Investigating the Effect of Social Engineering Techniques on Employee Vulnerability (Case Study: Tehran Municipality Employees)
Electronic and Cyber Defense (journal)
Volume 11, Issue 1, Serial No. 41, Khordad 1402 (spring 2023), pages 31-46. Full text (1.14 MB)
Article type: Research article
Authors
Seyyedhasan Hoseini 1; Nasim Majidi Gahrodi* 2 (* corresponding author)
1 PhD student in Communication Sciences, Science and Research Branch, Islamic Azad University, Tehran, Iran
2 Assistant Professor, Department of Communication, Journalism and Media, Central Tehran Branch, Islamic Azad University, Tehran, Iran
Received: 14 Dey 1400 (4 January 2022); Revised: 6 Esfand 1400 (25 February 2022); Accepted: 3 Dey 1401 (24 December 2022)
Abstract
Social engineering is the art of deceiving people so that, without force or threats, they perform an action or hand over information that the social engineer wants. A social engineer can threaten personal, organisational or national interests. Hackers, fraudsters, spies, saboteurs and others all use social engineering to advance their goals, and a social engineer draws on a variety of techniques. This study examines the effect of those techniques on employee vulnerability, using a mixed (qualitative and quantitative) method to measure it. First, the social engineering techniques were enumerated from a review of prior research and from the opinions of social engineering experts, and were classified as technical, social, physical or technical-social. Then, in the quantitative phase, Likert-scale items were written for each technique and a questionnaire was administered to the target population (employees of Tehran Municipality); the vulnerability of respondents to each technique was obtained, and the overall vulnerability to each class of technique was computed by averaging the responses. The target population was found to be most vulnerable to technical techniques, followed by social, technical-social and physical techniques. Human-centred and technology-centred measures for preventing social engineering are also proposed.
Keywords
Social engineering; vulnerability; communication security; deception
Article title [English]
Investigating the Effect of Social Engineering Techniques on Employee Vulnerability (Case Study: Tehran Municipality Employees)
Authors [English]
Seyyedhasan Hoseini 1; Nasim Majidi Gahrodi 2
1 PhD student in Communication Sciences, Science and Research Branch, Islamic Azad University, Tehran, Iran
2 Assistant Professor, Department of Communication, Journalism and Media, Central Tehran Branch, Islamic Azad University, Tehran, Iran
Abstract [English]
Social engineering is the art of deceiving people so that, without any use of force or threats, they do something or provide information that the social engineer wants. Social engineering can serve personal, organisational or national interests. Hackers, criminals, spies, saboteurs and others all use social engineering to achieve their goals, and a social engineer uses a variety of techniques. This study examines the effect of these techniques on people's vulnerability, using a mixed (qualitative and quantitative) method to measure that effect. First, the social engineering techniques, and the vulnerabilities they exploit, were obtained by reviewing previous research and interviewing experts in the field, and the techniques were categorised as technical, social, physical or technical-social. Then, in the quantitative stage, a questionnaire with Likert-scale items was created and administered to the target community (employees of Tehran Municipality), and the degree of people's vulnerability to each class of social engineering technique was obtained. The target population was found to be most vulnerable to technical techniques, followed by social, technical-social and physical techniques. To prevent social engineering, human-centred and technology-based solutions are proposed: the human-centred solutions focus mainly on training personnel, and the IT solutions on providing the right equipment and computers and establishing a correct information-access cycle within the organisation.
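The scoring procedure both abstracts describe (one or more Likert items per technique, responses averaged per technique and then per category, categories ranked by the result), as an added worked example. This is illustrative code, not the paper's own script or data: the item wording, technique names, respondents and answers are constructed. Two choices the abstracts leave open are made explicit here: reverse-scored items are flipped before averaging, and a category's score is the mean of its technique means rather than of all its raw answers, so a category with more items does not dominate by item count.

```python
from collections import defaultdict
from statistics import mean

LIKERT_MIN, LIKERT_MAX = 1, 5          # after normalisation, 5 = most vulnerable

# Item catalogue (constructed): item id -> (technique, category, reverse_scored).
# A reverse-scored item is worded so that agreement means *safe* behaviour
# ("I would verify the caller's identity before giving out my extension");
# its raw value is flipped before averaging. Skipping that flip silently
# pulls every affected technique toward the middle of the scale.
ITEMS = {
    "q1": ("phishing e-mail",       "technical",        False),
    "q2": ("phishing e-mail",       "technical",        True),
    "q3": ("watering hole",         "technical",        False),
    "q4": ("pretexting phone call", "social",           False),
    "q5": ("pretexting phone call", "social",           True),
    "q6": ("tailgating",            "physical",         False),
    "q7": ("shoulder surfing",      "physical",         False),
    "q8": ("baiting (USB drop)",    "technical-social", False),
    "q9": ("quid pro quo",          "technical-social", True),
}
TECHNIQUE_CATEGORY = {tech: cat for tech, cat, _ in ITEMS.values()}

# Constructed responses: respondent id -> {item id: raw Likert value or None}.
# None marks an unanswered item; r4 returned a partially completed form.
RESPONSES = {
    "r1": {"q1": 4, "q2": 2, "q3": 3, "q4": 3, "q5": 3, "q6": 2, "q7": 2, "q8": 3, "q9": 4},
    "r2": {"q1": 5, "q2": 1, "q3": 4, "q4": 4, "q5": 2, "q6": 1, "q7": 3, "q8": 4, "q9": 3},
    "r3": {"q1": 3, "q2": 3, "q3": 5, "q4": 2, "q5": 4, "q6": 3, "q7": 1, "q8": 2, "q9": 5},
    "r4": {"q1": 4, "q6": None},
}


def normalise(item_id, raw):
    """Validate one raw answer and flip it if the item is reverse-scored."""
    if not LIKERT_MIN <= raw <= LIKERT_MAX:
        raise ValueError(f"{item_id}: {raw} outside {LIKERT_MIN}..{LIKERT_MAX}")
    _, _, reverse = ITEMS[item_id]
    return LIKERT_MAX + LIKERT_MIN - raw if reverse else raw


def technique_scores(responses):
    """Mean vulnerability per technique over every answered item for it."""
    buckets = defaultdict(list)
    for answers in responses.values():
        for item_id, raw in answers.items():
            if raw is None:              # unanswered: skipped, never scored as 0
                continue
            technique = ITEMS[item_id][0]
            buckets[technique].append(normalise(item_id, raw))
    return {tech: mean(values) for tech, values in buckets.items()}


def category_scores(responses):
    """Mean of the technique means inside each category."""
    buckets = defaultdict(list)
    for technique, score in technique_scores(responses).items():
        buckets[TECHNIQUE_CATEGORY[technique]].append(score)
    return {cat: mean(values) for cat, values in buckets.items()}


def rank_categories(responses):
    """Categories ordered from most to least vulnerable (ties broken by name)."""
    return sorted(category_scores(responses).items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for category, score in rank_categories(RESPONSES):
        print(f"{category:17s} {score:.2f}")
```

With the constructed answers the ranking comes out technical, social, technical-social, physical, which happens to match the order the abstracts report; that is a property of the made-up data, not a reproduction of the paper's result. Out-of-range answers raise rather than being clamped, so a mis-keyed form is caught before it distorts a category mean.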
Keywords [English]
social engineering, vulnerability, communication security, deception, Tehran Municipality