SOCIAL ENGINEERING 1
Topic:Social Engineering Risk and Management in Organisations
References: Harvard
Pages: 60
Words: 15000 words
Social Engineering Risk and Management in Organisations
[Name of the Writer]
[Name of the Supervisor]
[Course]
Acknowledgement
I am very thankful to my supervisor for his complete guidance in completing my
dissertation; I was unable to accomplish my research without his practical advice. I have been
really inspired by him because of his deep insight and experience, which made me perform at
my best for my research.
I am also thankful to my friends who supported me throughout the course and guided me for the
completion of this research.
Finally, I am really thankful to my parents for their on-going support, and always giving me the
strength, courage and determination to face various challenges and for believing in my ability
and trust.
Abstract
Social engineering offers attackers a multitude of possibilities to reach their desired goal through targeted manipulation and information gathering. A particularly dangerous situation arises when the information of one person is used to access the computer system of an organization. The abuser easily passes for a system operator, an IT manager or a system engineer. Often the perpetrator is not even in direct contact with the victim. Even people who are most conservative in the management of sensitive information can fall into the trap of social engineering.
On the one hand, "technological neglect" makes people vulnerable when they treat their sensitive data too carelessly, publish private information on the Web and are sometimes too lazy to "clean up" their online profiles regularly. On the other hand, we are all only human beings, always in search of recognition, flattery, compliments, friendship and so on. Human virtues such as helpfulness and weaknesses such as vanity are exploited by attackers to manipulate their victims. Most employees of a company believe that the most important thing is to be a good teammate and to show solidarity with colleagues, which is often at the expense of security.
This study describes the impact of social engineering attacks on organizations. It also discusses the prevention techniques which employees can use to thwart the threat of information leakage through social engineering.
Contents
Chapter 1: Introduction ........................................................................ 8
1.1 Background of the Problem ................................................................................................... 8
1.2 Statement of the Problem ...................................................................................................... 9
1.3 Aim of the Study ................................................................................................................. 12
1.4 Objectives ............................................................................................................................ 12
1.5 Research Questions ............................................................................................................. 13
Chapter 2: Literature Review .............................................................. 14
2.1 Need for Information Security ............................................................................................ 14
2.2 Types of Information Security Attacks ............................................................................... 17
2.2.1 Intrusion or Hacking ..................................................................................................... 17
2.2.2 Viruses and Worms ...................................................................................................... 18
2.2.3 Denial of Service (DoS) ............................................................................................... 18
2.2.4 Sniffing ......................................................................................................................... 19
2.2.5 Spoofing........................................................................................................................ 19
2.2.6 IP Spoofing ................................................................................................................... 19
2.2.7 DNS Spoofing............................................................................................................... 20
2.2.8 ARP Spoofing ............................................................................................................... 20
2.3 Social Engineering .............................................................................................................. 20
2.4 Social Engineering Types: .................................................................................................. 21
2.4.1 User Impersonate .......................................................................................................... 22
2.4.2 Staff Sympathy ............................................................................................................. 22
2.4.3 Intimidation .................................................................................................................. 22
2.4.4 Dumpster Diving ......................................................................................................... 22
2.4.5 Reverse Social Engineering .......................................................................................... 22
2.4.6 Shoulder Surfing ........................................................................................................... 22
2.5 Online Social Engineering .................................................................................................. 24
2.6 Earlier Work ........................................................................................................................ 26
2.6.1 Social Engineering Attack Model ................................................................................. 26
2.6.2 Social Engineering Trust Model ................................................................................... 29
2.7 Social Engineering Risk Management ................................................................................ 30
2.7.1 Insider ........................................................................................................................... 30
2.8 Social Engineering Attack Vectors ..................................................................................... 35
2.9 Incident Management .......................................................................................................... 36
2.10 Resolution Approach ......................................................................................................... 37
Chapter 3: Methodology ...................................................................... 39
3.1. Introduction ........................................................................................................................ 39
3.2. Research Methodology ....................................................................................................... 39
3.3. Research Philosophy .......................................................................................................... 40
3.4. Research Approaches ......................................................................................................... 41
3.5. Research Design ................................................................................................................. 42
3.5.1. Descriptive Design ...................................................................................................... 42
3.5.2. Experimental design .................................................................................................... 42
3.5.3. Surveys by Questionnaire ............................................................................................ 43
3.5.4. Interview ...................................................................................................................... 43
3.5.5. Phishing ....................................................................................................................... 44
3.6. Action Research ................................................................................................................. 44
3.6.1. Primary Data ................................................................................................................ 44
3.6.2. Secondary Data ............................................................................................................ 45
3.7. Analysis of Data ................................................................................................................. 45
3.8. Ethical Issues ...................................................................................................................... 45
Chapter Four: Result and Discussion ................................................. 47
4.1. Result .................................................................................................................................. 47
4.1.1 Survey ........................................................................................................................... 47
4.1.2 Interviews ..................................................................................................................... 53
4.1.3 Phishing ........................................................................................................................ 53
4.2. Discussion .......................................................................................................................... 54
4.2.1. The Shock Doctrine ..................................................................................................... 58
Threats of social engineering and related defences ............................................................... 59
4.2.2. E-Mail Threats ............................................................................................................. 61
4.2.3. Change Management ................................................................................................... 63
Conclusion ............................................................................................. 69
Bibliography ......................................................................................... 74
Figure 1 ..................................................................................................................... 18
Figure 2 ..................................................................................................................... 21
Figure 3 ..................................................................................................................... 23
Figure 4: Social Engineering attack cycle ............................................................... 27
Figure 5: A Concept ................................................................................................. 27
Figure 6: Attack Structure ........................................................................................ 28
Figure 7: Trust Model ............................................................................................... 29
Figure 8: Types of Network Security Threats ......................................................... 31
Figure 9: Size of Companies .................................................................................... 31
Figure 10: Types of misuse and reporting frequency .............................................. 33
Figure 11: Social Engineering Risk Management .................................................... 34
Figure 12: Respondents by Profession ..................................................................... 47
Figure 13: Awareness of Social Engineering ........................................................... 48
Figure 14: Social Engineering Attack Experience ................................................... 49
Figure 15: Motivation for Social Engineering Attacks ............................................ 49
Figure 16: Attacks Frequency .................................................................................. 50
Figure 17 ................................................................................................................... 51
Figure 18 ................................................................................................................... 52
Figure 19: Most Common Threats ........................................................................... 52
Chapter 1: Introduction
1.1 Background of the Problem
Social engineering is essentially manipulation by deception (Mitnick et al, 2002). In our everyday
life we encounter social engineering in many areas, such as advertising, where the "seller" tries to
behave in such a way that he enjoys the favour of his "objective". Unfortunately, the art of
manipulation, particularly in relation to new media, is often used for unfair practices, in which
human vulnerabilities are exploited. It is in the nature of man to want to help others and to trust his
fellow man. In a calculated way, and often over a long time, the scammer builds a relationship of
trust with the person. At one moment the credulity of the victim is exploited to obtain the coveted,
profitable information. The goal may be money, trade secrets, economic benefits or competitive
sabotage (Mitnick et al, 2002).
Unlike more complex infiltration methods that rely on the manipulation of computer code, social
engineering is based primarily on the "human factor" (Hadnagy, 2011), including intuition
(e.g. guessing passwords) and/or scenarios for gaining the trust of a user, either to induce him to
run a malicious program, to disclose sensitive information, or simply to impersonate him.
Employees are the first owners of the information and know-how of the company, and the risk of
information loss lies in the very nature of human beings: we cannot predict the behaviour of
employees because human risk can take many forms. Whether it is industrial espionage in order
to sell information to the competition, or just the resignation of an employee who goes to work
for a competitor, taking with him his expertise and possibly key data, the consequences can be
dramatic. Internal risk is even stronger in times of economic crisis, as the need for money, uncertainty
about the future and frustrating situations are increasingly common and weaken employees.
Another type of human risk is related to social networks, which, it cannot be overemphasized,
represent a powerful means of information leakage for companies, either because employees
go online with confidential information about their work, or because hackers use data collected
from employee profiles to guess passwords or to gain their trust in order to extract information
(Allsopp, 2009). The latter two techniques are part of what is called social engineering. Attackers can
rely on the fact that employees have trouble distinguishing the boundary between their
professional and personal lives, and that they are not aware of the many ways in which the
information they post online can be used.
1.2 Statement of the Problem
Cybercriminals are turning increasingly to companies, including compromising the intellectual
property (IP) attached to the projects they are working on. E-mails are of course always the preferred
entrance doors (Mann, 2008); for example, the Trojan called "Hydraq" uses social engineering
emails targeted at an individual or a small group of employees to infect machines. If the attacker
is able to trick the user with a mail that looks legitimate, that is, if he manages to make him open a
link or an attachment, Hydraq can then infect the machine and allow the hacker to take remote
control. Hackers exploit the abundance of personal information available on social networking
sites to target their attacks on key individuals within targeted businesses (Huber et al, 2009). The
correlation between social engineering and the growth of social networks is significant. Social
engineering is one of the most serious threats to computer network security. It is a very powerful
type of attack, to the extent that no software or hardware can defend against it effectively.
Social engineering has to do with psychology, so it is the user who must learn to
recognise and thwart its techniques.
In general, the methods of social engineering proceed according to the following scheme:
• An approach phase to gain the user's confidence, posing as one of his superiors, a person
from his entourage in the company, or a customer, supplier, etc.;
• A word of warning, in order to destabilize the user and ensure a rapid reaction. It may for
example be a pretext of security or emergency;
• A diversion, that is to say a phrase or situation to reassure the user and prevent him from focusing
on the alert. It may be for example a thank-you message announcing that everything is back in order, a
trivial sentence or, in the case of an email or a web site, a redirect to the website of the
company (Long, 2008).
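The three phases above map directly onto checks that a mail gateway or an analyst can run over an incoming message. The following is an added example and not part of the dissertation: it scores two constructed sample emails against the approach phase (a superior's display name sent from an outside domain), the warning phase (an urgency or security pretext) and the diversion phase (link text that shows the company's domain while the link itself goes elsewhere). The organisation domain, executive names and sample messages are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed organisation profile (hypothetical, not from the dissertation).
ORG_DOMAIN = "example-corp.test"
EXECUTIVE_NAMES = {"jane doe", "john roe"}
# Wording typical of the "word of warning" phase: security or emergency pretexts.
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "suspended",
                 "security alert", "verify your account", "reset your password")

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r'((?:[a-z0-9-]+\.)+[a-z]{2,})', re.I)


def registrable(host):
    """Crude registrable-domain reduction (last two labels); enough for the samples."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_of(address):
    """Registrable domain of an e-mail address, or '' if it has none."""
    return registrable(address.rsplit("@", 1)[1]) if "@" in address else ""


def score_message(raw_message):
    """Map the three-phase scheme onto header/body checks and return the findings."""
    msg = message_from_string(raw_message)
    findings = []

    def note(tag):
        if tag not in findings:
            findings.append(tag)

    # Phase 1, the approach: a superior's display name, but an outside sending domain.
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)
    if display_name.strip().lower() in EXECUTIVE_NAMES and sender_domain != ORG_DOMAIN:
        note("impersonated-executive")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        note("reply-to-mismatch")

    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()

    # Phase 2, the warning: urgency or security pretext in subject or body.
    if any(term in text for term in URGENCY_TERMS):
        note("urgency-pretext")

    # Phase 3, the diversion: link text shows one domain, the href leads to another.
    for href, anchor in ANCHOR_RE.findall(body):
        href_domain = registrable(urlparse(href).hostname or "")
        shown = DOMAIN_RE.search(re.sub(r"<[^>]+>", "", anchor))
        if shown and registrable(shown.group(1)) != href_domain:
            note("link-mismatch")

    risk = "high" if len(findings) >= 3 else "medium" if findings else "low"
    return {"risk": risk, "findings": findings}


# Constructed samples; every address and domain is a placeholder.
PHISHING_SAMPLE = """\
From: "Jane Doe" <jane.doe@example-corp-it.test>
Reply-To: helpdesk@mail.attacker.test
To: staff@example-corp.test
Subject: URGENT: reset your password immediately
Content-Type: text/html

<p>Our security team detected a problem. Your account will be suspended
unless you confirm your password within 24 hours.</p>
<p><a href="http://login.example-corp.test.attacker.test/reset">https://example-corp.test/reset</a></p>
<p>Thanks, everything will be back in order once you have confirmed.</p>
"""

BENIGN_SAMPLE = """\
From: "Jane Doe" <jane.doe@example-corp.test>
To: staff@example-corp.test
Subject: Team lunch on Friday
Content-Type: text/html

<p>Menu and sign-up are on the intranet:
<a href="https://intranet.example-corp.test/lunch">intranet.example-corp.test/lunch</a></p>
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, score_message(sample))
```

The heuristics are deliberately simple; in practice the display-name check would be fed from a directory of senior staff and the domain comparison from a proper public-suffix list.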
Even if a company is equipped with all the paraphernalia of digital defence, it appears that it
remains vulnerable. There are in fact two ways to break into a computer system: either pass
through firewalls and intrusion detection systems, which may be too complex, or exploit human
weaknesses. It is the human factor which is used as a tool of infiltration by hackers. Thus, an
employee may unwittingly transmit sensitive information that enables attackers to act with great
efficiency and discretion (Peltier, 2006). The idea is either to impersonate an employee in order to act
without arousing the suspicions of the latter or those of management, or to use manipulation
techniques so that the information is given voluntarily. Social engineering, phishing and social
networking applications are the tools most used to impersonate individuals (Huber et al, 2009).
As the challenge of an attack resides in the acquisition of passwords, more and more companies
equip themselves with powerful security systems that prevent outside intrusion. But to circumvent these
systems, hackers take advantage of employees' ignorance of phishing. These employees, by their credulity,
may provide sensitive information to outside parties, thinking they are on a secure web site, or
that the invitation they received to join a social network does not represent a danger. But once they
have entered a password to register, the phishing has succeeded. Indeed, most people use the same
password for all their accounts (Chantler & Broadhurst, 2006). Having obtained this sesame,
attackers can then enter the records of the company under the name of the employee
who is the victim of phishing. In this type of attack the employee remains passive, and it is his
lack of knowledge of phishing techniques that is a security risk for the company. This is why the
security of the latter's data also relies on employee awareness of the techniques used by hackers.
Many companies fail to educate their staff about attacks that they can undergo without their knowledge.
Thus, awareness of the tools used by hackers would prevent data leakage and reduce costs
(Mann, 2008). But knowledge of these tools is not enough, because attackers are also formidable
manipulators who have to be unmasked. For example, in order to gain the trust of their interlocutor, they
use the jargon of the business or mention the names of its leaders in their discussions. In this
way, the listener is quickly convinced that the person is part of the business and responds to their
requests or advice. Indeed, the attacker plays on the feelings of guilt and compassion of his
victim to gain support, and observes discretion. Thus, an email from a so-called colleague calling for
help because he has lost his password arouses empathy. At the risk of being fired, the employee,
in order to help his colleague, goes on to provide the password of the manager or of another colleague. The
employee becomes an active participant in the attack, and that is why the security system of the
company should establish control mechanisms, in addition to awareness of phishing (Chantler &
Broadhurst, 2006).
In general, anyone can be a victim of social engineering. Attacks always occur where there are
values that may be of interest to someone. However, it is in the workplace that people are
particularly exposed. Even the smallest piece of critical information leaked to a criminal can
become the biggest threat to the security plan of the organization. Even family,
friends and colleagues could attract the attention of spies, because it is from such third parties that they
often try, successfully, to obtain critical information.
The best way to protect against social engineering is to use common sense and not to disclose any
information which may affect the safety of the company. It is advised, regardless of the type of
information requested:
• To learn about the identity of the caller by asking for specific information (name, company,
phone number);
• To verify any information provided;
• To consider the criticality of the information requested (Chantler & Broadhurst, 2006).
1.3 Aim of the Study
The purpose of this paper is to explain that social engineering is a threat to organizations'
security and that something has to be done to manage this threat. The paper explains the impact
which social engineering will have on the security and business policy of organizations, and
discusses the methods of prevention which should be taught to employees to thwart the
menace of social engineering.
1.4 Objectives
• To discuss and explain the security threat to organizations caused by social engineering
• To discuss the different techniques which can be used by hackers in social engineering to get
inside information about the company
• To identify the impact of social engineering on organizations
• To describe the best prevention strategy for avoiding social engineering
1.5 Research Questions
• What is Social Engineering?
• What are the different methods of social engineering used to get inside information?
• What is the impact of social engineering on organizations?
• What are the steps required by the organizations to manage and prevent the threat of
social engineering?
Chapter 2: Literature Review
2.1 Need for Information Security
Organisations must be fully aware of and mindful of the need to dedicate adequate resources to the security of
information, in order to prevent crimes and maintain confidentiality in both the government and business
sectors. A security breach is unauthorised access to the personal or business information of a
citizen, company or government entity. The most common hazard of a security breach is identity
or financial fraud (Murr, 2012). Notices are the most common method of reporting a breach or
potential threat of breach at any point where a person is providing personal information. These
notices are a means to create "awareness among the public" and "allow the appropriate regulatory
bodies to perform their functions, provide advice and deal with complaints" (Chandra & Bensky,
2011). There must be a developed framework for information security governance. Even though
there are dedicated personnel in organisations to protect enterprise information systems (headed
by the Chief Information Officer), it should be a collective effort and responsibility. Strategists
should place the protection of information and information assets at the core of their policies.
Information security is also required so that one can be confident that one's information cannot
be changed. There should be back-up copies of the information so that it is available whenever
one needs it. In an organization, information security performs four different functions (Maiden,
2010): 1) the organization's ability to function should be protected; 2) the safe operation of
applications implemented on the organization's IT systems should be enabled; 3) the data that the
organization collects and uses should be protected; and 4) the technology assets that are in use at
the organization should be safeguarded.
To address the issue at hand, several governments and organisations have introduced
standards and legislation to secure information and make sure that an adequate level of security is
employed by organisations. Information security is a huge field, and many casual users do not even
think about it, or if they do, only as an afterthought (Giorgini & Mylopoulos, 2011). Intruders
may come from a wide variety of places and could be someone as simple as the user's next-door
neighbour stealing wireless internet from them. With the complexity of software these days
there will always be vulnerabilities to expose and exploit, which is why every user needs to stay
on top of their own security (Maiden, 2010). This typically means applying the latest operating
system and software patches, maintaining a firewall and up-to-date virus scanning software,
being intelligent about where one surfs and what one clicks on, and just being as smart in the digital
world as users are in the physical world.
This study will cover some of the types of network attacks that exist, as well as the various
computer security threats that may be encountered and the various preventative measures that
can be utilized to minimize exposure to attack (Klevinsky et al, 2002). The number one rule
of information security is that the human is the first point of weakness. A user can
have the most secure network, computer or system, and all it takes is for one person to fall victim
to a social engineering attack to compromise everything (Janczewski & Colarik, 2008).
With SSL, consumers can feel confident that their credit card and other personal information
will be transmitted safely from their internet device to the e-commerce business where their
purchase was made. The next logical step in security takes place at the web
server where the consumer's data is now being stored, which is itself vulnerable to attack from
outside forces, such as hackers intent on gaining access to this valuable information for their
own personal gain and fortune (Grebmer, 2008). A way to minimize the merchant's actual
involvement in holding this personal information was developed, called Secure Electronic
Transaction (SET). This method was developed by Visa and MasterCard and uses PKI for
privacy and digital certificates to authenticate the merchant, consumer and bank. SET does not
make it possible for sensitive information to be seen by the merchant, nor is anything stored by
them on their own servers.
The goal of implementing information security is to defend against probable threats and attacks
on the data/information of an organisation. It is essential for business survival and minimises
the need for the business to manage risk related to information security and system
vulnerabilities (Abraham, 2010). The information of an organization is considered an asset in
modern management. With the growth of information technology, risks and threats
are also growing, and organizations are very mindful of securing the information they hold.
Numerous steps are employed by management to prevent unauthorized access to
sensitive information and systems. Leakage or loss, or both, of customer and
corporate information causes financial losses and compromises the reputation of the organization
(Maiden, 2010).
Due to the high rate of cybercrime, laws and regulations against it are multiplying. It is now
necessary to install and manage an information security system, which has broadened the
umbrella of the information security field and industry. Under the present threatening and challenging
circumstances, such a system provides growth to business by ensuring a controlled flow of
information between two entities (Ashenden, 2008).
Companies invest heavily in and concentrate on the technological aspects of security to protect their
assets. They purchase and implement firewalls and antivirus software and hire security teams,
but they fail to realize that there is always a weak link, and that is human involvement. The
phenomenon of attacks on the information system using the humans involved in organizations is
called social engineering.
To control the risk to information in an organization, there must be a security-aware culture. This
culture can be the best defence against all possible threats posed by an employee and his/her
risky interaction with the information asset (Veiga, 2009).
2.2 Types of Information Security Attacks
There are various types of information security attacks, such as intrusion or hacking, viruses and
worms, denial of service, sniffing, and spoofing. Each of the attacks is explained in detail below.
2.2.1 Intrusion or Hacking
Hackers are people who gain access to a computer system without the knowledge of the system's
owner. On successfully gaining access to the targeted system, the data available on those
systems is altered and private and confidential information is stolen. People who are involved
in hacking do it for various reasons; some do it for fun and curiosity, and some do it in
order to take revenge (Klevinsky et al 2002). Hacking takes place once the
hackers have the required information about the targeted systems and know the strengths and
weaknesses of the system, the operating systems used, unsecured folders, shared folders and
configuration files. When the information has been collected, an analysis of how to compromise the
targeted website or system is done. The techniques or loopholes that hackers use include poor
implementation of shopping carts; hidden fields in HTML forms; client-side validation scripts;
direct SQL attacks; session hijacking; buffer overflows in forms; and port scans.
2.2.2 Viruses and Worms
Viruses and worms are computer programs that prevent computer systems from functioning
properly. Both kinds of program can replicate themselves; however, a minor difference between
them is that a virus cannot travel on its own and requires a network to attach to in order to
perform its function, while a worm can travel on its own and function independently (Hadnagy,
2010). The goal of viruses and worms is to make the working system malfunction. In past years,
viruses used to spread through floppy diskettes, but now viruses spread through the Internet, which
reaches millions of computer systems in a snap. If a virus enters an organizational network,
then all the systems connected to the network will be affected within a minute, thus creating millions
of dollars of loss for the organization.
Figure 1
2.2.3 Denial of Service (DoS)
Denial of service is an attack that brings down the targeted network and makes it deny
service to legitimate users. To perform a DoS attack, the attacker need not be an expert; this
attack can be performed with a simple ping command. Experienced hackers who want to
perform a DoS attack would not do it from their own system (Shoniregun, 2005). A small
program known as a zombie is installed on some computers that have intermediate-level access in
a network; whenever the attack needs to be performed, the zombie program is run remotely
and the computers having this program installed launch the attacks simultaneously. The
attacker does not need a username or password in these cases. A known weakness or link in the
system can provide the opportunity for such attacks. These attacks usually disable the network
and/or corrupt critical information. The target system crashes or goes into a state where it
cannot work efficiently, and the services provided by the system are halted.
2.2.4 Sniffing
Sniffing means seeing all the packets that pass through the wires, or through the air in the case of wireless networks. The technique was originally used for fixing network problems, because network packets can be watched through it, but hackers now use sniffing to pick up login IDs and passwords off the wire. UNIX-based systems are the major targets for sniffing. Encryption is one way to avoid a sniffing attack (Grebmer, 2008). Sensitive information, such as bank details or other personal details, is encrypted before it is sent over the wire, so that hackers cannot understand what the information is. To understand it they would need to decrypt it, which can take a lot of time and money.
2.2.5 Spoofing
Spoofing means deceiving others; it is fooling other computer users into believing that the information they are getting from a source is being provided by a legitimate user. Spoofing can take place in several ways, such as IP spoofing, DNS spoofing and ARP (Address Resolution Protocol) spoofing.
2.2.6 IP Spoofing
IP spoofing is about changing the source address of an IP packet to make other users believe that the source is legitimate, when in reality the packet comes from a hacker. The hacker therefore attacks the system and at the same time hides his IP address from firewalls. IP spoofing targets UNIX systems and RPC services; specifically, it targets those services which rely on IP-address authentication.
2.2.7 DNS Spoofing
DNS spoofing directs users to an incorrect location. This means the users are directed to a different website, and personal information is collected illegally through web forms. DNS spoofing is regarded as a dangerous threat because anyone can manage domain names and create equivalent IP addresses.
2.2.8 ARP Spoofing
ARP spoofing is also known as ARP poisoning. ARP maintains a table of the MAC addresses of all the computers connected to a network. Information that comes to ARP is forwarded to the respective computer based on the mappings available in the ARP table. For example, if ARP cannot find the MAC address for a message, it broadcasts a request to all systems so that the intended destination machine responds with its MAC address; when the destination machine's MAC address is received, the table is updated. At this stage ARP spoofing can take place (Janczewski & Colarik, 2008). The attack works in this way: the hacker sends a reply to the broadcast ARP request saying that the hacker's machine is the legitimate one. ARP then takes the hacker's MAC address and adds it to the table. As a result, the hacker illegally gains what looks like a legitimate connection to the network, and once connected the hacker can do all sorts of things.
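The following is an added example (not code from the dissertation or any product) of how a defender can detect the poisoning described above: an independent baseline of IP to MAC mappings is kept, and an alert is raised when a known IP suddenly answers with a different MAC or when one MAC claims several IPs. The ARP reply lines are constructed sample data in a tcpdump-like form, and learning the baseline from a known-clean window is an assumption.

```python
"""Detecting ARP spoofing (ARP poisoning) from observed ARP replies.

Added example; not from the dissertation.  The attack replaces the
legitimate IP -> MAC mapping in the victim's ARP table with the hacker's
MAC.  A monitor that remembers the first mapping it saw (assumed to be
learned while the network was clean) can flag the moment that mapping
changes, and can flag a MAC that starts answering for several IPs.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample traffic in a tcpdump-like "is-at" form; not a real capture.
# Timestamps are plain integers.  .1 is the gateway, .20 a workstation.
SAMPLE_REPLIES = """\
1 ARP, Reply 192.168.1.1 is-at aa:aa:aa:aa:aa:01
2 ARP, Reply 192.168.1.20 is-at aa:aa:aa:aa:aa:20
3 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01
4 ARP, Reply 192.168.1.20 is-at de:ad:be:ef:00:01
5 ARP, Reply 192.168.1.30 is-at aa:aa:aa:aa:aa:30
6 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01
"""

REPLY_RE = re.compile(
    r"^(?P<ts>\d+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$",
    re.IGNORECASE,
)


@dataclass
class Alert:
    ts: int
    kind: str      # "mapping-changed" or "mac-multi-ip"
    detail: str


@dataclass
class ArpMonitor:
    """Baseline IP -> MAC table plus the set of IPs each MAC has claimed."""
    baseline: Dict[str, str] = field(default_factory=dict)
    claimed: Dict[str, Set[str]] = field(default_factory=dict)
    alerts: List[Alert] = field(default_factory=list)

    def observe(self, ts: int, ip: str, mac: str) -> List[Alert]:
        """Record one ARP reply and return the alerts it triggered."""
        mac = mac.lower()
        new: List[Alert] = []

        known = self.baseline.get(ip)
        if known is None:
            # First sighting of this IP: learn it (trusted-baseline assumption).
            self.baseline[ip] = mac
        elif known != mac:
            # The IP now answers with a different MAC: the poisoning sign.
            # The baseline is deliberately NOT updated, so every repeated
            # spoofed reply keeps alerting instead of being silently accepted.
            new.append(Alert(ts, "mapping-changed",
                             f"{ip} was {known}, now claims {mac}"))

        ips = self.claimed.setdefault(mac, set())
        before = len(ips)
        ips.add(ip)
        if len(ips) > 1 and len(ips) > before:
            # One MAC answering for several IPs (gateway plus victims) is
            # what a man-in-the-middle position looks like on the wire.
            new.append(Alert(ts, "mac-multi-ip",
                             f"{mac} now claims {sorted(ips)}"))

        self.alerts.extend(new)
        return new


def parse_reply(line: str) -> Tuple[int, str, str]:
    """Parse one constructed 'ts ARP, Reply IP is-at MAC' line."""
    m = REPLY_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised ARP line: {line!r}")
    return int(m.group("ts")), m.group("ip"), m.group("mac").lower()


def run_monitor(text: str) -> ArpMonitor:
    """Feed every non-empty line of `text` through a fresh ArpMonitor."""
    mon = ArpMonitor()
    for line in text.splitlines():
        if line.strip():
            mon.observe(*parse_reply(line))
    return mon


if __name__ == "__main__":
    for a in run_monitor(SAMPLE_REPLIES).alerts:
        print(f"t={a.ts} {a.kind}: {a.detail}")
```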
2.3 Social Engineering
Social engineering involves techniques to manipulate humans and bypass security instead of using technology (Margaret). Social engineering is a collection of techniques and malware, plus the manipulation of people and the exploitation of their unawareness of information security policies and procedures. These people are usually end users with little knowledge of computers and IT. According to Joan, firewalls and intrusion detection systems do not ensure the safety of data and information; a single smart social engineer can bypass them all (Verma, 2011). Social engineering threats and incidents have been increasing rapidly over the last few years; according to Abraham (2010), the number of social engineering incidents is growing at a very fast pace.
Figure 2
Social engineering concentrates particularly on the human aspect. The attacker can be an insider.
2.4 Social Engineering Types
Social engineering has several forms and techniques. The following are some common methods used by hackers and crackers.
2.4.1 User Impersonation
A special scenario is created in which the target is unaware of the situation. The attacker pretends to be someone from inside the company and has a password reset over a telephone conversation or by email.
2.4.2 Staff Sympathy
In this technique a false error is generated, and the attacker then pretends to be a member of the help staff and obtains user information while trying to help the target log on to the system.
2.4.3 Intimidation
Pretending to be part of senior management, or misusing available authority over a junior employee to get unauthorised information, is called intimidation. Electronic devices can be used to disguise voices and pretend to be authorised personnel in order to extract employees' personal information.
2.4.4 Dumpster Diving
This is related to identity theft. It includes credit card information, documents that are not supposed to be read by anyone but the intended recipient, organisational rosters and charts, etc. A disposal policy of shredding documents and erasing storage media before recycling is recommended (Rouse).
2.4.5 Reverse Social Engineering
Social engineers create an environment in which people contact them and share their personal information by themselves. This has become especially common since the launch of social networking websites.
2.4.6 Shoulder Surfing
The main purpose of shoulder surfing is to obtain the usernames and passwords of the system. It is very easy if the target person is unaware of the technological details, or if a level of trust has been built up between the two and they share information.
The favourite methods of social engineers are social networking websites and phishing emails. With the ease and time efficiency provided by the Internet and social networking websites, people now prefer to manage their relationships through Facebook, Twitter, etc. They are also ignorant of or careless about the security of their information and the measures to prevent violation; therefore, companies are incurring costs related to the security of that information (Michael Workman).
Figure 3
2.5 Online Social Engineering
Social engineering is the use of non-technical means to gain unauthorised access to information or systems (Chandra & Bensky, 2011). Normally a hacker would exploit a system's vulnerabilities and run scripts to gain access; when hackers deploy social engineering they exploit human nature instead. Social engineering consists of building trust relationships with people who work inside the organisation, or who are privy to sensitive information such as usernames, passwords and personal identification codes, in order to gain access to networks, information and equipment (Janczewski & Colarik, 2008).
Social networking websites are the most popular websites today, and the number of users is growing by leaps and bounds. They provide excellent services for making new friends, finding old friends and sharing pictures and videos, and have become one of the most entertaining tools on the Internet. Registered users must share some basic information about themselves, but they have the option to share unlimited personal and family information. Users share this information with friends and relatives and to make their pages interesting and funny. Social engineers use these websites to prey on potential targets. SE attacks are easy to attempt, low-cost and very difficult to trace back. Online SE attacks are usually variants of traditional information security attacks such as malware and worms, but on a social networking website the social engineer exploits the trust between the victim and the victim's friends to obtain sensitive and valuable information (Podgórecki et al., 2006).
Social engineering tools are designed by hackers and crackers to compromise the target machine by spreading viruses and malware. The following are some other forms of online social engineering commonly used by attackers.
• Piggybacked software installation: usually an offer on the Internet to download and install free software such as a game or a media player. Hidden within the program is spyware that monitors your activity on the system and is able to tamper with and extract information from it (Murr, 2012);
• Mail: email alerts, either from one of your friends or from an unknown well-wisher, informing you about something mysterious or warning you about your system. As soon as the user opens the file or an attachment, spyware is downloaded onto the system unnoticed (Murr, 2012);
• Fake anti-spyware: utilities and software available free on the Internet that are supposed to protect you from spyware, but are in fact spyware themselves. They are very attractive, sensibly planned and well advertised on the Internet, so be very careful;
• Spam mail: you often receive an email telling you that you have won a lottery, or that you are the millionth visitor of a website and have therefore earned a gift. The subject is usually “You won the lottery”. Another method is to offer huge discounts or a very valuable product at a low price so that you provide your account information.
The number of Internet users is increasing day by day. Individuals and companies use the Internet for correspondence, and social websites and instant messaging to stay connected. Information about companies and their executives is easily available on Facebook and LinkedIn, and employees follow them regularly. When building a profile people share their personal information, even contact numbers, addresses, hobbies and activities, which makes it easier for social engineers to exploit them through their personality traits.
2.6 Earlier Work
2.6.1 Social Engineering Attack Model
Hacking and malicious software are the earliest forms of attack on information security, but their efficiency and results are decreasing because companies are investing heavily in cutting-edge technology to counter technical attacks. Intruders are therefore developing non-technical methods to do their dirty work. Social engineering is such an alternative, and it is more successful because it uses psychological weaknesses and vulnerabilities (Chitrey, 2012).
The social engineering attack cycle is explained in a four-step model:
Step 1: Information gathering. Social engineers accumulate information about their targets, such as the nature of the job, position, privileges, authority and powers, and weaknesses.
Step 2: Development of relationship. Social engineers then try to build a relationship of trust. Once they have gained contact with and the trust of the target, it is easier for them to exploit the weaknesses and pursue their real goals.
Step 3: Exploitation of relationship. In this phase the attacker manipulates the primary information, the relationship with the target and the target's weaknesses to get the real information he is after.
Step 4: Execution to achieve objective. After obtaining sensitive and private information from the target, the attackers use it to plan and execute the real attack on the organisation.
Figure 4: Social Engineering attack cycle
A concept model proposed by Janczewski:
Figure 5: A Concept
Oosterloo proposed an attack structure comprising four phases, derived from the basic attack cycle.
Figure 6: Attack Structure
The following are some possible tactics that can gain the psychological attention of humans:
− Profiling
− Piggybacking
− Identity theft
− Item dropping
The following psychological principles are also discussed:
− Overloading
− Strong effect
− Deceptive relationship
− Authority
− Integrity
2.6.2 Social Engineering Trust Model
A trust model designed by Laribee explains how a social engineer develops a relationship with the target and, after developing the relationship, how he or she obtains the relevant information to design and execute the actual attack on the organisation.
Figure 7: Trust Model
Social engineers build a trust relationship with the target primarily because people can only be deceived when they trust the social engineer; otherwise they will not share sensitive information. Once trust has been developed, collecting information is easier and faster. The information can be collected directly or indirectly. "By design, social engineering involves the abuse of trust relationships." (htt)
2.7 Social Engineering Risk Management
Every organisation has to manage risk in order to continue operating. Therefore, higher management introduces a process to keep risks and vulnerabilities at a minimal level (Oosterloo).
A social engineering risk management model is built specifically to deal with threats and attacks and to prevent leaks and theft of information. Organisations must plan and implement the social engineering risk management model within the scope of the company's information security policy. This model helps to:
• reduce the redundancy of risk
• prevent uncertain loss
• identify risk
• update the information security policy for smooth operations
2.7.1 Insider
Inside threats and weaknesses are as disastrous as technological attacks, so an organisation should not depend solely on the technological aspect. Moreover, viruses and hackers can be identified and eliminated more easily than an inside leakage of information or an accidental loss of data can be detected and prevented. An insider can cause far more damage and has numerous opportunities to cause it (Colwill).
Figure 8: Types of Network Security Threats
Insiders do not need to do research. They have access to major areas and information of the company; they have access to sensitive information and they are trusted. It is very difficult to draw the line between an employee using IT resources and a person who misuses his authority (Magklaras, 2001).
Figure 9: Size of Companies
The security policy places restrictions on the access to and usage of the information stored in the organisation, but it becomes very complex if more than one employee or high-level manager is using, entering and manipulating the same information.
Misuse can be either accidental or intentional. The former is excusable and may save the day for the employee, but intentional misuse is absolutely different. There may be one or more reasons for intentional misuse, for example data theft, or perhaps the employee is simply not willing to follow the rules out of habit. Accidental misuse is prevented by introducing protocols and a code of conduct; for example, if an employee plugs in his or her USB device and ends up corrupting the system, it is called accidental.
Liu has reported that two-thirds of security breach incidents are caused by inside employees and insiders (Liu, 2008). It is widely observed that organisations focus more on technological tactics, such as installing firewalls and software to protect the network from outside attacks, but that insufficient effort and resources are devoted to countering social engineering. The biggest reason is that organisations do not realise or recognise that it is happening. Even if they know they have suffered a social engineering attack, it is easier to stay in denial and protect their reputation among peers, the public and competitors (Colwill, 2009).
Figure 10: Types of misuse and reporting frequency
The hypothesis of situational crime prevention theory states that for a crime to occur the elements of intention and opportunity must both be present (Theoharidou, 2005). ISO 17799 (ISO/IEC: 2000) and other organisations have proposed security controls to protect information systems from insider threats, but before such controls and policies are implemented a risk analysis survey is necessary. These controls include:
• Roles and responsibilities
• Staff personnel screening
• Non-disclosure agreement about confidentiality
• Information security training for awareness purposes
The social engineering risk management model defines the risk management process and, as a result of careful planning and execution, yields control of the attacks and the risks involved. It is designed to defend against attacks and to secure information as far as possible. There are several international standards, defined by numerous governments, that serve as a touchstone or guide to the design and implementation of the model in an organisation (Janczewski & Colarik, 2008).
Social engineering risk management can be categorised as shown in the figure below. It categorises risks by significance level and likelihood (because “risk impact” = significance level × likelihood).
Figure 11: Social Engineering Risk Management
A risk of high significance and low likelihood should be transferred. A risk of low significance and low likelihood should be accepted. A risk of high significance and high likelihood should be avoided. Lastly, a risk of low significance and high likelihood should be mitigated.
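As an added example that is not part of the dissertation, the matrix above applied to a constructed register of social engineering risks: each risk gets an impact score from the formula and a treatment from the four quadrants, and the register is ordered by impact. The 1 to 5 scoring scale, the threshold of 3 for “high”, and the register entries are assumptions made for the example.

```python
"""Applying the section 2.7 risk matrix to a social engineering risk register.

Added example; not from the dissertation.  Rule used, as the text states it:
risk impact = significance level * likelihood, and
high significance / low likelihood -> transfer, low / low -> accept,
high / high -> avoid, low significance / high likelihood -> mitigate.
The 1-5 scale, the "high" threshold of 3 and the sample risks are assumptions.
"""
from dataclasses import dataclass
from typing import List

SCALE_MIN, SCALE_MAX = 1, 5
HIGH = 3  # a score of 3 or more counts as "high" (assumption)

# (significance is high?, likelihood is high?) -> treatment from the matrix
TREATMENTS = {
    (True, False): "transfer",
    (False, False): "accept",
    (True, True): "avoid",
    (False, True): "mitigate",
}


@dataclass(frozen=True)
class Risk:
    name: str
    significance: int
    likelihood: int

    def __post_init__(self) -> None:
        # Reject scores outside the assumed scale so a typo cannot silently
        # land a risk in the wrong quadrant.
        for label, value in (("significance", self.significance),
                             ("likelihood", self.likelihood)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(
                    f"{label} must be in {SCALE_MIN}..{SCALE_MAX}, got {value}")


def risk_impact(risk: Risk) -> int:
    """The page's formula: risk impact = significance level * likelihood."""
    return risk.significance * risk.likelihood


def treatment(risk: Risk) -> str:
    """Map a risk onto the transfer / accept / avoid / mitigate quadrant."""
    return TREATMENTS[(risk.significance >= HIGH, risk.likelihood >= HIGH)]


def prioritise(register: List[Risk]) -> List[dict]:
    """Return the register ordered by impact (highest first) with treatments."""
    rows = [{"name": r.name, "impact": risk_impact(r), "treatment": treatment(r)}
            for r in register]
    return sorted(rows, key=lambda row: (-row["impact"], row["name"]))


# Constructed register; the scores are illustrative, not taken from the text.
SAMPLE_REGISTER = [
    Risk("phishing email with rogue link", significance=4, likelihood=5),
    Risk("executive impersonation by phone", significance=5, likelihood=2),
    Risk("dumpster diving of unshredded rosters", significance=2, likelihood=4),
    Risk("shoulder surfing in a badge-controlled area", significance=1, likelihood=1),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_REGISTER):
        print(f"{row['impact']:>3}  {row['treatment']:<9} {row['name']}")
```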
2.8 Social Engineering Attack Vectors
A social engineering attack can be initiated from many different vectors. A phone call could be made by an attacker to extract data; an email phishing attack can be composed to look like a legitimate request for sensitive information; or there may be a physical intrusion into the building by someone claiming false credentials. The reality is that a skilled social engineering attack can fool even the most paranoid “tin foil hat” wearers (Klevinsky et al., 2002).
Alarmingly, when it comes to social engineering, people's curiosity often seems to kill the cat. The most common and well-known issue is the user who clicks on a rogue link in an email or on a social media site that propagates malware. Malware originating from social media sites is growing at an alarming rate (Long, 2011). Everyone seems to want to see “the guy who was on fire for a day and was not burnt” or to answer the “100 facts about me” questionnaires that can easily be used to recover personal accounts.
Successful social engineers research their target thoroughly. The more information the attacker has, the more questions they can answer and thus the more convincing they can be. Remember that the goal of a social engineering attack is to get the information or data needed, or to convince the target to perform an action that benefits the intruder.
A good penetration testing company that has landed a contract to thoroughly test the security of an organisation without many “off limits” areas will normally spend days performing passive research before the pen testers fire their first shot (Tolman, 2008). They will find everything they can, and trust me, the amount of public information available if you know where and how to find it can be rather shocking. With a simple crafted search engine string you could find information about yourself that you might have thought was private.
There are many vectors for a social engineering attack. Each is very dangerous and has an alarming success rate, and the more information available to the attacker, the more threatening the attack will be. Know your users, your organisation's weaknesses and what information is publicly available (Podgórecki et al., 2006). Only then will you know where to begin eliminating sensitive information where possible, or know better what to educate your employees to look out for, and be able to give examples of inquiries that should raise flags. If possible, hire professionals to assess your organisation's current level of security awareness. Lastly and most importantly, nothing will be effective against an attack if your employees simply do not care. Be creative and find a way to keep security on their minds.
2.9 Incident Management
An incident is an unexpected and disruptive event that affects an organisation. An incident may be intentional or unintentional, and it is important to deal with it in a good way. A single incident does not necessarily lead to bad consequences for an organisation: an intrusion or an attempt to steal information that fails is still an incident.
An organisation must have defined procedures for how to document an incident. The purpose of documenting all incidents is to create a bank of experience that can be used to improve the organisation's information security (Hadnagy, 2010). When an incident occurs, the organisation should have a process for investigating what happened and who or what was behind it. It is then possible to impose a disciplinary sanction on the employee who violated the security rules. When an incident with malicious consequences occurs, a new risk analysis should also be carried out.
The challenge is to discover an incident, react according to documented procedures and then neutralise the threat so that it will not happen again. Incident management must be an ongoing process consisting of six steps. The six steps are the cornerstones of a cycle that is an important part of an organisation's security (Grebmer, 2008). Step one is protection, which means being able to act before an incident has occurred and, if it does occur, keeping the damage minimal. Protection also includes the development of guidelines for incident management. Step two is identification, where it is important to find out what happened or what caused the incident. This can be problematic, because one incident can trigger a dynamic chain of events and it can be difficult to know exactly what started the chain. Step three is reporting, which is the foundation for how to proceed in incident handling (Mann, 2012).
It is also the basis for further investigation of what really caused the incident. Step four is to control or reduce the cause of the incident. Step five is to restore the system and its information, after the problem the incident caused has been corrected or, in any case, the risk of it happening again has been reduced (Hadnagy, 2010). Step six in the cycle is follow-up, and it is an important step when it comes to preventing future incidents with adverse consequences. The follow-up covers the knowledge gained, which is used to prevent identical and similar incidents. Each step of this process provides the input to the next step, and step six provides the input to step one.
2.10 Resolution Approach
Organisations occasionally hire companies to invest in improving information security. This can include hardware and software, training staff and implementing various security procedures. The most important thing is that the organisation continually updates its security procedures and its hardware and software. The problem may be that organisations forget, or do not bother, to update their security, because it can involve a large expense without anything physically visible having been improved. If the organisation purchases new hardware or software, the investment is more apparent in everyday work.
The threat posed by social engineering is mainly to the finances of an organisation or person, but it is also a major threat to the reputation of a person or body. It may involve spreading a false rumour so that an organisation's success fails to materialise. The person who carried out the social engineering attack did so for personal financial gain, or so that another organisation could take advantage of the affected organisation losing market share. What is most commonly stolen through social engineering is information or money (Shoniregun, 2005). The information stolen is that which can provide financial returns, or information that may harm the company: information that an organisation does not want unauthorised people to be able to access. To prevent a social engineering attack from leading to very negative consequences, some action can be taken. Most important of all is that the management of an organisation is aware of how important it is to train their staff and to keep their security procedures and information security policy up to date. Management must be prepared to provide financial support in order to work continuously on training, security procedures and the proper functioning of the information security policy.
Chapter 3: Methodology
3.1. Introduction
This methodology section provides comprehensive details about the theoretical framework of this study and its suitability for identifying the point of the study, discussing the design of the research, the researcher's role, the questions and sub-questions answered in the study, and the methods of data collection and analysis.
3.2. Research Methodology
The major task of any science is gaining insight, and selecting the most appropriate method that enables us to understand the actual facts is therefore important. The issue arises in believing erroneous findings, or vice versa (Dawson, 2002). Deductive and inductive methods have different objectives, which can be summed up as theory analysis and theory development respectively. Usually the inductive method is connected with the qualitative way of doing research, whereas the deductive method is frequently connected with the quantitative way (Kothari, 1985).
Dawson (2002) describes qualitative approaches to study as “a collection of interpretive approaches, which seek to describe, decode, interpret and otherwise come to terms with the meaning, not the incidence, of certain more or less naturally occurring phenomena in the social world.” Almost all research will contain some numerical information that could usefully be quantified to guide responses, study questions and the completion of the main goals (Dawson, 2002). Quantitative information refers to all such information and can be a product of any study plan. This style is an easy approach to accumulating suitable information from a significant number of samples.
Research in primary care can combine qualitative and quantitative methods in mutually enriching ways, and there are multiple ways to combine them. Qualitative research may precede quantitative research, generating hypotheses and/or test items for a quantitative questionnaire. Symmetrically, quantitative work can facilitate qualitative research by identifying subjects to participate in the qualitative approach. Both kinds of research can be used together in a coordinated approach that is broader and richer (Guba & Lincoln, 1988).
The use of these two methods in the study could help correct the biases inbuilt in each method, but the fact that the quantitative approach is the most commonly applied is not accidental; it stems from the development of the scientific method over the years. It is believed that quantification enhances our understanding of the world around us. The qualitative method of research is recognised as descriptive, employing words and images instead of numerical figures to convey the outcomes of the research study (Greene, 2002). Therefore, the secondary approach to research will be selected as the better approach for conducting this research study.
3.3. Research Philosophy
A researcher can choose one of two major philosophies for a research study, namely the positivist and the interpretivist philosophies (Meyer & Redd, 2004). The researcher adopts a more scientific perspective when employing a positivist philosophy, seeking to establish law-like generalisations when working with observable social occurrences. On the other hand, the interpretivist school of thought considers society and the happenings therein far too complex to be generalised or interpreted as simplistic (or even complex) equations connecting a set of independent variables to a dependent variable. The interpretivist or phenomenological standpoint is thus more focused on studying the reality behind the details and developing a better understanding of these occurrences. Given that the present study seeks to gain a deeper insight into future sustainability in the competitive business environment, the research philosophy underpinning the current study is the interpretivist one rather than the positivist school of thought (Meyer & Redd, 2004).
3.4. Research Approaches
Methodology refers to the set of rational procedures used to achieve a range of objectives governing scientific research, a doctrinal exposition, or tasks that require specific skills, knowledge or care. Alternatively, methodology can be defined as the study or choice of an appropriate method for a given purpose (limat.org, 2012). There are two ways to analyse research data, as follows.
Qualitative research, or qualitative methodology, is a research method used primarily in the social sciences. It is based on methodological approaches grounded in theoretical principles such as phenomenology, hermeneutics and social interaction, using data collection methods that are not quantitative, in order to explore the social and describe reality as experienced by the corresponding actors (Dawson, 2002). Quantitative methodology is that which allows data to be examined scientifically, or more specifically in numerical form, generally using tools from the field of statistics. Quantitative methodology requires that the relationship between the elements of the research problem can be represented by a numerical model, whether linear, exponential or similar. This means that there is clarity between the elements that make up the research problem: it is possible to define, limit and know exactly where the problem starts, in which direction it goes and what kind of impact its elements have on each other (limat.org, 2012).
This research requires a mixed research approach, combining both qualitative and quantitative approaches. This approach enables researchers to combine depth and breadth in experimental investigation, which enhances the legitimacy of the research findings (Modell, 2010).
A qualitative and quantitative approach was used in this study to determine the importance of future sustainability for businesses within the context of an emerging competitive environment. The literature review is based on qualitative research, whereas the data is collected through a survey questionnaire.
3.5. Research Design
A research design gives the steps and shape of the research approach and determines the ways in which data can be placed or designed. It is one of the most important steps in developing the data and the right way of doing so. The research design has to be well suited to the questions being determined. This makes the process easier and more convenient and the research easier to understand.
3.5.1. Descriptive Design
Descriptive research provides a description of the state of affairs as it exists at present. It gives
descriptions on the variables which are more relevant on the conclusions (Goddard & Melville,
2007).
3.5.2. Experimental Design
Experimental research is primarily concerned with cause and effect. Research identifies the
variable of interest, and tries to determine if changes in one variable (called the independent
variable or cause) result in changes in another (called the effect). Experimental research might be
used to determine if a certain material is fire-resistant or if a new teaching method achieves
better results (Goddard & Melville, 2007).
3.5.3. Surveys by Questionnaire
A questionnaire is a set of questions pertaining to the field of study, distributed amongst
professionals or the general public, as the case requires for the subject (Dawson, 2002). It is
crucial to cover the breadth of the subject. It is undertaken to come to a research conclusion
based on the data that is collated (Goddard & Melville, 2007). It is more of a generalisation of
the research data based on the questionnaire. Confidentiality must be imposed on certain
questionnaires. Another method that will be used is an e-mail survey. A questionnaire will be
prepared and e-mailed to the staff, who will have to fill it in and return it to the researcher
within the given time. The questionnaire has to be designed as simply as possible, because filling
in a questionnaire requires literacy and it has to be filled in personally (FAO).
The questionnaire will contain multiple-choice questions and open-ended questions, so a hybrid
approach will be used here, as with the interviews. The advantage of conducting surveys by e-mail is
that it is quick and time-saving. The disadvantage concerns people who do not use computers
(Pierce).
3.5.4. Interview
Interviewing is also known as a first-hand information collection technique. The interview is a
primary source of information. It is known as a two-way systematic conversation between the
researcher and the source (Alemayehu).
In our case interviews will be conducted individually. People seem more willing to speak than to
write. Interviews will be documented so that they can be used for future reference. There is also a
possibility that interviews may be recorded, because this saves time and it is sometimes hard to
take notes and ask questions at the same time. A mixed approach of directive and non-directive
interviewing will be used. For busy officials and senior managers who might not be in the office,
interviews can be conducted by telephone. The interviewing process will consist of the following
stages. Interview preparation will be done before conducting the interview. After the introduction
and an explanation of its purpose, the interview will be carried forward. Notes will be taken and
the interview will be recorded as needed, and then the interview will be closed.
3.5.5. Phishing
To observe the behaviour of employees, phishing will be used as a technique. E-mails will be sent
to employees at their official e-mail addresses. This will be done with the executives' permission,
to analyse the level of risk and threat to the organisation, namely whether staff give out details
of sensitive data or share passwords.
3.6. Action Research
The research gathers comparative data about specific performance and about the general topic.
This is a more practical, face-to-face kind of research, in which the research is performed
taking into consideration professionals already excelling in their respective fields. This kind
of research is carried out to approach individuals for immediate feedback, in order to improve or
bring change to practices in a systematic manner (Kothari, 2006). This research format
was used with selected professionals working in TESCO as well as a few employees.
3.6.1. Primary Data
The study of a subject through first-hand observation and investigation is what is referred to as
primary data. This is what I have done in my project, but to conduct primary research I have also
drawn on my background of work. The primary data in my research has come from my
observation and my experience. This data was collected from employees in manager positions by
mailing surveys. The questionnaire has been helpful in collecting and collating the basic data
from people, interviewing them and coming to some important conclusions from the surveys
(Dawson, 2002). This collected data overlooks TESCO's sustainability plan for the future.
3.6.2. Secondary Data
Secondary data refers to data which have already been collected and analysed by someone else.
Secondary data involves data that is already publicly available by means of books, journals,
census data, articles, magazines, reports, newspapers, tourism websites, scholarly articles, the
internet, databases, etc.; it involves the collection of data that other researchers have made on
the subject (Kothari, 2006). In my research I have used secondary data which was already
collected and analysed by someone else. In my research I have collected the related data on the
importance of sustainability in the competitive world of today.
3.7. Analysis of Data
The descriptive analysis methodology has been used to analyse the findings of the survey. The
main reason for this is that the research is predominantly exploratory in nature, and it is
generally accepted that, for inductive and exploratory research, qualitative methods are most
suitable, as they can lead to hypothesis building and explanations (Tony, 2011).
3.8. Ethical Issues
Gathering reliable and appropriate knowledge about the world is, definitely, a valuable target in
itself. However, it is not necessarily the only or ultimate goal in average people's lives (Guba
& Lincoln, 1989). Other objectives, usually the everyday aspirations of human life, comprise
innumerable practices of daily life, or in general: personal happiness, security, harmony and
peace, the benefit of autonomy of action and of other human privileges, and for some the
personal deliverance of the soul. The knowledge collected by research can assist in accomplishing
any of these on certain occasions, but not always. It should be needless to point out that in
science one of the most damaging unlawful activities is the distortion of data and its outcomes.
One unpleasant damage is that the malefactor is wrongly awarded a degree; the worst is that
fabricated information may be employed in good faith by others, which can cause much fruitless
work. Thus, it was made sure that the data and information employed in the study are suitable and
reliable.
Chapter Four: Result and Discussion
4.1. Result
4.1.1 Survey
The questionnaire survey was completed by 54 respondents within an organisation. The questionnaire
focused on analysing the awareness of social engineering within organisations and among their
employees, and on examining the actions undertaken to manage the risk.
Figure 12: Respondents by Profession
The IT professionals, when asked to rate their awareness level regarding security threats,
reported a high degree of awareness, 86 percent, of whom 39 percent described themselves as aware
and 47 percent said that they are highly aware. Among security professionals, whose job is
primarily focused on ensuring the security of the organisation's systems, awareness was as high as
97 percent, with 62 percent highly aware and 35 percent aware.
[Figure 12 chart: Respondents by profession; categories Security Professional, IT Professionals; extracted values 31, 23]
Figure 13: Awareness of Social Engineering
The participants were asked to mention how many times they had been targeted by social
engineering. Around 43 percent of the participants said that they had been targeted, whereas 16
percent were confident that they had been targeted. The participants who were not aware of any
such attacks were up to 41%; however, they could not say definitely whether there had been attacks
or not.
[Figure 13 chart: Awareness of Social Engineering; categories Highly Aware, Aware, Somewhat aware, Never heard of it; series Security Professionals, IT Professionals; extracted values 47, 39, 12, 2; axis 0 to 70]
Figure 14: Social Engineering Attack Experience
Those participants who said that they had been victims of social engineering were then asked
what they believed the reasons behind such attacks were. Financial gain was the most voted
answer, with 51%, followed by access to proprietary information (46 percent of respondents) and
competitive advantage (40 percent). Revenge was voted for by only 14 percent of the respondents,
which is fortunately lower than expected.
Figure 15: Motivation for Social Engineering Attacks
[Figure 14 chart: Social Engineering Attack Experience; categories Not that I am aware of, Yes, Never; extracted values 41, 43, 16]
[Figure 15 chart: Motivations for Social Engineering Attacks; categories Financial Gain, Access to proprietary information, Competitive Advantage, Revenge, Other; extracted values 51, 46, 40, 14, 4; axis 0 to 60]
The participants who reported having been attacked by social engineering also tracked the
frequency of these incidents. Social engineering attacks occurred frequently: 25 or more attacks
in the past two years were reported by 32 percent of the respondents. It was no surprise that
large organisations faced more frequent attacks.
Figure 16: Attacks Frequency
The participants who had been attacked by social engineering scams were also asked about the
financial aspects of these attacks and how much each incident typically costs. The costs
include the disruption of business, customer outlays and revenue loss, including labour cost and
other overheads. Around 48 respondents said that the per-incident cost is around $25,000, whereas
larger organisations said that the cost of an incident is around $100,000.
[Figure 16 chart: Attacks Frequency; categories More than 50 times, 25-50, 5 to 24, Less than 5 times; series More than 5000 employees, All companies; extracted values 33, 15, 32, 20; axis 0 to 40]
Figure 17
Participants were asked whether or not new employees are a greater threat for social
engineering within an organisation when asked about social engineering techniques; 60
percent gave a positive response regarding new employees, followed by contractors, who were
voted for by 44 percent of the respondents. 38 percent of the respondents named executive
assistants who have access to executive calendars.
[Figure 17 chart: cost per incident; categories More than $100,000, $50,000-$100,000, $25,000-$50,000, Less than $10,000; series More than 5000 employees, All Companies; axis 0 to 40]
Figure 18
When asked about the most common type of social engineering, the participants identified
phishing as the most typical source (47 percent of the respondents), followed by social networking
sites such as LinkedIn used by new employees (39%).
Figure 19: Most Common Threats
[Figure 18 chart: categories New Employees, Contractors, Executive Assistants, Human Resources, Business leaders, IT Personnel; extracted values 34, 46, 53, 56, 56, 55; axis 0 to 70]
[Figure 19 chart: Most common source of social engineering threats; categories Phishing Emails, Social Networking, Insecure Mobile Device, Other; extracted values 47, 39, 12, 2]
4.1.2 Interviews
a. Can social engineering attacks be defended?
Interviewee 1: To attack an organisation, the hackers dedicated to social engineering exploit the
gullibility, laziness, good manners and even the enthusiasm of company personnel. So it is
difficult to defend against a social engineering attack, because victims may not realise they have
been deceived or may prefer not to admit it in front of other people.
Interviewee 2: An attacker who carries out a social engineering attack attempts to persuade your
staff to provide information, so that they may use the company's systems or system resources. This
approach is traditionally known as a scam plan. This can never be defended against in any way possible.
b. Can we relate politics with social engineering?
Interviewee 2: Politics, as a social engineering that manages human masses and reduces
uncertainty in people's behaviour, therefore relies first on a descriptive phase, consisting of
modelling these popular behaviours in order to define the general structures and constants.
c. What is the relation between economics and risk analysis?
Interviewee 1: The current economic crisis is obviously not escaping these manoeuvres of
rebuilding after destruction, which are usually aimed at a more centralised system to simplify
control. The economist F. William Engdahl describes on his blog the ins and outs of a programmed
phenomenon: "Use panic to centralize power."
4.1.3 Phishing
Phishing involves the use of e-mail to obtain personally identifiable information or confidential
information from a user. For example, attackers can send e-mail messages that appear to
come from valid organisations, such as banks or partner companies.
As the term phishing suggests (a fish biting the bait), these approaches are usually speculative and
contain a general request for information from a client. The realistic camouflage used in e-mail
messages, logos and fonts, and even business toll-free customer-care phone numbers that really
work, make the message more credible. Each phishing message contains a request for
information about the user, often framed as facilitating an upgrade or the provision of an
additional service. There is also spear-phishing, an extension of phishing in which the attack
is directed at a specific target or group within a department. It is a much more sophisticated
approach, since personal information and related activities are essential to make the
deception credible. To carry out an attack of this type it is necessary to have a better understanding
of the objective, but the information obtained will be more specific and detailed.
Even in this case the e-mail message may contain hyperlinks that can tempt a staff member into
breaching company security.
A phishing e-mail was sent to 10 randomly selected employees in the organisation. None of these
employees clicked or opened the scam link given in the e-mail.
4.2. Discussion
The goals of an attacker dedicated to social engineering, or of a person who attempts to gain
unauthorised access to computer systems, are similar to those of any other hacker: to obtain money,
information and the IT resources attached to them.
Many small and medium-sized businesses believe that hacker attacks are a problem only for large
multinational companies and organisations, which may offer greater financial rewards. Although this
may have been true in the past, the increase in cyber-crime makes it clear that, today, attackers
target all sectors of the community, from multinational corporations to individuals. Criminals can
steal from a company directly, shifting funds or resources, but they can also use a company as a
staging point from which to perpetrate crimes against other people. Faced with such an approach,
the authorities find it more difficult to trace the culprits.
The culture of inequality is not confined to the economic sphere. It also affects the configuration of
the perceptual field. Indeed, the basis of theories of monitoring, as summarised by Jeremy Bentham's
panoptic principle, is the dissociation of the pair "see" and "be seen".
This radical constructivism, from the Palo Alto school and very popular among consultants, does not
hesitate to consider that perception may be detached from any real referent. The engineering of
perceptions becomes an almost demiurgic activity of constructing collective hallucinations, shared,
standardised and defining the common reality, i.e. a stabilised set of forged causal relationships.
As advanced in the famous essay by the hacker Kevin Mitnick, social engineering is the art of
deception, more precisely the art of misleading others and exercising power over them by playing on
the failures and blind spots of their information collection and defence system. It is illusionism
and conjuring applied to the whole social field, so as to build a sham living space, a fake reality
in which the real rules are intentionally camouflaged.
These manipulation techniques rely on what is called "management science", a nebula of disciplines
that began to form a coherent corpus from the 1920s and whose major ideological lines are
summarised by information theory and cybernetics: namely, that living beings and conscious subjects
are information systems that can be modelled, monitored or hacked, just like non-living objects
composed of non-conscious information systems. The best known of these disciplines are marketing,
management, robotics, cognitive, social and behaviourist psychology, Neuro-Linguistic Programming
(NLP), storytelling, social learning and reality-building. The common point of these disciplines
lies in their relation to uncertainty, which they always try to minimise, if possible to zero. The
world is thus perceived only in terms of exchange systems and information processing that need to
be managed as effectively as possible, that is to say by reducing the uncertainty of their operation
by controlling them as accurately as possible. In addition, unlike the humanities and social
sciences, these management sciences do not only observe and describe their object of study; they
also intervene, in the sense of engineering, i.e. the work of reconfiguring a given system. When
this is done without the knowledge of the reconfigured system, the reconfiguration becomes a
stealthy violation of the integrity of the system and is called hacking. And when it applies to
humans, this interventionism usually aims at reconfiguring the given human material for the purpose
of reducing the uncertainty of human behaviour, whether individual or collective.
These models update the programs, routines and algorithms of behavioural and psychological
conditioning that human groups obey. The computer is the perfect tool, for example in the
complex (probabilistic and stochastic) calculation of crowd movements, which is used to manage
risks by occupational hygiene and safety bodies (building evacuation), but also by the police and
the army to supervise and prevent any demonstration that could destabilise the government. In
addition, the work of spying on a population, with a view to modelling what it thinks and thus
defusing new critical trends, requires monitoring, intelligence, information collection and
record-keeping, greatly facilitated by the development of "ubiquitous computing" (ambient and
diffused into the environment, as theorised by Mark Weiser) and by the cross-referencing of public
and private electronic databases through "expert systems" (interception of communications, payment
cards, etc.). The cross-referencing of information gleaned from digital networks, in order to
calculate by profiling an estimate of the danger that a population (or individual) poses to the
powers that be, has understandably become, since the computerisation of society and the move of
many elements of people's lives online, a contemporary policy priority.
In his book Global Monitoring, Eric Sadin gives an almost exhaustive list of these new forms of
power, oriented not towards punishment but towards anticipation, whose hold is coextensive with the
strictly technological sphere. In the U.S., in the wake of the "Patriot Act", government electronic
monitoring programs appeared, such as "Total Information Awareness" (TIA) and the "Multistate
Anti-Terrorism Information Exchange" (MATRIX). In France, in 1978, Simon Nora and Alain Minc
published their famous report on the computerisation of society. In continuity with this, the
Ministry of Education has for several years been engaged in scanning discussion forums on the
Internet, subcontracted in 2008 to the opinion-strategy specialist company "i & e". The tender for
2009 includes the following missions: "Identify strategic issues (sustainable, predictable and
emerging). Identify and analyse strategic or structural sources of opinion. Identify opinion
leaders and whistle-blowers and analyse their potential impact and their ability to network.
Decipher the sources of debate and the modes of propagation. Identify meaningful information
(especially weak signals).
Track meaningful information over time. Address quantitative indicators (volume of contributions,
number of comments, audience, etc.). Bring this information together and interpret it. Anticipate
and assess the risks of contagion and crisis. Alert and recommend accordingly. Relevant meaningful
information is that which precedes a debate, a potential "opinion risk" crisis or hard times to
come in which the departments find themselves involved. (...) The Internet monitoring will focus
on strategic online sources: "commentator" sites of the news, protest, informative, participatory,
political, etc. It will also focus on online media sites of unions, political parties, thematic or
regional portals, sites of militant associations, protest or alternative movements, opinion
leaders. The monitoring will also include general search engines, general-public and specialised
forums, blogs, personal pages, social networks, as well as online calls and petitions, and other
diffusion formats (videos, etc.)."
4.2.1. The Shock Doctrine
Social engineering work, as the reconfiguring of a given human material, is always preceded by the
infliction of systematic shocks. Indeed, reconfiguring a system to make it more secure and
predictable requires first erasing its current configuration. Resetting a human group therefore
requires causing its amnesia by a founding trauma, opening a window for action on the group's
memory and allowing an outsider to work on it to reformat, rewrite and recompose it. The term
"shock strategy" to describe this method of social hacking was popularised by Naomi Klein. In The
Shock Doctrine: The Rise of Disaster Capitalism, the author highlights the homology between the
procedures of liberal capitalism and those of scientific torture as theorised in the manuals of the
CIA (with many references to psychiatric therapies for trauma), i.e. the intentional production of
regressive impact in the form of planned economic crises or methodical emotional trauma, to destroy
data structures down to a clean slate that allows new ones to be implemented.
We know the story of the software developer who himself broadcast viruses in order to then sell
anti-virus software to the owners of the infected computers. In the economic field, we also talk
about deregulation or liberalisation to evoke, by these intentional understatements, de-structuring.
Naomi Klein gives multiple examples, supported by the theoretical considerations of Milton
Friedman, which all converge on the purpose of destroying local, national or even lower-level
economies by deregulating and liberalising them, in order to re-regulate them by placing them under
the trust of private multinational companies or transnational organisations such as the
International Monetary Fund (IMF). Each time it is a matter of making an entity lose its sovereignty
and self-control, in order to put it under outside control. The major obstacle in this process is
the level of health of the entity, which lies in its level of political autonomy and sovereignty
and which naturally resists this attempt at reconfiguration by an external decision-making control,
the "hostile takeover" felt as alienation and transgression of integrity. The violence of the shocks
inflicted will measure the level of health and sovereignty of the entity, its level of resistance.
In addition, in a social engineering framework, it is not necessary that the shocks inflicted be
real; they can be merely dramatised in the field of perceptions. Systematic shocks can therefore
take the form of hoaxes and pure illusion, or interweave reality and illusion, as Alain Minc notes in
Ten Days that Shook the World: "Only a traumatic event will awaken us, as the effect of September
11, 2001 has faded. This may be a false alarm in London, the appearance of a cyber-virus that may
block the global computer networks, or the worst act of a psychopath who measures himself by the
number of his victims. Democracies do not anticipate, they react. Public opinion forbids preventive
measures that disrupt daily life but accepts decisions taken following a traumatic event. Nothing
would be better to put us on alert than a gigantic hoax, when it raises panic: a fake nuclear
blackmail would be good pedagogy."
To protect personnel from social engineering attacks, you need to know what to expect,
understand what the hacker wants to get and evaluate the value of the losses to the
organisation. With this information, you can increase the effectiveness of security policies so
that they also include defences against social engineering. This document assumes that the company
has security policies that define the objectives, practices and procedures recognised as necessary
to protect resources, information assets and staff from technological and physical attacks.
Changes to the security policies allow you to provide employees with information on how to react
to a person or a computer application that attempts to coerce or persuade them to expose
corporate resources or disseminate security information.
Threats of social engineering and related defences
The hacker who creates a social engineering attack has five main vectors:
• Internet
• Phone
• Waste Management
• Personal approaches
• Reverse social engineering
In addition to recognising these entry points, you must also know what the hackers hope to get.
Their goals are focused on achieving what matters to everyone: money, social advancement and
self-esteem. Hackers want to steal the money and resources of others and be recognised within the
company or their group of colleagues, in essence to feel important. Unfortunately, these goals are
achieved illegally through theft or damage to computer systems. Any kind of attack has costly
consequences, as it involves loss of money, income, resources, information, availability or
corporate credibility. When you design your defences against such threats it is important to
assess the costs of a possible attack.
Online threats
In today's increasingly networked business world, staff often respond to requests
electronically and use information from inside and outside the company. Such connectivity
allows hackers to get closer to corporate staff from the relative anonymity of the
Internet. The press often reports online attacks carried out by e-mail, pop-ups and
instant messaging applications that launch Trojan horses, worms and viruses, collectively
referred to as malware, in order to harm or violate computing resources. Implementing strong
anti-virus defences can counteract malware attacks.
A hacker dedicated to social engineering could persuade a staff member to provide information
using a ruse, or could infect a computer with malware by means of a direct attack. An attack
can give the attacker the information that enables a further attack with malware, but that
result does not belong to social engineering. It is therefore important to advise staff on the
best way to identify and avoid online social engineering attacks.
4.2.2. E-Mail Threats
Many members of staff receive dozens or hundreds of e-mails every day, from both corporate
mail systems and private systems. It becomes difficult to pay close attention to every message
due to the volume of e-mail. This fact facilitates the intervention of an attacker
dedicated to social engineering. In most cases, users of electronic mail are happy to manage
correspondence that is the electronic equivalent of moving sheets of paper from their in-tray to
their out-tray. If the attacker is able to make a simple request that is easy to
fulfil, the victim will satisfy this request without even thinking about what he is doing.
For example, a very simple attack could be sending an e-mail message to a staff member claiming
that the boss would like to receive the full holiday schedule for a meeting and wants the
names in the list copied into the message. It is easy to slip an external name into the copied
list and fake (spoof) the sender's name so that the message appears to come from an internal
source. This scam is called "spoofing" and is particularly simple if an attacker gains access to a
company computer, as this does not involve breaching the perimeter firewalls. Knowing a
department's leave schedule might not seem like a real threat to security; however, it
means that the hacker knows when a staff member is absent. An attacker can then impersonate the
employee on leave while running less risk of being discovered.
Over the past decade, the use of email as a tool of social engineering has become endemic.
There are a number of other options that the hacker uses in a phishing scam, including images
that are hyperlinks from which malware such as viruses or spyware is downloaded, and text
presented in an image, which allows hyperlink protection filters to be bypassed.
Most protection measures keep out unauthorised users. However, an attacker can bypass
many defences if he can trick a user into bringing a Trojan horse, worm or virus into the company
from a link. The hyperlink may also lead a user to a site that uses pop-up applications to request
information or to offer assistance.
You can use a matrix of attack vectors, attack targets, descriptions and costs to the
company, similar to the one shown in the following table, in order to facilitate the classification
of attacks and determine the risk to the company. Sometimes a threat can result in more than one
risk. Where this is the case, the following examples highlight serious risks in bold.
Table 1: Online attacks via e-mail and related costs
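One way to build such a matrix in code, as an added example that is not part of the dissertation: each row pairs one of the five vectors listed above with a target, a description, an assumed cost per incident and an assumed incident frequency, from which an expected annual loss is computed, ranked and rendered with serious risks in bold. The $25,000 per-incident figure is taken from the survey results above; every other cost, frequency and the SERIOUS_THRESHOLD policy value are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    vector: str                # one of the five vectors named in the text
    target: str
    description: str
    cost_per_incident: float   # USD, constructed estimate
    incidents_per_year: float  # constructed estimate from incident tracking

    @property
    def annual_loss(self) -> float:
        """Expected annual loss: cost per incident times expected incidents per year."""
        return self.cost_per_incident * self.incidents_per_year


# Assumed policy threshold above which a risk is reported as serious (USD per year).
SERIOUS_THRESHOLD = 100_000.0

# Constructed matrix: the $25,000 per-incident figure comes from the survey text;
# the frequencies and the other costs are assumptions for illustration only.
MATRIX = [
    Threat("Internet", "Staff mailbox", "Phishing e-mail leading to a credential-harvesting page", 25_000, 6),
    Threat("Internet", "Staff mailbox", "Spoofed internal request for the holiday schedule", 10_000, 3),
    Threat("Phone", "Help desk", "Caller impersonating an employee to obtain a password reset", 25_000, 2),
    Threat("Waste management", "Office bins", "Discarded printouts containing customer data", 100_000, 0.5),
    Threat("Personal approaches", "Reception", "Unescorted visitor reaching a restricted area", 50_000, 1),
    Threat("Reverse social engineering", "End users", "Attacker posing as support so that staff call them", 25_000, 1),
]


def is_serious(threat: Threat, threshold: float = SERIOUS_THRESHOLD) -> bool:
    """A risk is serious when its expected annual loss reaches the policy threshold."""
    return threat.annual_loss >= threshold


def rank(threats) -> list:
    """Threats ordered by expected annual loss, highest first."""
    return sorted(threats, key=lambda t: t.annual_loss, reverse=True)


def loss_by_vector(threats) -> dict:
    """Aggregate expected annual loss per attack vector, to prioritise controls."""
    totals = defaultdict(float)
    for t in threats:
        totals[t.vector] += t.annual_loss
    return dict(totals)


def render(threats, threshold: float = SERIOUS_THRESHOLD) -> str:
    """Markdown table in the style of the text's matrix; serious risks shown in bold."""
    rows = ["| Vector | Target | Description | Cost/incident | Incidents/yr | Expected annual loss |",
            "|---|---|---|---|---|---|"]
    for t in rank(threats):
        loss = f"${t.annual_loss:,.0f}"
        if is_serious(t, threshold):
            loss = f"**{loss}**"
        rows.append(f"| {t.vector} | {t.target} | {t.description} | "
                    f"${t.cost_per_incident:,.0f} | {t.incidents_per_year:g} | {loss} |")
    return "\n".join(rows)


if __name__ == "__main__":
    print(render(MATRIX))
    print(loss_by_vector(MATRIX))
```

Ranking by expected annual loss rather than by cost per incident is what makes the frequent, cheap phishing row outrank the rare but expensive waste-management row; the per-vector totals show where a single control (mail filtering, help-desk verification, shredding) buys the most.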
As with most of these scams, the most effective way to resist social engineering attacks is to
approach anything that arrives unexpectedly in the mailbox with scepticism. In order for this
approach to be supported within an organisation, it is important to include in the protection
criteria specific guidance on the use of e-mail covering:
• Attachments to documents.
• The hyperlinks in documents.
• Requests for personal and business information from within the company.
• Requests for personal and business information from outside the company.
In addition to these guidelines, it is important to provide examples of phishing attacks. If a user
can recognise one phishing fraud, it will be much easier to notice those of another type.
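The spoofing example in 4.2.2 and the e-mail guidance above (attachments, hyperlinks, requests that look internal) can be turned into mechanical checks that a mail gateway or an analyst's triage script applies before a user ever sees the message. The following is an added example and not code from the dissertation: it parses a raw message with Python's standard email library and reports three kinds of indicator, a Reply-To domain that differs from the From domain or a From address claiming the internal domain while SPF/DKIM failed, a hyperlink whose visible text names a different host than its real destination, and attachments with executable or macro-enabled extensions. The internal domain, both sample messages and the risky-extension list are constructed for this example.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Assumed internal mail domain (constructed for this example).
INTERNAL_DOMAIN = "example-corp.test"

# Constructed sample: the "holiday schedule" pretext from the text, with a
# display name that looks internal, an external Reply-To, a failed SPF check
# and a link whose visible text does not match its real destination.
SUSPECT_RAW = """\
From: "HR Department" <hr@example-corp.test>
Reply-To: hr-desk@mail-example-corp.invalid
To: staff@example-corp.test
Subject: Holiday schedule needed for tomorrow's meeting
Authentication-Results: mx.example-corp.test; spf=fail smtp.mailfrom=example-corp.test; dkim=none
Content-Type: text/html; charset="utf-8"

<html><body><p>The boss needs the full holiday list before the meeting.
Please update it here:
<a href="http://hr-portal.example-corp.invalid/login">https://intranet.example-corp.test/holidays</a>
</p></body></html>
"""

# Constructed sample of a legitimate internal notice, for comparison.
CLEAN_RAW = """\
From: "Payroll" <payroll@example-corp.test>
To: staff@example-corp.test
Subject: Payslips are available
Authentication-Results: mx.example-corp.test; spf=pass smtp.mailfrom=example-corp.test; dkim=pass
Content-Type: text/html; charset="utf-8"

<html><body><p>Your payslip is on the
<a href="https://intranet.example-corp.test/payslips">intranet</a>.</p></body></html>
"""

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm")  # assumed list


def addr_domain(value: str) -> str:
    """Lower-case domain of the first address in a header value, or '' if none."""
    m = re.search(r"@([\w.-]+)", value)
    return m.group(1).lower() if m else ""


def check_sender(msg, internal_domain: str) -> list:
    """Flag a Reply-To/From domain mismatch and failed SPF/DKIM on an 'internal' sender."""
    findings = []
    from_dom = addr_domain(str(msg.get("From", "")))
    reply_dom = addr_domain(str(msg.get("Reply-To", "")))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    auth = str(msg.get("Authentication-Results", "")).lower()
    if from_dom == internal_domain and any(t in auth for t in ("spf=fail", "spf=softfail", "dkim=fail")):
        findings.append("sender claims the internal domain but SPF/DKIM authentication failed")
    return findings


def check_links(html: str) -> list:
    """Flag anchors whose visible URL text names a different host than the href."""
    findings = []
    for href, text in LINK_RE.findall(html):
        real_host = urlparse(href).hostname or ""
        shown = re.sub(r"<[^>]+>", "", text).strip()
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
        # Plain words such as "intranet" contain no dot and are not treated as a URL claim.
        if "." in shown_host and shown_host != real_host:
            findings.append(f"link text shows {shown_host} but points to {real_host}")
    return findings


def check_attachments(msg) -> list:
    """Flag attachments with executable or macro-enabled extensions."""
    return [f"attachment {p.get_filename()} has a risky extension"
            for p in msg.iter_attachments()
            if (p.get_filename() or "").lower().endswith(RISKY_EXT)]


def assess(raw: str, internal_domain: str = INTERNAL_DOMAIN) -> list:
    """Return the list of phishing indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    return check_sender(msg, internal_domain) + check_links(html) + check_attachments(msg)


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_RAW), ("clean", CLEAN_RAW)):
        print(label, assess(raw) or ["no indicators"])
```

The sender check relies on the Authentication-Results header written by the organisation's own inbound gateway, so it is only meaningful on messages that have passed through that gateway; a header of the same name arriving from outside should be stripped there, since an attacker can otherwise supply a reassuring one.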
4.2.3. Change Management
Resistance to change: this is the main problem social engineering has to overcome. The question that
always arises for the practitioner is: "How can I cause the least resistance to my reconfiguration
work, how can I ensure that the shock inflicted does not provoke a backlash?" So how to make people
accept change and, if possible, desire it; how to make them join in the shock and the reformatting
that follows? How to make them like instability, movement, insecurity? In short, how to inoculate
entire populations with Stockholm syndrome? Is promoting in the public space keywords such as
"nomadism", "dematerialisation", "deterritorialisation", "mobility", "flexibility", "break",
"reform", etc. a prelude that prepares minds? It is by no means sufficient. In all cases, the direct
attack, whose visibility causes a counter-productive reactive rotation, must be abandoned in favour
of an indirect tactic, known as bypass in military vocabulary (Sun Tzu, Clausewitz).
The famous words of Jean Monnet, one of the founding fathers of the European Union, "People
only accept change in necessity and they do not see the need in the crisis", could be a motto for
all social engineers. A well-executed line of change consists of three steps: thaw the "frozen"
structures of the group by injecting disorder and disruptive factors leading to crisis (this is
step 1, creating the problem, the intentional destruction or "controlled demolition"); this
inevitably causes a destabilisation reaction and confusion in the group (this is step 2, where the
difficulty is to measure the disorder caused carefully, so as to avoid a total panic that might put
the system beyond the control of the experimenter); and finally step 3 provides a solution for the
re-stabilisation of the group, a heteronomous solution enthusiastically welcomed by the group to
calm its anxiety, without realising that in doing so it opens itself to outside interference.
Internal leaks are responsible for nearly one loss of information in two (Theft Barometer and information loss in 2010, KPMG studies). Whether through accidental deletion of data, loss or theft of computers, or industrial espionage, employees are at the heart of the problems related to the loss of strategic information in businesses. One cannot expect to protect information without controlling the risk posed by employees.
Employees are the first owners of the information and know-how of the company, and the risk of loss of information lies in the very nature of human beings: we cannot predict the behaviour of employees, and error is never far away. Human risk can thus take many forms.
Internal malice accounted for 21% of the incidents causing loss of information in 2010, according to the KPMG Barometer, an increase of 20% over three years (incidents recorded between January and June 2010). Whether it is industrial espionage in order to sell information to the competition, or simply the resignation of an employee who goes to work for a competitor, taking with him his expertise and possibly key data, the consequences can be dramatic. For example, the company CCM Leather saw its turnover divided by three in ten years as a result of the poaching of its new employees by a competitor. Dissatisfaction at work, frustration, disappointment, need for money, playfulness ... the list of reasons pushing employees towards malice is long. Internal risk is even stronger in times of economic crisis, as the need for money, uncertainty about the future and frustrating situations are increasingly common and weaken employees.
Another type of human risk lies in social networks, which, it cannot be overemphasized, represent a powerful means of information leakage for companies, either because employees post confidential information about their work online, or because hackers use data collected from employee profiles to guess passwords or to gain their trust in order to extract information. The latter two techniques are part of what is called social engineering. A test performed on the occasion of the Defcon hacking conference in July 2010 targeted 135 employees of 17 large companies (Coca-Cola, Ford, Wal-Mart, etc.). The result is alarming: 96% of these employees, contacted by phone or by mail, disclosed sensitive information (version of the operating system, antivirus software, browsers used in the company, etc.). How then to explain the boom in social engineering, and in particular the fact that so much information filters through social networks? One explanation is that employees have trouble distinguishing the boundary between their professional and personal lives. Nor are they aware of the many ways in which the information they post online can be used.
Whether they fall under social engineering or not, the attempts to approach employees are many and varied and are an important risk factor to take into account. Fake job interviews, journalists, researchers, etc.: there are many pretexts to get employees to disclose information. Employees can also be approached through those close to them (family, friends and lovers). These approach attempts sometimes rely on complex psychological principles and methods, which make them very difficult to prevent. And often the employee notices nothing! The human being is, by its very nature, full of flaws and is therefore extremely easy to manipulate. The naivety of employees who give away information without realizing it, out of a need to talk and to be heard, is to blame. Employees' feelings of frustration also represent a real gold mine to be exploited by human intelligence specialists. By finding the employee's flaws, they manage to manipulate him by letting him see a future satisfaction in delivering confidential information.
More simply, an employee may commit negligence leading to leakage of sensitive information. Whether in conversations in public places, working on a laptop on a train or a plane, or even a seemingly trivial discussion with a potential client at a trade show, employees usually talk a lot about their work, regardless of where they are or who is in front of them. They do not realize that they can be listened to. Overconfidence, a typically French attitude, is also involved: people tend to talk easily to people they barely know. Yet competitors are constantly on the lookout, and there is always someone to collect strategic information left lying around. The loss or theft of documents or computer media is also a major vector of information leakage, as is the misuse of computer resources. The latter is often due to poor knowledge of the procedures and risks.
Most of the time, information leaks attributable to employees occur unintentionally, but the consequences can be dramatic, especially for SMEs, whose balance is fragile and which have few means of protection.
In general, employees do not feel involved in the protection of information; they do not think they hold important information. The need to protect information is not something they have in mind, and they are not aware of the damage that an information leak can cause to their business.
The first thing to do is to consider the welfare of employees at work. By cultivating listening, recognizing and valuing employees, managers develop a sense of employee loyalty to the company, which protects against deviant behaviour. It also becomes much easier to detect information leaks: employees who feel confident dare to speak to their manager about a mistake they may have committed or about doubts they feel in a given situation. The welfare of employees at work grows through the behaviour of the hierarchy, but can also be boosted by the introduction of team seminars to strengthen the bonds of trust between the team and line management.
Then it is important to educate all employees of the company about the need to protect information. They must be made aware of the risks related to information and of the methods used by those who "prey" on information leaks. They must also know the many situations in which they must be vigilant, and the safe behaviours to adopt. The best way is to use concrete examples, close to the employee's daily life, and to repeat the awareness message regularly. A simple oral reminder from the hierarchy may prevent the company from leaking information. The members of the management team also have a role to play with such employees. Companies that know how to cultivate trust increase the receptiveness of their employees to the awareness message.
Parallel to these actions, the company must establish legal protection through contract clauses: discretion, non-competition, patents, etc. This provides legal protection in case of proven information leakage and also has the merit of raising awareness and empowering employees.
Similarly, procedures and technical measures help to protect the company against human risks, including in the computer system: automate session locking and regular password changes, forcing employees to take these basic safeguards whether they like it or not.
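The two technical controls just named, automatic session locking and forced periodic password change, can be checked rather than assumed. The following audit script is an added example and not part of the dissertation: it parses the password-ageing keys of a Linux `/etc/login.defs` file and the idle-lock keys of a GNOME dconf keyfile (the format used under `/etc/dconf/db/local.d/`), and reports every setting that fails the policy. The sample file contents are constructed for the example, and the thresholds (a 90-day maximum password age, a lock after at most 15 minutes idle) are assumptions rather than values from the text.

```python
"""Audit session-lock and password-ageing settings (added example, not the
dissertation's own code). Sample configurations below are constructed."""
import re

MAX_PASSWORD_AGE_DAYS = 90   # assumed organisational threshold
MAX_IDLE_SECONDS = 15 * 60   # assumed: session must lock within 15 minutes idle

# Constructed sample: distribution defaults, i.e. no forced rotation, no lock.
WEAK_LOGIN_DEFS = """\
# constructed sample login.defs
PASS_MAX_DAYS\t99999
PASS_MIN_DAYS\t0
PASS_WARN_AGE\t7
"""
WEAK_DCONF = """\
[org/gnome/desktop/session]
idle-delay=uint32 0
[org/gnome/desktop/screensaver]
lock-enabled=false
"""

# Constructed sample: the corrected settings.
HARDENED_LOGIN_DEFS = """\
PASS_MAX_DAYS\t90
PASS_MIN_DAYS\t1
PASS_WARN_AGE\t14
"""
HARDENED_DCONF = """\
[org/gnome/desktop/session]
idle-delay=uint32 600
[org/gnome/desktop/screensaver]
lock-enabled=true
lock-delay=uint32 0
"""


def parse_login_defs(text):
    """Return {KEY: value} for the non-comment 'KEY value' lines of login.defs."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1]
    return settings


def parse_dconf_keyfile(text):
    """Return {'section/key': value}; strips GVariant type prefixes ('uint32 600' -> '600')."""
    settings, section = {}, ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        typed = re.match(r"^(?:u?int32|u?int64|double)\s+(\S+)$", value)
        if typed:
            value = typed.group(1)
        settings[f"{section}/{key.strip()}"] = value.strip("'\"")
    return settings


def audit(login_defs_text, dconf_text):
    """Return a list of findings; an empty list means both controls are in place."""
    findings = []
    ld = parse_login_defs(login_defs_text)
    max_days = int(ld.get("PASS_MAX_DAYS", "99999"))
    if max_days > MAX_PASSWORD_AGE_DAYS:
        findings.append(f"PASS_MAX_DAYS is {max_days}: passwords are not forced to "
                        f"change within {MAX_PASSWORD_AGE_DAYS} days")
    dc = parse_dconf_keyfile(dconf_text)
    if dc.get("org/gnome/desktop/screensaver/lock-enabled", "false") != "true":
        findings.append("screen lock is disabled (lock-enabled is not true)")
    idle = int(dc.get("org/gnome/desktop/session/idle-delay", "0"))
    # idle-delay of 0 means 'never', which is the worst case, not the best one
    if idle == 0 or idle > MAX_IDLE_SECONDS:
        findings.append(f"idle-delay is {idle}s: session is not locked within {MAX_IDLE_SECONDS}s")
    return findings


if __name__ == "__main__":
    for label, ld, dc in (("weak", WEAK_LOGIN_DEFS, WEAK_DCONF),
                          ("hardened", HARDENED_LOGIN_DEFS, HARDENED_DCONF)):
        print(label, audit(ld, dc) or ["compliant"])
```

The weak configuration produces three findings and the hardened one none. On a real host, feed `audit()` the contents of `/etc/login.defs` and of the site dconf keyfile; note that `PASS_MAX_DAYS` only applies to accounts created after it is set, so existing accounts should also be checked with `chage -l`. Forced periodic rotation is the dissertation's recommendation; current NIST SP 800-63B guidance advises against mandatory periodic change when there is no evidence of compromise, so treat the 90-day threshold as a placeholder for whatever the organisation's policy actually sets.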
In general, guarding against the human risk of leaking sensitive information is neither complicated nor expensive once it is realized that management is the cornerstone of any approach. Focused on the development and recognition of employees, it should make it possible to establish a climate of confidence and wellbeing in the company that will develop the sense of belonging.
Conclusion
From experience, reasoning about levers and reasoning about risks are very complementary: steering means both seeking to improve and seeking to limit the occurrence or the impact of deterioration factors. We can therefore recommend, in any steering that bears on a project, a process or any other object, reviewing for each objective pursued not only the levers but also the risks and the control devices. This is probably an underdeveloped aspect of management control; it must integrate risk management in its range of tools and approaches. Moreover, the proposed approach would no doubt benefit from being supported by experiments with similar approaches in other cases.
The case we have presented has, in fact, some limitations with respect to the model presented: we have discussed the implementation of this risk method for type 1 (control of an activity within a framework of experience, e.g. maintenance work), type 2 (control of an activity in an innovation framework, e.g. activities in the field of safety), type 3 (control of a process within a framework of experience, e.g. the marketing process) and type 5 (coordination of a set of processes related to the same value chain, such as the steering of a regional transport corridor). Other experiments remain to be carried out in a context of change.
One can also note that in terms of risk management, the claim to completeness is illusory. The answers are procedural rather than substantive: establish a regular listening environment, keep the set of relevant risks as up to date as possible, and develop management methods under which one can first discuss the risks and then implement the terms of a collective effort to manage them. In this sense, an organization in some way "chooses" its risks in terms of attention and priorities. Risk analysis and action on risk go through a strategic study "focused" on the action system, on the resources and skills it mobilizes and on the environment in which it operates, which requires the active participation of stakeholders, who hold much of the knowledge required by this type of study. Awareness, accountability and incentives are essential factors in the management of risk. They have an individual dimension, but often also a collective one, as much risk is present at more or less comprehensive levels of coordination (activity, process, value chain). Like many disciplines (ergonomics, quality, safety), risk management must specifically address the organizational dimension of action, for which the concepts of process and project can play a pivotal role.
These two complementary approaches have helped to give the management of the company:
- Firstly, a risk mapping on a sample of activities. This mapping helped to raise awareness of the importance of certain risks and to identify improvements to the control device, which served as the basis for the new organization of management audits (definition of missions and means). The mere fact of driving a process of this type requires the company's actors to perform a kind of "reflexive return" on their own activity and its risks. Such a practice has an important educational purpose. More than the outcome of the investigation at time t, which is by definition temporary, imperfect and questionable, what matters is the recurring implementation of this type of approach, at a fixed frequency and with a well-established method, to better identify operational risks and better communicate about them;
- Secondly, a process analysis that showed the feasibility of a steering process with a risk component and has served as an element of reflection on the organization of the management of the company. It turns out that on one geographic transport axis, the various internal stakeholders ("producers, designers, controllers, commercial ...") and external ones ("other carriers, local authorities, event organizers needing to drain flows of visitors") form a true value chain. This chain is structured as "design of the transport offer, production and delivery of transport, marketing, ...". Explicit modelling of the entire value chain and of the process helps each actor to better understand its role in meeting the needs of the customer, to better understand the risks it may give rise to by its action, or the risks it may help control, even if the effects are felt quite elsewhere in the chain. It turns out that lack of coordination is a determinant of operational risks. Unfortunately, what would seem easy to solve and control within a limited geographical scope becomes more complex when viewed in the overall context of a large company. The debate on organizational choices and on the opportunity to segment the business into autonomous geographic units has an obvious impact on the management of risk.
Recommendations
Reverse social engineering denotes a situation in which the victim or victims make the initial approach and offer the hacker the information he wants. Such a scenario may seem unlikely; however, authority figures, especially from a technical or social point of view, are able to receive personal information of vital importance, such as user IDs and passwords, simply because they seem above any suspicion. For example, no support person would ask a caller for a user ID or password, since the support person is able to solve problems without this information. Yet many users who experience difficulties with their computer may voluntarily provide this data, which is vital to their protection, in order to accelerate the resolution of the problem. The attacker does not even need to ask. Social engineering attacks are not reactive, as this scenario suggests.
A social engineering attack creates a situation, recommends a solution and provides assistance when required, perhaps as simply as in the following scenario. A colleague at work, who is actually an attacker, renames or moves a file so that the victim believes it is lost. The hacker suggests that he may be able to recover the file. The victim, eager to continue his work, or worried that the loss of data could be his fault, immediately accepts the offer of help. The hacker claims that the operation can only be performed by logging in with the victim's personal credentials, and may even argue that corporate security policies forbid it. The victim then asks the attacker to use his access to the data to try to restore the file. The hacker, showing reluctance, accepts, restores the original file and in the process steals the victim's user ID and password. In this way, the hacker has built a reputation and may receive more requests for assistance from colleagues. This approach bypasses the regular channels of IT support and helps the attacker remain anonymous.
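The scenario above leaves a trace that a defender can look for: once the "helpful colleague" has logged on with the victim's user ID and password, the victim's account shows up on a workstation that is not the victim's own, often while the victim's own session is still open. The following detection is an added example and not part of the dissertation. It runs two rules over logon events: a logon from a host other than the user's assigned workstation, and a logon on a second host while a session on another host is still open. The logon records are constructed in a simplified one-line form (timestamp, event, user, host), and the assignment of users to workstations is an assumption.

```python
"""Detect shared-credential use as in the reverse social engineering scenario
(added example, not the dissertation's own code). Sample log is constructed."""
from datetime import datetime

# Constructed sample: which workstation each user is expected to log on from.
ASSIGNED_HOST = {"alice": "WS-ALICE", "bob": "WS-BOB"}

# Constructed sample events: bob "restores" alice's file from his own machine
# using her credentials while her own session on WS-ALICE is still open.
SAMPLE_LOG = """\
2010-07-12T09:01:10 LOGON user=alice host=WS-ALICE
2010-07-12T09:03:42 LOGON user=bob host=WS-BOB
2010-07-12T10:15:05 LOGON user=alice host=WS-BOB
2010-07-12T10:22:30 LOGOFF user=alice host=WS-BOB
2010-07-12T17:30:00 LOGOFF user=alice host=WS-ALICE
"""

# Constructed sample with nothing suspicious, for comparison.
CLEAN_LOG = """\
2010-07-12T09:01:10 LOGON user=alice host=WS-ALICE
2010-07-12T09:03:42 LOGON user=bob host=WS-BOB
2010-07-12T17:30:00 LOGOFF user=alice host=WS-ALICE
"""


def parse_events(text):
    """Parse '<iso-timestamp> <LOGON|LOGOFF> user=<u> host=<h>' lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, *pairs = line.split()
        fields = dict(pair.split("=", 1) for pair in pairs)
        events.append({"time": datetime.fromisoformat(ts), "action": action,
                       "user": fields["user"], "host": fields["host"]})
    return events


def detect_credential_misuse(events, assigned):
    """Return (time, user, reason) alerts for unexpected-host logons and for
    logons that overlap an open session on a different host."""
    alerts = []
    open_sessions = {}  # user -> set of hosts with a session still open
    for ev in sorted(events, key=lambda e: e["time"]):
        user, host = ev["user"], ev["host"]
        if ev["action"] == "LOGOFF":
            open_sessions.get(user, set()).discard(host)
            continue
        expected = assigned.get(user)
        if expected and host != expected:
            alerts.append((ev["time"], user,
                           f"logon from {host}, assigned workstation is {expected}"))
        others = open_sessions.get(user, set()) - {host}
        if others:
            alerts.append((ev["time"], user,
                           f"logon on {host} while session open on {', '.join(sorted(others))}"))
        open_sessions.setdefault(user, set()).add(host)
    return alerts


if __name__ == "__main__":
    for when, who, why in detect_credential_misuse(parse_events(SAMPLE_LOG), ASSIGNED_HOST):
        print(f"{when.isoformat()} ALERT {who}: {why}")
```

On the sample log both rules fire for alice's 10:15 logon on WS-BOB, and the clean log produces no alert. In a real environment the same two rules map onto Windows security event 4624 (account name plus workstation name) or onto PAM/sshd logon lines on Linux; the assigned-host table comes from the asset inventory. Detection complements the policy point the page makes: a help desk that never asks for, and never uses, a user's password removes the pretext on which the scenario rests.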
It is not always necessary to know or meet a victim to carry out a reverse social engineering attack. Imitation of problems using dialog boxes can be effective in a non-targeted reverse social engineering attack. The dialog box announces that there is a problem, or that an upgrade must be performed to continue, and offers a download that fixes the problem. Once the transfer is complete, the problem disappears and the user continues to work, oblivious to the fact that the protection has been violated and that a malware program has been downloaded.
Having realized the vastness of existing threats, three steps are necessary to design a defence against social engineering threats aimed at corporate staff. An effective defence is a matter of design. Often defences are reactive: a violation occurs and a barrier is erected to ensure that the problem does not happen again. Although this approach demonstrates a level of awareness, the solution arrives late if the problem is severe or involves high costs. To avoid this scenario, the following three actions must be taken.
• Develop a framework for security management. The company must define a set of objectives for protection against social engineering and determine which staff members are responsible for meeting these goals.
• Conduct risk management evaluations. Threats of this kind do not present the same level of risk for different companies. It is therefore necessary to re-examine each social engineering threat and rate the danger that each of them represents for the individual organization.
• Implement defences against social engineering in the security policy. The criteria and procedures established for the administration and for the staff in situations that could be categorized as social engineering attacks must be set out in writing. This step assumes the existence of security policies beyond the social engineering threat. If the company does not have a security policy, one must be drawn up. The elements identified in the assessment of social engineering risks give the company a starting point; however, other potential threats must also be considered.