Qayb ka mid ah wararka dhawaanahan ayaa iga dhigay inaan garwaaqsado sida shucuurta bini'aadamka iyo fikradaha ay u noqon karaan (ama,) loogu isticmaali karo faa'iidooyinka kuwa kale. Ku dhawaad ​​qof kasta oo idinka mid ah wuu garanayaa Edward Snowden , oo ah qofka sirta u sheega ee NSA ku dhex dhuumanaya adduunka oo dhan. Reuters ayaa ku warantay in uu helay ilaa 20-25 qof oo NSA ah si ay ugu wareejiyaan furaha sirta ah isaga oo dib u helay xog uu faafiyay markii dambe [1]. Bal qiyaas^(Imagine) sida ay u jilicsan tahay shabakadaada shirkadeed, xitaa iyada oo leh kan ugu xoogan uguna wanaagsan software-ka amniga!

Waa maxay injineernimada bulshada

Daciifnimada aadanaha^(Human) , xiisaha, shucuurta, iyo sifooyin kale ayaa inta badan loo adeegsaday soo saarista xogta si sharci darro ah - ha ahaato warshad kasta. Warshadaha IT^{(IT Industry)} ayaa, si kastaba ha ahaatee, siiyay magaca injineernimada bulshada. Waxaan u qeexay injineernimada bulshada sida:

“The method whereby an external person gains control over one or more employees of any organization by any means with intention to obtain the organization’s data illegally”

Halkan waxaa ah sadar kale oo isla sheekadaas [1] ah oo aan rabo inaan soo qaato - " Hay'adaha ammaanku waxay ku adag tahay fikradda ah in ninka ku jira qolalka soo socda aan la isku halleyn karin^{(Security agencies are having a hard time with the idea that the guy in the next cubicle may not be reliable)} ". Waxaan wax ka beddelay weedha si aan ugu waafajiyo macnaha guud ee halkan. Waxaad ku akhrin kartaa warka oo dhan adigoo isticmaalaya isku xirka qaybta Tixraaca^(References) .

Si kale haddii loo dhigo, ma haysatid koontarool dhammaystiran oo ku saabsan amniga ururradaada iyadoo injineernimada bulsheed uu u kobcayo si ka dhaqso badan farsamooyinka lagula qabsanayo. Injineernimada bulshadu^(Social) waxa ay noqon kartaa wax la mid ah in aad wacdo qof ku leh waxaad tahay taageero tignoolajiyad oo waydiiso aqoonsigooda gelitaanka. Waa inaad heshay iimaylo phishing ah oo ku saabsan bakhtiyaa-nasiibka, dadka hodanka ah ee Bariga Dhexe^{(Mid East)} iyo Afrika^(Africa) oo doonaya la-hawlgalayaasha ganacsiga, iyo soo jeedinta shaqo si ay ku weydiiyaan faahfaahintaada.

Si ka duwan weerarrada phishing-ka, injineernimada bulshadu waa inta badan isdhexgalka tooska ah ee qof-ka-qof. Kii hore (phishing) wuxuu shaqaaleeyaa sed - taas oo ah, dadka "kalluumeysiga" waxay ku siinayaan wax rajo ah inaad ku dhici doonto. Injineerinka bulshadu^(Social) waa wax badan oo ku saabsan ku guuleysiga kalsoonida shaqaalaha gudaha si ay u sheegaan faahfaahinta shirkadda aad u baahan tahay.

Akhri: ^(Read:) Hababka caanka ah ee injineernimada bulshada .

Farsamooyinka Injineerinka Bulshada ee la yaqaan

Way badan yihiin, oo dhammaantood waxay isticmaalaan rabitaannada aasaasiga ah ee aadanaha si ay u galaan xogta urur kasta. Farsamada injineernimada bulsheed ee aadka loo isticmaalo (malaha duugoobay) waa in la waco oo lala kulmo dadka oo la rumaysto inay ka yimaadeen taageero farsamo oo u baahan inay hubiso kumbuyuutarkaaga. Waxay kaloo abuuri karaan kaarar aqoonsi oo been abuur ah si ay kalsooni u abuuraan. Xaaladaha qaarkood, dambiilayaasha ayaa iska dhigaya mas'uuliyiin dowladeed.

