Towards an Ontological Model Defining the Social Engineering Domain

Leenen

Venter

2016

Computers & Security

Self Cite

117

The field of information security is a fast-growing discipline. Even though the effectiveness of security measures to protect sensitive information is increasing, people remain susceptible to manipulation and thus the human element remains a weak link. A social engineering attack targets this weakness by using various manipulation techniques to elicit sensitive information. The field of social engineering is still in its early stages with regard to formal definitions, attack frameworks and templates of attacks. This paper proposes detailed social engineering attack templates that are derived from real-world social engineering examples. Current documented examples of social engineering attacks do not include all the attack steps and phases. The proposed social engineering attack templates attempt to alleviate the problem of limited documented literature on social engineering attacks by mapping the real-world examples to the social engineering attack framework. Mapping several similar real-world examples to the social engineering attack framework allows one to establish a detailed flow of the attack whilst abstracting subjects and objects. This mapping is then utilised to propose the generalised social engineering attack templates that are representative of real-world examples, whilst still being general enough to encompass several different real-world examples. The proposed social engineering attack templates cover all three types of communication, namely bidirectional communication, unidirectional communication and indirect communication. In order to perform comparative studies of different social engineering models, processes and frameworks, it is necessary to have a formalised set of social engineering attack scenarios that are fully detailed in every phase and step of the process. The social engineering attack templates are converted to social engineering attack scenarios by populating the template with both subjects and objects from real-world examples whilst still maintaining the detailed flow of the attack as provided in the template. Furthermore, this paper illustrates how the social engineering attack scenarios are applied to verify a social engineering attack detection model. These templates and scenarios can be used by other researchers to either expand on, use for comparative measures, create additional examples or evaluate models for completeness. Additionally, the proposed social engineering attack templates can also be used to develop social engineering awareness material.

Section: Defining Social Engineering Attacksmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Social engineering attack examples, templates and scenarios

Leenen

Venter

2016

Computers & Security

Self Cite

117

“…These traps operate in the Application layer. Due to the difficulty of detecting social engineering attacks, to determine that one of these attack mechanisms was used has a low confidence [27,28,29].…”

Section: Attack Mechanism Determinationmentioning

confidence: 99%

Human Perception of the Measurement of a Network Attack Taxonomy in Near Real-Time

Heerden

Malan

IFIP Advances in Information and Communication Technology

et al. 2014

Self Cite

Abstract. This paper investigates how the measurement of a network attack taxonomy can be related to human perception. Network attacks do not have a time limitation, but the earlier its detected, the more damage can be prevented and the more preventative actions can be taken. This paper evaluate how elements of network attacks can be measured in near real-time(60 seconds). The taxonomy we use was developed by van Heerden et al (2012) with over 100 classes. These classes present the attack and defenders point of view. The degree to which each class can be quantified or measured is determined by investigating the accuracy of various assessment methods. We classify each class as either defined, high, low or not quantifiable. For example, it may not be possible to determine the instigator of an attack (Aggressor), but only that the attack has been launched by a Hacker (Actor). Some classes can only be quantified with a low confidence or not at all in a sort (near real-time) time. The IP address of an attack can easily be faked thus reducing the confidence in the information obtained from it, and thus determining the origin of an attack with a low confidence. This determination itself is subjective. All the evaluations of the classes in this paper is subjective, but due to the very basic grouping (High, Low or Not Quantifiable) a subjective value can be used. The complexity of the taxonomy can be significantly reduced if classes with only a high perceptive accuracy is used.

“…Social engineering -in the context of this paper -refers to the science of using social interaction as a means to persuade an individual or an organisation to comply with a specific request from an attacker where either the social interaction, the persuasion or the request involves a computer-related entity [1]. As clearly stated by various authors, the human element is the 'glitch' or vulnerable element in security systems [2,3,4].…”

Section: Introductionmentioning

confidence: 99%

Necessity for ethics in social engineering research

Malan

Kimppa

et al. 2015

Computers & Security

Self Cite

Social engineering is deeply entrenched in the fields of both computer science and social psychology. Knowledge is required in both these disciplines to perform social engineering based research. Several ethical concerns and requirements need to be taken into account when social engineering research is conducted to ensure that harm does not befall those who participate in such research. These concerns and requirements have not yet been formalised and most researchers are unaware of the ethical concerns involved in social engineering research. This paper identifies a number of concerns regarding social engineering in public communication, penetration testing and social engineering research. It also discusses the identified concerns with regard to three different normative ethics approaches (virtue ethics, utilitarianism and deontology) and provides their corresponding ethical perspectives as well as practical examples of where these formalised ethical concerns for social engineering research can be beneficial.