Douglas P. Twitchell
ABSTRACT
With the increasing use of security technology, technical attacks should become more difficult leading attackers to employ social engineering as a means to obtaining unauthorized access to information. Therefore, social engineering is a potentially dangerous threat to information security. Fortunately, a number of countermeasures have been proposed to defend against it. These countermeasures include implementing policy, providing end-user and key personnel education, and performing security audits. However, most current prominent information assurance curricula do not directly address social engineering and only indirectly address the countermeasures. Amending these curricula to include social engineering as a topic may help students be better prepared for encountering social engineering threats.
- Anti-Phishing Working Group. Phishing attack trends report january, 2004. http://www.antiphishing.org/reports/APWG.Phishing.Attack.Report.Jan2004.pdf, 2004.Google Scholar
- Anti-Phishing Working Group. Phishing attack trends report december, 2005. http://www.antiphishing.org/reports/apwg_report_DEC2005_FINAL.pdf, 2005.Google Scholar
- CERT. The CERT®survivability and information assurance curriculum. http://www.cert.org/sia/, 2005.Google Scholar
- CNSS. Instructions. http://www.cnss.gov/instructions.html, 1994-2006.Google Scholar
- CSSIA. Center for systems security and information awarenes curriculum overview. http://www.cssia.org/CUR_Intro.cfm, 2006.Google Scholar
- L. A. Gordan, M. P. Loeb, W. Lucyshyn, and R. Richardson. 2005 CSI/FBI computer crime and security survey. http://www.gocsi.com/forms/fbi/csi_fbi_survey.jhtml, 2005.Google Scholar
- D. Gragg. A multi-level defense against social engineering. White paper, SANS Institute, 2003.Google Scholar
- A. J. Herbert. Information battleground. Air Force Magazine, 88(12), December 2005 2005.Google Scholar
- (ISC)2. Certified information systems security profiessional (cissp) candidate information bulletin. https://www.isc2.org/cgi-bin/request_studyguide. cgi?displaycategory=694, 2006.Google Scholar
- C. E. Lively Jr. Psychological based social engineering. http://www.giac.org/certified_professionals/practicals/gsec/3547.php, 2003.Google Scholar
- K. D. Mitnick and W. L. Simon. The Art Of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders, and Deceivers. Wiley, Indianapolis, Indiana, 2005. Google ScholarDigital Library
- NIATEC. Information assurance teaching materials. http://niatec.info/teachmatl.htm, 2006.Google Scholar
- B. Schneier. Beyond Fear: Thinking Sensibly about Security in an Uncertain World. Copernicus Books, New York, 2003. Google ScholarDigital Library
- T. Thornburgh. Social engineering: the "dark art". In 1st annual conference on Information security curriculum development, pages 133--135, Kennesaw, Georgia, 2004. ACM Press. Google ScholarDigital Library
- M. E. Whitman and H. J. Mattord. A model curriculum for programs of study in information security and assurance v. 3.0. http://infosec.kennesaw.edu/presentations/InfoSecCurriculumModel.pdf, 2005.Google Scholar
- I. S. Winkler and B. Dealy. Information security technology? dont rely on it: A case study in social engineering. In Fifth USENIX UNIX Security Symposium, Salt Lake City, UT, 1995. Google ScholarDigital Library
Index Terms
- Social engineering in information assurance curricula
Recommendations
Cyber Social Engineering Kill Chain
Science of Cyber SecurityAbstractCyber attacks are often initiated with a social engineering attack to penetrate a network, which we call Cyber Social Engineering (CSE) attacks. Despite many studies, our understanding of CSE attacks is inadequate in explaining why these attacks ...
Incorporating current events into information assurance curriculum
InfoSecCD '09: 2009 Information Security Curriculum Development ConferenceThis paper describes an approach to teach current events in information assurance curriculum. The approach is modeled after social sciences curriculum for which a large body of research and statistical data supports the use of current events and ...
Ethical Hacking in Information Security Curricula
Teaching offensive security ethical hacking is becoming a necessary component of information security curricula with a goal of developing better security professionals. The offensive security components extend curricula beyond system defense strategies. ...
Comments