Farsamo kale oo caan ah ayaa ah inaad u shaqaaleysiiso qofkaaga shaqaale ahaan hay'adda bartilmaameedka ah. Hadda, maadaama uu con-kani yahay saaxiibkaaga, waxaa laga yaabaa inaad ku kalsoonaato faahfaahinta shirkadda. Shaqaalaha dibadda ayaa laga yaabaa inay wax kaa caawiyaan, si aad dareento waajib, waana marka ay ogaan karaan inta ugu badan.

Waxaan sidoo kale akhriyay warbixinno ku saabsan dadka isticmaala hadiyadaha elegtarooniga ah. Usha USB^(USB) ee quruxda badan oo lagugu keeno ciwaanka shirkadaada ama qalin ku dhex jiifa gaarigaaga ayaa cadeyn kara masiibooyinka. Xaalad ahaan, qof ayaa uga tagay qaar ka mid ah darawallada USB-ga^(USB) si ula kac ah goobta baarkinka si ay wax uga qabtaan [2].

Haddii shabakadaada shirkadu ay leedahay tillaabooyin ammaan oo wanaagsan oo ku yaal meel kasta, waad barakaysan tahay. Haddii kale, qanjidhadani waxay bixiyaan marin sahlan oo loogu talagalay malware - hadiyaddaas ama "la hilmaamay" qalinleyda - nidaamyada dhexe.

Sidan oo kale ma bixin karno liis dhamaystiran oo hababka injineernimada bulshada. Waa cilmi xudunta u ah, oo lagu daray fanka xagga sare. Oo waxaad ogtahay in midkoodna uusan lahayn xuduud. Wiilasha injineernimada bulshadu^(Social) waxay sii wataan hal-abuurnimada iyagoo horumarinaya software-ka oo sidoo kale si xun u isticmaali kara aaladaha wireless-ka si ay u helaan shirkadda Wi-Fi .

Akhriso: ^(Read:) Waa maxay bulsheed Ingineered Malware .

Kahortagga injineernimada bulshada

Shakhsi ahaan, uma maleynayo inay jirto wax aragti ah oo maamulayaashu u isticmaali karaan si ay uga hortagaan jabsiga injineernimada bulshada. Farsamooyinka injineernimada bulsheed ayaa isbeddelaya, markaa way ku adkaanaysaa maamulayaasha IT-ga inay la socdaan waxa dhacaya.

Dabcan, waxaa loo baahan yahay in la ilaaliyo wararka injineernimada bulshada si qofka loogu wargeliyo ku filan si uu u qaado tallaabooyinka amniga ku habboon. Tusaale ahaan, marka laga hadlayo aaladaha USB , maamulayaashu waxay xannibi karaan darawallada USB-ga^(USB) ee noodhadhka shakhsi ahaaneed iyagoo u oggolaanaya kaliya server-ka leh nidaam ammaan oo wanaagsan. Sidoo kale^(Likewise) , Wi-Fi wuxuu u baahan doonaa sir ka wanaagsan inta badan ISP^(ISPs) -yada maxalliga ah .

Tababbarka shaqaalaha iyo samaynta imtixaannada aan kala sooca lahayn ee kooxaha shaqaalaha ee kala duwan waxay gacan ka geysan karaan in la aqoonsado meelaha daciifka ah ee ururka. Way sahlanaan lahayd in la tababaro oo laga digtoonaado shakhsiyaadka daciifka ah. Feejignaantu^(Alertness) waa difaaca ugu fiican. Cadaadisku waa inuu noqdaa in macluumaadka gelitaanka aan lala wadaagin xitaa hoggaamiyeyaasha kooxda - iyadoon loo eegin cadaadiska. Haddii hogaamiyaha kooxdu u baahan yahay inuu galo xubinta galkiisa, isaga/iyada waxay isticmaali karaan furaha sirta ah. Taasi waa hal talo oo kaliya si aad u badbaado oo aad uga fogaato jabsiga injineernimada bulshada.

