Abstract: The aim of this study was to explore the extent to which persuasion principles are used in successful social engineering attacks. Seventy-four scenarios were extracted from 4 books on social engineering (written by social engineers) and analysed. Each scenario was split into attack steps, containing single interactions between offender and target. For each attack step, persuasion principles were identified. The main findings are that (a) persuasion principles are often used in social engineering attacks, (b) a…
“…A psychological assault aimed at misleading users to reveal sensitive information or conduct specific malicious activities unintentionally is classified as social engineering [49], [50]. The powerful social engineering technique, instant messages, or domain name system (DNS) spoofing processes is the phishing assault in which the attacker attempts to gain the attention of the user by using spoofed emails.…”
Section: ) Attack On Application Software - mentioning
This paper presents an overview of device identification techniques and the Manufacturer Usage Description (MUD) standard used for the Internet of things to reduce the IoT attack surface. The ongoing diversity and the sheer increase in the number of connected IoT devices have crumpled security efforts. There is a need to reconsider and redesign the underlying concept of developing security systems to resolve IoT security challenges. In this backdrop, device profiling and identification have emerged as an exciting technique that helps to reduce IoT device attack surface. One of the known approaches for device identification is to fingerprint a device. There are many ways to fingerprint the device, mostly using device network flows or device local attributes. The device identification ensures the authenticity of the device attached to the network, like user authentication. Since IoT devices mostly work using machine-to-machine (M2M) communication, this requires identifying each device properly. But there is no unified approach for device identification for the ever-growing world of IoT devices and applications. One of the major steps forward in this direction is the development of the Manufacturer Usage Description (MUD) standard that defines the role of a device within the network. It limits the device to execute the primary task only, which will help to reduce the attack surface. Since the inception of MUD, many security frameworks use this standard for IoT security. However, there is a need to scrutinize the security frameworks based on the MUD, to find out the claimed effectiveness of the standard in IoT security. This paper initially identifies and classifies the potential vulnerabilities in IoT devices. Then, the study provides an overview of the research that focuses on device identification techniques and analyzes their role in IoT security. 
Finally, the research presents an overview of MUD technology, its implementation scenarios, the limitation of the latest MUD standard, and its applications in the industry. The prime aim of this work is to examine the MUD benefits in IoT security along with the weaknesses and challenges while implementing this standard along with future directions.
INDEX TERMS Manufacturer usage description (MUD), Internet of Things (IoT), device identification (DI), software defined network (SDN), machine learning (ML), deep learning (DL). NOMAN MAZHAR received the B.E. degree in software engineering and the M.S. degree in information technology from the
“…Moreover, Rubell (2018) explained how hackers could turn fragments of publicly disclosed information into a useful picture about the organization, and the role of the target victim who works for that company. Bullée et al (2018) have extracted different scenarios of social engineering attacks from books written by hackers, proving that psychological manipulation, such as the persuasion principles discussed by Cialdini (2001), are often used in interactions between the offender and the target in each attack.…”
Privacy is an increasingly rare commodity. Once personal information is entered into a social network, it is no longer private. Such networks have become an incubation environment and carrier for cyber-attacks either by providing the necessary information about victims or facilitating the ways in which cyber-criminals can reach them. Social media create relationships and trust between individuals, but there is often no authority checking and validating user identities. This paper analyses different attack vectors examining the techniques used against end-users, who are targeted as a way of accessing larger organizations. It shows how the information that is disclosed to social networks can be transformed to provide insights about an organization, and the role of the victim in this process. These leaks not only expose users to the risk of cyber-attacks, but they also give attackers the opportunity to create personalized strategies that are difficult to avoid. This paper highlights these user-oriented attacks by first demonstrating the impact of disclosed information in the process of formulating an attack, in addition to group influence on an individual's vulnerability. Next, the various psychological manipulation factors and cognitive bias behind the user's failure to detect these attacks is demonstrated. This research introduces a theoretical user-based security training model called STRIM, which aims to educate and train users to detect, avoid, and report cyberattacks in which they are the primary target. The proposed model is a solution to help organizations establish security-conscious behaviors among their employees.
“…More recently, Social Engineering (SE) has emerged as a popular cyber security threat that is often overlooked [1,2]. SE can be described as the psychological or emotional manipulation of people into performing actions or divulging confidential information [3]. The increase in SE can be attached to the advancement in mobile devices and social media platforms such as Facebook, WhatsApp, Twitter, Snapchat, etc.…”
The advent of mobile technologies and social network applications has led to an increase in malicious scams and social engineering (SE) attacks which are causing loss of money and breaches of personal information. Understanding how SE attacks spread can provide useful information in curbing them. Artificial Intelligence (AI) has demonstrated efficacy in detecting SE attacks, but the acceptability of such a detection approach is yet to be investigated across users with different levels of SE awareness. This paper conducted two studies: (1) exploratory study where qualitative data were collected from 20 victims of SE attacks to inform the development of an AI-based tool for detecting fraudulent messages; and (2) a user testing study with 48 participants with different occupations to determine the detection tool acceptability. Overall, six major themes emerged from the victims’ actions “experiences: reasons for falling for attacks; attack methods; advice on preventing attacks; detection methods; attack context and victims”. The user testing study showed that the AI-based tool was accepted by all users irrespective of their occupation. The categories of users’ occupations can be attributed to the level of SE awareness. Information security awareness should not be limited to organizational levels but extend to social media platforms as public information.