1. Introduction
This chapter of the dissertation gives the
Nowadays, information security is threatened by various kinds of attack. The limitations of traditional information security defences lead to some new threats, which have been rising in recent decades, being overlooked. A frequently overlooked threat in information security is the human, and more specifically the manipulation or influence of a person in order to compromise information security. As technology matures, hardware and software vulnerabilities are becoming harder to exploit. Hence, attackers have shifted away from targeting technologies and instead exploit human vulnerabilities; this is social engineering. A European IT security firm named Balabit conducted a survey on the TOP 10 Most Popular Hacking Methods during the Black Hat USA and Europe conferences in 2015, and more than 80% of the surveyed IT security practitioners considered that social engineering had become the most popular hacking method (Balabit, 2016).
All social engineering attacks are either human-based or computer-based, and both kinds have one thing in common: they target the human being. According to Social-Engineer, Inc. (2014), 37.3 million users reported that they had been a victim of phishing attacks in 2014, and 88% of all reported phishing victims had clicked the links within the email. Phishing belongs to the computer-based category of social engineering attack, as do on-line scams and baiting. Human-based social engineering attacks are more complicated since they require interaction with humans. The techniques of human-based social engineering attack include impersonation, posing as an important user, being a third party, desktop support, and dumpster diving (Shaw, 2013).
2. Literature Review
Social engineering was originally associated with the social sciences. In the context of social science, it refers to using scientific methods to influence a target’s decision-making, attitudes and social behaviours (Wikipedia). Even though social engineering was first introduced in social science, the term has been widely adopted by information security professionals, who have become aware that the characteristics of social engineering in social science can be used by attackers to persuade their human targets into giving up information that the attacker normally should not have access to. In fact, social engineering is a process of exploiting human vulnerabilities; even attackers with no technical skill can succeed if they have the ability to talk in a way that their targets find persuasive. In the context of information security, social engineering has been defined in several ways, none of them far from the meaning of, bluntly speaking, a con (or an art) that influences an individual in order to gain sensitive information which the attacker would not otherwise be able to obtain. Several information security practitioners have defined social engineering as follows:
Hadnagy (2010, p.10) defines social engineering as:
… the act of manipulating a person to take actions that may or may not be in the “target’s” best interest.
Mitnick and Simon (2002) explain social engineering in their book “The Art of Deception”:
… Social engineering uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. As a result, the social engineer is able to take advantage of people to obtain information with or without the use of technology.
Mann (2008, p.11) writes the definition for social engineering as:
To manipulate people, by deception, into giving out information, or performing an action.
Allen, Heriyanto, and Ali (2014, p.233) in their book “Kali Linux – Assuring Security by Penetration Testing” believe that:
Social Engineering is the practice of learning and obtaining valuable information by exploiting human vulnerabilities … From a security perspective, social engineering is a powerful weapon used for manipulating people in order to achieve a desired goal.
Evans (2009, p.10) defines social engineering as:
Social engineering attacks have the goal of collecting a certain amount of data to be used later in a technical attack…
Samani and McFarland (2014, p.6) wrote a McAfee report that defined social engineering as:
The deliberate application of deceitful techniques designed to manipulate someone into divulging information or performing actions that may result in the release of that information.
As the definitions presented above show, all the practitioners share the same view of the primary target of a social engineering attack, which is the human. However, opinions differ when it comes to the purpose of the attack. The majority of the practitioners consider information gathering to be the purpose of a social engineering attack, but some of them hold different views. For example, Hadnagy (2010, p.10) believes that social engineering can be applied not only in the information security field but also in many aspects of our everyday life, and is not always negative. Moreover, Evans (2009, p) considers social engineering to be merely preparatory work for launching a sophisticated technical attack.
In this dissertation, we define social engineering as a process that exploits the weakest link in information security, the human, in order to achieve the ultimate goal of gaining valuable information from the target and using that information for further attacks or other purposes (e.g. selling valuable information on the black market). To do so, the attacker has to acquire some of the target’s background information and combine it with psychological methods (e.g. persuasion) for the purpose of constructing elaborate social engineering attack tactics.
2.2. Social Engineering Attack Cycle
2.2.1. ‘The Cycle’ by Allen
Just like any other criminal act, social engineering has its own attack pattern. Allen (2016, p.5) proposes a social engineering attack pattern in the form of a lifecycle, which consists of four phases (Information Gathering, Developing Relationship, Exploitation and Execution), and he named it ‘The Cycle’.
Figure 2.1: The Cycle (Allen, 2006)
Figure 2.1 above shows how these four phases are connected in order to successfully execute a social engineering attack. Furthermore, Allen (2006, p.5) points out that each social engineering attack is a unique process that might involve other traditional attack phases or techniques in order to achieve the final goal of the attack.
The Cycle is elaborated phase by phase in the following:
• Information Gathering
This is the first and most crucial step when conducting either a social engineering attack or a traditional cyber attack. It aims to collect as much information as possible, from a multitude of sources, to get a better picture of the target (Allen, Heriyanto & Ali, 2014, p.86). Gathering information helps the social engineer gain a better understanding, or ideally a thorough knowledge, of the target’s background, which allows the attacker to define and refine his/her attack strategy, for example the effort and knowledge that are required for the attack. Once enough information has been gathered, it is used in the next phase in order to gain the target’s trust (Allen, 2006, p.5).
• Developing Relationship
The second phase is the development of rapid rapport in order to establish trust between the social engineer and the target (Mitnick & Simon, 2002, p.8). A relationship can be established quickly, and even strengthened, with the proper information gathered in the previous phase. The aim of this phase is to increase the target’s willingness to consider the attacker trustworthy, and therefore not to arouse suspicion about what the attacker is attempting. Once the relationship is built, it can then be used either to execute the social engineering attack or to give the attacker extra information or resources for further purposes (Oosterloo, 2008, p.19).
Once the attacker has gained the target’s trust, he/she can then exploit this trust relationship by using influence techniques or other deceptive techniques in order to obtain sensitive information or manipulate the victim into performing actions that the target would normally not do.