Professional Documents
Culture Documents
01 GreavuSerban
01 GreavuSerban
net/publication/273708458
CITATIONS READS
13 4,112
2 authors:
Some of the authors of this publication are also working on these related projects:
All content following this page was uploaded by Valerică Greavu-Serban on 18 March 2015.
Social engineering is considered to be a taboo subject in nowadays society. It involves the use
of social skills or to obtain usernames, passwords, credit card data, or to compromise or
altering the information and systems of an entity. Social engineering methods are numerous
and people using it are extremely ingenious and adaptable. This technique takes advantage of
the intrinsic nature of mankind, to manipulate and obtain sensitive information, persuading
people into divulge it, using exceptional communication skills. Thus, five models of
persuasion were identified, based on: simplicity, interest, incongruity, confidence and
empathy, exploiting key factors which predispose people to fall victim to attacks of social
engineering such as greed, self-interest, guilt or ignorance. It is well known fact that security
is as strong as the weakest link in its chain (individuals) therefore, beyond technical
measures, staff training is the key to success in defending against such attacks.
Keywords: Social Engineering, Persuasion, Trust, Risk, Sensitive Information, Online
Security, Confidence, Manipulation, Attack, Staff Training
1 Social Engineering
The society of 21st century has been
defined as being based primarily on
methods through which an individual or a
group of individuals are manipulated into
providing access to certain information or
knowledge. Furthermore it has been founded used to induce certain behaviour. [1]
on the exchange of data between all fields of In order to avoid technical security measures
activity. Nowadays, the amount of set to prevent attackers from breaking into
information held is directly proportional to systems, they have developed various
the power that an individual can have on procedures to bypass the software or
others; therefore, a very important aspect is hardware elements utilized. Social
not only acquiring but also protecting it from engineering is based on using psychological
potential attacks. The emergence of stratagems on system’s users, thereby
numerous systems and protection obtaining important data, such as usernames,
mechanisms seemed to have solved the passwords, security codes, access codes,
security problems. However, it has been credit card numbers and additional
discovered that the crucial element as information for immediate benefits or ulterior
remained the individual and not the machine, ones. [2]
that installing the latest applications does not Under the conditions listed above, plus given
guarantee a complete protection of the the fact that despite the automation of the
system as it is not necessary to force it to machines and networks, nowadays, there is
infiltrate yourself, it is easier to get the not a single computerized system that does
information needed using persuasion or not depend on human factor; social
goodwill. Social engineering is a set of engineering is a hot topic in modern society.
methods by which an individual or group of There will always be people responsible for
individuals are manipulated to provide access providing information and maintenance of
to certain information or to print a certain the systems. However social engineering has
behaviour existed since the beginning of all times and
this due to people’s predilection to be polite,
2 Social Engineering from a Non- to help each other and trust each other. It is in
Technological Point of View human nature [3]. This technique takes
Social engineering represents a set of advantage of the intrinsic nature of mankind
DOI: 10.12948/issn14531305/18.2.2014.01
6 Informatica Economică vol. 18, no. 2/2014
to manipulate others and obtain sensitive interest, guilt, likelihood to trust others,
information. In fact, most people who ignorance and so on.
disclose data are aware of that, but they often Successful social engineers are confident and
believe that the information provided is not in control of the conversation. They simply
essential. The goal of social engineers, act as if being part of the system even though
however, is to join pieces of information they should not be and their self-confidence
gathered from various sources. will dispel the doubts of others, with ease.
