ITE516 Hacking Countermeasures
Assessment Three:
Social Engineering
Jon Newson – Student # 11542153
What is Social Engineering? (p. 3)
Social Engineering Context (p. 5)
Social Engineering Examples (p. 7)
Ransomware: Australia Post Cryptolocker Attack (p. 7)
Online Social Networking Site Attacks (p. 8)
Why is combating social engineering hard? (p. 11)
Social Engineering countermeasures (p. 11)
Technical Countermeasures (p. 12)
Social Countermeasures (p. 13)
Emerging Directions of Social Engineering (p. 15)
Conclusion (p. 17)
References (p. 19)
Table 1: Social Engineering Attacks: Characteristics (p. 5)
Figure 1: Australia Post Cryptolocker Message (p. 8)
Figure 2: Security Awareness Collateral (p. 14)
Introduction
Technology hackers, of both ethical and nefarious intent, search for and attack unintended flaws
in hardware and software systems. One of the techniques at their disposal is social engineering.
Social engineering attacks exploit weaknesses in people that are generally known and documented
in the psychology literature and, to a less rigorous extent, in popular science books and
publications.
This essay discusses why social engineering attacks, or what have evolved into "technology-
assisted social engineering" (Gold, 2010, p. 11), can often be simple to implement but difficult
to detect and defend against. It presents a combined taxonomy and attack-characteristic
overview, raises some of the attack vectors involved in social engineering within that
framework, and provides countermeasures that can be proactively deployed. Firstly, it gives an
overview of what social engineering is, the different types of social engineers and some of the
psychological tools a social engineer can deploy to execute an attack; an exhaustive study is
beyond the scope of this essay. Secondly, it introduces some countermeasures for those social
tools and approaches. Thirdly, it discusses new payload vehicles and attack scenarios for social
engineering attacks. The essay concludes with a summary of the material presented.
Jon Newson Student #11542153 Page 3 of 22
What is Social Engineering?
Social engineering is not a new activity. Some define it as "any act that influences a person to
take an action that may or may not be in their best interest" (Social-Engineering Inc., n.d.).
Alternatively, it could be viewed as "the art … of skilfully manoeuvring human beings to take
action in some aspect of their lives" (Hadnagy, 2011, p. 9). Whilst some sections of the media
may portray otherwise, social engineering is not necessarily illegal. Those who practise it
comprise a wide cross-section of society, including the most trusted professionals, the people
we trust with our most personal and intimate details. Doctors and psychologists use social
engineering to gauge whether a treatment might be effective or to coax us towards therapeutic
outcomes. State actors such as skilled police detectives can use elements of social engineering
against a suspect to elicit evidence of a crime. Spies employ social engineering to carry out the
orders of their governments. Social engineering can also be a tactical defense, as Logsdon and
Patterson observed, "such as when an individual uses an alias identity when participating in a
chat room to protect privacy" (2009, p. 537).
Conversely, actors who are hostile towards us and act with malicious intent, such as identity
thieves, scam artists, and disgruntled current or former colleagues, employ it to commit fraud,
identity theft and other crimes. Skilled and renowned hackers such as Kevin Mitnick understand
that, within a cybersecurity context, "social engineering is one of the most powerful tools a
hacker can utilize as even the most secure systems can be affected" (Krombholz, Hobel, Huber, &
Weippl, 2013, p. 28). Regardless of intent, social engineers have a common aim: to have their
human target(s) regard their approach as they would a sincere and truthful interaction. To frame
the appropriate response, one has to determine whether "there is a malicious motivation to harm
the receiver of the message" (Logsdon & Patterson, 2009, p. 537). Accordingly, this essay employs
the term digital deception, defined as "intentional control of information in a technologically
mediated message to create a false belief in the receiver of the message" (Logsdon & Patterson,
2009, p. 537).
Social Engineering Context
To assist in understanding social engineering attacks, and in developing a threat model, a social
engineering attack can usually be categorised according to the characteristics in the table
below, adapted from Krombholz et al. (2013, p. 32):
Table 1: Social Engineering Attacks: Characteristics
Attack types (columns): Phishing, Clickjacking, Malware, Spoofed Content, Piggybacking,
Tailgating, Farcing, Dumpster Diving, Persuasion, Reverse Social Engineering, Trojans,
Advanced Persistent Threats, Baiting.
Characteristics (rows), with the number of the 13 attack types marked against each:
Channel: Cloud (1), Social Network (4), Telephone (3), E-mail (4), Website (7), Physical (7)
Operator: Human (10), Software (6)
Type: Physical (5), Technical (5), Social (2), Socio-technical (4)
[Only the row and column labels and the per-row counts survive in this copy of the table; the
individual cell marks do not.]
What is common to many social engineering attacks is that the most effective involve a human
operator and the telephone. As the renowned and reformed hacker Kevin Mitnick states, "the
greatest misconception about security is that a computer is the hacker's most dangerous tool.
Not so. It's the phone" (Mitnick, 2011, p. 18).
Now that the focus of social engineering is set, it is useful to understand some examples of the
psychological techniques that social engineering attacks utilise. As authors such as Logsdon and
Patterson note, social engineering attacks exploit the "asymmetric emotional relationship"
(2009) between attacker and target. This takes the form of one or more psycho-emotional
techniques used to persuade human targets, summarised by Tarkington, who augments the six
tools of persuasion researched by Cialdini (Kenrick et al., 2012), as: Referential Association,
Sensationalism, Scarcity, Acting, Question Overloading, Confusion, Claiming of Authority,
Aggressive Posturing, Pattern Interrupts, Reciprocity, Time Splitting, and Rapport.
Social Engineering Examples
In the Australian Cyber Security Centre's (ACSC) 2015 Cyber Security Survey, the most prevalent
incident type was ransomware (2015, p. 17). The ACSC defines ransomware as "extortion through
the use of malware that typically locks a computer's content and requires victims to pay a
ransom to regain access" (2015, p. 25), and reports that "the number of ransomware incidents
reported has increased … four times that of 2013" (2015, p. 23). Attacks that use social
networking sites such as Facebook are also becoming more common. Following is a brief
examination of how social engineering is used to perform such attacks.
Ransomware: Australia Post Cryptolocker Attack
During October 2014, Australian businesses, institutions and organisations were targeted with
the CryptoLocker ransomware campaign (ABC, 2014; Craggs, 2014; UNSW IT, 2014). The attackers'
pretext, or background story, is an HTML-formatted e-mail message purporting to come from
Australia Post and referring to a parcel that could not be delivered. The message would be
similar to the figure below (Australia Post Cryptolocker Email, n.d.). The attack employs several
of the psycho-emotional techniques listed above, as the figure's annotations show.
Figure 1: Australia Post Cryptolocker Message
Online Social Networking Site Attacks
The popularity of online social networks (OSNs) such as Facebook and LinkedIn has provided an
attractive attack vector for social engineering techniques. According to Irani, "attacks on social
networks are usually variants of traditional security threats (such as malware, worms, spam, and
phishing)" (Irani, Balduzzi, Balzarotti, Kirda, & Pu, 2011, p. 56). The term farcing has been
coined (Vishwanath, 2014) to refer to attacks involving fake online social network accounts on
sites such as Facebook. Farcing attacks exploit the compelling social force of conformity. As
Bullée, citing the key study by Asch, puts it: "conformity, or social proof, is imitating the
behaviour of other people. Members of the in-group have a stronger feeling of group-safety
compared with members of the out-group (Asch 1951)" (Bullée, Montoya, Pieters, Junger, & Hartel,
2015). Vishwanath observed that farcing attacks have two stages: "A first stage where phishers
use a phony profile to friend victims, and a second stage, where phishers solicit personal
information directly from victims" (2014, p. 1353). OSNs let the attacker profile and calibrate
the potential target; they provide a forum for contact and, arguably, a significant ready-made
pretext.
The first stage of farcing attacks can be automated (Boshmaf, Muslukhov, & Beznosov, 2011;
Huber, Kowalski, Nohlberg, & Tjoa, 2009). The ease of creating new accounts is a vital measure
of, and contributor to, an OSN's growth, particularly for sites where "the service itself is free
of charge and profit is made by selling online advertising services to third parties" (Huber,
Mulazzani, & Weippl, 2010, p. 81). The creation of fake OSN accounts, or sybils (Slonka, 2014;
Yang, Wilson, Wang, Gao, & Zhao, 2014), is a wide-spread problem. Sybil accounts are the
vehicles for socialbots: "A socialbot is an automation software that controls an OSN account and
has the ability to execute basic social activities such as posting a message or sending a
friendship request" (Boshmaf, Muslukhov, & Beznosov, 2012, p. 1).
The consequences of the second stage of OSN attacks range from recruiting new users for
affiliate referral fees:
"One site pays affiliates up to $6 for every user who signs up for an account and up to
$60 if a user signs up for a premium service, which typically involves paying for a
subscription using a credit card" (Symantec Corporation, 2015, p. 49)
to identity harvesting and theft, where researchers such as Bilge and others have demonstrated
attacks that "clone an already existing profile in a social network and … send friend requests to
the contacts of the victim" (2009, p. 552). The market for such activity is not as lucrative as it
once was but may still present a worthwhile return on investment. As recently as 2013, "1 MB
of email addresses is worth $0.3–$40 in IRC underground markets when bought in bulk, with an
average of $20.15 per MB" (Boshmaf, Muslukhov, Beznosov, & Ripeanu, 2013, p. 570). Whilst
such commercial rewards provide incentives to social engineers, responding to these attacks is
difficult.
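To make the two stages concrete, the following added example (not from the essay or from any of the papers it cites) applies three heuristics to an incoming friend request: a display name that matches an existing friend under a different account identifier (the cloned-profile attack described by Bilge and others), a very new account that already shares many mutual friends with the target, and a friending rate too high for a human operator. The profiles, names and thresholds are constructed for illustration only.

```python
# Added example, not from the essay: heuristics for the second stage of a
# farcing attack, where a cloned profile (Bilge et al., 2009) or a socialbot
# sends friend requests. Profiles, names and thresholds are constructed.
import unicodedata
from dataclasses import dataclass, field


@dataclass
class Profile:
    uid: str
    name: str
    friends: set = field(default_factory=set)   # uids this profile is connected to
    age_days: int = 3650                          # account age in days


def normalise_name(name):
    """Fold case, accents and punctuation so 'Bob  Tán' matches 'Bob Tan'."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    kept = "".join(c if c.isalnum() or c.isspace() else " " for c in ascii_name.lower())
    return " ".join(kept.split())


def assess_request(victim, requester, directory, new_account_days=30, rate_per_day=20):
    """Score one incoming friend request; returns (verdict, reasons).
    Thresholds are assumptions chosen for the sample data, not from the literature."""
    reasons = []
    wanted = normalise_name(requester.name)
    for uid in sorted(victim.friends):
        existing = directory.get(uid)
        if existing and uid != requester.uid and normalise_name(existing.name) == wanted:
            reasons.append("name_matches_existing_friend:" + uid)   # clone signal
    mutual = len(victim.friends & requester.friends)
    if victim.friends and mutual / len(victim.friends) >= 0.3 and requester.age_days < new_account_days:
        reasons.append("new_account_with_many_mutuals:%d" % mutual)
    if len(requester.friends) / max(requester.age_days, 1) > rate_per_day:
        reasons.append("friending_rate_over_%d_per_day" % rate_per_day)  # bulk socialbot
    if any(r.startswith("name_matches") for r in reasons):
        return "likely_clone", reasons
    return ("suspicious" if reasons else "ok"), reasons


def sample_directory():
    """Constructed OSN fragment: a victim, a real friend, a clone of that friend,
    a bulk-friending bot and an ordinary stranger."""
    alice = Profile("u1", "Alice Ng", {"u2", "u3", "u4", "u5"})
    bob = Profile("u2", "Bob Tan", {"u1", "u3"})
    clone = Profile("u99", "Bob  Tán", {"u3", "u4"}, age_days=4)
    bot = Profile("u500", "Kelly Star", {"u%d" % i for i in range(100, 400)}, age_days=10)
    stranger = Profile("u7", "Priya Raman", {"u8"}, age_days=900)
    return {p.uid: p for p in (alice, bob, clone, bot, stranger)}


if __name__ == "__main__":
    d = sample_directory()
    for uid in ("u99", "u500", "u7"):
        print(uid, assess_request(d["u1"], d[uid], d))
```

The name check is deliberately tolerant of accents and spacing, because a clone only needs to look right in a notification; the mutual-friend check is what distinguishes a clone that has already worked through the victim's contact list from a stranger with a common name.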
Why is combating social engineering hard?
Humans are social creatures, but also lazy ones with cognitive limitations that impair the
detection or more rigorous examination of social engineering attacks. Much literature reports
that “pattern matching” or “heuristics” (Chaiken, 1980; Qin & Burgoon, 2007; Vrij, 2007)
present the greatest challenge when combating social engineering. “When presented with
information online, individuals have the tendency to utilize heuristics, or mental shortcuts and
judgment rules, to make quick inferences” (Harrison, Vishwanath, Ng, & Rao, 2015, p. 3483).
“Rather than carefully scrutinising someone’s responses when attempting to detect deceit,
observers may instead rely on general decision rules” (Vrij, 2007, p. 400). Effective social
engineers understand that people will unknowingly resort to mental shortcuts when pressured.
As Vrij observed “… this is the most effective way for observers with limited time and attention
resources to deal with complex environments (Macrae & Bodenhausen, 2001)” (2007, p. 400).
Social engineers can thus calibrate the emotional and psychological backdrop with the
psychosocial techniques raised previously. These heuristics are set against a general tendency
towards optimism. “In daily life, people encounter more truthful than deceptive messages, and
they therefore assume that the behaviour they observe is usually honest” (Vrij, 2007, p. 400).
Social Engineering countermeasures
Countermeasures to social engineering require both social and technical measures. This section
examines the most common countermeasures that could address the attack examples discussed
previously and social engineering attacks generally. "If resources were unlimited, or
countermeasures were costless, then of course we could take action against every possible
scenario we could think of" (Herley & Pieters, 2015, p. 113). Hence, these countermeasures are
certainly not exhaustive, and should not be misinterpreted as a substitute for controls
recommended in standards such as the ISO/IEC 27000 series and PCI DSS. See also Boshmaf et al.
(2012) and Fire, Goldschmidt, and Elovici (2014) for treatments of OSN-specific defenses.
Technical Countermeasures
Given the prevalence of e-mail-delivered phishing attacks and malware, the following
countermeasures should be employed. No single countermeasure will address the spread of attack
vectors; hence a defense-in-depth and defense-in-breadth response is necessary.
i. Email client software should employ a standard configuration that blocks the loading of
remote content, or at least only allows remote content (remote images, scripts and other active
content) from whitelisted sources. Remote images also act as read receipts that confirm a live
mailbox to the sender.
ii. Restrict email attachments, or at least quarantine them in an area where they can be
individually investigated before use. Executable and archive attachment types are the first
candidates for blocking at the mail gateway.
iii. Do not follow links in unsolicited messages to reach a "recommended" website; given its
ubiquity, use Google (or a saved bookmark) to locate the organisation's genuine URL instead.
iv. As OSNs are a standard customer engagement and support channel for many
organisations, the security threats can be mitigated by a number of commercial security
solutions. Free products such as AVG PrivacyFix "offers its users a simple way to manage
their privacy settings on Facebook, LinkedIn, and Google. Additionally, PrivacyFix helps its
users block over 1200 trackers by following their movements online" (Fire et al., 2014, p.
2028).
v. Removing installed 3rd-party applications is just as important a countermeasure for OSNs
as it is for the corporate server farm. As many users will not have the resources to
identify and understand the risks and weaknesses in 3rd-party applications, removing
them reduces a potential victim's attack surface.
vi. Block or disable geo-location awareness. "Many users publish their current or future
location in multiple OSNs, and this information can be used by criminals or stalkers" (Fire
et al., 2014, p. 2032).
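The following added example (not from the essay) shows what countermeasures i to iii look like when automated in a mail-gateway or triage script: it parses a message and reports remote images, links whose visible text names one domain while the href points to another, off-site links, urgency phrasing and risky attachment types, the indicators a reader of the Australia Post lure would be trained to spot. The lure message, the .example domains, the short second-level-domain list and the indicator thresholds are constructed for illustration and are not taken from the real campaign.

```python
# Added example, not from the essay: score a message for the lure indicators
# that the technical countermeasures above target. Message, .example domains
# and thresholds are constructed for illustration.
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cab", ".zip", ".rar")
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "will be returned", "final notice")
SECOND_LEVEL = {"com", "co", "net", "org", "gov", "edu", "ac"}  # assumption: no public-suffix list


class LinkAndImageParser(HTMLParser):
    """Collect (href, visible text) for <a> tags and remote <img src> URLs."""
    def __init__(self):
        super().__init__()
        self.links, self.remote_images = [], []
        self._href, self._text = None, []
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._href, self._text = attrs["href"], []
        elif tag == "img" and str(attrs.get("src")).startswith(("http://", "https://")):
            self.remote_images.append(attrs["src"])
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate the registrable domain (e.g. auspost.com.au, corp.example)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyse(raw_message):
    """Return the list of indicators found in an RFC 5322 message string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    sender_domain = registrable_domain(msg["From"].addresses[0].domain)
    reply_to = msg["Reply-To"]
    if reply_to and registrable_domain(reply_to.addresses[0].domain) != sender_domain:
        findings.append("reply_to_domain_differs")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    if body is not None and body.get_content_subtype() == "html":
        parser = LinkAndImageParser()
        parser.feed(text)
        if parser.remote_images:            # remote images double as read receipts
            findings.append("remote_images")
        for href, visible in parser.links:
            host = urlparse(href).hostname or ""
            if registrable_domain(host) != sender_domain:
                findings.append("link_offsite:" + host)
            # Visible text that looks like a domain while the href points elsewhere
            shown = re.match(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", visible.lower())
            if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
                findings.append("link_text_mismatch:" + visible)
    if any(p in text.lower() for p in URGENCY_PHRASES):
        findings.append("urgency_language")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS) or name.count(".") > 1:  # incl. double extensions
            findings.append("risky_attachment:" + name)
    return findings


def build_sample_lure():
    """Constructed lure in the style of the 2014 parcel-notification e-mails."""
    msg = EmailMessage()
    msg["From"] = "Australia Post <noreply@auspost-notify.example>"
    msg["Reply-To"] = "claims@parcel-track.example"
    msg["To"] = "victim@corp.example"
    msg["Subject"] = "Your parcel could not be delivered"
    msg.set_content("Your parcel could not be delivered. Print the label to collect it.")
    msg.add_alternative(
        "<html><body><p>Your parcel could not be delivered. It will be returned "
        "to sender if not collected within 24 hours.</p>"
        '<p><a href="http://parcel-track.example/label">auspost.com.au/track</a></p>'
        '<img src="http://parcel-track.example/pixel.gif"></body></html>', subtype="html")
    msg.add_attachment(b"PK\x03\x04 not a real archive", maintype="application",
                       subtype="zip", filename="Parcel_Information.pdf.zip")
    return msg.as_string()


def build_benign_message():
    msg = EmailMessage()   # constructed internal message with none of the indicators
    msg["From"] = "Jane Colleague <jane@corp.example>"
    msg["To"] = "victim@corp.example"
    msg.set_content("Are you free for lunch on Thursday?")
    return msg.as_string()
```

Run `analyse(build_sample_lure())` to list the indicators; the constructed lure trips all six, while the benign message trips none. In production the crude `registrable_domain` should be replaced by a public-suffix-list lookup, and "off-site link" is informational rather than a verdict, since legitimate bulk mailers also link to third-party domains.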
Social Countermeasures
It is important, regardless of the countermeasures employed, that the reasons for implementing
them are communicated with sensitivity. This is particularly the case for penetration tests,
where the unfortunate employee who succumbed to a social engineering attack may develop
feelings of vulnerability, betrayal, guilt and remorse. Such effects may produce a disgruntled
employee who wishes to exact revenge on their employer for placing them in such a position.
i. Security Awareness Training is a technique endorsed by many (Mowbray, 2013; Brody,
Brizzee, & Cano, 2012). A useful demonstration of the efficacy of security awareness training
was reported by Bullée and others (2015), whose experiment found a 25% reduction in
susceptibility to suggestion and coercion. According to Mowbray, "security awareness training
should be mandatory for every person in an organization. Training should be completed before a
person is given computer access, and then the organization should conduct annual refresher
courses" (Mowbray, 2013, p. 48). Training should be supported by reinforcement messages on
corporate collateral such as that documented as part of Bullée's study (2015, p. 105):
Figure 2: Security Awareness Collateral.
ii. Information Security Policies: A well-formed and comprehensively communicated
information security policy can be an effective countermeasure against human-agent attacks.
There should be clear expectations for all staff regarding network authentication
requirements, and clear and enforced procedures for password resets. Such policies are
merely corporate tinsel if they aren't enforced. Executive management must endorse, and
actively enforce, the authority of help desk staff to follow protocol. Employees who pressure
help desk staff, whether with benign or more aggressive postures, to circumvent controls 'just
this once' because 'I'm on a deadline' or 'my boss really needs this' should be subject to an
escalating scale of disciplinary action. This is particularly important in organisational cultures
where authority is accorded reverence, as Bullée's study found that awareness training produced
no reduction in compliance with requests from authority (2015, p. 97).
iii. Dumpster diving prevention: cross-cut paper shredders, well-lit areas for bin storage, and
physical media destruction.
iv. Separation of Duties: Whilst this is a standard control to prevent internal fraud, it also
limits what a social engineer can achieve if a physical breach of a company's premises were to
occur, since no single deceived or cooperating employee can complete a sensitive transaction
alone.
v. Telephone training: To reiterate Mitnick, the telephone is the hacker's "most dangerous
tool" (2011, p. 18). According to Mowbray, "the training should articulate the organization's
policies on what information can be divulged to which groups of customers or co-workers"
(2013, p. 48).
vi. Live drills and tests: Some organisations may have financial reporting standards that
require statements justifying the return on investment (ROI) of security spending. As noted by
Pieters, "adversarial experiments" (Pieters, Hadžiosmanović, & Dechesne, 2015) are crucial to
measure the efficacy of awareness training. Live drills and tests may have a multiplying
effect, but as potential targets acclimatise, the awareness gained may dissipate, so it is
important that drills and tests are regularly repeated such that users are kept vigilant. A
recent study within a corporate environment by Caputo and others found that
"dedicated security staff and cybersecurity tools, such as firewalls
and monitored antivirus software, provide a level of security
usually not available on home computers. These controls make
interviewees more likely to click links in emails or on the Web while
using their corporate computers, because they feel more protected
within the company firewall" (2014, pp. 36-37).
Such entrenched habits and psychological postures may require repeated exposures before
behavioural patterns change.
Emerging Directions of Social Engineering
As technology presents more social utility and perceived benefit, social engineers explore these
new potential targets. Novel technology domains such as the Internet of Things (IoT), in which
devices that do not present a traditional computer interface are deployed in many different
forms, are one example. Wearable technology such as physical activity trackers (e.g.
sophisticated pedometers, heart rate monitors) and smart watches present themselves as
possible targets for malevolent social engineers in two ways. Firstly, the vast quantity of data
that such devices harvest could present an attractive target. The sharing of health data, sleep
patterns and other physical activity via manufacturer or other sites "faces not only the
traditional mobile communication network security issues but also some special security issues
different from existing ones. This is because it is constituted by a large number of machines,
lack of effective monitoring and management" (Gang, Zeyong, & Jun, 2011, p. 3). Such data
could be used to create a variation on pleaserobme.com, inferring when a home is unoccupied
from published activity and location records. Secondly, there are numerous studies, such as
those by Setz (2010), Bauer and Lukowicz (2012), and Sano and Picard (2013), into the utility of
wearable devices as stress monitors, provided they have the "ability to discriminate cognitive
load from stress" (Setz et al., 2010, p. 410). Despite such investigations, there is little research
into the impact of wearable devices themselves as a stressor and generator of cognitive load.
Such developments are an important avenue of further research.
Conclusion
Social engineering techniques can be benign or malicious. Professionals such as medical doctors
and psychologists are just as likely to employ social engineering techniques as an identity thief
or fraudster. It is one's intent that categorises its use; accordingly, we must be aware of
situational context so that an appropriate response can be exercised. Social engineering attacks
can be manifested by any combination of human and technological actors. Because these attacks
can be adaptive, defenses against them must be broad, deep and refreshed regularly so that
potential targets are kept vigilant. By categorising social engineering attacks according to
delivery characteristics, a taxonomy or a similar classification scheme, social and technical
countermeasures can be developed that appropriately address an attack's characteristics. The
countermeasures that address the OSN attack vectors derive from established principles that
are still effective and necessary to defend against other attack vectors.
Whilst OSNs currently present a fertile and commercially lucrative avenue for social engineering
attacks, this does not mean that those responsible for other historically targeted areas can be
complacent. The telephone and other direct means of human contact remain an ever-present
source of attacks. Humans present an attractive and lucrative social engineering target because
of our innate optimism bias and our trusting nature. Our propensity, through both habit and the
neural pattern matching called heuristics, to assess social engineering threats inadequately will
likely be exploited with greater verve to target domestic technology and increasingly affluent
populations. The adoption of wearable technologies such as the Apple Watch, and of gadgets
that connect into the evolving IoT, should not be ignored. While architects and engineers
grapple with storage and bandwidth issues, a hacker is considering how such devices can be
exploited.
References
ABC. (2014, October 7). Crypto-ransomware attack targets Australians via fake Australia Post emails. Retrieved January 5, 2016, from http://www.abc.net.au/news/2014-10-07/fake-auspost-emails-used-in-crypto-ransomware-attack/5795734
ACSC. (2015). 2015 Cyber Security Survey: Major Australian Businesses, 1–32.
Australia Post Cryptolocker Email. (n.d.). Retrieved from http://auspost.com.au/media/images/scam-email-example2-aug14-b.gif
Bauer, G., & Lukowicz, P. (2012). Can smartphones detect stress-related changes in the behaviour of individuals? Pervasive Computing and ….
Bilge, L., Strufe, T., Balzarotti, D., & Kirda, E. (2009). All your contacts are belong to us: automated identity theft attacks on social networks (pp. 551–560). Presented at the Proceedings of the 18th ….
Boshmaf, Y., Muslukhov, I., & Beznosov, K. (2011). The socialbot network: when bots socialize for fame and money. Presented at the Proceedings of the 27th ….
Boshmaf, Y., Muslukhov, I., & Beznosov, K. (2012). Key challenges in defending against malicious socialbots. Presented at the Proceedings of the 5th ….
Boshmaf, Y., Muslukhov, I., Beznosov, K., & Ripeanu, M. (2013). Design and analysis of a social botnet. Computer Networks, 57(2), 556–578. http://doi.org/10.1016/j.comnet.2012.06.006
Brody, R. G., Brizzee, W. B., & Cano, L. (2012). Flying under the radar: social engineering. International Journal of Accounting & Information Management, 20(4), 335–347. http://doi.org/10.1108/18347641211272731
Bullée, J.-W. H., Montoya, L., Pieters, W., Junger, M., & Hartel, P. H. (2015). The persuasion and security awareness experiment: reducing the success of social engineering attacks, 11(1), 97–115. http://doi.org/10.1007/s11292-014-9222-7
Caputo, D. D., Pfleeger, S. L., Freeman, J. D., & Johnson, M. E. (2014). Going Spear Phishing: Exploring Embedded Training and Awareness. IEEE Security & Privacy, 12(1), 28–38. http://doi.org/10.1109/MSP.2013.106
Chaiken, S. (1980). Heuristic versus systematic information processing and the use of source versus message cues in persuasion. Journal of Personality and Social Psychology, 39(5), 752–766. http://doi.org/10.1037/0022-3514.39.5.752
Craggs, A. (2014, October 8). Cryptolocker (Again!) - Secure IT. Retrieved January 5, 2016, from https://blogs.adelaide.edu.au/secureit/2014/10/08/cryptolocker-again/
Fire, M., Goldschmidt, R., & Elovici, Y. (2014). Online Social Networks: Threats and Solutions. IEEE Communications Surveys & Tutorials, 16(4), 2019–2036. http://doi.org/10.1109/COMST.2014.2321628
Gang, G., Zeyong, L., & Jun, J. (2011). Internet of Things Security Analysis (pp. 1–4). Presented at the 2011 International Conference on Internet Technology and Applications (iTAP), IEEE. http://doi.org/10.1109/ITAP.2011.6006307
Gold, S. (2010). Social engineering today: psychology, strategies and tricks. Network Security, 2010(11), 11–14. http://doi.org/10.1016/S1353-4858(10)70135-5
Hadnagy, C. (2011). Social Engineering. Indianapolis: Wiley.
Harrison, B., Vishwanath, A., Ng, Y. J., & Rao, R. (2015). Examining the Impact of Presence on Individual Phishing Victimization (pp. 3483–3489). Presented at the 2015 48th Hawaii International Conference on System Sciences (HICSS), IEEE. http://doi.org/10.1109/HICSS.2015.419
Herley, C., & Pieters, W. (2015). If you were attacked, you'd be sorry: Counterfactuals as security arguments (pp. 112–123). Presented at the New Security Paradigms Workshop, New York, New York, USA: ACM. http://doi.org/10.1145/2841113.2841122
Huber, M., Kowalski, S., Nohlberg, M., & Tjoa, S. (2009). Towards Automating Social Engineering Using Social Networking Sites. 2009 International Conference on Computational Science and Engineering (Vol. 3, pp. 117–124). IEEE. http://doi.org/10.1109/CSE.2009.205
Huber, M., Mulazzani, M., & Weippl, E. (2010). Who on Earth Is "Mr. Cypher": Automated Friend Injection Attacks on Social Networking Sites. In Security and Privacy – Silver Linings in the Cloud (Vol. 330, pp. 80–89). Berlin, Heidelberg: Springer Berlin Heidelberg. http://doi.org/10.1007/978-3-642-15257-3_8
Kenrick, D. T., Goldstein, N. J., & Braver, S. L. (2012). Six degrees of social influence: science, application, and the psychology of Robert Cialdini (pp. 1–206). New York: Oxford University Press.
Krombholz, K., Hobel, H., Huber, M., & Weippl, E. (2013). Social engineering attacks on the knowledge worker (pp. 28–35). Presented at the 6th International Conference, New York, New York, USA: ACM Press. http://doi.org/10.1145/2523514.2523596
Logsdon, J. M., & Patterson, K. D. W. (2009). Deception in Business Networks: Is It Easier to Lie Online? Journal of Business Ethics, 90(S4), 537–549. http://doi.org/10.1007/s10551-010-0605-z
Mitnick, K. D. (2011). Are You the Weak Link? Harvard Business Review, 18–20.
Mowbray, T. J. (2013). Cybersecurity: Managing Systems, Conducting Testing, and Investigating Intrusions (pp. 1–362). Wiley.
Pieters, W., Hadžiosmanović, D., & Dechesne, F. (2015). Security-by-Experiment: Lessons from Responsible Deployment in Cyberspace. Science and Engineering Ethics, 1–20. http://doi.org/10.1007/s11948-015-9648-y
Qin, T., & Burgoon, J. K. (2007). An Investigation of Heuristics of Human Judgment in Detecting Deception and Potential Implications in Countering Social Engineering (pp. 152–159). Presented at the 2007 IEEE Intelligence and Security Informatics, IEEE. http://doi.org/10.1109/ISI.2007.379548
Sano, A., & Picard, R. W. (2013). Stress recognition using wearable sensors and mobile phones. Affective Computing and Intelligent ….
Setz, C., Arnrich, B., Schumm, J., La Marca, R., Troster, G., & Ehlert, U. (2010). Discriminating Stress From Cognitive Load Using a Wearable EDA Device. IEEE Transactions on Information Technology in Biomedicine, 14(2), 410–417. http://doi.org/10.1109/TITB.2009.2036164
Slonka, K. J. (2014). Awareness of malicious social engineering among facebook users.
Social-Engineering Inc. (n.d.). What is Social Engineering? Retrieved December 25, 2015, from
Symantec Corporation. (2015). 2015 Internet Security Threat Report, 20, 1–119.
UNSW IT. (2014, August 8). Information CryptoLocker Ransomware. Retrieved January 5, 2016, from https://www.it.unsw.edu.au/news/crypto_locker.html
Vishwanath, A. (2014). Diffusion of deception in social media: Social contagion effects and its antecedents. Information Systems Frontiers, 17(6), 1353–1367. http://doi.org/10.1007/s10796-014-9509-2
Vrij, A. (2007). Detecting Lies and Deceit: Pitfalls and Opportunities (2nd ed., pp. 1–504). Chichester: John Wiley & Sons.
Yang, Z., Wilson, C., Wang, X., Gao, T., & Zhao, B. Y. (2014). Uncovering social network sybils in the wild. ACM Transactions on Knowledge Discovery From Data, 29. http://doi.org/10.1145/2556609


