Social engineering as the form of endangering confidential business information

Abstract

In many jobs, especially the ones where you need to get some confidential information in contact with other people, there are some forms of social engineering. Social engineering is the form of oral and gesture manipulation with individuals, aiming to impose them fulfill a kind of demands, made by the attacker. The existing problems in the confidential information protection sphere appear in the fact that behind each computer, there is a human being, as an individual, with own good and bad characteristics. Social engineering is a technique where persuading and/or delusion are used for getting the access to the computer systems. This is usually accomplished by conversation or some other forms of interactive communication. Countermeasures in fighting against social engineering are getting more complicated due to the fact that anyone who has the access to any part of the information system represents a potential risk to information security. Unlike other attacks on computers, social engineering does not refer to technological manipulation or the use of hardware and software vulnerability. Besides that, it does not demand any special technical skills and knowledge. This kind of attack exploits human weaknesses, as negligence or cooperation wish, in order to get an access to the confidential documents existing in the computer. Social engineering can be organized for the sake of profit and cyber terrorism or for the access to internal systems and confidential information. Big organizations that process and save sensitive data are the most often attacked and among them are telephone services providers, multinational companies, financial entities, hospitals Government agencies, military service and others.

U mnogim poslovima, pogotovo tamo gde treba doći do poverljivih informacija u kontaktu sa drugim ljudima, prisutne su pojedine forme socijalnog inženjeringa. Socijalni inženjering je oblik govorne i gestikularne manipulacije pojedincima sa ciljem da se navedu na ispunjenje nekih zahteva postavljenih od strane napadača. Problemi koji se javljaju u oblasti zaštite poverljivih informacija nalaze se u činjenici da iza svakog kompjutera stoji čovek kao jedinka sa svim svojim dobrim i lošim osobinama. Socijalni inženjering je tehnika u kojoj se ubeđivanje i/ili obmana koriste da bi se dobio neovlašćen pristup kompjuterskim sistemima. Ovo se obično postiže razgovorom ili nekim drugim oblicima interaktivne komunikacije. Protivmere u borbi protiv socijalnog inženjeringa su vrlo složene. Usložava ih činjenica da svako ko ima pristup bilo kom delu informacionog sistema predstavlja moguću metu napada socijalnim inženjeringom. Za razliku od ostalih napada na kompjutere, socijalni inženjering se ne odnosi na tehnološku manipulaciju i korišćenje ranjivosti hardvera ili softvera. Pored toga i ne zahteva posebne tehničke veštine i znanja. Ova vrsta napada eksploatiše ljudske slabosti, kao što su nemarnost ili želja za kooperativnošću, kako bi se dobio pristup poverljivim dokumentima koji se nalaze na kompjuteru. Cilj socijalnog inženjeringa može biti sticanje profita, sajber terorizam ili pristup internim sistemima i poverljivim informacijama. Mete napada su najčešće, provajderi telekomunikacionih usluga, multinacionalne kompanije finansijski ustanove, bolnice, vladine agencije, vojska i drugi.