Social Engineering – Facts, Myths and Countermeasures Eakan Gopalakrishnan School of Electronics and Computer Science, University of Southampton
Abstract There are several ways of stealing information; most of them exploit the technical factors of security and some exploit the non-technical factors. Social engineering is a hacking technique that relies on weaknesses in humans rather than in software systems. This literature search provides a summary of the research that has been done in this field and of the countermeasures that can be taken to deal with it. A detailed description of the methods and solutions is out of the scope of this literature search and will be looked into in detail in the technical report.
1. Introduction Not many peer-reviewed technical papers or books are available in the field of social engineering. This is probably because it is something on which we have started to focus only recently. This very fact has been stated in the paper by M. Dontamsetti and A. Narayanan [5]. According to them, threats to information are mainly of three types: technical, physical and human in nature. Today we are in the third generation of the information security evolution, which has moved from an initial focus on the security of technology, to a focus on process-related security, to the current focus on the human element that manages or uses the technologies and processes in place. “This shift in focus has only happened because of the realization that technology and processes are only as good as the humans that use them” [5]. In simple words, social engineering can be called “human hacking”. This particular method of hacking was made famous by Kevin Mitnick, whose book [15] describes various methods of human hacking through a series of anecdotes. Very few researchers, such as J.M. Sarriegi and J.J. Gonzalez, have tried to conceptualize social engineering attacks [2]. Winkler provides a case study of such an attack on a large US corporation [21] and several other case studies on social engineering in [14]. A good amount of statistics and information about computer crimes can be found in [41] and [42]. All this evidence suggests that social engineering is truly a very effective method of hacking.
2. Impacts of Social Engineering Social engineering attacks mostly result in network outages such as denial of service, fraud, identity theft and industrial espionage [12]. If a company gets infiltrated, confidential information is stolen and this information goes public, customers or potential customers of that company lose confidence in the company, and in the long run this could put the company out of business. Many different types of threats and impacts have been analyzed by R. Gulati in [18]. In Business Communications Review 2005, p. 46, it is stated that in the United States alone the estimated loss due to phishing attacks was 1.2 billion dollars for the year 2003, with 500 million dollars in consumer losses. This means that small to medium-sized companies could go bankrupt due to such attacks.
3. Methods of Attack Most social engineering techniques involve a lot of background study of the target organization or individual. Much of the background information can be gathered from the internet itself. Other sources include spying, eavesdropping and dumpster diving, which means going through trash (telephone directories, organizational charts, memos, post-its, manuals, calendars, improperly disposed confidential documents, etc.) to fetch information about one or more individuals inside an organization. Technical expertise can be combined with impersonation or disguise, which can be used very effectively in techniques such as posing as support staff or as a voice of authority. Many of the tactics used by social engineers can be found in the article by S. Granger [19]. L. Laribee has classified social engineering attacks into different categories in her thesis [12]. The different methods and strategies can also be found in [13], [1] and [18].
4. Previous Models of Social Engineering The closest research work associated with this area is in the area of trust. Trust is subjective. The decision to trust someone or not may be taken intentionally or subconsciously. The “click, whirr” approach [26], [27], [28] is an easy method of manipulating trust. This has also been elaborated by Laribee in her thesis [12], where trust and the factors that influence it are described in detail. A person’s compliance with another person’s request can be understood in terms of the human tendency to shortcut responses [25]. This makes humans truly the weakest link. Various other methods of influence and of attaining others’ trust have been elaborated by Cialdini in [28]. A summary of these models is given in
5. Why does it still work? A social engineer exploits the psychological weaknesses of the victims [17]. Even now, technologies like firewalls are given more attention than required while people and processes are overlooked partially or completely. Mitnick sums it up nicely: “You could spend a fortune purchasing technology and services...and your network infrastructure could still remain vulnerable to old-fashioned manipulation.” This vulnerability is mostly due to a lack of awareness among the employees of an organization, mainly because organizations underestimate social engineering in their employee security awareness programs. Hasle et al. attempted to formulate a method to measure the resistance to social engineering in [20]. The weaknesses in humans that are exploited by social engineers have been analyzed and listed in [4], [3], [5], [6], [8]. Obedience to authority, self-preservation and the ‘need to be liked’ are some of the psychological aspects quoted in [5]. According to Mayhorn et al., “humans tend to act or take decisions according to three factors, the user, the technology and the environment/context in which the interaction takes place” [6]. They have also researched the psychological factors, such as credibility, pressure and inattention, that make a user become a victim.
