Detection of vulnerabilities of the computer systems and networks using social engineering techniques

Abstract

Information protection in computer systems and networks is focused on preserving its confidentiality properties of, integrity and availability from various inherently adverse impacts. Potentially possible adverse effects are interpreted as a threat. To prevent or complicate the possibility of realizing threats and reducing potential losses, a system of information protection measures is created and maintained in a healthy state. Such a system includes a computing system, physical environment, staff, and information. One of the most vulnerable elements of such system is staff. Within the framework of the socio-engineering approach, staff vulnerability is interpreted as its weaknesses, needs, mania (passions), hobbies. Manipulating them allows one to gain unauthorized access to information without destroying and distorting its main system-forming qualities. This is reflected in such forms as fraud, deception, scam, intrigue, hoax, provocation. The use of each of these manipulation forms is preceded by the determination of its content by careful planning, organization, and control. These actions are the basis of social engineering methods. Their use is aimed at imitating the actions of the information security violator, which are aimed at staff. This allows to assess the level of staff skills in the information security field and, as a result, to identify information vulnerabilities in computer systems and networks. The methods of social engineering used for this are divided into two groups, in particular, remote social engineering and personal contact. Methods of remote social engineering are implemented by means of modern telecommunications. In addition, the second group of methods involves the establishment of personal contact with the object of influence. In the end, it becomes possible not only to identify, neutralize, but also to prevent information vulnerabilities in computer systems and networks with the introduction of social engineering methods. Therefore, firstly, its protection is ensured taking into account the requirements of the information security policy; secondly, the rules of conduct of the staff are established, regulated by the job descriptions; thirdly, training is held to increase the persistence of employees stereotypes of the organization.