This was the literature search for the Technical report on Social Engineering previously uploaded, named "TR - Social Engineering - Facts, Myths and Countermeasures.pdf".
I would appreciate sincere comments if any.
Social Engineering – Facts, Myths and Countermeasures
Eakan Gopalakrishnan School of Electronics and Computer Science, University of Southampton eg5g09@ecs.soton.ac.uk
Abstract

There are several ways of stealing information; most of them are done by exploiting the technical factors of security and some by exploiting the non-technical factors. Social engineering is a hacking technique that relies on weaknesses in humans rather than in software systems. This literature search provides a summary of the research that has been done in this field and of the countermeasures that can be taken to deal with it. The detailed description of the methods and solutions is out of scope of this literature search and will be looked into in detail in the technical report.

1. Introduction

Not many reviewed technical papers or books are available in the field of social engineering. This is probably because it is something which we have started to put focus on only recently. This very fact has been stated in the paper by M. Dontamsetti and A. Narayanan [5]. According to them, threats to information are mainly of three types: technical, physical and human in nature. Today, we are in the third generation of the information security evolution, which has evolved from its initial focus on the security of technology, to a focus on process-related security, and to the current focus on the human element that manages or uses the technologies and processes in place. “This shift in focus has only happened because of the realization that technology and processes are only as good as the humans that use them” [5].

In simple words, social engineering can be called “human hacking”. This particular method of hacking was made famous by Kevin Mitnick. His book [15] describes various methods of human hacking through a series of anecdotes. Very few researchers, like J. M. Sarriegi and J. J. Gonzalez, have tried to conceptualize social engineering attacks [2]. Winkler provides a case study of such an attack on a large US corporation [21] and several other case studies on social engineering in [14]. A good amount of statistics and information about computer crimes can be seen in [22] and [23]. All this evidence suggests that social engineering is truly a very effective method of hacking.

2. Impacts of Social Engineering

Social engineering attacks mostly result in network outages such as denial of service, fraud, identity theft and industrial espionage [12]. If a company gets infiltrated and confidential information is stolen, and this information goes public, customers or potential customers of that company lose confidence in the company, and this could cause the company to go out of business in the long run. Many different types of threats and impacts have been analyzed by R. Gulati in [18]. In Business Communications Review 2005, p. 46, it is reported that in the United States alone the estimated loss due to phishing attacks was 1.2 billion dollars for the year 2003, with 500 million dollars in consumer losses. This means that small to medium sized companies could go bankrupt due to such attacks.

3. Methods of Attack

Most social engineering techniques involve a lot of background study of the target organization or individual. A lot of the background information can be gathered from the internet itself. Other sources are spying, eavesdropping and dumpster diving, which means going through trash for telephone directories, organizational charts, memos, post-its, manuals, calendars, improperly disposed confidential documents etc. to fetch information about an individual or individuals inside an organization. Technical expertise can be combined with impersonation or disguise, which can very effectively be used in techniques like posing as support staff or as a voice of authority. Many of the tactics used by social engineers can be found in the article by S. Granger [19]. L. Laribee has classified social engineering attacks into different categories in her thesis [12]. The different methods and strategies can also be found in [13], [1] and [18].

4. Previous Models of Social Engineering

The closest research work associated with this area is in the area of trust. Trust is subjective. The decision to trust someone or not may be intentional, or sometimes taken subconsciously. The “click, whirr” approach [26], [27], [28] is an easy method of manipulating trust. This has also been elaborated by Laribee in her thesis [12], where trust and the factors that influence trust are described in detail. A person’s compliance with another person’s request can be understood in terms of the human tendency to shortcut a response [25]. This makes humans truly the weakest link. Various other methods of influence and of attaining others’ trust have been elaborated by Cialdini in [28]. A summary of these models, along with persuasion, thought systems and argument quality, psychological factors that also affect decisions and responses, can be found in the work of Petty and Wegener [27].

5. Why it still works?

A social engineer utilizes the psychological weaknesses of the victims [17]. Even now, technologies like firewalls are given more than the required attention while people and processes are overlooked partially or completely. Mitnick sums it up nicely: “You could spend a fortune purchasing technology and services...and your network infrastructure could still remain vulnerable to old-fashioned manipulation.” This vulnerability is mostly due to a lack of awareness among the employees of an organization, mainly because organizations underestimate social engineering in their employee security awareness programs. Hasle et al. attempted to formulate a method to measure the resistance to social engineering in [20].

