Investigating the Effect of Social Engineering Techniques on Employee Vulnerability (Case Study: Employees of Tehran Municipality)

Journal: Electronic and Cyber Defense
Volume 11, Issue 1, Serial No. 41, Khordad 1402, pages 31-46. Full text (1.07 MB)
Article type: Research article

Authors
Seyed Hasan Hosseini 1; Nasim Majidi Ghahroudi* 2 (* corresponding author)
1 PhD student in Communication Sciences, Science and Research Branch, Islamic Azad University, Tehran, Iran
2 Assistant Professor, Department of Communication, Journalism and Media, Central Tehran Branch, Islamic Azad University, Tehran, Iran

Received: 14 Dey 1400; Revised: 06 Esfand 1400; Accepted: 03 Dey 1401

Abstract
Social engineering is the art of deceiving people so that, without the use of force or threats, they perform an action or hand over information that the social engineer wants. A social engineer can threaten personal, organizational or national interests. Hackers, fraudsters, spies, saboteurs and others all use social engineering to advance their goals, and a social engineer draws on a variety of techniques. In this study we examined the effect of these techniques on employee vulnerability, using a mixed (qualitative and quantitative) method to measure that effect. First, the various social engineering techniques were enumerated by reviewing prior research and consulting experts in the field, and were categorized as technical, social, physical and socio-technical. Then, in the quantitative phase, Likert-scale items were written and a questionnaire was administered to the target population (employees of Tehran Municipality), yielding each respondent's vulnerability to each technique; finally, by averaging the responses, the overall vulnerability of the respondents to each type of social engineering technique was obtained. The target population was found to be most vulnerable to technical techniques, followed by social, socio-technical and physical techniques, in that order. Human-centred and technology-centred countermeasures for preventing social engineering were also proposed.

Keywords
social engineering; vulnerability; communication security; deception