Khadka ugu hooseeya ayaa ah, marka laga reebo malware-ka iyo tuugada khadka tooska ah, dadka IT-ga waxay u baahan yihiin inay daryeeshaan injineernimada bulshada sidoo kale. Iyadoo la aqoonsanayo hababka jebinta xogta (sida qorista ereyada sirta ah iwm.), maamulayaashu waa inay sidoo kale hubiyaan in shaqaalahooda ay caqli badan yihiin si ay u aqoonsadaan farsamada injineernimada bulshada si looga fogaado gebi ahaanba. Maxay kula tahay hababka ugu fiican ee looga hortagi karo injineernimada bulshada? Haddii aad la kulanto arrin xiiso leh, fadlan nala wadaag.

Soo deji buuggan ebook-ka ah ee weerarrada injineernimada bulshada ee ay soo saartay Microsoft oo baro sida aad u ogaan karto ugana hortagi karto weerarradan oo kale ee ururkaaga.^{(Download this ebook on Social Engineering Attacks released by Microsoft and learn how you can detect and prevent such attacks in your organization.)}

Tixraacyo^(References)

[1] Reuters , Snowden wuxuu ku^(Snowden) qanciyay shaqaalaha NSA inay ^{(NSA Employees Into)}helaan^(Info) macluumaadka galitaanka

[2] Boing Net , Qalinleyda^(Pen) loo isticmaalo in lagu faafiyo Malware^{(Spread Malware)} .

Understand Social Engineering - Protection against Human Hacking

A piece of recеnt news made me rеalize how human emotions and thoυghts can be (оr, are) used for others’ benefit. Almost every one of you knows Edward Snowden, the whistleblower of NЅA snooping the world over. Reuters reported that he got around 20-25 NSA рeoрlе to hand over their рasswords to him for reсоvеring some data he leaked later [1]. Imagine how fragile your corporatе network can be, evеn with thе strongеst and best of sеcurity software!

What is Social Engineering

Human weakness, curiosity, emotions, and other characteristics have often been used in extracting data illegally – be it any industry. The IT Industry has, however, given it the name of social engineering. I define social engineering as:

“The method whereby an external person gains control over one or more employees of any organization by any means with intention to obtain the organization’s data illegally”

Here is another line from the same news story [1] that I want to quote – “Security agencies are having a hard time with the idea that the guy in the next cubicle may not be reliable“. I modified the statement a bit to fit it into the context here. You can read the full news piece using the link in the References section.

In other words, you do not have complete control over the security of your organizations with social engineering evolving much faster than techniques to cope with it. Social engineering can be anything like calling up someone saying you are tech support and ask them for their login credentials. You must have been receiving phishing emails about lotteries, rich people in Mid East and Africa wanting business partners, and job offers to ask you your details.

Unlike phishing attacks, social engineering is much of direct person-to-person interaction. The former (phishing) employs a bait – that is, the people “fishing” is offering you something hoping that you will fall for it. Social engineering is more about winning the confidence of internal employees so that they divulge the company details you need.

Read: Popular methods of Social Engineering.

Known Social Engineering Techniques

There are many, and all of them use basic human tendencies for getting into the database of any organization. The most used (probably outdated) social engineering technique is to call and meet people and making them believe they are from technical support who need to check your computer. They can also create fake ID cards to establish confidence. In some cases, the culprits pose as state officials.

Another famous technique is to employ your person as an employee in the target organization. Now, since this con is your colleague, you might trust him with company details. The external employee might help you with something, so you feel obliged, and that is when they can make out the maximum.