6. Countermeasures D. Gragg has developed a multi-level defense mechanism against social engineering attacks in [24]. Recognition is the first step to preventing social engineering attacks. The importance of creating awareness about social engineering is pointed out as a countermeasure in [12]. There is no particular security patch that can be applied to prevent social engineering attacks; thus educating people about the different types of attacks and building a good security policy are among the good countermeasures. Additional methods to safeguard against social engineering are given in [16] by C. Rhodes. Mayhorn et al. have also suggested in [6] that THERP (Technique for Human Error Rate Prediction) be used by security designers.
7. Further Reading Business Communications Review articles are a good read for keeping aware of current issues in the field of information technology. Persuasion, thought systems and argument quality, psychological factors that also affect decisions and responses, have been researched by Petty and Wegener [27]. The social and cultural aspects of social engineering have been explored in [7], [8], [9], [10] and [11].
8. References
[1] P.O. Okenyi, T.J. Owens, “On the Anatomy of Human Hacking”, Information Systems Security, Vol. 16, No. 6, pp. 302-314, Nov 2007.
[2] J.M. Sarriegi, J.J. Gonzalez, “Conceptualising social engineering attacks through system archetypes”, Int. J. System of Systems Engineering, Vol. 1, Nos. 1/2, pp. 111-127, 2008.
[3] D.S. Carstens, “Human and Social Aspects of Password Authentication”, Social and Human Elements of Information Security: Emerging Trends and Countermeasures, Information Science Reference, Section 1, Chapter 1, pp. 1-14.
[4] M. Nohlberg, “Why Humans are the Weakest Link”, Social and Human Elements of Information Security: Emerging Trends and Countermeasures, Information Science Reference, Section 1, Chapter 2, pp. 15-26.
[5] M. Dontamsetti, A. Narayanan, “Impact of Human Element on Information Security”, Social and Human Elements of Information Security: Emerging Trends and Countermeasures, Information Science Reference, Section 1, Chapter 3, pp. 27-42.
[6] R. West, C. Mayhorn, J. Hardee, J. Mendel, “The Weakest Link: A Psychological Perspective on Why Users Make Poor Security Decisions”, Social and Human Elements of Information Security: Emerging Trends and Countermeasures, Information Science Reference, Section 1, Chapter 4, pp. 43-60.
[7] R. Kuusisto, T. Kuusisto, “Information Security Culture as a Social System: Some Notes of Information Availability and Sharing”, Social and Human Elements of Information Security: Emerging Trends and Countermeasures, Information Science Reference, Section 2, Chapter 6, pp. 77-97.
[8] P. Drake, S. Clarke, “Social Aspects of Information Security: An International Perspective”, Social and Human Elements of Information Security: Emerging Trends and Countermeasures, Information Science Reference, Section 2, Chapter 7, pp. 98-115.
[9] M. Carr, “Social and Human Elements of Information Security: A Case Study”, Social and Human Elements of Information Security: Emerging Trends and Countermeasures, Information Science Reference, Section 2, Chapter 8, pp. 116-132.
[10] B. Hoanca, K. Mock, “Effects of Digital Convergence on Social Engineering Attack Channels”, Social and Human Elements of Information Security: Emerging Trends and Countermeasures, Information Science Reference, Section 2, Chapter 9, pp. 133-147.
[11] E. Yu, L. Liu, J. Mylopoulos, “A Social Ontology for Integrating Security and Software Engineering”, Social and Human Elements of Information Security: Emerging Trends and Countermeasures, Information Science Reference, Section 2, Chapter 10, pp. 148-177.
[12] L. Laribee, “Development of Methodical Social Engineering Taxonomy Project”, Thesis, Naval Postgraduate School, Monterey, California, June 2006.
