ABSTRACT
As technological and operational security measures for the protection of information systems are being widely adopted, it is much easier for a malicious user to launch an attack on an information system's weakest link, the humans operating it. Despite the damage that these attacks can cause, they are rarely taken into account in vulnerability assessment models. These models usually focus on representing the internal states of an information system, whereas social engineering attacks often start by gathering information and building relationships with the potential victims, which tends to occur outside an information system's gates. Hence, a model assessing social engineering threats should be able to account for the different channels which could be used to approach victims (professional mail, personal mail, online social networks, etc.). Although security professionals might not monitor some of the channels leveraged in an attack, a comprehensive vulnerability assessment model would allow the assessment of the likelihood and cost of a successful breach and the tailoring of a security awareness program to avoid it. We describe in this paper a multi-layered graph-based model for social engineering vulnerability assessment. We then present case studies in which vulnerabilities in an automated social engineering attack and an automated reverse social engineering attack, in addition to vulnerabilities arising from interactions on different social networking sites, blogs and forums, are assessed using this model.
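As an added illustration (not the paper's model or code), the sketch below builds a small multilayer graph in which each layer is one approach channel and computes the most likely chain of successful approaches from an attacker-controlled node to a target, with and without a given channel available; the person names, channel names and success probabilities are constructed.

```python
import heapq
import math
from collections import defaultdict

# Constructed sample (illustrative, not the paper's data): one layer per
# approach channel; (u, v, p) means an approach from u to v over that channel
# succeeds with probability p.
LAYERS = {
    "professional_mail": [("attacker", "alice", 0.05), ("alice", "bob", 0.6)],
    "personal_mail": [("attacker", "alice", 0.2)],
    "osn": [("attacker", "carol", 0.5), ("carol", "alice", 0.7), ("carol", "bob", 0.3)],
}

def build_graph(layers, disabled=()):
    """Flatten the layers into one adjacency map; each arc keeps its layer so a
    path can be reported channel by channel. Layers in `disabled` are dropped,
    modelling a channel the organisation has closed or fully monitors."""
    adj = defaultdict(list)
    for layer, edges in layers.items():
        if layer in disabled:
            continue
        for u, v, p in edges:
            if not 0.0 < p <= 1.0:
                raise ValueError(f"bad probability {p} on {layer}:{u}->{v}")
            adj[u].append((v, p, layer))
    return adj

def most_likely_path(layers, src, dst, disabled=()):
    """Most likely chain of successful approaches from src to dst, returned as
    (probability, [(from, to, layer), ...]); (0.0, []) if dst is unreachable.
    Probabilities multiply along a path, so Dijkstra on -log(p) maximises it."""
    adj = build_graph(layers, disabled)
    dist, prev, heap = {src: 0.0}, {}, [(0.0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:          # stale heap entry
            continue
        for v, p, layer in adj.get(u, []):
            nd = d - math.log(p)
            if nd < dist.get(v, math.inf):
                dist[v], prev[v] = nd, (u, layer)
                heapq.heappush(heap, (nd, v))
    if dst not in dist:
        return 0.0, []
    path, node = [], dst
    while node != src:
        u, layer = prev[node]
        path.append((u, node, layer))
        node = u
    return math.exp(-dist[dst]), path[::-1]
```

Comparing the result with and without a layer shows which channel an awareness program or monitoring effort would have to cover to lower the likelihood of the most probable approach chain.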
Multi-layered graph-based model for social engineering vulnerability assessment