Social Engineering: The Art of Human Hacking


In the interconnected digital landscape, the weakest link in cybersecurity is often not flawed software or gaps in firewalls, but susceptible human nature itself. Social engineering exploits this vulnerability by manipulating human psychology and emotions to gain unauthorized access to systems and data. This comprehensive guide aims to empower organizations to safeguard against this prevalent attack vector that no tech solution can fully eliminate.

Understanding social engineering

Definition and characteristics

Social engineering refers to intentionally manipulating people to divulge confidential information or perform actions against their best interests. Rather than directly breaking cyber defenses, social engineering tactics exploit human vulnerabilities – emotions, psychology, and behavior.

Key features

  • Deception and manipulation: Social engineers use deception, persuasion, and manipulation to exploit people’s tendency to trust.
  • Variety of mediums: Tactics may involve technology like phishing emails or phone calls, but can also be purely offline interpersonal manipulation.
  • Relies on open access: Social engineering relies on people’s willingness to share sensitive information or grant access to protected systems.
  • Targets the weakest link: Attackers identify the most vulnerable individuals in an organization to exploit rather than trying to breach the strongest points of cyber defense.

The advent of social engineering

The roots of manipulation

Long before the digital age, the techniques of social engineering were used throughout human history to exploit vulnerabilities in judgment, trust, and perception. Pre-digital cons, frauds, and deceptions relied on the same psychological weaknesses – greed, fear, desperation, and credulity. Scammers identified and amplified these traits in their targets to manipulate them for financial gain.

Rise of technology-enabled tactics

The integration of communications technology like the telephone and global connectivity brought these isolated manipulation techniques to an industrial scale. Robocalls, for example, enabled automated voicemail cons to blanket millions of recipients efficiently. As technology provided mass reach, human hacking exploded in ubiquity and profitability.

Phishing and scalable deception

The rise of the commercial internet and corporate email particularly revolutionized the potential and practices of social engineers. Before, physical mail scams had limited traction due to postage costs and manual labor. Phishing emails changed the equation by enabling deceitful content to be crafted once and sent to millions for free.

Maturing tactics

In the past decade, social engineering techniques have become more refined as the understanding of social media usage, mobile messaging apps, and electronic transactions has improved. For instance, business email compromise scams now integrate deep organizational research through social media to impersonate executives over email convincingly.

An ever-growing menace

As digital transformation continues accelerating across industries globally, human dependence on technology for communication and transactions has widened the attack landscape for social engineers exponentially. More employees access critical systems routinely, customers readily share data through apps, and individuals rely on digital payments for convenience. With an abundance of targets, constantly evolving attack techniques, and minimal barriers to entry, social engineering threats will foreseeably continue rising.

Global impact of social engineering on cybersecurity

Escalating data breaches

High-profile data breaches enabled by social engineering underline that even robust cybersecurity defenses can be rendered ineffective when the human element is vulnerable. Major breaches at organizations like LinkedIn, MySpace, and LastPass all involved social engineering, highlighting its risks.

A paradigm shift in strategies

Recognizing the inherent vulnerability of people, security leaders have been re-evaluating defenses to address the human factor. New initiatives like regular cybersecurity awareness training, simulated phishing email tests for employees, and the principle of least privilege access promote resilience against social engineering.

Undermining trust in digital economy

For the digital economy and electronic transactions to thrive, participants must trust companies to protect their data and transactions. Yet large-scale personal data breaches enabled by social engineering occur frequently, eroding consumer and business confidence. Social engineering threatens the sustainable adoption and integration of technologies across industries by undercutting this digital trust.

Financial fraud on the rise

Alongside data theft, social engineering scams that trick victims into fraudulent money transfers have exploded globally. Business email compromise scams alone resulted in $43 billion in losses between 2019 and 2022, evidencing the scale of financial fraud centered on manipulating human psychology and emotions.

Worsening cybercrime busts

Global law enforcement is struggling with the recent surge in technology-enabled financial fraud and cybercrime, with recovery rates for funds significantly decreasing. Social engineering tactics make fraud investigation harder, allowing perpetrators to better evade authorities.

Attack vectors and techniques

Email phishing

The most ubiquitous tactic, phishing, uses emails pretending to be from trusted sources to manipulate recipients. Common techniques include links to fake login pages to harvest credentials or attachments with malware. With natural language AI advancing spear-phishing authenticity, human discernment faces rising challenges.
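As a defender-side illustration of the phishing and business email compromise patterns described above (executive impersonation over email, deceptive sender details), here is an added triage check that is not part of the original OffSec article. It parses a message's headers and flags three indicators; the corporate domain, executive names and sample messages are constructed assumptions.

```python
"""Flag e-mail headers matching common phishing / BEC impersonation patterns.
Added example, not OffSec's code. CORP_DOMAIN, EXECUTIVES and the sample
messages below are constructed for illustration."""
from email import message_from_string
from email.utils import parseaddr
import difflib

CORP_DOMAIN = "example-corp.com"            # assumed corporate mail domain
EXECUTIVES = {"jane doe", "john smith"}     # assumed display names worth protecting


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw_message: str) -> list:
    """Return human-readable indicator strings; an empty list means no hit."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    hits = []
    # 1. Executive display name, but the address is not on the corporate domain.
    if name.strip().lower() in EXECUTIVES and from_domain != CORP_DOMAIN:
        hits.append(f"display name '{name}' impersonates an executive from {from_domain}")
    # 2. Reply-To silently redirects replies to a different domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_domain:
        hits.append(f"Reply-To domain {_domain(reply)} differs from From domain {from_domain}")
    # 3. Lookalike sender domain (one swapped or added character).
    if from_domain and from_domain != CORP_DOMAIN:
        if difflib.SequenceMatcher(None, from_domain, CORP_DOMAIN).ratio() > 0.8:
            hits.append(f"sender domain {from_domain} resembles {CORP_DOMAIN}")
    return hits


# Constructed samples: an executive-impersonation message and a benign internal one.
SAMPLE_BEC = (
    "From: Jane Doe <jane.doe@examp1e-corp.com>\r\n"
    "Reply-To: jane.doe@mail-relay.example.net\r\n"
    "To: payments@example-corp.com\r\n"
    "Subject: Urgent wire before close of business\r\n\r\n"
    "Please process the attached invoice today.\r\n"
)
SAMPLE_CLEAN = ("From: IT Helpdesk <helpdesk@example-corp.com>\r\n"
                "To: staff@example-corp.com\r\nSubject: Patch window\r\n\r\nBody\r\n")

if __name__ == "__main__":
    for hit in bec_indicators(SAMPLE_BEC):
        print("INDICATOR:", hit)
```

Such header checks only narrow the triage queue; a matching display name with a legitimate domain still warrants out-of-band verification of any payment request.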

Vishing – phone-based manipulation

Combining telephones with phishing, “vishing” calls impersonate banks, tech support and similar trusted parties to extract sensitive user information, relying solely on verbal cues for the manipulation. With no visual identifiers available over a call, vishing presents a unique social engineering challenge.

Baiting – exploit human temptation

Baiting tricks people into inserting malware-laden storage devices like USB flash drives into corporate systems by appealing to universal human curiosity or temptation. Because the device is inserted by an authorized user, the malware can compromise networks and data in ways that defensive cybersecurity tools may not catch.

Pretexting – establishing false context

Pretexting aims to establish a false story, identity or situation as a pretext for natural conversation in which the attacker can extract privileged information from a trusting employee. False personas like external consultants, investigators or auditors appear to be credible justifications for sensitive data queries.

Quid pro quo – opportunistic exchange

Quid pro quo is a common tactic in which the attacker offers a service, product or benefit of interest to the victim in exchange for something the attacker wants to obtain nefariously. For example, scam conversion therapy organizations would offer to “cure” someone’s loved one in exchange for health records or insurance data.

Tailgating – exploiting physical spaces

The attacker physically follows an authorized person through secured entry points like doors without proper physical credentials. Tailgating does not utilize digital deception but rather exploits natural human hesitation to re-verify individuals already granted entry.

Securing against social engineering

Keep software updated

Having updated software minimizes security vulnerabilities in organizational systems, making follow-on exploitation harder even if an initial social engineering attack succeeds in gaining a foothold. Modern operating systems integrate features to block common social engineering vectors, increasing protection.

Implement the least privilege principle

Restricting unnecessary employee access to confidential organizational data or critical IT systems limits the potential damage if an employee's credentials are compromised via social engineering; an account with excessive privileges causes far more harm when stolen. Minimization of access aids resilience.

Conduct training exercises

Running realistic simulated phishing and phone scam experiments makes personnel more cognizant and resilient against emerging real-world social engineering tactics. Exposing employees to deception examples develops instincts.

Develop communication guidelines

Establishing policies dictating communications over channels like phone, email and messaging applications promotes caution when faced with abnormal or urgent requests for data sharing or transactions. Official guidance assists judgment in ambiguous high-risk situations.

Promote a vigilant culture

Beyond formal policies and processes, foster a workplace culture where personnel proactively notice and scrutinize unusual behaviors or communications potentially indicative of social engineering manipulation. Cultural attitudes profoundly influence attack resilience.

Enable multi-factor authentication

Adding factors like biometrics or hardware tokens protects against the compromise of a single credential via social engineering: stolen login information alone is not enough to access a system, even when attackers obtain it. Multi-factor authentication frustrates such attacks.

Limit personal information access

Restricting employee access to customer, partner or organizational personal details like addresses reduces the ability of compromised personnel to enable identity fraud through socially engineered data theft. Limiting access to background data impedes abuse.

Audit and penalize violations

Periodically auditing personnel compliance on policies related to communication security, data access and system permissions promotes adherence. Coupled with accountability measures like warnings or firings, audits reinforce secure behavioral norms.

Key figures in social engineering

Frank Abagnale

Frank Abagnale’s early experience as a con man inspired his current career consulting institutions on fraud prevention. Many of his former tactics are now used for social engineering.

Christopher Hadnagy

Hadnagy authored several books on the topic, founded the Social-Engineer professional certification and consults governments/companies on human hacking defense.

Kevin Mitnick

Formerly known as a hacker who used social engineering methods to access corporate networks, Kevin Mitnick went on to run a security firm and spoke extensively on defending against the same kinds of manipulation until his death in July 2023.

The future landscape

AI-enabled attacks

Advances in AI like generative writing to craft better spear-phishing content or voice synthesis for vishing automation indicate rising social engineering sophistication.

Shorter cyberattack lifecycles

Lower barriers to entry accelerate innovations in attack techniques, shrinking timeframes organizations have to prepare between new attack vector emergence and exploitation.

Persistent gaps in human vulnerability

While technology and awareness can impede specific tactics, fundamental human emotional/psychological vulnerabilities are persistent, requiring equally persistent efforts to promote cyber hygiene.

Key takeaways

In closing, with social engineering having taken manipulation to industrial scale, organizations require comprehensive awareness and training alongside cybersecurity tools. Just as advanced persistent threats (APTs) highlighted shortcomings in technological defenses, the prevalence of social engineering underscores the need for human-centric protections to secure the people within an organization. Regardless of how advanced cyber defenses may become, human nature provides an ever-present vulnerability to be exploited.


Originally published by OffSec: Social Engineering: The Art of Human Hacking

Copyright notice: posted by admin on 11 December 2023 at 6:00 PM.
When reposting, please cite: Social Engineering: The Art of Human Hacking | CTF导航
