RE: Is there such thing as hacking? 03-17-2018, 04:05 AM
#3
Provided your questions are on-topic and In compliance with forum rules, there's absolutely nothing wrong with asking for assistance.
I've taken a key element from your post as follows.
Quote: a company for example, can fortify their networks, servers etc. to prevent such attacks
In response to your question, anyone and any entity can be compromised via a combination of technical and social engineering attacks. I've come across (and still do) countless users who focus on having the very best network security systems in place (IDS/IPS, WAFs, 2FA, OTP etc.) and believe they're secure from all attack vectors. What about the user operating a given system? How well is he/she trained in identifying malicious links sent via email? All it takes is a click of the mouse to execute a payload.
How well is the user trained against social engineering? For example, there's no point in having password policies implemented (must be changed every 45 days, cannot reuse old passwords, cannot be based on anything that's commonly used, easy to guess or familiar, must contain an uppercase, lowercase and special character, minimum length of 10 chars etc.) when the user simply hands the password over to a person on the other end of the phone (seemingly) assuming the role of an employee in the HR department.
There's no point in having security cameras in place when the company's carrier (for example UPS) is not authenticated on entry (building entry code or otherwise) into the complex. Anyone can slip on a UPS uniform with a UPS parcel, arrive 30 minutes earlier than the real guy and simply walk in, all because the "camera" (seemingly) identified the carrier.
I've always applied my motto pertaining to social engineering as follows:
T.A.S.K
* Training.
* Awareness.
* Skill Set.
* Know-how.
In closing, from a security standpoint you need to identify every possible flaw, loophole, misconfiguration, vulnerability and so forth and exhaust all avenues in securing both the technical side of it and the human firewall (social engineering). From an attacker's perspective, you only need ONE gateway and you're in.