- Some programs are downloaded automatically when accessing web
pages. While there are some safeguards to make sure that these
programs may be used safely, there have been security flaws
discovered in the past. For this reason, some centrally-
administered sites require that certain web browser capabilities
be turned off.
4. Paranoia is Good
Many people do not realize it, but social engineering is a tool which
many intruders use to gain access to computer systems. The general
impression that people have of computer break-ins is that they are
the result of technical flaws in computer systems which the intruders
have exploited. People also tend to think that break-ins are purely
technical. However, the truth is that social engineering plays a big
Guttman, et. al. Informational [Page 11]
RFC 2504 Users' Security Handbook February 1999
part in helping an attacker slip through security barriers. This
often proves to be an easy stepping-stone onto the protected system
if the attacker has no authorized access to the system at all.
Social engineering may be defined, in this context, as the act of
gaining the trust of legitimate computer users to the point where
they reveal system secrets or help someone, unintentionally, to gain
unauthorized access to their system(s). Using social engineering, an
attacker may gain valuable information and/or assistance that could
help break through security barriers with ease. Skillful social
engineers can appear to be genuine but are really full of deceit.
Most of the time, attackers using social engineering work by
telephone. This not only shields the attacker by protecting his or
her identity, it also makes the job easier: the caller can claim to
be any particular person and has a good chance of getting away with
it.
There are several types of social engineering. Here are a few
examples of the more commonly-used ones:
- An attacker may pretend to be a legitimate end-user who is new to
the system or is simply not very good with computers. This
attacker may approach systems administrators and other end-users
for help. This "user" may have lost his password, or simply can't
get logged into the system and needs to access the system
urgently. Attackers have also been known to identify themselves
as some VIP in the company, screaming at administrators to get
what they want. In such cases, the administrator (or it could be
an end-user) may feel threatened by the caller's authority and
give in to the demands.
- Attackers who operate via telephone calls may never even have seen
the screen display on your system before. In such cases, the
trick attackers use is to make details vague, and get the user to
reveal more information on the system. The attacker may sound
really lost so as to make the user feel that he is helping a
damsel in distress. Often, this makes people go out of their way to
help. The user may then reveal secrets while off guard.
- An attacker may also take advantage of system problems that have
come to his attention. Offering help to a user is an effective
way to gain the user's trust. A user who is frustrated with
problems he is facing will be more than happy when someone comes
to offer some help. The attacker may come disguised as the
systems administrator or maintenance technician. This attacker
will often gain valuable information because the user thinks that
it is alright to reveal secrets to technicians. Site visits may
pose a greater risk to the attacker as he may not be able to make
an easy and quick get-away, but the risk may bring fruitful
returns if the attacker is allowed direct access to the system by
the naive user.
- Sometimes, attackers can gain access to a system without prior
knowledge of any system secret or terminal access. In the same way
that one should not carry someone else's bags through Customs, no user
should key in commands on someone's behalf. Beware of attackers who
use users as their own remotely-controlled fingers to type commands on
the user's keyboard that the user does not understand, commands which
may harm the system. These attackers will exploit system software
bugs and loopholes even without direct access to the system. The
commands keyed in by the end-user may bring harm to the system, open
his own account up for access to the attacker or create a hole to
allow the attacker entry (at some later time) into the system. If you
are not sure what the commands you have been asked to key in actually
do, do not simply follow instructions. You cannot know what they do
or where they could lead.
To guard against becoming a victim of social engineering, one
important thing to remember is that passwords are secret. A password
for your personal account should be known ONLY to you. The systems
administrators who need to do something to your account will not
require your password. As administrators, the privileges they have
will allow them to carry out work on your account without the need
for you to reveal your password. An administrator should not have to
ask you for your password.
Users should guard the use of their accounts, and keep them for their
own use. Accounts should not be shared, not even temporarily with
systems administrators or systems maintenance technicians. Most
maintenance work will require special privileges which end-users are
not given. Systems administrators will have their own accounts to
work with and will not need to access computer systems via an
end-user's account.
Systems maintenance technicians who come on site should be
accompanied by the local site administrator (who should be known to
you). If the site administrator is not familiar to you, or if the
technician comes alone, it is wise to give a call to your known site
administrator to check if the technician should be there. Yet, many
people will not do this because it makes them look paranoid and it is
embarrassing to show that they have no, or little trust in these
visitors.
Unless you are very sure that the person you are speaking to is who he
or she claims to be, no secret information should ever be revealed to
such people. Sometimes, attackers may even be good enough to make
themselves sound like someone whose voice you know over the phone. It
is always good to double check the identity of the person. If you are
unable to do so, the wisest thing to do is not to reveal any secrets.
If you are a systems administrator, there should be security
procedures for assignment and reassignment of passwords to users, and
you should follow such procedures. If you are an end-user, there
should not be any need for you to have to reveal system secrets to
anyone else. Some companies assign a common account to multiple
users. If you happen to be in such a group, make sure you know
everyone in that group so you can tell if someone who claims to be in
the group is genuine.
Part Three: End-users self administering a networked computer
The home user or the user who administers his own network has many of
the same concerns as a centrally-administered user. The following is
a summary of additional advice given in Part Three:
- Read manuals to learn how to turn on security features, then turn
them on.
- Consider how private your data and Email need to be. Have you
invested in privacy software and learned how to use it yet?
- Prepare for the worst in advance.
- Keep yourself informed about what the newest threats are.
5. Make Your Own Security Policy
You should decide ahead of time what risks are acceptable and then
stick to this decision. It is also wise to review your decision at
regular intervals and whenever the need to do so arises. It may be
wise to simply avoid downloading any software from the network which
comes from an unknown source to a computer storing business records,
other valuable data and data which is potentially damaging if the
information was lost or stolen.
If the system has a mixed purpose, say recreation, correspondence
and some home accounting, perhaps you will hazard some downloading of
software. You unavoidably take some risk of acquiring stuff
which is not exactly what it seems to be.
It may be worthwhile installing privacy software on a computer if it
is shared by multiple users. That way, a friend of a room mate won't
have access to your private data, and so on.
6. Bad Things Happen
If you notice that your files have been modified or ascertain somehow
that your account has been used without your consent, you should
inform your security point-of-contact immediately. When you do
not know who your security point-of-contact is, try calling
your Internet service provider's help desk as a first step.
6.1 How to Prepare for the Worst in Advance
- Read all user documentation carefully. Make sure that it is clear
when services are being run on your computer. If network services
are activated, make sure they are properly configured (set all
permissions so as to prevent anonymous or guest logins, and so
on). Increasingly, many programs have networking capabilities
built in to them. Learn how to properly configure and safely use
these features.
- Back up user data. This is always important. Backups are
normally thought of as a way of ensuring you will not lose your
work if a hard disk fails or if you make a mistake and delete a
file. Backing up is also critical to ensure that data cannot be
lost due to a computer security incident. One of the most vicious
and unfortunately common threats posed by computer viruses and
Trojan Horse programs is erasing a computer's hard disk.
- Obtain virus checking software or security auditing tools. Learn
how to use them and install them before connecting to a public
network. Many security tools require that they be run on a
"clean" system, so that comparisons can be made between the
present and pristine states. Thus, it is necessary for some work
to be done ahead of time.
- Upgrade networking software regularly. As new versions of
programs come out, it is prudent to upgrade. Security
vulnerabilities will likely have been fixed. The longer you wait
to do this, the greater the risk that security vulnerabilities of
the products will become known and be exploited by some network
assailant. Keep up to date!
- Find out who to contact if you suspect trouble. Does your
Internet Service Provider have a security contact or Help Desk?
Investigate this before trouble happens so you won't lose time
trying to figure it out should trouble occur. Keep the contact
information both online and offline for easy retrieval.
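The first item above asks you to know which network services your
computer is actually running. The following is an added example, not
code from RFC 2504 or from any tool it mentions: it reads the Linux
kernel's /proc/net/tcp table (IPv4 sockets only), reports every socket
in LISTEN state, and flags the ones bound to a non-loopback address,
since those are reachable from the network rather than only from the
machine itself. It assumes a little-endian host (x86 and most ARM),
where the kernel prints the address bytes reversed. When /proc/net/tcp
is not available it falls back to a constructed sample table; the rows,
ports and uid values in that sample are invented for illustration.

```python
import socket
import struct

LISTEN_STATE = "0A"   # socket state code for LISTEN in /proc/net/tcp

# Constructed sample of /proc/net/tcp for offline use; not from a real host.
# Rows: CUPS on loopback, sshd on all interfaces, a user process on 8080,
# and one established (non-listening) connection that should be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0100007F:A3F2 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 12348 1 0000000000000000 100 0 0 10 0
"""


def decode_addr(hex_addr):
    """Turn 'HHHHHHHH:PPPP' into ('a.b.c.d', port).

    The kernel prints the 32-bit address as a native-endian word, so on a
    little-endian host the dotted quad comes out byte-reversed (assumption:
    little-endian host, as on x86)."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(proc_net_tcp_text):
    """Return [(ip, port, uid)] for every row in LISTEN state."""
    rows = []
    for line in proc_net_tcp_text.splitlines()[1:]:   # skip the header line
        fields = line.split()
        if len(fields) < 8 or fields[3] != LISTEN_STATE:
            continue
        ip, port = decode_addr(fields[1])   # local_address column
        rows.append((ip, port, int(fields[7])))   # uid column
    return rows


def exposed_sockets(proc_net_tcp_text):
    """Listeners bound to something other than loopback: reachable from the net."""
    return [s for s in listening_sockets(proc_net_tcp_text)
            if not s[0].startswith("127.")]


def audit_report(proc_net_tcp_text):
    """Human-readable line per listener, marking those exposed to the network."""
    report = []
    for ip, port, uid in listening_sockets(proc_net_tcp_text):
        scope = "loopback only" if ip.startswith("127.") else "EXPOSED to the network"
        report.append(f"{ip}:{port} uid={uid} {scope}")
    return report


def read_proc_net_tcp():
    """Live table on Linux; the constructed sample elsewhere."""
    try:
        with open("/proc/net/tcp") as fh:
            return fh.read()
    except OSError:
        return SAMPLE_PROC_NET_TCP


if __name__ == "__main__":
    for line in audit_report(read_proc_net_tcp()):
        print(line)
```

A listener on 0.0.0.0 that you did not knowingly enable is exactly the
situation the item warns about: either turn the service off or bind it
to 127.0.0.1. IPv6 listeners live in /proc/net/tcp6 and use a 128-bit
address field, which this example does not parse.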
There are 3 ways to avoid problems with viruses:
1. Don't be promiscuous
If at all possible, be cautious about what software you install on
your system. If you are unaware of or unsure of the origin of a
program, it is wise not to run it. Obtain software from trusted
sources. Do not execute programs or reboot using old diskettes
unless you have reformatted them, especially if the old diskettes
have been used to bring software home from a trade show and other
potentially security-vulnerable places.
Nearly all risk of getting infected by viruses can be eliminated
if you are extremely cautious about what files are stored on your
computer. See "The Dangers of Downloading" for more details.
2. Scan regularly.
Give your system a regular check-up. There are excellent
virus checking and security audit tools for most computer
platforms available today. Use them, and if possible, set them to
run automatically and regularly. Also, install updates of these
tools regularly and keep yourself informed of new virus threats.
3. Notice the unusual.
It's not true that a difference you cannot detect is no difference
at all, but it is a good rule of thumb. You should get used to
the way your system works. If there is an unexplainable change
(for instance, files you believe should exist are gone, or strange
new files are appearing and disk space is 'vanishing'), you should
check for the presence of viruses.
You should take some time to be familiar with computer virus
detection tools available for your type of computer. You should use
an up-to-date tool (i.e. not older than three months). It is very
important to test your computer if you have been using shared
software of dubious origin, someone else's used floppy disks to
transfer files, and so on.
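Two of the points above, running a checking tool on a "clean" system so
that the present state can be compared with the pristine one (6.1), and
noticing files that vanish or appear (item 3), rest on the same
mechanism: a baseline of file hashes taken before the machine is
exposed, compared against the current state later. The following is an
added example, not code from RFC 2504 or from any of the tools it
refers to. It hashes every regular file under a directory with SHA-256,
stores the baseline as JSON, and reports added, removed and modified
files. The demo() function builds a throwaway directory with
constructed contents, tampers with it and returns the report; the file
names and contents in it are invented.

```python
import hashlib
import json
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map each regular file under root (relative path) to its hash and size.

    Symlinks are skipped so a planted link cannot pull files from outside
    root into the baseline."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = {"sha256": hash_file(full),
                            "size": os.path.getsize(full)}
    return entries


def save_baseline(entries, path):
    with open(path, "w") as fh:
        json.dump(entries, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def compare(baseline, current):
    """Classify every path as added, removed or modified against the baseline."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new
                           if baseline[p]["sha256"] != current[p]["sha256"]),
    }


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, return the diff."""
    with tempfile.TemporaryDirectory() as root, \
            tempfile.TemporaryDirectory() as store:
        # Clean state (contents are invented; this is not real system data).
        _write(root, "bin/login", b"original login binary\n")
        _write(root, "notes.txt", b"hello\n")
        baseline_path = os.path.join(store, "baseline.json")  # kept outside root
        save_baseline(snapshot(root), baseline_path)

        # What a virus or intruder might do afterwards.
        _write(root, "bin/login", b"trojaned login binary\n")  # modified
        os.remove(os.path.join(root, "notes.txt"))             # removed
        _write(root, ".dropper", b"payload\n")                 # added

        return compare(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Take the baseline before the first network connection, and keep both
the baseline file and the checker on read-only media or on another
machine: an intruder who has gained control of the host can just as
easily rewrite a baseline stored next to the files it describes.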
6.2 What To Do if You Suspect Trouble
If you suspect that your home computer has a virus, that a malicious
program has been run, or that a system has been broken into, the
wisest course of action is to first disconnect the system from all
networks. If available, virus detection or system auditing software
should be used.