The weaknesses in humans that are exploited by social engineers have been analyzed and listed in [4], [3], [5], [6] and [8]. Obedience to authority, self-preservation and the ‘need to be liked’ are some of the psychological aspects quoted in [5]. According to Mayhorn et al., “humans tend to act or take decisions according to three factors, the user, the technology and the environment/context in which the interaction takes place” [6]. They have also researched the psychological factors like credibility, pressure, inattention etc. that make a user become a victim.

6. Countermeasures

D. Gragg has developed a multi-level defense mechanism against social engineering attacks in [24]. Recognition is the first step to preventing social engineering attacks. The importance of creating awareness about social engineering is pointed out as a countermeasure in [12]. There is no particular security patch that can be applied to prevent social engineering attacks, thus educating people about the different types of attacks and building a good security policy would be good countermeasures. Additional methods to safeguard against social engineering have been given in [16] by C. Rhodes. Mayhorn et al. have also suggested in [6] that THERP (Technique for Human Error Rate Prediction) be used by security designers.

7. Further Reading

Business Communications Review articles are a good read for being aware of the current issues in the field of information technology. The social and cultural aspects of social engineering have been explored in [7], [8], [9], [10] and [11].

8. References

[1] P. O. Okenyi, T. J. Owens, “On the Anatomy of Human Hacking”, Information Systems Security, Vol. 16, No. 6, pp. 302-314, Nov 2007.
[2] J. M. Sarriegi, J. J. Gonzalez, “Conceptualising social engineering attacks through system archetypes”, Int. J. System of Systems Engineering, Vol. 1, Nos. 1/2, pp. 111-127, 2008.
[3] D. S. Carstens, “Human and Social Aspects of Password Authentication”, Social and Human Elements of Information Security: Emerging Trends and Countermeasures, Information Science Reference, Section 1, Chapter 1, pp. 1-14.
[4] M. Nohlberg, “Why Humans are the Weakest Link”, Social and Human Elements of Information Security: Emerging Trends and Countermeasures, Information Science Reference, Section 1, Chapter 2, pp. 15-26.
[5] M. Dontamsetti, A. Narayanan, “Impact of Human Element on Information Security”, Social and Human Elements of Information Security: Emerging Trends and Countermeasures, Information Science Reference, Section 1, Chapter 3, pp. 27-42.
[6] R. West, C. Mayhorn, J. Hardee, J. Mendel, “The Weakest Link: A Psychological Perspective on Why Users Make Poor Security Decisions”, Social and Human Elements of Information Security: Emerging Trends and Countermeasures, Information Science Reference, Section 1, Chapter 4, pp. 43-60.
[7] R. Kuusisto, T. Kuusisto, “Information Security Culture as a Social System: Some Notes of Information Availability and Sharing”, Social and Human Elements of Information Security: Emerging Trends and Countermeasures, Information Science Reference, Section 2, Chapter 6, pp. 77-97.
[8] P. Drake, S. Clarke, “Social Aspects of Information Security: An International Perspective”, Social and Human Elements of Information Security: Emerging Trends and Countermeasures, Information Science Reference, Section 2, Chapter 7, pp. 98-115.
[9] M. Carr, “Social and Human Elements of Information Security: A Case Study”, Social and Human Elements of Information Security: Emerging Trends and Countermeasures, Information Science Reference, Section 2, Chapter 8, pp. 116-132.
[10] B. Hoanca, K. Mock, “Effects of Digital Convergence on Social Engineering Attack Channels”, Social and Human Elements of Information Security: Emerging Trends and Countermeasures, Information Science Reference, Section 2, Chapter 9, pp. 133-147.
[11] E. Yu, L. Liu, J. Mylopoulos, “A Social Ontology for Integrating Security and Software Engineering”, Social and Human Elements of Information Security: Emerging Trends and Countermeasures, Information Science Reference, Section 2, Chapter 10, pp. 148-177.
