CONTENTS
Introduction
Social Engineering
Related Studies
Social Engineering - Conclusion
Report Conclusion
References
I. INTRODUCTION
Computer security is not just about technology and systems. It is also about the people who use
those systems and how their behaviour can be exploited. The Verizon Data Breach Investigations Report
details that 28% of breaches were from social attacks, with a quarter of those occurring due to
phishing. In a phishing attack, victims are sent a spoofed email that appears to be a friendly notification
from a bank, service provider or social networking website. Figure 1 shows an example of a phishing email
from the company “1&1 IONOS”. There have been many technological advances towards preventing these
types of attacks; however, none have been able to prevent them completely, and the attack on RSA in
2011 is evidence of this.
Despite increased awareness of threats to information security, there are still violations that
elude our ability to defend against attacks, leading to losses of millions of pounds each year (Bresz, 2004).
Although many countermeasures can be automated through the continuous development of technology, this
alone cannot solve the problem (Ruighaver, Maynard and Chang, 2007).
Organizational and system security covers only part of ensuring the confidentiality, integrity and
accessibility of data; ensuring the workforce is cyber-aware and educating users to be cautious of
potential security breaches is, arguably, of greater importance. It is important to consider how the
workforce will respond to a potential breach. If a user receives a phishing email, how would they handle
it? Are the appropriate processes available to protect other users if they report the phishing email, or do
they simply delete it? Ensuring effective systems are available, and having them clearly articulated, are
essential parts of minimizing the potential risk caused by people.
This paper will discuss various methods that exploit the human factor in an organization,
including phishing tools, USB exploitation and social engineering, critically analysing methods to
measure a workforce's knowledge of these attacks and how users can be educated to not fall victim.
II. STUDY 1 - PHISHING TOOL - MEASURING THE HUMAN FACTOR
To conduct this study, IONOS will test user vulnerability by sending out decoy emails; users that
interact with the emails are informed so they can change their behavior in future. Traditionally, users
attend a training session and are informed of the threat posed by phishing emails; user awareness has
improved by changing the methods used and demonstrating users' vulnerability to them (“Gone
Phishing”, 2005). Tools have become available that send fake phishing emails as a test, but they require an
administrator to create and send the email; none of these tools provide statistics for measuring security
within an organization, such as the average number of users interacting with a phishing email (Core
Security, 2010).
III. RELATED STUDIES
Computer security demands that various techniques be developed to evaluate and compare the
design of security infrastructure, organizations and processes (S. Stolfo, S. Bellovin and D. Evans, 2011).
Typically, these focus on system security rather than people. The study conducted by IONOS is intended
to educate a portion of its customer base using decoy emails. Whilst there are more traditional methods of
training, such as seminars or articles, the resources necessary to conduct these are not always available (P.
Kumaraguru et al., 2007).
A similar study was conducted at Indiana University Bloomington that focused on social phishing
and spoofing (T. N. Jagatic, N. A. Johnson, M. Jakobsson and F. Menczer, 2007). The study sent
harmless phishing attacks to students aged 18-24, intending to show that effective phishing can exploit
social desires. However, there was no research on how the results of the testing could be used to
improve organizational security and raise awareness.
IV. ANALYSIS AND RESULTS
The phishing tool recycles an existing product provided by IONOS to provide the means to create
and send phishing emails; the data can be evaluated within the system and used to measure the
organization's security and educate users. The system's components and process are shown in Figure
2.
a) Email Generator: The email generator repurposes IONOS’ “email marketing” tool to create
a custom email that looks official and benign. Within the tool, a list of targets (an address
book) can be input to send the phishing email to. The tool allows the creation of multiple
phishing emails to be sent out to a percentage of the users, and evaluates who interacts
with them, as shown in Figure 3.
b) Website: As all the interaction data will be compiled in the Email Generator, the website (see
Figure 4) will be a page designed to educate users on phishing emails and provide a survey
for them to leave feedback. The form does not require users to identify themselves, only the
time they clicked the link in the email, the department the user belongs to and the role of the
user within the organization. Figure 4 provides a demonstration of the website.
In order to compile sufficient data, 200 emails were sent using 4 different types of decoy email.
This sample size was significant in measuring different parameters, such as whether a user opens the
email. Another reason for using 200 users was to have a large enough sample to ascertain a significant
result without being a burden to users or arousing suspicion. With permission from IONOS, all of the
subjects were unaware of the experiment. This experiment has the potential to cause frustration and cost
users' time; starting with 200 users is a small percentage of the total number of employees and won't
affect business operation.
Figure 1: System process and components
Figure 2: Phishing Email Generator
The decoy emails are sent using an external mail account from a common webmail provider.
Users that fail to identify the email as a phishing email are presented with the website shown in Figure 4,
with the following notification:
“IONOS is conducting an experiment designed to test the security measures of organizations and to
educate users on safe practices to avoid falling victim to malicious emails. The emails are sent to IONOS
employees and used to test whether users violate security policies. Whilst these emails are not sent with
any malicious intent, there are many that are intended to trick unsuspecting users into giving up personal
information.
In 2020, it is common for users to be fooled into installing malicious software after clicking on one
of these malicious emails that exploit a user's device – such as cryptomining”
As seen in Figure 3, all of the emails have a URL that appears to be external but points to an internal
address where the results are recorded by our phishing tool.
Results of experiments
The table below provides the compiled results obtained from 5 sets of the experiment. Each set took place
over 5 days, and not all users were emailed at the same time, to prevent arousing suspicion. Victims
were repeatedly targeted until they stopped interacting with the email. The results show it took several
attempts to train users to be cautious of suspicious-looking emails, but most users learned within 3 sets
not to interact with them. Figures 5 and 6 show the results and additional metrics as seen in our phishing
tool.
Table: The number of responses for each set, measuring the user response to the phishing email

Set          1st Set   2nd Set   3rd Set   4th Set   5th Set
Responses    161/200   142/200   3/200     1/200     0/200

Figure 6: Results as seen in Phishing tool for the first set
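As an added illustration of how "clicked/sent" figures like those in the table can be compiled while the survey stays anonymous (this is example code, not the IONOS tool's own): each recipient's decoy link carries an opaque per-set token, so the results page can count and de-duplicate clicks without the click log naming anyone. The HMAC token scheme, the secret and the click records are constructed assumptions of this example.

```python
import hashlib
import hmac
from collections import defaultdict

# Placeholder secret for this example; a real deployment would keep it out of source.
SECRET = b"example-campaign-secret"


def link_token(set_id, recipient_id):
    """Opaque per-recipient, per-set token embedded in the decoy link's URL."""
    msg = f"{set_id}:{recipient_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]


def build_token_index(set_ids, recipient_ids):
    """token -> set_id mapping held by the tool; the click log stores only tokens."""
    return {link_token(s, r): s for s in set_ids for r in recipient_ids}


def interactions_per_set(clicks, token_index, recipients_per_set):
    """Distinct recipients who clicked in each set, formatted like the results
    table ('clicked/sent'). clicks are (token, clicked_at, department, role);
    unknown tokens are dropped and repeat clicks by one recipient count once."""
    seen = defaultdict(set)
    for token, _clicked_at, _department, _role in clicks:
        set_id = token_index.get(token)
        if set_id is not None:
            seen[set_id].add(token)
    return {s: f"{len(seen[s])}/{recipients_per_set}"
            for s in sorted(set(token_index.values()))}


# Constructed sample: four recipients, two sets. r1 clicks the set-1 link twice,
# r3 once; only r2 clicks in set 2; one bogus token is ignored.
RECIPIENTS = ["r1", "r2", "r3", "r4"]
INDEX = build_token_index([1, 2], RECIPIENTS)
SAMPLE_CLICKS = [
    (link_token(1, "r1"), "2020-02-03T09:12", "Sales", "Analyst"),
    (link_token(1, "r1"), "2020-02-03T09:40", "Sales", "Analyst"),
    (link_token(1, "r3"), "2020-02-04T14:05", "Finance", "Manager"),
    (link_token(2, "r2"), "2020-02-11T08:30", "IT", "Engineer"),
    ("not-a-real-token", "2020-02-11T08:31", "IT", "Engineer"),
]

if __name__ == "__main__":
    print(interactions_per_set(SAMPLE_CLICKS, INDEX, len(RECIPIENTS)))  # {1: '2/4', 2: '1/4'}
```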
V. CHALLENGES FACED
Various challenges occurred during these studies, such as the frustration generated among the participants.
Even though a message was provided describing why the study had occurred, many employees still took
issue with it. Alongside this, the users who were not fooled by the phishing emails, being unaware of the
study, reported it to human resources.
VI. STUDY 1 - CONCLUSION
The results presented in the previous sections suggest that users can be trained using decoy
technology to be wary of potential threats. Applying this measurement across multiple organizations can
be effective in recording an organization's current level of security and educating its users.
VII. STUDY 2 - THUMB DRIVE EXPLOITATION
In a Universal Serial Bus (USB), or thumb drive, drop attack a potential attacker will leave a device
for people to find and then plug in to their computers. There are three primary types of attack (Zenko, 2015):
● Malicious Code – Once the drive is inserted into a device, a user will click on one of the files, which
automatically launches malicious code and can potentially begin downloading further
malware from the internet.
● Social Engineering – The file can take a user to a phishing site, which tricks them into
handing over their login credentials, see Figure 7.
● Human Interface Device Spoofing – A more sophisticated attack that tricks a computer into
thinking the device is a keyboard, which injects keystrokes to give the attacker remote access
to the victim's computer, see Figure 8.
Figure 5: HID
Table 1: Results of Bursztein’s study (Cluley, 2016).
X. STUDY 2 - CONCLUSION
Similar to the phishing email study, this serves to educate users not to access an unknown USB
drive. This study is evidence that less technical attacks remain a threat, and performing similar studies in
controlled environments will aid in educating users not to plug in unknown devices. However, there were
no follow-up results showing whether or not users fell victim to this same attack again.
X. SOCIAL ENGINEERING
Social engineering, the manipulation of people into providing confidential information, is one of the
most common causes of data breach. Social engineers will attempt to persuade individuals by appealing
to their emotions or by establishing interpersonal relationships or a sense of trust (Gao and Kim, 2017).
Promising a financial incentive or a potential prize, as seen in the phishing email test, exploits this
emotional aspect to distract victims.
Employees can have the biggest impact on an organization's security, with severe consequences. A
GDPR violation can have a significant financial impact, as the fine is set as a percentage of a company's
finances rather than a flat fee. In 2019, IONOS were fined €9.55m for GDPR violations (Spadafora, A., 2019).
will need to apply a different strategy in order to effectively train their staff to not make mistakes when it
comes to ensuring the security of the organization they work for or their customers.
In 2016, Castedo, L., et al. conducted a study into RFID (Radio Frequency Identification) to
evaluate its security and potential security risks. In recent years, various methods have been invented
that allow the cloning of RFID cards from up to 3 metres away. A potential attacker could walk around
a building with a hidden device, such as the Proxmark3 shown in Figure 6, that can clone a card's unique
code; once it is cloned, they will be able to access the building and breach systems physically.
have potential negative effects on the workforce, such as lowering morale or causing them to be
frustrated, they will have greater awareness of potential threats and how to prevent breaches.
XII. REFERENCES
Tischer, M., Durumeric, Z., Foster, S., Duan, S., Mori, A., Bursztein, E. and Bailey, M., (2016). Users Really
Do Plug in USB Drives They Find. Google: University of Michigan.
Barreto, C., Andersson, D. and Reimers, K., (2014). Post-Secondary Education Network Security: Results of
Addressing the End-User Challenge. Spain: INTED 2014 Conference.
Techradar, (2019). 1&1 hit with million-euro GDPR fine [online]. Techradar. [Viewed 4 February
2020]. Available from: https://www.techradar.com/news/1and1-hit-with-million-euro-gdpr-fine
Gao, W. and Kim, J., (2007). Robbing the cradle is like taking candy from a baby. Proceedings
of the Annual Conference of the Security Policy Institute (GCSPI), 1, 23-37. Netherlands:
Amsterdam.
Calluzzo, U. J. and Cante, C. J., (2004). Ethics in Information Technology and Software use.
Journal of Business Ethics, 51(3), 301-312.
Leyde, J., (2004). Clueless office workers help spread computer viruses. The Register, pp. 17-21.
Andersson, D. and Reimers, K., (2010). Utilizing software application tools to enhance online
student engagement and achievement [online]. Mount Olive College Focus Groups. [Viewed
22 February 2020]. Available from: https://files.eric.ed.gov/fulltext/EJ1098370.pdf
Richmond, R., (2011). The RSA Attack: How They Did It [online]. Bits. [Viewed 5 February
2020]. Available from: https://bits.blogs.nytimes.com/2011/04/02/the-rsa-hack-how-they-did-it/