Defensive Tactics to Deal with Psychological Manipulation in the Field of Information Security

Article type: Research article

Authors

1 Assistant Professor, Allameh Tabataba'i University, Tehran, Iran

2 Assistant Professor, Imam Hossein Comprehensive University, Tehran, Iran

Abstract

Social engineering, which in the field of information and cyber security is referred to as the psychological manipulation of people, is a concept built on the exploitation of human vulnerabilities, and on that basis it gives rise to a particular class of attacks that are shaped by human characteristics and the weaknesses that follow from them. With the spread of information and communication technology, this concept has gained wider application and greater importance; moreover, social engineering attacks are low-cost and highly effective, and because they are human-centred they combine simplicity with a particular subtlety and complexity. All of this means that security and defense against these attacks must share the same characteristics, and that they take on added importance. Accordingly, with the aim of finding suitable tactics for defending against social engineering attacks, this article first examines the concept and its various dimensions and then sets out defensive measures against it. In this study, the Delphi method and expert opinion were used to prioritize the factors that matter in defending against social engineering attacks: training was identified as the most important factor, and within training, simulation with operational testing and the continuity of training were identified as its most important and most influential pillars.

Article title [English]

Defensive Tactics to Deal with Psychological Manipulation in the Field of Information Security

Authors [English]

  • Hamid Hakim 1
  • Esfahani Reza 2
1 Allameh Tabataba'i University
2 Scientific Department of Communication
Abstract [English]

Social engineering, which is referred to as the psychological manipulation of people in the field of information and cyber security, is a concept based on the exploitation of human vulnerabilities, and it thus gives rise to a particular type of attack shaped by human characteristics and the weaknesses that follow from them. The concept has become more widely used and more important with the development of information and communications technology. Moreover, social engineering attacks are low-cost and highly effective and, despite their simplicity, have a certain subtlety and complexity owing to their human-centred nature. All of this means that security and defense against these attacks must have the same characteristics and take on added importance. Hence, this paper addresses the concept and its different aspects and then recommends defensive measures for it, with the aim of finding suitable tactics for defending against social engineering attacks. Using the Delphi method and expert opinion to prioritize the factors that matter in this defense, training was found to be the most important factor, and within training, simulation with operational testing and the continuity of training were found to be its most influential pillars.
 

Keywords [English]

  • Training
  • Defense
  • Attack
  • Social Engineering
  • Human