In recent years the widespread adoption of Web 2.0 has made the audio, video and multimedia content presented on web pages more diverse, interactive and rich. Social networking sites such as Facebook, Plurk, Twitter, Wretch (無名小站), Xuite and Yam Blog are now hugely popular, and online community tools such as MSN, Yahoo! Messenger, Skype, mobile phones and e-mail have an influence that cannot be underestimated. According to ComScore statistics through the end of 2011, about 794 million people visit Facebook each month, each spending an average of 377 minutes, that is, more than six hours, on social networking sites. Recently, the National Police Agency's 165 Anti-Fraud Hotline has recorded a series of social engineering attacks carried out through social networking sites. With the rise of the Internet, social engineering attacks that were formerly delivered mainly by e-mail have evolved into attacks centred on social networking sites, and their methods keep changing. If we fail to take this type of attack seriously and to strengthen the supporting information security management measures, similar incidents will keep recurring, their impact will keep widening, and the resulting losses and harm will be incalculable.

This study examines the types of social engineering attacks associated with social networking sites, investigating and comparing such security incidents by means of case analysis. It also examines the controls in the international ISO/IEC 27001 information security management standard that relate to social engineering attacks, combines them with the standard operating procedure of ISO/IEC TR 18044 for information security incident management, and applies the AS/NZS ISO 31000 risk management principles and guidelines to measure the impact and likelihood of risks and to build sound assessment and treatment steps, with the aim of gradually reducing the occurrence of such security incidents and stopping social engineering attacks from recurring.