
A Framework for Conceptualizing Social Engineering Attacks

Conference paper, in: Critical Information Infrastructures Security (CRITIS 2006)

Part of the book series: Lecture Notes in Computer Science ((LNCCN,volume 4347))

Abstract

At the highest abstraction level, an attempt by a social engineer to exploit a victim organization either attempts to achieve some specific target (denial of service, steal an asset, tap some particular information) or it wishes to maximize an outcome, such as to disable the organization by a terrorist attack or establish a permanent parasitic relationship (long-term espionage). Seen as dynamic processes, the first kind of exploit is a controlling (“balancing”) feedback loop, while the second kind is a reinforcing feedback loop. Each type of exploit meets a first line of defense in control processes or in escalating (“reinforcing”) processes of resistance. The possible combinations of the two modes of attack and the two modes of defense yield four archetypes of exploit and natural defense. Predictably, the social engineer would seek to outsmart the first line of defense; it is shown that each archetype implies a particular strategy to do so. Anticipation of these modes of attack must be the starting point for an effective multi-layered defense against social engineering attacks.




Copyright information

© 2006 Springer-Verlag Berlin Heidelberg


Cite this paper

Gonzalez, J.J., Sarriegi, J.M., Gurrutxaga, A. (2006). A Framework for Conceptualizing Social Engineering Attacks. In: Lopez, J. (eds) Critical Information Infrastructures Security. CRITIS 2006. Lecture Notes in Computer Science, vol 4347. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11962977_7


  • DOI: https://doi.org/10.1007/11962977_7

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-69083-2

  • Online ISBN: 978-3-540-69084-9