As for non-technological view, social Social engineers will also use humour and
engineering overlaps to some extent with the compliments in conversation. They may even
policy above all as a social science. Its offer small gifts to employees, establishing a
development made possible the gathering and connection that could be used in the future.
analysis of information about social attitudes These kinds of gestures are often successful
and trends, as it is necessary to establish the manners of winning people’s trust because
initial state of a society and to predict the sympathy and cooperation are great ways in
effects of decisions that might be taken. which people interact naturally, under
Social engineering, however, arose from the suitable conditions. [5]
beginning of all time. "The fall into sin" of If a program cannot be upgraded,
the first two people would not have been downloaded or there are no patches available
possible without the serpent using its power the solution is simple: it can be replaced or
of persuasion on Eve and Eve on Adam. removed. In terms of people decisions are not
Amenhotep III, himself, during Egypt’s so simple. A person who has been victim of a
perhaps most prosperous period has managed social engineering attack cannot be replaced
with his skills as a diplomat to impose and by another version of the same individual;
maintain power on today’s Syria and moreover, hiring a more capable one is not
Palestine, without the need of military necessarily the most feasible solution
control. Even the Greeks used their social because the time used for their training can
skills in order to obtain their goals; see the be a waste of resources, considering that the
well-known story of the Trojan horse built methods of attack are rapidly expanding. [6]
under the command of Ulysses, but brought People are very careful when it comes to
in city by the Trojans themselves. The unauthorized installation of software in order
importance of persuasion and "deception" to extract information from the operating
has been described by Sun Tzu in the "Art of system, but their ability to cope with social
War", stating that it is very important to engineering especially under pressure, lacks.
simulate failure and passivity when you are Individuals tend to trust strangers or partially
active, forcing the enemy to perceive unknown people, accepting to share more or
weaknesses and strengths and contrariwise. less precious information about their work
[4]. In 1979, Kevin Mitnick introduced a new due to either for being ignored or craving to
concept related to the art of persuasion, by be noticed. The solution to this problem is to
taking into consideration the technical notify, educate and inform employees about
aspects of this science. This new domain was the existence of areas and dangerous actions,
called social engineering. Mitnick regardless of their job.
demonstrated that despite the numerous It has been noticed that offering bonuses or
measures of assuring information security favours often creates an obligation of
and the latest technologies, security is as reciprocity to the person who has received
strong as its weakest link, the human factor. them. It has been shown, however, that the
[3] value of these small favours depreciates over
3 The Taxonomy of Vulnerable Users time, so it is vital that the interlocutors
It is said that there are several key factors remember and perceive the importance of the
that prone people to fall victim to social services/goods; so a good social engineer
engineering attacks, for example: greed, self- will always remind the members of staff
DOI: 10.12948/issn14531305/18.2.2014.01
Informatica Economică vol. 18, no. 2/2014 7
about their acts of kindness. [7] response and will and they will passively
Curiosity and the fact that the victims are not witness any events that will threat system’s
well informed are other faults exploited by security.
social engineers. Huge buttons and windows Boredom is also menacing factor
with attractive design promising interesting information’s security being induced by
experiences makes people to access web repetitive tasks. Thus, individuals learn
links without verifying the information shortcuts to ease their tasks’
submitted. accomplishment, using minimal effort. Soon,
Generating the impression of imminence and such persons become lazy and unchallenging
must have service/product leads users to to attack; the social engineer knowing that he
behave correspondingly, regardless of the will receive the necessary information
potential negative effects involved by their without difficulty, due to the attitude adopted
actions. by these people towards their work. [8]
Another characteristic of individuals that is Fear of authority. Many people are reluctant
exploited by social engineers represents in presence of someone perceived or having
kindness to those in need. It is a well-known, an authoritarian attitude, feeling intimidated
classic way to acquire unauthorized access to by them most of the time. Attackers assume
buildings without using any kind of force; similar roles such as lawmen or senior
intruders are helped by employees just officials in companies in order to extract
because they are carrying a huge stack of sensitive information regarding the
folders. organization/entity.
Greed is what makes us susceptible to some
form of bribery or seduction. Thus, people in 4 Persuasion Seen as the Art of
lower positions within companies such as Manipulation
porters, janitors, messengers, dissatisfied “People will do anything for those who
with their remuneration, are more easily encourage their dreams, justify their failures,
persuaded to provide information or access to allay their fears, confirm their suspicions
buildings in exchange of financial benefit, and help them throw rocks at their enemies.”
than those involved in management.
