information that will be helpful to users. The best way to protect the Help Desk against social engineering attacks is through training. The Help Desk should absolutely refuse to give out passwords without authorization. (In fact, it should be organizational policy that passwords should never be disclosed over the phone or by e-mail; rather, they should only be disclosed in person to trusted, authorized personnel.) Callbacks, PINs, and passwords are a few recommended ways to increase security. When in doubt, Help Desk workers are encouraged to “withhold support when a call does not feel right” (Berg). In other words, just say no.
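The help-desk rules in this paragraph (never disclose a password by phone or e-mail, verify by callback and PIN, and "just say no" otherwise) can be written down as a decision procedure so that the desk worker is not making a judgement call under pressure. The Python below is an added example, not from the article; the staff directory, the phone numbers, the PIN and the request schema are all constructed. It stores only a salted PBKDF2 hash of each person's help-desk PIN and compares it in constant time, and it treats the callback number as the number the desk actually reached the person at by dialling the directory entry, never a number the caller supplied.

```python
import hashlib
import hmac

# Constructed staff directory: the phone number on file and a salted PBKDF2
# hash of the help-desk PIN (never the PIN itself). A real deployment uses a
# random per-user salt; one fixed salt keeps the example short.
_SALT = b"example-salt-not-for-production"


def hash_pin(pin: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), _SALT, 100_000)


DIRECTORY = {
    "betty": {"phone": "555-0101", "pin_hash": hash_pin("4821")},
}


def pin_matches(user: str, pin: str) -> bool:
    record = DIRECTORY.get(user)
    if record is None or not pin:
        return False
    # Constant-time comparison so response time does not hint at near-misses.
    return hmac.compare_digest(hash_pin(pin), record["pin_hash"])


def evaluate_request(req: dict) -> dict:
    """Decide whether a help-desk credential request may proceed.

    req keys (constructed schema): user, channel ('phone' | 'email' |
    'in_person'), action ('disclose_password' | 'reset_password') and, by
    channel, callback_number (the number the desk reached the caller at),
    pin, or identity_checked.
    """
    user, channel, action = req["user"], req["channel"], req["action"]
    record = DIRECTORY.get(user)
    if record is None:
        return {"allow": False, "reason": "requester is not in the directory"}
    # Policy from the article: a password is never read out by phone or e-mail.
    if action == "disclose_password" and channel != "in_person":
        return {"allow": False, "reason": "passwords are never disclosed by phone or e-mail"}
    if channel == "in_person":
        ok = bool(req.get("identity_checked"))
        return {"allow": ok, "reason": "photo ID checked" if ok else "identity not checked"}
    if channel == "email":
        return {"allow": False, "reason": "e-mail cannot be called back; use phone or come in person"}
    if channel == "phone":
        # Callback: hang up and dial the directory number, not one the caller gives.
        if req.get("callback_number") != record["phone"]:
            return {"allow": False, "reason": "callback number differs from the directory entry"}
        if not pin_matches(user, req.get("pin", "")):
            return {"allow": False, "reason": "help-desk PIN did not verify"}
        return {"allow": True, "reason": "callback and PIN verified; issue a one-time temporary password"}
    return {"allow": False, "reason": "unknown channel"}


# Constructed requests, echoing the "Betty" call quoted in Part I.
REQUESTS = [
    {"user": "betty", "channel": "phone", "action": "disclose_password",
     "callback_number": "555-0101", "pin": "4821"},
    {"user": "betty", "channel": "phone", "action": "reset_password",
     "callback_number": "555-0199", "pin": "4821"},
    {"user": "betty", "channel": "phone", "action": "reset_password",
     "callback_number": "555-0101", "pin": "0000"},
    {"user": "betty", "channel": "phone", "action": "reset_password",
     "callback_number": "555-0101", "pin": "4821"},
]

if __name__ == "__main__":
    for r in REQUESTS:
        print(r["action"], "by", r["channel"], "->", evaluate_request(r))
```

Note that even the fully verified phone request is allowed only to reset the password, never to reveal it; the caller in the Part I story would have been refused at the first rule regardless of how convincing he was.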


Training, Training, Retraining


The importance of training employees extends beyond the Help Desk across the entire organization. According to Naomi Fine, expert in corporate confidentiality and President and CEO of Pro-Tec Data, employees must be trained on “how to identify information which should be considered confidential, and have a clear understanding of their responsibilities to protect it” (Pro-Tec Data). In order to be successful, organizations must make computer security part of all jobs, regardless of whether the employees use computers (Harl). Everyone in the organization needs to understand exactly why it is so crucial for the confidential information to be designated as such, therefore it benefits organizations to give them a sense of responsibility for the security of the network. (Stevens)


All employees should be trained on how to keep confidential data safe. Get them involved in the security policy (Harl). Require all new employees to go through a security orientation. Annual classes provide refreshers and updated information for employees. Another way to increase involvement, recommended by Ms. Fine, is through a monthly newsletter. Pro-Tec Data, for example, provides newsletters with real world examples of security incidents and how those incidents could have been prevented. This keeps employees aware of the risks involved in relaxing security. According to SANS, organizations use “some combination of the following: videos, newsletters, brochures, booklets, signs, posters, coffee mugs, pens and pencils, printed computer mouse pads, screensavers, logon banners, notepads, desktop artifacts, T-shirts and stickers” (Arthurs). Wow, I can just picture Dilbert in his cubicle with all of that stuff. The important point made, however, is that these things be changed regularly, or the employees will lose sight of their meaning.


Spotting a Social Engineering Attack


Obviously, in order to foil an attack, it helps to be able to recognize one. The Computer Security Institute notes several signs of social engineering attacks to recognize: refusal to give contact information, rushing, name-dropping, intimidation, small mistakes (misspellings, misnomers, odd questions), and requesting forbidden information. “Look for things that don’t quite add up.” Try thinking like a hacker. Bernz recommends that people familiarize themselves with works such as the Sherlock Holmes stories, How to Make Friends and Influence People, psychology books, and even Seinfeld (he and George Costanza do have a knack for making-up stories) (Bernz). To understand the enemy, one must think like him.
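The Computer Security Institute indicators listed above can be turned into a simple triage aid for help-desk notes or ticket text: score each indicator that appears and escalate when several co-occur. The Python below is an added example and not from the article or from CSI; the organisation name, the keyword patterns, the weights and the two sample call notes are constructed. It goes slightly beyond the list by checking one concrete "small mistake", a near-miss spelling of the company's own name, with a similarity ratio.

```python
import re
from difflib import SequenceMatcher

ORG_NAME = "Acme Shipping"   # constructed name of the organisation being defended

# CSI's indicators as (weight, case-insensitive pattern). Asking for forbidden
# information weighs double because it is the attacker's actual goal.
INDICATORS = {
    "rushing": (1, r"\b(right now|immediately|asap|urgent(ly)?|hurry|no time|in a rush)\b"),
    "refuses contact info": (1, r"\b(won't|will not|can't|cannot|refuse[sd]?|unable to)\b[^.]*\b(call ?back|number|extension)\b"),
    "name-dropping": (1, r"\b(ceo|cfo|cio|cto|president|director|vp)\b[^.;]*\b(said|okayed|approved|authori[sz]ed|told|cleared)\b"),
    "intimidation": (1, r"\b(your job|fired|report you|your (manager|boss)|escalat\w*|consequences|responsible)\b"),
    "requests forbidden info": (2, r"\b(password|passcode|pin|passphrase|calling card|card number|credentials?)\b"),
}


def misnamed_org(text: str):
    """Return a near-miss spelling of ORG_NAME (e.g. 'Acme Shiping'), else None."""
    first = ORG_NAME.split()[0]
    for m in re.finditer(rf"\b{re.escape(first)} \w+", text, re.I):
        ratio = SequenceMatcher(None, m.group().lower(), ORG_NAME.lower()).ratio()
        if 0.8 <= ratio < 1.0:
            return m.group()
    return None


def score_contact(text: str) -> dict:
    """Score one call note or ticket against the indicator list."""
    hits, score = [], 0
    for name, (weight, pattern) in INDICATORS.items():
        if re.search(pattern, text, re.I):
            hits.append(name)
            score += weight
    bad_name = misnamed_org(text)
    if bad_name:
        hits.append(f"small mistakes (org named '{bad_name}')")
        score += 1
    if score >= 3:
        verdict = "escalate to security"
    elif score > 0:
        verdict = "verify via callback"
    else:
        verdict = "routine"
    return {"score": score, "indicators": hits, "verdict": verdict}


# Constructed help-desk notes: one modelled on the calls quoted in Part I,
# one ordinary request.
NOTES = [
    "Caller says he is from Acme Shiping IT; the CFO okayed it, so he needs "
    "Betty's password right now. Won't give a callback number and says I'll be "
    "responsible if the system goes down.",
    "Betty from accounting called from her desk extension 4410 asking how to "
    "change the screen saver timeout; offered to wait for a callback.",
]

if __name__ == "__main__":
    for note in NOTES:
        print(score_contact(note))
```

Keyword rules like these are a reminder for the person on the phone, not a detector that can be left to run unattended: the point, as the article says, is to notice things that don't quite add up and then slow the conversation down.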


Companies can help to ensure security by conducting ongoing security awareness programs. Organizational intranets can be a valuable resource for this approach, particularly if on-line newsletters, e-mail reminders, training games, and strict password changing requirements are included. The biggest risk is that employees may become complacent and forget about security. Continued awareness throughout the organization is the key to ongoing protection - some organizations even create security awareness programs, such as the distribution of trinkets mentioned above.


Responding to Social Engineering Attacks


In the event that an employee detects something fishy, he or she will need procedures in place for reporting the incident. It is important for one person to be responsible for tracking these incidents – preferably a member of the Incident Response Team (IRT), if the organization has one. Also, that employee should notify others who serve in similar positions as they may be threatened as well. From there, the IRT or individual in charge of tracking (a member of the security team and/or system administrator) can coordinate an adequate response.


Kevin Mitnick made an interesting point in his article entitled "My First RSA Conference". Mitnick stated that the decision by conference organizers to not hold any social engineering sessions was a mistake, saying: “You could spend a fortune purchasing technology and services from every exhibitor, speaker and sponsor at the RSA Conference, and your network infrastructure could still remain vulnerable to old-fashioned manipulation.” This is important. To increase awareness, more security organizations should make social engineering a priority for their programs and conferences. Also, organizations should routinely conduct security audits so that security doesn’t become stale.


The following table lists some common intrusion tactics and strategies for prevention:





| Area of Risk | Hacker Tactic | Combat Strategy |
| --- | --- | --- |
| Phone (Help Desk) | Impersonation and persuasion | Train employees/help desk to never give out passwords or other confidential info by phone |
| Building entrance | Unauthorized physical access | Tight badge security, employee training, and security officers present |
| Office | Shoulder surfing | Don’t type in passwords with anyone else present (or if you must, do it quickly!) |
| Phone (Help Desk) | Impersonation on help desk calls | All employees should be assigned a PIN specific to help desk support |
| Office | Wandering through halls looking for open offices | Require all guests to be escorted |
| Mail room | Insertion of forged memos | Lock & monitor mail room |
| Machine room/Phone closet | Attempting to gain access, remove equipment, and/or attach a protocol analyzer to grab confidential data | Keep phone closets, server rooms, etc. locked at all times and keep updated inventory on equipment |
| Phone & PBX | Stealing phone toll access | Control overseas & long-distance calls, trace calls, refuse transfers |
| Dumpsters | Dumpster diving | Keep all trash in secured, monitored areas, shred important data, erase magnetic media |
| Intranet-Internet | Creation & insertion of mock software on intranet or internet to snarf passwords | Continual awareness of system and network changes, training on password use |
| Office | Stealing sensitive documents | Mark documents as confidential & require those documents to be locked |
| General-Psychological | Impersonation & persuasion | Keep employees on their toes through continued awareness and training programs |

Realistic Prevention


Yes, real prevention is a daunting task. Let's be realistic: most companies don't have the financial or human resources to do all of what's listed above. However, some of the money spent on plugging network holes can be redirected. The threat is as real as, if not more real than, most network holes; however, we don't want to create militant help desk staff. Just be smart and reasonable. It is possible to keep morale high and have a fun company culture without sacrificing security. By slightly changing the rules of the game, the intruders no longer take the wheel.







Indonesian translation from Google.
Hehehe, sorry, this is copy-pasted from Google.

A True Story

One morning a few years ago, a group of strangers walked into a large shipping firm and walked out with access to the firm's entire corporate network. How did they do it? By obtaining small amounts of access, bit by bit, from a number of different employees in that firm. First, they did research on the company for two days before even attempting to set foot on the premises. For example, they learned key employees' names by calling HR. Next, they pretended to lose their key to the front door, and a man let them in. Then they "lost" their identity badges when entering the secured area on the third floor, smiled, and a friendly employee opened the door for them.

The strangers knew the CFO was out of town, so they were able to enter his office and obtain financial data from his unlocked computer. They dug through the corporate trash, finding all kinds of useful documents. They asked a janitor for a garbage pail in which to put their contents and carried all of this data out of the building in their hands. The strangers had studied the CFO's voice, so they were able to phone, pretending to be the CFO, in a rush, desperately in need of his network password. From there, they used ordinary technical hacking tools to gain super-user access to the system.

In this case, the strangers were network consultants performing a security audit for the CFO without the knowledge of any other employee. They were never given any privileged information by the CFO, but were able to obtain all the access they wanted through social engineering. (This story was recounted by Kapil Raina, currently a security expert at Verisign and co-author of mCommerce Security: A Beginner's Guide, based on actual workplace experience with a previous employer.)

Definitions

Most articles I've read on the topic of social engineering begin with some sort of definition like "the art and science of getting people to comply with your wishes" (Bernz 2, http://packetstorm.decepticons.org/docs/social-engineering/socialen.txt), "an outside hacker's use of psychological tricks on legitimate users of a computer system, in order to obtain the information he needs to gain access to the system" (Palumbo), or "getting needed information (for example, a password) from a person rather than breaking into a system" (Berg). In reality, social engineering can be any and all of these things, depending on where you sit. The one thing everyone seems to agree on is that social engineering is generally a hacker's clever manipulation of the natural human tendency to trust. The hacker's goal is to obtain information that will allow him to gain unauthorized access to a valued system and the information that resides on that system.

Security is all about trust. Trust in protection and authenticity. Generally agreed upon as the weakest link in the security chain, the natural human willingness to accept someone at his or her word leaves many of us vulnerable to attack. Many experienced security experts emphasize this fact. No matter how many articles are published about network holes, patches, and firewalls, we can only reduce the threat so much... and then it's up to Maggie in accounting or her friend, Will, dialing in from a remote site, to keep the corporate network secure.

Targets and Attacks

The basic goals of social engineering are the same as those of hacking in general: to gain unauthorized access to systems or information in order to commit fraud, network intrusion, industrial espionage, identity theft, or simply to disrupt the system or network. Typical targets include telephone companies and answering services, big-name corporations and financial institutions, military and government agencies, and hospitals. The Internet boom had its share of industrial engineering attacks on start-ups as well, but attacks generally focus on larger entities.

Finding good, real-life examples of social engineering attacks is difficult. Target organizations either do not want to admit that they have been victimized (after all, admitting a fundamental security breach is not only embarrassing, it may damage the organization's reputation) and/or the attack was not well documented, so that nobody is really sure whether there was a social engineering attack or not.

As for why organizations are targeted through social engineering - well, it is often an easier way to gain illicit access than many forms of technical hacking. Even for technical people, it is often simpler to just pick up the phone and ask someone for his password. And most often, that is exactly what a hacker will do.

Social engineering attacks take place on two levels: the physical and the psychological. First, we'll focus on the physical settings for these attacks: the workplace, the phone, your trash, and even on-line. In the workplace, the hacker can simply walk in the door, as in the movies, and pretend to be a maintenance worker or consultant who has access to the organization. The intruder then struts through the office until he finds a few passwords lying around and emerges from the building with enough information to exploit the network from home that night. Another technique for obtaining authentication information is to simply stand there and watch an oblivious employee type in his password.

Social Engineering by Phone

The most prevalent type of social engineering attack is conducted by phone. A hacker will call up and imitate someone in a position of authority or relevance and gradually pull information out of the user. Help desks are particularly prone to this type of attack. Hackers are able to pretend they are calling from inside the corporation by playing tricks on the PBX or the company operator, so caller-ID is not always the best defense. Here is a classic PBX trick, courtesy of the Computer Security Institute (http://www.gocsi.com/soceng.htm): "'Hi, I'm your AT&T rep, I'm stuck on a pole. I need you to punch a bunch of buttons for me.'"

And here is an even better one: "They'll call you in the middle of the night: 'Have you been calling Egypt for the last six hours?' 'No.' And they'll say, 'Well, we have a call that's actually active right now, it's on your calling card and it's to Egypt, and as a matter of fact, you've got about $2,000 worth of charges from somebody using your card. You're responsible for the $2,000, you have to pay that...' They'll say, 'I'm putting my job on the line by getting rid of this $2,000 charge for you. But you need to read off that AT&T card number and PIN and then I'll get rid of the charge for you.' People fall for it." (Computer Security Institute, http://www.gocsi.com/soceng.htm).

Help desks are particularly vulnerable because they are in place specifically to help, a fact that may be exploited by people who are trying to obtain illicit information. Help desk employees are trained to be friendly and give out information, so this is a gold mine for social engineering. Most help desk employees are minimally educated in the area of security and get paid peanuts, so they tend to just answer questions and move on to the next phone call. This can create a huge security hole.

The facilitator of a live Computer Security Institute demonstration neatly illustrated the vulnerability of help desks when he "called up a phone company, got transferred around, and reached the help desk. 'Who's the supervisor on duty tonight?' 'Oh, it's Betty.' 'Let me talk to Betty.' [He is transferred.] 'Hi Betty, having a bad day?' 'No, why?' '... Your systems are down.' She said, 'My systems aren't down, we're running fine.' He said, 'You'd better sign off.' She signed off. He said, 'Now sign on again.' She signed on again. He said, 'We didn't even show a blip, we show no change.' He said, 'Sign off again.' She did. 'Betty, I'm going to have to sign on as you here to figure out what's happening with your ID. Let me have your user ID and password.' So this senior supervisor at the Help Desk tells him her user ID and password." Brilliant.

A variation on the phone theme is the pay phone or ATM. Hackers really do shoulder surf and obtain credit card numbers and PINs this way. (It happened to a friend of mine at a major US airport.) People are always standing around phone booths in airports, so this is a place to be extra careful.

Dumpster Diving

Dumpster diving, also known as trashing, is a popular method of social engineering. A huge amount of information can be collected through company dumpsters. LAN Times listed the following items as potential security leaks in our trash: "company phone books, organizational charts, memos, company policy manuals, calendars of meetings, events and vacations, system manuals, printouts of sensitive data or login names and passwords, printouts of source code, disks and tapes, company letterhead and memo forms, and outdated hardware."

These sources can provide a rich vein of information for the hacker. Phone books can give the hacker the names and numbers of people to target and impersonate. Organizational charts contain information about people who are in positions of authority within the organization. Memos provide small tidbits of useful information for creating authenticity. Policy manuals show the hacker how secure (or insecure) the company really is. Calendars are great - they may tell attackers which employees are out of town at a particular time. System manuals, sensitive data, and other sources of technical information may give hackers the exact keys they need to unlock the network. Finally, outdated hardware, particularly hard drives, can be restored to yield all sorts of useful information. (We'll discuss how to dispose of all of these in the second installment of this series; suffice it to say, the shredder is a good place to start.)

On-Line Social Engineering

The Internet is fertile ground for social engineers looking to harvest passwords. The primary weakness is that many users reuse one simple password on every account: Yahoo, Travelocity, Gap.com, whatever. So once the hacker has one password, he can probably get into several accounts. One way in which hackers have been known to obtain this kind of password is through an on-line form: they can send out some sort of sweepstakes information and ask the user to enter a name (including an e-mail address - that way, the hacker might even get the person's corporate account password as well) and a password. These forms can be sent by e-mail or through US Mail. US Mail gives a better appearance that the sweepstakes might be a legitimate enterprise.

Another way hackers may obtain information on-line is by pretending to be the network administrator, sending e-mail through the network and asking for users' passwords. This type of social engineering attack generally does not work, because users are generally more wary of hackers when online, but it is something to take note of. Furthermore, pop-up windows can be installed by hackers to look like part of the network and request that the user re-enter his username and password to fix some sort of problem. At this point in time, most users should know not to send passwords in clear text (if at all), but it never hurts to have an occasional reminder of this simple security measure from the System Administrator. Even better, sys admins might want to warn their users against disclosing their passwords in any fashion other than a face-to-face conversation with a staff member who is known to be authorized and trusted.

E-mail can also be used as a more direct means of gaining access to a system. For instance, mail attachments sent from someone who appears authentic can carry viruses, worms and Trojan horses. A good example of this is the AOL hack, documented by VIGILANTe: "In that case, the hacker called AOL's tech support and spoke with the support person for an hour. During the conversation, the hacker mentioned that his car was for sale cheaply. The tech supporter was interested, so the hacker sent an e-mail attachment 'with a picture of the car'. Instead of a car photo, the mail executed a backdoor exploit that opened a connection out from AOL through the firewall."

Persuasion

Hackers themselves teach social engineering from a psychological point of view, emphasizing how to create the perfect psychological environment for the attack. Basic methods of persuasion include: impersonation, ingratiation, conformity, diffusion of responsibility, and plain old friendliness. Regardless of the method used, the main objective is to convince the person disclosing the information that the social engineer is in fact a person they can trust with that sensitive information. The other important key is to never ask for too much information at once, but to ask for a little from each person in order to maintain the appearance of a comfortable relationship.

Impersonation generally means creating some sort of character and playing out the role. The simpler the role, the better. Sometimes this could mean just calling up and saying: "Hi, I'm Joe in MIS and I need your password," but that doesn't always work. Other times, the hacker will study a real individual in an organization and wait until that person is out of town to impersonate him over the phone. According to Bernz (http://packetstorm.decepticons.org/docs/social-engineering/socialen.txt), a hacker who has written extensively on the subject, they use little boxes to disguise their voices and study speech patterns and org charts. I'd say that is the least likely type of impersonation attack because it takes the most preparation, but it does happen.

Some common roles that may be played in impersonation attacks include: a repairman, IT support, a manager, a trusted third party (for example, the President's executive assistant who calls to say that the President has okayed her request for certain information), or a fellow employee. In a huge company, this is not that hard to do. There is no way to know everyone - IDs can be faked. Most of these roles fall under the category of someone with authority, which leads us to ingratiation. Most employees want to impress the boss, so they will bend over backwards to provide required information to anyone in power.

Conformity is a group-based behavior, but it can be used occasionally in an individual setting by convincing the user that everyone else has given the hacker the same information he is now requesting, such as when the hacker is impersonating an IT manager. When hackers attack in such a way as to diffuse the responsibility of the employee giving the password away, that alleviates the stress on the employee.

When in doubt, the best way to obtain information in a social engineering attack is just to be friendly. The idea here is that the average user wants to believe the colleague on the phone and wants to help, so the hacker really only needs to be basically believable. Beyond that, most employees respond in kind, especially to women. Slight flattery or flirtation might even help soften up the target employee to cooperate further, but the smart hacker knows when to stop pulling out information, just before the employee suspects anything odd. A smile, if in person, or a simple "thank you" clinches the deal. And if that is not enough, the new-user routine often works too: "I'm confused, (batting eyelashes) can you help me?"

Reverse Social Engineering

A final, more advanced method of obtaining illicit information is known as "reverse social engineering". This is when the hacker creates a persona that appears to be in a position of authority so that employees will ask him for information, rather than the other way around. If researched, planned and executed well, reverse social engineering attacks may offer the hacker an even better chance of obtaining valuable data from the employees; however, this requires a great deal of preparation, research, and pre-hacking to pull off.

According to Methods of Hacking: Social Engineering, a paper by Rick Nelson, the three parts of a reverse social engineering attack are sabotage, advertising, and assisting. The hacker sabotages a network, causing a problem to arise. That hacker then advertises that he is the appropriate contact to fix the problem, and then, when he comes to fix the network problem, he requests certain bits of information from the employees and gets what he really came for. They never know it was a hacker, because their network problem goes away and everyone is happy.

Conclusion

Of course, no social engineering article is complete without mentioning Kevin Mitnick, so I'll conclude with a quote from him from an article in Security Focus: "You could spend a fortune purchasing technology and services... and your network infrastructure could still remain vulnerable to old-fashioned manipulation." Stay tuned for Part II: Combat Strategies, which will look at ways to combat attacks by identifying them, and by using preventative technologies, training, and policies.

All Access

This is the second part of a two-part series devoted to social engineering. In Part One, we defined social engineering as a hacker's clever manipulation of the natural human tendency to trust, with the goal of obtaining information that will allow him to gain unauthorized access to a valued system and the information that resides on that system. To review: the basic goals of social engineering are the same as those of hacking in general: to gain unauthorized access to systems or information in order to commit fraud, network intrusion, industrial espionage, identity theft, or simply to disrupt the system or network.

My first attempt at social engineering came even before I knew what the term meant. During my junior and senior years of high school, I was the student representative on my school district's pilot technology committee. The district wanted to test a district-wide computer network at my school in my senior year, before implementing the network district-wide the following year. They solicited bids and chose hardware and software for the pilot network, and my job senior year was to help test the network. One day, I noticed that the new machines and peripherals were not locked down, so I picked up a monitor and a mouse and started walking down the hall to see if anyone noticed. No one did. Then I decided to take them outside. I made it to the back of the parking lot and turned around, then decided that was a good enough test and returned the items.

The fact that no one noticed or stopped me disturbed my sense of what network security should mean, so I reported the test to the principal. The following year, all new computers and peripherals in the district were physically locked down. My experience shows how simple, direct and effective social engineering attacks can be. To this day, I wonder how many school district computers have gone missing because there was no prevention of social engineering attacks. This article will examine some of the ways in which individuals and organizations can protect themselves against potentially costly social engineering attacks. I refer to these practices as combat strategies.


Where to Start? Security Policies

Social engineering attacks can have two different aspects: the physical aspect, or location of the attack, such as the workplace, the phone, dumpster diving, or on-line; and the psychological aspect, which refers to the manner in which the attack is carried out, such as persuasion, impersonation, ingratiation, conformity, and friendliness. Combat strategies, therefore, require action on both the physical and psychological levels. Employee training is essential. The mistake many corporations make is to plan only for attacks on the physical side. That leaves them wide open from the socio-psychological angle. So to begin with, management must understand the importance of developing and implementing well-rounded security policies and procedures. Management must understand that all the money they spend on software patches, security hardware, and audits will be wasted without adequate prevention of social engineering and reverse social engineering attacks (Nelson). One of the advantages of policies is that they remove the responsibility of employees to make judgment calls regarding a hacker's requests. If the requested action is prohibited by policy, the employee has no choice but to deny the hacker's request.

Strong policies can be general or specific, but I recommend somewhere in between. This gives the policy enforcers some flexibility in how the procedures will evolve in the future, but keeps staff from getting too relaxed in daily practice. (See the Security Focus Introduction to Security Policies series.) Security policies should address information access controls, account setup, access approval, and password changes. Modems should not be allowed on the corporate intranet. Locks, IDs, and shredding should be required. Violations should be posted and enforced.


Preventing Physical Attacks

In theory, good physical security seems like a no-brainer, but to really keep trade secrets from leaving the building, extra caution is required. Anyone entering the building must have his/her ID checked and verified. No exceptions. Some documents need to be physically locked in file drawers or secure storage sites (and their keys not left in obvious places). Other documents may require shredding - particularly if they ever go anywhere near the dumpster. Also, all magnetic media should be bulk erased (Berg), since "data can be retrieved from formatted disks and hard drives." Lock dumpsters in secure areas that are monitored by security.

Back inside the building, it should go without saying that all machines on the network (including remote systems) need to be protected by properly implemented passwords. (For some helpful hints, please see the SecurityFocus article Password Crackers - Ensuring the Security of Your Password.) Password-protected screen savers are also recommended. PGP and other encryption programs can be used to encrypt files on hard drives for further security.


Phone & PBX

One common scam is to fraudulently make toll calls through an organization's PBX, or private branch exchange, the private telephone network used within an organization. Hackers can call up and do their impersonation routine, ask to be transferred to an outside line, and then make several calls around the world, charging them to that company. This can be prevented by instituting a policy prohibiting transfers, controlling overseas and long-distance calls, and by tracing suspicious calls. And if anyone calls saying that he is a phone technician who needs a password to gain access, he is lying. According to Verizon Communications, phone technicians can perform tests without customer assistance, so requests for passwords or other authentication should be treated with suspicion (Verizon). All employees should be made aware of this so that they are not vulnerable to this tactic.

As stated in the first article in this series, the Help Desk is a prime target for social engineering attacks, primarily because its job is to disclose information that will help users. The best way to protect the Help Desk against social engineering attacks is through training. The Help Desk must absolutely refuse to give out passwords without authorization. (In fact, it should be organizational policy that passwords are never disclosed over the phone or by e-mail. Instead, they should only be disclosed in person to trusted, authorized personnel.) Callbacks, PINs, and passwords are some recommended ways to increase security. When in doubt, Help Desk workers are encouraged to "withhold support when a call doesn't feel right" (Berg). In other words, just say no.


Training, Training, Retraining

The importance of employee training extends beyond the Help Desk to the entire organization. According to Naomi Fine, an expert in corporate confidentiality and President and CEO of Pro-Tec Data, employees should be trained on "how to identify information that should be considered confidential, and have a clear understanding of their responsibilities to protect it" (Pro-Tec Data). In order to be successful, organizations must make computer security part of all jobs, regardless of whether the employees use computers (Harl). Everyone in the organization needs to understand exactly why it is so important for confidential information to be designated as such; it therefore benefits the organization to give them a sense of responsibility for network security (Stevens).

All employees should be trained on how to keep confidential data safe. Get them involved in the security policy (Harl). Require all new employees to go through a security orientation. Annual classes provide refreshers and up-to-date information for employees. Another way to increase involvement, recommended by Ms. Fine, is through a monthly newsletter. Pro-Tec Data, for example, provides a newsletter with real-world examples of security incidents and how those incidents could have been prevented. This keeps employees aware of the risks involved in relaxing security. According to SANS, organizations use "some combination of the following: videos, newsletters, brochures, booklets, signs, posters, coffee mugs, pens and pencils, printed computer mouse pads, screensavers, logon banners, notepads, desktop artifacts, T-shirts and stickers" (Arthur). Wow, I can just picture Dilbert in his cubicle with all that stuff. The important point, however, is that these things need to be changed regularly, or they will lose their meaning for employees.


Spotting Social Engineering Attacks

Obviously, in order to thwart an attack, it helps to be able to recognize one. The Computer Security Institute notes several signs of a social engineering attack to watch for: refusal to give contact information, rushing, name-dropping, intimidation, small mistakes (misspellings, misnomers, odd questions), and requests for forbidden information. "Look for things that don't quite add up." Try to think like a hacker. Bernz recommends that people familiarize themselves with works such as the Sherlock Holmes stories, How to Make Friends and Influence People, psychology books, and even Seinfeld (he and George Costanza have a knack for making up stories) (Bernz). To understand the enemy, we must think like him.

Companies can help ensure security by conducting ongoing security awareness programs. The organization's intranet can be a valuable resource for this approach, particularly if on-line newsletters, e-mail reminders, training games, and strict password-change requirements are incorporated. The greatest risk is that employees become complacent and forget about security. Continued awareness throughout the organization is the key to ongoing protection - some organizations even make a program of security awareness, such as the distribution of the trinkets mentioned above.


Responding to Social Engineering Attacks

In the event that an employee detects something fishy, he or she will need a procedure for reporting the incident. It is important for one person to be responsible for tracking these incidents - preferably a member of the Incident Response Team (IRT), if the organization has one. Additionally, that employee should notify others who serve in similar positions, because they may be targeted as well. From there, the IRT or the individual responsible for tracking (a member of the security team and/or a system administrator) can coordinate an appropriate response.
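As an added example (not part of the original article), the following Python sketch turns the Help Desk rules from the Phone & PBX section (passwords never by phone or e-mail, no transfers to outside lines, PINs and callbacks, "withhold support when a call doesn't feel right") and the reporting step above into explicit checks the employee no longer has to judge for themselves. The employee directory, PINs and phone numbers are constructed sample data.

```python
# Added example (not from the original article): a help-desk request gate that
# encodes the article's combat strategies as explicit policy rules, so that the
# employee never has to make a judgment call. Employee IDs, PINs and phone
# numbers below are constructed sample data.
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Channel(Enum):
    PHONE = "phone"
    EMAIL = "email"
    IN_PERSON = "in_person"


# Warning signs named by the Computer Security Institute in the article.
CSI_WARNING_SIGNS = {
    "refuses_contact_info", "rushing", "name_dropping",
    "intimidation", "small_mistakes", "requests_forbidden_info",
}


@dataclass
class Request:
    employee_id: str                 # account the caller claims to own
    channel: Channel
    action: str                      # "disclose_password", "reset_password", "outside_line"
    pin_supplied: Optional[str] = None
    callback_number: Optional[str] = None
    warning_signs: set = field(default_factory=set)


@dataclass
class Decision:
    allowed: bool
    reason: str
    report_to_irt: bool = False      # hand the attempt to the Incident Response Team


# Constructed directory: help-desk PIN and phone number on record per employee.
DIRECTORY = {
    "e1001": {"pin": "4821", "phone": "+1-555-0100"},
    "e1002": {"pin": "7730", "phone": "+1-555-0101"},
}


def evaluate(req: Request, directory=DIRECTORY) -> Decision:
    """Apply the article's rules in order; the first rule that fires decides."""
    signs = req.warning_signs & CSI_WARNING_SIGNS
    # Rule 1: policy prohibits transfers to outside lines (the PBX toll scam).
    if req.action == "outside_line":
        return Decision(False, "policy: no transfers to outside lines", bool(signs))
    # Rule 2: passwords are never disclosed by phone or e-mail, whoever asks.
    if req.action == "disclose_password" and req.channel != Channel.IN_PERSON:
        return Decision(False, "policy: passwords only disclosed in person", True)
    # Rule 3: "withhold support when a call doesn't feel right": two or more
    # CSI warning signs end the call and trigger an incident report.
    if len(signs) >= 2:
        return Decision(False, "withheld: " + ", ".join(sorted(signs)), True)
    # Rule 4: a remote password reset needs the caller's help-desk PIN and a
    # callback to the number on record, never to a number the caller supplies.
    if req.action == "reset_password" and req.channel != Channel.IN_PERSON:
        record = directory.get(req.employee_id)
        if record is None:
            return Decision(False, "unknown employee id", True)
        if req.pin_supplied != record["pin"]:
            return Decision(False, "help-desk PIN mismatch", True)
        if req.callback_number != record["phone"]:
            return Decision(False, "callback must go to number on record", True)
        return Decision(True, "reset after PIN check and callback to " + record["phone"])
    return Decision(True, "routine request")


def incident_report(req: Request, decision: Decision) -> Optional[dict]:
    """Record the attempt for the IRT so that colleagues in similar roles can be warned."""
    if not decision.report_to_irt:
        return None
    return {
        "employee_id": req.employee_id,
        "channel": req.channel.value,
        "action": req.action,
        "signs": sorted(req.warning_signs & CSI_WARNING_SIGNS),
        "reason": decision.reason,
    }


if __name__ == "__main__":
    # The "Betty" call from Part I: a user ID and password requested by phone,
    # with rushing and name-dropping of a supervisor.
    betty = Request("e1001", Channel.PHONE, "disclose_password",
                    warning_signs={"rushing", "name_dropping"})
    verdict = evaluate(betty)
    print(verdict, incident_report(betty, verdict))
```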


Kevin Mitnick membuat hal yang menarik dalam artikel yang berjudul "My First RSA Conference". Mitnick menyatakan bahwa keputusan penyelenggara konferensi untuk tidak menerima sesi social engineering adalah sebuah kesalahan, mengatakan: "Anda bisa menghabiskan banyak uang untuk membeli teknologi dan jasa dari setiap pembicara, peserta pameran dan sponsor pada Konferensi RSA, dan infrastruktur jaringan Anda masih bisa tetap rentan terhadap manipulasi kuno. "Ini penting. Untuk meningkatkan kesadaran, organisasi keamanan lebih harus melakukan rekayasa sosial sebagai prioritas untuk program-program mereka dan konferensi. Selain itu, organisasi harus rutin melakukan audit keamanan sehingga keamanan yang tidak menjadi basi.


The following table lists some common intrusion tactics and strategies for preventing them:

Area of Risk | Hacker Tactic | Combat Strategy
Phone (help desk) | Impersonation and persuasion | Train employees/help desk never to give out passwords or other confidential information by phone
Building entrance | Unauthorized physical access | Tight badge security, employee training, and security officers present
Office | Shoulder surfing | Do not type passwords with anyone else present (or if you must, do it quickly!)
Phone (help desk) | Impersonation on help desk calls | Assign every employee a PIN specific to help desk support
Office | Wandering through halls looking for open offices | Require all guests to be escorted
Mail room | Insertion of forged memos | Lock and monitor the mail room
Machine room / phone closet | Attempting to gain access, remove equipment, and/or attach a protocol analyzer to grab confidential data | Keep phone closets, server rooms, etc. locked at all times and keep an up-to-date inventory of equipment
Phone and PBX | Stealing phone toll access | Control overseas and long-distance calls, trace calls, refuse transfers
Dumpsters | Dumpster diving | Keep all trash in secured, monitored areas, shred important data, erase magnetic media
Intranet / Internet | Creation and insertion of mock software on the intranet or Internet to snarf passwords | Continual awareness of system and network changes, training on password use
Office | Stealing sensitive documents | Mark documents as confidential and require them to be locked up
General / psychological | Impersonation and persuasion | Keep employees on their toes through continued awareness and training programs

Realistic Prevention


Yes, real prevention is a daunting task. Let's be realistic: most companies do not have the financial or human resources to do everything listed above. However, some of the money spent on plugging network holes can be redirected. The threat is as real as, if not more real than, most network holes, yet we do not want to turn the help desk staff into militants. Just smart and sensible. It is possible to keep morale high and have a pleasant company culture without sacrificing security. By changing the rules of the game slightly, the intruders are no longer the ones at the wheel.


Tactics of Social Engineering

In Social Engineering there are many different methods with many different objectives. I will give you a few.




Password finding tactics:

1. Shoulder Surfing - This is an art. The art of watching someone type a password, knowing every key they press, in order, and having them be unaware of you watching. It is very difficult, but I would suggest not moving your head (just move your eyes) or turning your head in the general direction of the typer and then moving your eyes to watch them type.

2. Dumpster Diving - Sometimes medium-sized companies will discard old servers or HDD's without formatting. Dumpster diving is the act of retrieving those. This can help you get anything from passwords to info on CC's or just general info or whatever.

3. Using the password hint - This isn't too advanced. If there's a password hint, go look at it. Let's say it says "First dog"; then you'd go and ask the person (after a medium long intermission) a couple questions with "What was your first dog's name?" included. Other questions including dogs would help here.
4. Phishing - There are many different types of phishing. Using phisher tools on a free host to find logins of a specific site, sending emails to get passwords, etc etc.

Manipulation Tactics:

1. Befriending - This is an art as well. You have to get someone to trust you enough to give you sensitive information, usually in a short amount of time. There are tutorials here on L-S that can help you with that.

2. Convincing - For this, one should first find out if the person being convinced is more emotional or logical. If they're logical, use a rational reason, e.g. if convincing a girl to flash you or something you'd say:

Quote

Why wouldn't you? It'll make me really frickin' happy and it won't even affect you. Why not do something charitable?


If they are more emotional, it can be trickier. Often you must befriend them before you can convince them. But try something along the lines of:

Quote

I've just been so depressed lately... I thought maybe seeing something that makes me happy would help me realize I have an ok life... it was a stupid thought... sorry.


Physical Manipulation:

1. Getting to know what you want to know - Pay attention to body language. That's crucial. Through that you can determine whether they're caving as well as much other useful information.

2. Tailgating/Piggybacking - This is where you follow closely behind a person of authority in order to get into a secure area. Alternatively, you can say something like:

Quote

Hey, can you open the door for me? I can't reach my ID with this box in my hands.


This is taking advantage of human kindness. (Ofc you have to be carrying a box. :P)

3. Getting someone to do something (physically) - e.g. a dare or something. I use this to get a quick boner. :D

Anywho, there are many different tactics for this. Here's a couple:

a. "I don't believe you" - Those four simple words could be the difference between getting someone to show you something or not. For example, those words helped me to get a girl to show me that she had her bellybutton pierced.

b. Name calling - Names such as "chicken" or if they are male you could comment on their lack of testicles :P . This goes hand in hand with C. People got me to delete all of my school's files on one server with this tactic once when I was younger. :P

c. Peer pressure - Everyone knows how to do this. No need to explain.

Those are only a couple of methods. But my introduction to SEing Tactics is over. Hope you enjoyed it! :D




Hacking Tools & Techniques and How to Protect Your Network from Them

Boyd Aaron Sigmon
Dr. Phil Lunsford
ICTN 4040 Section 601
19 April 2009


Hackers today use a wide variety of tools and techniques to gain entry into networks across the globe, stealing and destroying confidential data, as well as defacing public websites, writing malicious code, and bringing systems and networks to their knees. These attacks can sometimes cost companies thousands of dollars in downtime, resources, and manpower, not to mention the possibility of having secret data stolen and leaked. The purpose of this paper is to discuss some of the most common tools and techniques hackers use today, and how you and your company can protect your infrastructure from these attacks, as well as broaden your knowledge of hacking as a whole.
The true meaning of hacking is to increase the capabilities of an electronic device and use it beyond the original intentions of the vendor. Hacking began in the 1960s, when a group of students at MIT were tweaking electric trains to go faster and be more efficient. It wasn't long before a group of these guys started using their skills on the mainframes at MIT. In the 1970s a new type of hacker emerged, called a "phreaker", who could hack telephone systems and make phone calls for free. By the 1980s, hackers were starting to use computers more and more, and started using Bulletin Board Systems to share stolen computer passwords and credit card numbers, which led to the Computer Fraud and Abuse Act being passed by Congress in 1986. Once the Internet had its surge of users in the 90s, hacking was becoming more mainstream and the number of hackers around the world started growing rapidly (Hackingalert.com).
As hacking has become more and more popular over the years, experienced hackers and security professionals have written programs that have enabled less experienced hackers, also called "script kiddies", to easily carry out attacks on systems and networks. Most of these tools were originally designed for use by security professionals to test their networks for vulnerabilities, but have since become a double-edged sword. Identified below are six of the most popular hacking tools and techniques in use today.
1. Port Scanners – Port scanning, also called "port knocking", is a technique used by hackers to find an opening into a remote system. There are over 65535 TCP and UDP ports in the TCP/IP suite that a host can use to communicate with the Internet. A remote attacker can use a tool such as Nmap to scan for open ports and try to connect to that system using its IP address and open port numbers by using telnet or ssh. Tools like Nmap can also detect running processes and the Operating System (OS) version that the system is using, so the attacker can exploit vulnerabilities associated with that process or OS. Also, experienced attackers can use port scanning techniques that can easily go undetected by most Network Intrusion Detection Systems.
2. Vulnerability Scanners – Vulnerability scanning is a tool and technique that can be used for both good and bad. It was originally designed by security professionals to find weaknesses in their networks, but has since been used by attackers to detect those same weaknesses. Attackers can exploit a vulnerability to gain entry to a system and obtain user- to administrator-level access, as well as cause the system to crash maliciously. Nessus is one of the most popular vulnerability scanners used today, and is an open source product that is available to download for free over the Internet. This scanner is capable of testing services running on non-standard ports and multiple instances of a service, as well as detecting patches and updates that have not been applied to systems.
3. Packet Sniffers – A packet sniffer is a network analyzer that can either be used legitimately by a network administrator to monitor traffic on their network, or be used by an attacker to sniff out packets on a network that could contain valuable information passed in plain text, such as usernames and passwords (Bradley). A packet sniffer can only be used to sniff out packets on the subnet that the attacker is on, but it can also be hard to detect because of its passive nature. There are about a dozen popular packet sniffers available today for free on the Internet, like Wireshark, TCPDump, and Cain & Abel, as well as wireless sniffers such as Kismet and Netstumbler, which sniff out packets on wireless networks and even look for open access points. Also, one of the most popular Network-Based Intrusion Detection tools, called Snort, can even be used as a packet sniffer.
4. Rootkits – Rootkits are tools or programs that can give an attacker administrator-level access on a system, as well as the ability to hide their intrusion by altering log files (SearchMidmarketSecurity.com). Rootkits can also contain spyware, and can be hard to detect because they hide themselves in files and directories that cannot be seen by simply browsing through a folder structure, or even by using a Host-Based Intrusion Detection System.
5. Password Crackers – A password cracker is a tool that an attacker can use to gain access to a system by trying different character sequences to guess usernames and passwords. There are many popular password cracking tools out there today, like Cain & Abel, John the Ripper, and THC Hydra, that can perform several password cracking techniques, such as dictionary, brute force, and cryptanalysis attacks. Also, there are wireless crackers like AirSnort and Aircrack that can recover encryption keys and crack wireless protocols like WEP and WPA (Insecure.org).
6. Social Engineering – One of the most important and common attacks to protect your network from is a social engineering attack. Social engineering is the process of using social skills to convince people to reveal access credentials or other valuable information to an attacker (Whitman & Mattord 69). Basically, an attacker could gain access to a locked area by telling another employee that they have lost their key or forgotten their ID badge. Another scenario could be that a person calls in to the help desk, pretending to be an employee of the company who has lost their password, and asks the help desk to give them the password over the phone. Attackers could also go through trash or other areas where important documents could be stored or disposed of. It is extremely important to educate employees on security awareness, so that social engineering attacks cannot occur.
Some other very common attacks that hackers use today are against web servers and online databases. Web servers are usually placed in a small sub-network between the internal network (LAN) and the Internet called a DMZ, or Demilitarized Zone, so that everyone is able to access their web pages over the Internet. One of the most commonly used attacks against web servers is called cross-site scripting, which is a web application software vulnerability where hackers can inject malicious code into a web page; it can also be used to bypass access controls to gain access to network resources (Cross Site Scripting).
Another common attack used in web hacking is the SQL injection, where attackers can inject a SQL query or command as input through a web page. A lot of web pages will take certain parameters from a web user and then make a SQL query to the database. SQL injections attack web applications, such as ASP, JSP, PHP, and CGI, and can be done over port 80 by just using a web browser. With SQL injections, attackers can send a modified user name and password field that changes the SQL query and then grants them access to other resources (SK).
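The query rewriting this paragraph describes, beside the parameterised form that the application-layer input handling discussed later in the paper calls for, as an added example in Python (not code from Sigmon's paper); the users table, the credential and the two login functions are constructed for illustration:

```python
"""Added example (not from Sigmon's paper): one login check written two ways.

`login_unsafe` splices untrusted fields into the SQL text, the pattern the
paper describes attackers abusing; `login_safe` uses a parameterised query,
so the same input stays data and never becomes part of the statement.
The users table and its single row are constructed sample data.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Constructed sample credential; real systems store salted hashes instead.
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_unsafe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable: the user-supplied fields become part of the SQL text."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened: placeholders bind the fields as values, not as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def demo() -> dict:
    """Run the same inputs through both versions and report the outcomes."""
    conn = make_db()
    # The textbook modified field: it turns the WHERE clause into an OR that
    # is always true when concatenated, and into a harmless literal when bound.
    crafted = "' OR '1'='1"
    return {
        "unsafe_real_creds": login_unsafe(conn, "alice", "correct horse"),
        "unsafe_crafted": login_unsafe(conn, "nobody", crafted),
        "safe_real_creds": login_safe(conn, "alice", "correct horse"),
        "safe_crafted": login_safe(conn, "nobody", crafted),
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name}: {'granted' if granted else 'denied'}")
```

The unsafe version grants access to the crafted field while the parameterised version denies it; the real credential works in both, so the fix costs nothing in functionality.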
Not only can hackers attack web applications, but they can also attack other applications programmed in various languages, such as C, using a "buffer overflow" attack. This causes the program to write more information into the buffer than the space set aside for it in memory. Once this is done, an attacker can overwrite the data that controls the program and hijack control of the program to execute the hacker's code instead of the original code (WindowSecurity.com).
Defending your systems and networks from these attacks can be sufficiently achieved by using a number of tools, equipment, and industry best practices. Some of those tools include using a firewall to protect your network from outside traffic. A firewall is a device that selectively denies or accepts data flowing into or out of the company network, and protects resources on the internal network from the outside (Whitman & Mattord 204). Firewalls can be hardware appliances or server-based, and should be placed between your border Internet router and internal network. An ideal solution is to place two firewalls in your infrastructure, having one as a perimeter firewall behind the border Internet router, and placing another between the perimeter firewall and the internal network, isolating the DMZ.
Another critical piece of equipment and best practice for securing your network is to use Network- and Host-Based Intrusion Detection Systems, such as Snort and AIDE. Snort is an open source, industry-leading Network Intrusion Detection System (NIDS) that uses rules to combine the advantages of signature-, protocol- and anomaly-based inspection methods (Snort.org). By using an NIDS, you can monitor traffic trying to enter your network and, based on the rule set, detect threats and suspicious activity like scanning, sniffing, and password cracking, as well as other threats and vulnerabilities, much like how antivirus software works. An ideal location to place your NIDS would be between the border Internet router and the firewall that blocks off the internal network, as well as behind your firewall to monitor your internal network in case of intrusion. If you have two firewalls that isolate your DMZ, then place the NIDS in your DMZ between the two firewalls to effectively protect and monitor your DNS, HTTP, FTP, and SMTP servers. In addition to using an NIDS, it would also be a good idea to use a Host-Based Intrusion Detection System (HIDS), such as AIDE, to be able to detect modified files or directories and rootkits on servers, in case they have been compromised.
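Added example (not from Sigmon's paper) of the kind of rule an NIDS applies to the port scanning described in item 1: a sliding-window count of distinct destination ports per source, run over constructed connection-log lines in an assumed "epoch src dst dport" format. It also shows why a slow scan can slip past such a rule, the evasion the paper mentions.

```python
"""Added example (not from Sigmon's paper): a minimal port-scan detector.

It flags a source that touches at least `threshold` distinct ports on one
destination within `window` seconds. The log below is constructed, and its
"epoch src dst dport" layout is an assumption, not any real tool's output.
"""
from collections import defaultdict, deque

# Constructed sample log. 10.0.0.5 probes six ports in six seconds,
# 10.0.0.7 is ordinary web traffic, 10.0.0.9 probes one port every 120 s.
SAMPLE_LOG = """\
1000 10.0.0.5 192.168.1.10 22
1001 10.0.0.5 192.168.1.10 80
1002 10.0.0.5 192.168.1.10 443
1003 10.0.0.5 192.168.1.10 3389
1004 10.0.0.5 192.168.1.10 8080
1005 10.0.0.5 192.168.1.10 21
1010 10.0.0.7 192.168.1.10 80
1011 10.0.0.7 192.168.1.10 80
1012 10.0.0.7 192.168.1.10 443
1020 10.0.0.9 192.168.1.10 22
1140 10.0.0.9 192.168.1.10 80
1260 10.0.0.9 192.168.1.10 443
1380 10.0.0.9 192.168.1.10 3389
1500 10.0.0.9 192.168.1.10 8080
1620 10.0.0.9 192.168.1.10 21
"""


def parse(log: str):
    """Yield (epoch, src, dst, dport) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield int(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue


def detect_scans(log: str, window: int = 60, threshold: int = 5) -> dict:
    """Return {src: epoch_first_flagged} for sources whose distinct-port
    count against a single destination reaches `threshold` inside `window`."""
    recent = defaultdict(deque)   # (src, dst) -> deque of (epoch, dport)
    flagged = {}
    for epoch, src, dst, dport in sorted(parse(log)):
        q = recent[(src, dst)]
        q.append((epoch, dport))
        while q and epoch - q[0][0] > window:    # expire events outside window
            q.popleft()
        if src not in flagged and len({p for _, p in q}) >= threshold:
            flagged[src] = epoch
    return flagged


if __name__ == "__main__":
    print("default window:", detect_scans(SAMPLE_LOG))
    print("long window:   ", detect_scans(SAMPLE_LOG, window=700))
```

With the default 60-second window only the fast scanner is flagged; the 120-second-spaced probes from 10.0.0.9 never accumulate, which is the blind spot a long-window or stateful rule has to close.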
The next defense to keep an attacker from accessing critical data is to use encryption. All confidential data should be encrypted using at least Data Encryption Standard (DES) cryptography, as well as having access controls in place to prevent unauthorized user accounts from accessing files or directories. Also, only secure encrypted connections, like SSH, should be used when remotely accessing network equipment. This will prevent passwords from being passed in plain text, in case the attacker is using a sniffer on that subnet. If users must connect to the network remotely from the outside, they should use a Virtual Private Network (VPN) connection to create a secure tunnel to transmit data.
To protect your applications and web applications from buffer overflow, cross-site scripting, and SQL injection attacks you must implement application-layer security, by securing the applications through input validation, session management, authentication, authorization, exception management, parameter manipulation, and auditing and logging. Failure to do so can result in exploits in your applications, and cause systems to be compromised.
The last and one of the most important defense mechanisms for handling attacks on your network is to effectively train users to be aware of social engineering attacks and other security measures. Whether it is in the form of weekly email memos or training courses, users must be trained to prevent unauthorized people from accessing restricted areas, obtaining confidential information, or being given sensitive data. Users should also create strong passwords consisting of at least 8 characters, as well as change those passwords every 90 days.
In conclusion, I feel that these are some of the most common hacking tools and techniques used in the computing world today. I also feel that the defense tools and best practices listed in this paper, along with properly educating other users and employees in security awareness, should adequately help you defend your systems and network from intrusion and attack.