[12] L. Laribee, “Development of Methodical Social Engineering Taxonomy Project”, Thesis, Naval Postgraduate School, Monterey, California, June 2006.
[13] J. Baker, B. Lee, “The Impact of Social Engineering Attacks on Organizations: A Differentiated Study”, Florida Atlantic University, http://itom.fau.edu/jgoo/fa05/ISM4320/SocialEng.pdf
[14] I. S. Winkler, B. Dealy, “Information Security Technology?...Don’t Rely on It. A Case Study in Social Engineering”, Science Applications International Corporation, 5th USENIX UNIX Security Symposium, Salt Lake City, Utah, June 1995.
[15] K. Mitnick, W. L. Simon, “The Art of Deception: Controlling the Human Element of Security”, John Wiley and Sons, October 2002.
[16] C. Rhodes, “Safeguarding against Social Engineering”, East Carolina University, 2007, http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.5142&rep=rep1&type=pdf
[17] M. Nohlberg, “Social Engineering: Understanding, Measuring and Protecting Against Attacks”, Thesis Proposal, University of Skovde, Sweden, June 2007.
[18] R. Gulati, “Threat of Social Engineering and your defense against it”, GIAC Security Essentials Certification Practical Assignment, SANS Institute, 2003, http://cnscenter.future.co.kr/resource/security/hacking/1232.pdf
[19] S. Granger, “Social engineering fundamentals, Part I: Hacker tactics”, 2001, http://www.securityfocus.com/infocus/1527, cited on 9 November 2009.
[20] H. Hasle, Y. Kristiansen, K. Kintel, E. Snekkenes, “Measuring Resistance to Social Engineering”, Information Security Practice and Experience, First International Conference, ISPEC 2005, Singapore, April 2005, Proceedings, pp. 132-143.
[21] I. S. Winkler, “Case Study of Industrial Espionage through Social Engineering”, 19th National Information Systems Security Conference, 1996, http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.36.115&rep=rep1&type=pdf
[22] A. Katz, “Computers: The Changing Face of Criminality”, Unpublished Dissertation, Michigan State University, 1995, http://www.ncjrs.gov/App/Publications/abstract.aspx?ID=173511
[23] K. Bagchi, G. Udo, “An Analysis of the Growth of Computer and Internet Security Breaches”, CAIS, Volume 12, 2003, http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.138.2439&rep=rep1&type=pdf
[24] D. Gragg, “A Multi-Level Defense against Social Engineering”, SANS Reading Room, 2003, http://southwestans.com/Resources/docs/social/A%20Multi-Level%20Defense%20Against%20Social%20Engineering.pdf
[25] P. Sztompka, “Trust: A Sociological Theory”, Cambridge University Press, 1999.
[26] S. Chen, S. Chaiken, K. Duckworth, “Motivated Heuristics and Systematic Processing”, Psychological Inquiry, Vol. 10, No. 1, 1999, http://www.jstor.org/pss/1449522
[27] R. E. Petty, D. T. Wegener, “Thought Systems, Argument Quality and Persuasion”, Advances in Social Cognition: Content, Structure, Operation of Thought Systems, Vol. 4, LEA, Chapter 8, pp. 147-162.
[28] R. B. Cialdini, “Influence: Science and Practice”, 2001, http://www.influenceatwork.com/Media/RBC/Influence_SP.pdf

9. Bibliography

[29] C. Pfleeger, S. Pfleeger, Security in Computing, 4th Edition, Pearson Education Inc, 2006.
[30] S. McClure, J. Scambray, G. Kurtz, Hacking Exposed 6: Network Security Secrets and Solutions, McGraw Hill Publishers, 2009.
[31] K. Mitnick, W. Simon, The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers, Wiley Publishing, 2006.
[32] G. Notoatmodjo, “Exploring the Weakest Link: A Study of Personal Password Security”, Thesis submitted at University of Auckland, New Zealand, December 2007.
[33] J. Rusch, “The ‘social engineering’ of Internet fraud”, Paper presented at the 1999 Internet Society's INET'99 conference, http://www.isoc.org/isoc/conferences/inet/99/proceedings/3g/3g_2.htm
[34] M. Gupta, R. Sharman, Social and Human Elements of Information Security: Emerging Trends and Countermeasures, Information Science Reference, 2009.