企业安全实战 社交工程渗透测试4个技巧（Enterprise security actual social engineering penetration testing 4 skills）.doc

企业安全实战 社交工程渗透测试4个技巧（Enterprise security actual social engineering penetration testing 4 skills） Social engineering has become one of the most popular forms of attack, and in some cases of larger data leakage. For example, in 2011, RSA breach encountered directional fishing and loaded Excel files. Therefore, social penetration testing should be a mandatory strategy for each penetration test toolkit for an enterprise capable of simulating real attacks. Social worker behavior is very dependent on psychology, and there are a lot of very suspicious bait that allows social workers to persuade people to engage in an operation. Robert Cialdini, for example, describes six motivations for stimulating peoples behavior in their book Influence: The Psychology of Persuasion: 1, mutual help: because someone you feel guilty; 2, social identity: learn how to conduct actions to other people; 3, commitment / consistency: develop a behavioral model and make it a habit; 4, preferences: people are more likely to be favorable to persuade people; 5, authority: the authority of the claims made by the tacit consent; 6 shortage: demand for this item will increase when the supply of something is limited or dedicated only. Penetration testers can take advantage of these stimuli when performing social work evaluations. There are four kinds of social skills for enterprise information security penetration testers, respectively, on the pretext of fishing, put on the medium and rear end. Social worker penetration security test: phishing attacks Fishing involves sending mail to a user to convince a user to do something. In penetration testing, most phishing emails simply induce users to click on something, then record this behavior, or install a program for a later large-scale penetration test. After that, you can take advantage of a specific vulnerability in client software, such as browsers and dynamic content / media plug-ins and software. The key to successful phishing attacks is personalization!