Self-distrust. People are very reluctant to ask Blair Warren
a foreign person to identify or tend not to The purpose of persuasion is to make the one
watch as passwords or access codes are next to you feel fulfilled even if you
entered; as social engineers are masters when managed to convince him. Persuasion is not
it comes to self-confidence and only a science; persuasion is an art, and
dissimulation, they can easily intimidate their sometimes involving compromise beyond
interlocutors. exceptional communication skills. To be
Thoughtless or frivolity are seen as signs that persuasive involves knowing to ask the right
are indicate failure of attention. It is known questions at the right time, convince people
that most users are not experts in security to accept your opinions, all by themselves,
systems, but it is easy to disguise this small and not by using force. Unlike manipulation,
defect through proper education and the outcome of persuasion is sustainable;
implementing realistic policies. [3] persuasion being nothing but a victory over
Another flaw that undermines the security of the others. [9]
a system is the apathy of employees. This is a The purpose of persuasion is to convince
problem connected with human resources people to support an individual. Subjects are
management including the process of those rather undecided, while limiting the
selecting the staff. Associated with effects that people with strong convictions
indifference and insensitivity, apathy can have on the individuals concerned.
characterizes an individual completely Thus five models of persuasion were
detached from the environment, lack of identified based on: simplicity, self-interest,
DOI: 10.12948/issn14531305/18.2.2014.01
8 Informatica Economică vol. 18, no. 2/2014
mismatch, trust, and empathy. [10] coat. When the supervisor was not wearing
Simplicity refers to the technique of his uniform, the number of those complying
presenting the arguments supporting a cause has been decreased with almost 25 %.
and not the topic itself; the more complex the Empathy. Humans evolved in small
speech will be, the more confused the listener communities and then in societies. Living
will get. If the goal is to determine someone together has been advantageous for survival,
to remember something, then a subtle based on the existence of trust and for
message will be more effective (using simple gaining it one must understand how others
titles- based on the principle “less is more”). think and feel. Empathy is nothing but
Self-interest. Despite the fact that humans are evidence of exaggerated worry towards the
social animals characterized by selfishness, rest of the community. Showing empathy and
after all what motivates them itself- interest. trust increases considerably the chances to
Faced with the fact that others may have as a prevail upon a certain person.
goal taking advantage of others, the All elements mentioned above show signs of
temptation is to be the first to act. It has been being deeply embedded in the human psyche.
proved that helping others, being altruistic, Among all the need for identity comes first
triggers fulfilment which is the ultimate goal. and is supplied largely by interactions
Another important concept when it comes to between individuals. A factor of great social
self-interest is related to perception. People importance is creating connections with other
do things that they consider assumed in their members of the society thus emerging a mix
advantage. Therefore, the individual’s belief of identities.
that an idea is his benefit will determine him Aristotle described three ways of changing
to apprehend it, regardless of the veracity of others’ opinions and imposing one’s own
its accuracy. beliefs. Thereby the ethos uses trust and
Mismatch. Congruent shapes are those that focuses mainly on the speaker, designating
are identical in all aspects; coinciding exactly him/her as a moral person, having good
when superimposed. The incongruous do not character. Reputation and credibility depend
seem to belong together. In an attempt of on the competence and the way they are
understanding their personal universe, people depicted. Self- confidence, according to
will continuously seek for well-known Aristotle, is one of the key factors when it
known models. The main advantage is that comes to persuasion, often coexisting with
the models are reliable and predictable, and mimics, gestures, and eye contact signalling
the brain generates the perception of retrieval self-reliance.
