ABSTRACT
Trusted people can fail to be trustworthy when it comes to protecting their aperture of access to secure computer systems due to inadequate education, negligence, and various social pressures. People are often the weakest link in an otherwise secure computer system and, consequently, are targeted for social engineering attacks. Social engineering is a technique used by hackers or other attackers to gain access to information technology systems by obtaining the needed information (for example, a username and password) from a person rather than breaking into the system through electronic or algorithmic hacking methods. Such attacks can occur on both a physical and a psychological level. The physical setting for these attacks is wherever a victim feels secure: often the workplace, the telephone, the trash, and even online. Psychology is often used to create a rushed or officious ambiance that helps the social engineer cajole information about accessing the system from an employee.
Data privacy legislation in the United States and in other countries that imposes privacy standards and fines for negligent or willful non-compliance increases the urgency of measuring the trustworthiness of people and systems. One metric for determining compliance is to simulate, by audit, a social engineering attack upon an organization required to follow data privacy standards. Such an organization commits to protecting the confidentiality of the personal data with which it is entrusted.
This paper presents the results of an approved social engineering audit made without notice within an organization where data security is a concern. Areas emphasized include experiences between the Social Engineer and the audited users, techniques used by the Social Engineer, and other findings from the audit. Possible steps to mitigate exposure to the dangers of Social Engineering through improved user education are reviewed.