I also read some reports about people using electronic gifts. A fancy USB stick delivered to you at your company address or a pen drive lying in your car can prove disasters. In a case, someone left some USB drives deliberately in the parking lot as baits [2].

If your company network has good security measures at each node, you are blessed. Otherwise, these nodes provide an easy passage for malware – in that gift or “forgotten” pen drives – to the central systems.

As such we cannot provide a comprehensive list of social engineering methods. It is a science at the core, combined with art on the top. And you know that neither of them has any boundaries. Social engineering guys keep on getting creative while developing software that can also misuse wireless devices gaining access to company Wi-Fi.

Read: What is Socially Engineered Malware.

Prevent Social Engineering

Personally, I do not think there is any theorem that admins can use to prevent social engineering hacks. The social engineering techniques keep on changing, and hence it becomes difficult for IT admins to keep track on what is happens.

Of course, there is a need to keep a tab on social engineering news so that one is informed enough to take appropriate security measures. For example, in the case of USB devices, admins can block USB drives on individual nodes allowing them only on the server that has a better security system. Likewise, Wi-Fi would need better encryption than most of the local ISPs provide.

Training employees and conducting random tests on different employee groups can help identify weak points in the organization. It would be easy to train and caution the weaker individuals. Alertness is the best defense. The stress should be that login information should not be shared even with the team leaders – irrespective of the pressure. If a team leader needs to access a member’s login, s/he can use a master password. That is just one suggestion to stay safe and avoid social engineering hacks.

The bottom line is, apart from the malware and online hackers, the IT people need to take care of social engineering too. While identifying methods of a data breach (like writing down passwords etc.), the admins should also ensure their staff is smart enough to identify a social engineering technique to avoid it altogether. What do you think are the best methods to prevent social engineering? If you have come across any interesting case, please share with us.

Download this ebook on Social Engineering Attacks released by Microsoft and learn how you can detect and prevent such attacks in your organization.

References

[1] Reuters, Snowden Persuaded NSA Employees Into Obtaining Their Login Info

[2] Boing Net, Pen Drives Used to Spread Malware.

Related posts

• Laqabsiga Internetka iyo Baraha Bulshada

• Mareegaha wararka been abuurka ah: Dhibaato sii kordheysa & waxa ay ka dhigan tahay aduunka maanta

• Sida loo dejiyo, loo duubo, wax looga beddelo, loo daabaco Instagram Reels

• Sida loo suurtageliyo aqoonsiga laba-factor ee koontada Reddit

• Ku xidh Naadiga Daaqadaha

• Maxaa la sameeyaa marka Facebook Account la jabsado?

• Sida loo badbaadiyo Instagram Reels-kaaga Qabyo qoraalka oo hadhow wax ka beddel

• Tilmaamaha Yammer & Halka aad ka isticmaali karto

• Sida loo isticmaalo Facebook si aad u noqoto mid saameeya warbaahinta bulshada

• Blockchain ku salaysan Shabakadaha Bulshada ee Baahsan oo aad xogtaada ku leedahay

• Talooyinka Yammer-ka ugu Fiican iyo tabaha loogu talagalay isticmaaliyaha awoodda

• Ka noqo gelitaanka qolo saddexaad Facebook, Google, Microsoft, Twitter

• Sida si joogto ah loo tirtiro ama si ku meel gaar ah loo joojiyo akoontiga Instagram

• Sida loo noqdo Saamayn ku leh Twitterka

• Sida loogu daro Muusiga, Saamaynta, Horumarka Instagram Reels

• Sida loo damiyo akoonka Reddit si joogto ah PC

• Khatarta iyo Cawaaqib xumada ka dhalan karta wadaagga badan ee Baraha Bulshada

• Sideed uga raadisaa fariimaha Instagram-ka?

• Sida loo noqdo Saamaynle YouTube ah

• Sida loo sameeyo Instagram Carousel gudaha Photoshop: Cashar-saaxiibtinimo bilow ah