in their harmony. The reverse is feeling Pathos often appeals to listener’s emotions
uncomfortable when things cannot be and aims to stimulate his interest. An
assigned to existing models. If things are effective way to arouse passion is to appeal
different than the pattern imagined, to one’s moral and spiritual values; ethos
confusion may occur, and the subjects often facilitating then the process of displaying
resort to self-deception and predisposition to individual’s values and juggling with
see what people want to see, not reality. objectives, interests, and even opinions of
Confidence will cover a lot of shortcomings. others. [11]
The ability to present things as an expert Language has also a significant effect on
guarantees success. This goes for people emotions, keywords being able to prompt
granted with authority; symbols of power are sensations and feelings.
accepted and followed unconditionally. For Logos focuses on arguments using logic and
example, in the famous Milgram rational explanations or conclusive
experiments, about 65 % of people involved evidences. The latter, together with science
were persuaded to administer lethal doses of are based on the use of empirical evidence.
electricity to strangers just because they have Providing evidence makes it difficult to
been ordered to do so by a man in a white pledge a negative response in the context of
DOI: 10.12948/issn14531305/18.2.2014.01
Informatica Economică vol. 18, no. 2/2014 9
DOI: 10.12948/issn14531305/18.2.2014.01
10 Informatica Economică vol. 18, no. 2/2014
DOI: 10.12948/issn14531305/18.2.2014.01
Informatica Economică vol. 18, no. 2/2014 11
Fig. 1. Safeguards
Source: Meghantan, N., Network and Information Security Principles, Policies, and models,
Jacksson State University, 2011, p 12.
Thus, switching to sophisticated architectures and they could always store important files
of information systems, automated processes on them. Moreover, 25 % of companies said
within the company involves an increased that along with the departure of employees,
risk exposure of information. When sensitive they had experienced significant losses of
information about the activity of the entity sensitive information. [22]
or its employees are compromised as a result Considering all these aspects, it is essential
of viruses or other persons entering the that companies protect their data, by using
system, it appears a delay in the production both classical methods: antivirus, firewall,
cycle and economic losses, affecting the anti-malware, etc. and customized solutions
company's ability to operate. that fully meet the users’ requirements.
The same study, conducted by Symantec Above all, the most effective method of
showed that often the companies, although combating social engineering remains staff’s
they are aware of the importance of training.
information’s security, they are not willing to
invest in projects that could protect them. 7 Case Study
Thus, the research revealed that 20 % of the In order to support the facts stated in the
systems administered mail boxes of present paper, we applied an anonymous
employees but they were not secured questionnaire (used for research purposes
properly, and 60 % of their wireless networks only) containing 20 questions on 131
were unreliable. Additionally, most small students of the Faculty of Economics and
businesses (75 %) did not take any action in Business Administration distributed during
order to secure their systems. [20] an exam.
Security breaches together with the fines Some of the main objectives of this survey
received for non-compliance with were:
international standards, result in loss of • To identify the frequency of use of social
competitiveness, investor confidence and networks and e-mail platforms;
even their support. [21] • If the subjects use the same passwords
However, it must be considered that and same user-name in multiple accounts;
unrealized gains and loss of customer • To determine the subjects’ willingness to
databases, theft or loss of capital prototype reveal their passwords and their
image and the time needed to regain significance;
customer confidence, market position, • To determine whether students have
implementing security solutions can also be provided passwords to others;
considered as being negative aspects of • To determine students’ readiness to offer
social engineering. their passwords for various benefits
In Romania, 90 % of IT managers are (exam promotion, money);
unaware that their systems may store • To identify whether the subjects were
confidential data, while 75 % of them stated resistant to disclose they credentials
that employees have portable storage devices under teachers’ pressure;
DOI: 10.12948/issn14531305/18.2.2014.01
12 Informatica Economică vol. 18, no. 2/2014
DOI: 10.12948/issn14531305/18.2.2014.01
Informatica Economică vol. 18, no. 2/2014 13
DOI: 10.12948/issn14531305/18.2.2014.01
14 Informatica Economică vol. 18, no. 2/2014
DOI: 10.12948/issn14531305/18.2.2014.01