Social Engineering-Based Attacks: Model and New Zealand Perspective
By Lech Janczewski and Lingyan (René) Fu
The University of Auckland, New Zealand
2010 Proceedings of the International Multiconference on Computer Science and Information Technology
Presented by Brad Kaufmann
Road Map
• Introduction
• Background and Motivation
• Study Objectives
• Study Setup
• Analysis and Findings
• Summary
What is Social Engineering?
• Technique to gain access to confidential, proprietary, personal information
• Primarily human-based attack method
  – Impersonation
  – Dumpster diving
  – Shoulder surfing
  – Vishing
• Technology-based methods exist
  – Phishing
Why Use Social Engineering?
• Effectiveness of traditional hacking attacks has decreased
• Technological security solutions being adopted more and more
• Attackers turning to alternative methods
• Social engineering targets vulnerabilities of both people and technology
Background and Motivation
• Social engineering is overlooked because awareness is low
  – Lacks conceptual model
• Determine major aspects and constructs of social engineering
  – Identify relations between them
• Design case study to understand social engineering phenomenon
  – Gather insights from IT professionals
Background and Motivation [2]
Conceptual Model of Major Aspects of Social Engineering-Based Attacks
Study Objectives
• Explore significant entities and relations within social engineering attacks
  – People
  – Security awareness
  – Psychological weaknesses
  – Technology
  – Defenses
  – Attack Methods
Study Objectives [2]
• Five research questions:
  – What are existing security vulnerabilities which can be exploited by attacks? (RQ1)
  – What are the methods of attack? (RQ2)
  – What are the consequences of a successful attack? (RQ3)
  – What can be done to mitigate attacks? (RQ4)
  – What is New Zealand's perspective of attacks? (RQ5)
Study Setup
• Conducted 25 interviews with individuals with IT backgrounds and experiences
  – IT architect, IT consultant, IT educator, etc.
• Individuals from 17 different organizations
  – 7 local, 10 international
  – Cross-section of industries
    • Security advisory services, government, consulting firms, education, etc.
RQ1: Existing Vulnerabilities
• People are the weakest link
  – 64% lack understanding of security issues
  – 40% appearance can influence perceived trustworthiness
• Technology issues
  – 16% flaws in security design
  – 12% social engineering bypasses technical controls
  – 12% growing trend toward malicious misuse of technology products
RQ1: Existing Vulnerabilities [2]
• Security process issues
  – Social engineering depends on uncertainty
    • Putting processes into place works to minimize
  – 40% organizations had poor security processes because people issues were overlooked
RQ2: Methods of Attack
• Human-based
  – Based on deception in person or on phone
    • Impersonation, shoulder surfing, questionnaire, etc.
  – Phone attacks most widespread mode
    • Attacker can disguise voice
    • Easier for attacker to cover his/her tracks
• Technology-based
  – Trick users into belief they are using authentic computer systems
    • Popup windows, email attachments, phishing, etc.
RQ3: Consequences of Attack
• Primary damages
  – Breach of CIA
    • Gain authorized access to resources
    • Preparation and information gathering for attack
• Secondary damages
  – Reputation damage
  – Financial damage
RQ4: Mitigation Strategies
• Physical security properly implemented
  – Different control mechanisms based on security classification
• Proper technical controls
  – Multifactor authentication
• Security policy
  – Most important and effective element
  – Takes away uncertainty
  – Supplement with education and training
RQ5: New Zealand Perspective
• Shares similar trend with other countries
  – Technology adoption
  – Security risks
• Behind in awareness of security issues and implementation of countermeasures
• Insufficient understanding of security risks
  – 64% of survey participant responses
  – 28% due to lack of major security disasters
  – 44% due to high level of social trust
RQ5: New Zealand Perspective [2]
• Lack of well-defined security strategy
  – 40% of participant responses
  – 16% due to small country and small businesses
  – 20% due to lack of standards and legislation
  – 40% due to immature strategies that expose vulnerabilities that can be exploited
• Participant examples showed diversity and complexity
  – Need for multifaceted defense approach
Revised Conceptual Model
Revised Conceptual Model of Major Aspects of Social Engineering-Based Attacks
Summary
• Social engineering depends on uncertainty
  – Manipulates, influences people's actions
• Security strategy and policy is key to preventing social engineering
  – Eliminates uncertainty
• Advice
  – Do not give out passwords – Ever!
  – Be dubious of people who look suspicious
  – Do not hold doors open
Questions
???
Bibliography
• Lech Janczewski and Lingyan Fu, “Social Engineering-Based Attacks: Model and New Zealand Perspective”, Proceedings of the International Multiconference on Computer Science and Information Technology 2010, IEEE, Wisla, Poland, October 2010, pp. 847-853