[13] J. Baker, B. Lee, “The Impact of Social Engineering Attacks on Organizations: A Differentiated Study”, Florida Atlantic University, http://itom.fau.edu/jgoo/fa05/ISM4320/SocialEng.pdf
[14] I.S. Winkler, B. Dealy, “Information Security Technology?...Don’t Rely on It. A Case Study in Social Engineering”, Science Applications International Corporation, 5th USENIX UNIX Security Symposium, Salt Lake City, Utah, June 1995.
[15] K. Mitnick, W.L. Simon, “The Art of Deception: Controlling the Human Element of Security”, John Wiley and Sons, October 2002.
[16] C. Rhodes, “Safeguarding against Social Engineering”, East Carolina University, 2007, http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.5142&rep=rep1&type=pdf
[17] M. Nohlberg, “Social Engineering: Understanding, Measuring and Protecting Against Attacks”, Thesis Proposal, University of Skövde, Sweden, June 2007.
[18] R. Gulati, “Threat of Social Engineering and your defense against it”, GIAC Security Essentials Certification Practical Assignment, SANS Institute, 2003, http://cnscenter.future.co.kr/resource/security/hacking/1232.pdf
[19] S. Granger, “Social engineering fundamentals, Part I: Hacker tactics”, 2001, cited on 9 November 2009, http://www.securityfocus.com/infocus/1527
[20] H. Hasle, Y. Kristiansen, K. Kintel, E. Snekkenes, “Measuring Resistance to Social Engineering”, Information Security Practice and Experience, First International Conference, ISPEC 2005, Singapore, April 2005, Proceedings, pp. 132-143.
[21] I.S. Winkler, “Case Study of Industrial Espionage through Social Engineering”, 19th National Information Systems Security Conference, 1996, http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.36.115&rep=rep1&type=pdf
[22] A. Katz, “Computers: The Changing Face of Criminality”, Unpublished Dissertation, Michigan State University, 1995, http://www.ncjrs.gov/App/Publications/abstract.aspx?ID=173511
[23] K. Bagchi, G. Udo, “An Analysis of the Growth of Computer and Internet Security Breaches”, CAIS, Volume 12, 2003, http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.138.2439&rep=rep1&type=pdf
[24] D. Gragg, “A Multi-Level Defense against Social Engineering”, SANS Reading Room, 2003, http://southwestans.com/Resources/docs/social/A%20Multi-Level%20Defense%20Against%20Social%20Engineering.pdf
[25] P. Sztompka, “Trust: A Sociological Theory”, Cambridge University Press, 1999.
[26] S. Chen, S. Chaiken, K. Duckworth, “Motivated Heuristics and Systematic Processing”, Psychological Inquiry, Vol. 10, No. 1, 1999, http://www.jstor.org/pss/1449522
[27] R.E. Petty, D.T. Wegener, “Thought Systems, Argument Quality and Persuasion”, Advances in Social Cognition: Content, Structure, Operation of Thought Systems, Vol. 4, LEA, Chapter 8, pp. 147-162.
[28] R.B. Cialdini, “Influence: Science and Practice”, 2001, http://www.influenceatwork.com/Media/RBC/Influence_SP.pdf
9. Bibliography
[29] C. Pfleeger, S. Pfleeger, Security in Computing, 4th Edition, Pearson Education Inc., 2006.
[30] S. McClure, J. Scambray, G. Kurtz, Hacking Exposed 6: Network Security Secrets and Solutions, McGraw Hill Publishers, 2009.
[31] K. Mitnick, W. Simon, The Art of Intrusion: The Real Stories behind the Exploits of Hackers, Intruders and Deceivers, Wiley Publishing, 2006.
[32] G. Notoatmodjo, “Exploring the Weakest Link: A Study of Personal Password Security”, Thesis, University of Auckland, New Zealand, December 2007.
[33] J. Rusch, “The ‘social engineering’ of Internet fraud”, paper presented at the Internet Society's INET'99 conference, 1999, http://www.isoc.org/isoc/conferences/inet/99/proceedings/3g/3g_2.htm
[34] M. Gupta, R. Sharman (eds.), Social and Human Elements of Information Security: Emerging Trends and Countermeasures, Information Science Reference, 2009.