
SOCIAL ENGINEERING 1

Topic:Social Engineering Risk and Management in Organisations

References: Harvard

Pages: 60

Words: 15000 words


Social Engineering Risk and Management in Organisations

[Name of the Writer]

[Name of the Supervisor]

[Course]


Acknowledgement

I am very thankful to my supervisor for his complete guidance in completing my dissertation; I would have been unable to accomplish my research without his practical advice. I have been really inspired by him because of his deep insight and experience, which made me perform at my best in my research.

I am also thankful to my friends who supported me throughout the course and guided me in the completion of this research.

Finally, I am really thankful to my parents for their ongoing support, for always giving me the strength, courage and determination to face various challenges, and for believing in my ability and for their trust.


Abstract

Social engineering offers attackers many ways of reaching their goal through targeted manipulation and the information it yields. A particularly dangerous case is when information obtained from one person is used to gain access to an organisation's computer systems. The attacker can easily pass himself off as a system operator, an IT manager or a system engineer, and is often never in direct contact with the victim. Even people who are most careful in handling sensitive information can fall into the trap of social engineering.

On the one hand, "technological neglect" makes people vulnerable: they treat their sensitive data carelessly, publish private information on the Web, and are often too lazy to "clean up" their online profiles regularly. On the other hand, we are all only human, always in search of recognition, flattery, compliments and friendship. Human virtues such as helpfulness and weaknesses such as vanity are exploited by attackers to manipulate their victims. Many employees believe that being a good teammate and showing solidarity with colleagues matters most, which often comes at the expense of security.

This study describes the impact of social engineering attacks on organisations. It also discusses the prevention techniques that employees can use to thwart the threat of information leakage through social engineering.


Contents

Chapter 1: Introduction
1.1 Background of the Problem
1.2 Statement of the Problem
1.3 Aim of the Study
1.4 Objectives
1.5 Research Questions

Chapter 2: Literature Review
2.1 Need for Information Security
2.2 Types of Information Security Attacks
2.2.1 Intrusion or Hacking
2.2.2 Viruses and Worms
2.2.3 Denial of Service (DoS)
2.2.4 Sniffing
2.2.5 Spoofing
2.2.6 IP Spoofing
2.2.7 DNS Spoofing
2.2.8 ARP Spoofing
2.3 Social Engineering
2.4 Social Engineering Types
2.4.1 User Impersonation
2.4.2 Staff Sympathy
2.4.3 Intimidation
2.4.4 Dumpster Diving
2.4.5 Reverse Social Engineering
2.4.6 Shoulder Surfing
2.5 Online Social Engineering
2.6 Earlier Work
2.6.1 Social Engineering Attack Model
2.6.2 Social Engineering Trust Model
2.7 Social Engineering Risk Management
2.7.1 Insider
2.8 Social Engineering Attack Vectors
2.9 Incident Management
2.10 Resolution Approach

Chapter 3: Methodology
3.1 Introduction
3.2 Research Methodology
3.3 Research Philosophy
3.4 Research Approaches
3.5 Research Design
3.5.1 Descriptive Design
3.5.2 Experimental Design
3.5.3 Surveys by Questionnaire
3.5.4 Interview
3.5.5 Phishing
3.6 Action Research
3.6.1 Primary Data
3.6.2 Secondary Data
3.7 Analysis of Data
3.8 Ethical Issues

Chapter 4: Result and Discussion
4.1 Result
4.1.1 Survey
4.1.2 Interviews
4.1.3 Phishing
4.2 Discussion
4.2.1 The Shock Doctrine
Threats of Social Engineering and Related Defences
4.2.2 E-Mail Threats
4.2.3 Change Management

Conclusion
Bibliography

List of Figures
Figure 1
Figure 2
Figure 3
Figure 4: Social Engineering Attack Cycle
Figure 5: A Concept
Figure 6: Attack Structure
Figure 7: Trust Model
Figure 8: Types of Network Security Threats
Figure 9: Size of Companies
Figure 10: Types of Misuse and Reporting Frequency
Figure 11: Social Engineering Risk Management
Figure 12: Respondents by Profession
Figure 13: Awareness of Social Engineering
Figure 14: Social Engineering Attack Experience
Figure 15: Motivation for Social Engineering Attacks
Figure 16: Attack Frequency
Figure 17
Figure 18
Figure 19: Most Common Threats


Chapter 1: Introduction

1.1 Background of the Problem

Social engineering is, in essence, manipulation by deception (Mitnick et al, 2002). We encounter it in many areas of everyday life, for example in advertising, where the "seller" behaves in whatever way wins the favour of his "target". Unfortunately, the art of manipulation, particularly in relation to new media, is often used for unfair practices in which human vulnerabilities are exploited. It is in the nature of people to want to help others and to trust their fellows. The scammer therefore builds a relationship of trust with the victim, deliberately and often over a long period, and at the right moment exploits the victim's credulity to obtain the information he is after. The goal may be money, trade secrets, economic advantage or sabotage of a competitor (Mitnick et al, 2002).

Unlike more complex infiltration methods that rely on the manipulation of computer code, social engineering relies primarily on the "human factor" (Hadnagy, 2011), including intuition (for example, guessing passwords) and/or scenarios for gaining a user's trust, either to induce the user to run a malicious program or disclose sensitive information, or simply to impersonate the user.

Employees are the first owners of a company's information and know-how, and the risk of losing that information lies in the very nature of human beings: the behaviour of employees cannot be predicted, because human risk takes many forms. Whether it is industrial espionage in order to sell information to a competitor, or simply an employee who resigns to work for a competitor and takes his expertise and possibly key data with him, the consequences can be dramatic. Internal risk is even greater in an economic crisis, when the need for money, uncertainty about the future and frustrating situations are increasingly common and weaken employees.


Another type of human risk relates to social networks, which, it cannot be overemphasised, are a powerful channel of information leakage for companies, either because employees post confidential information about their work, or because attackers use data collected from employee profiles to guess passwords or to gain their trust in order to extract information (Allsopp, 2009). The latter two techniques are part of what is called social engineering. Attackers can rely on the fact that employees have trouble distinguishing the boundary between their professional and personal lives, and are not sufficiently aware of the many ways in which the information they post online can be used.

1.2 Statement of the Problem

Cybercriminals are increasingly targeting companies, including the intellectual property (IP) attached to the projects they are working on. E-mail remains the preferred entry point (Mann, 2008): for example, the Trojan known as "Hydraq" was delivered through social engineering e-mails targeted at an individual or a small group of employees in order to infect their machines. If the attacker can trick the user with a legitimate-looking e-mail, that is, if he can get him to open a link or an attachment, Hydraq infects the machine and gives the attacker remote control of it. Attackers exploit the abundance of personal information available on social networking sites to aim their attacks at key individuals within the targeted businesses (Huber et al, 2009). The correlation between social engineering and the growth of social networks is significant. Social engineering is one of the most serious threats to the security of computer networks: it is a very powerful attack in the sense that no software or hardware control on its own defends against it effectively. Social engineering has to do with psychology, so it is the user who must learn to recognise and thwart its techniques.

In general, social engineering attacks follow this scheme:


• An approach phase, to gain the user's confidence by posing as one of his superiors, a colleague from his entourage, a customer, a supplier, and so on;

• A warning, intended to destabilise the user and provoke a rapid reaction; the pretext may be, for example, a security problem or an emergency;

• A diversion, that is, a phrase or situation that reassures the user and stops him dwelling on the alert. This may be, for example, a thank-you announcing that everything is back in order, a trivial remark, or, in the case of an e-mail or a web site, a redirect to the company's real web site (Long, 2008).

Even when a company is equipped with the full paraphernalia of digital defence, it remains vulnerable. There are in fact two ways to break into a computer system: either pass through the firewalls and intrusion detection systems, which may be too complex, or exploit human weaknesses. It is the human factor that attackers use as a tool of infiltration. An employee may unwittingly hand over sensitive information that enables attackers to act with great efficiency and discretion (Peltier, 2006). The idea is either to impersonate an employee so as to act without arousing the suspicions of colleagues or management, or to use manipulation techniques so that the information is handed over voluntarily. Social engineering, phishing and social networking applications are the tools most used to impersonate individuals (Huber et al, 2009).

Since the challenge of an attack lies in acquiring passwords, more and more companies deploy powerful security systems that prevent intrusion from outside. To circumvent these systems, attackers take advantage of employees' ignorance of phishing. Out of credulity, employees may provide sensitive information to outside parties in the belief that they are on a secure web site, or that an invitation to join a social network poses no danger. Once they enter a password to register, the phishing attack has succeeded. Indeed, many people reuse the same password across all their accounts (Chantler & Broadhurst, 2006). Having obtained this key, attackers can then log into the company's records under the name of the employee who was phished. In this type of attack the employee remains passive, and it is his lack of knowledge of phishing techniques that is the security risk for the company. This is why the company's data security also relies on employee awareness of the techniques used by attackers.
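Added example, not code from the dissertation: a small Python check for the kind of e-mail described in this section and in the Hydraq paragraph above (a targeted, legitimate-looking message whose link leads somewhere else, or to a login page imitating a secure site). It parses the HTML body, compares the host shown in each link's text with the host the link really points to, and flags hosts that imitate a domain the organisation trusts. The trusted-domain list, the three sample e-mail bodies and all function names are constructed for illustration and are assumptions, not material from the page.

```python
# Added example: phishing-link analysis over constructed sample e-mails.
# Nothing here is taken from the dissertation; names and data are assumptions.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: domains the organisation legitimately uses (assumption).
TRUSTED_DOMAINS = {"example-bank.com", "example-corp.com"}

# Constructed sample e-mail bodies (assumptions, not real mail).
SAMPLE_PHISH = ('<p>Your account is locked. Reset it at '
                '<a href="http://example-bank.com.login-verify.net/reset">'
                'https://example-bank.com/reset</a> within 24 hours.</p>')
SAMPLE_LEGIT = ('<p>See the <a href="https://www.example-corp.com/policy">'
                'company security policy</a>.</p>')
SAMPLE_LOOKALIKE = '<p><a href="http://examp1e-bank.com/x">Click here</a> to confirm.</p>'


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude 'registrable domain': the last two labels. Adequate for .com-style names,
    wrong for public suffixes such as co.uk (see the note below)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def lookalike_of(host):
    """Return the trusted domain this host imitates, or None. Catches a trusted name used as
    a subdomain of another domain (example-bank.com.evil.net) and single-character edits
    such as examp1e-bank.com."""
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if host.lower().startswith(trusted + "."):
            return trusted
        if len(reg) == len(trusted) and sum(a != b for a, b in zip(reg, trusted)) == 1:
            return trusted
    return None


def analyse_email(html_body):
    """Return one finding per suspicious link; an empty list means nothing was flagged."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        real_host = urlparse(href).hostname or ""
        # Only treat the link text as a 'shown' address when it actually looks like one.
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if shown and "." in shown and registrable(shown) != registrable(real_host):
            findings.append(f"link text shows {shown} but points to {real_host}")
        imitated = lookalike_of(real_host)
        if imitated:
            findings.append(f"{real_host} looks like {imitated}")
    return findings


if __name__ == "__main__":
    for name, body in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT),
                       ("lookalike", SAMPLE_LOOKALIKE)):
        print(name, analyse_email(body))
```

The registrable-domain helper is deliberately crude (last two labels), so names under public suffixes such as co.uk would need a public-suffix list before this was used on real mail. The text-versus-target mismatch check is the one worth keeping regardless, because it needs no blocklist and catches exactly the trick the paragraph describes: a link that reads as the secure site but lands on the attacker's page.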

Many companies fail to educate their staff about the attacks they may undergo without their knowledge. Awareness of the tools used by attackers would prevent data leakage and reduce costs (Mann, 2008). Knowledge of these tools is not enough on its own, however, because attackers are also formidable manipulators who must be unmasked. For example, to win the trust of their interlocutor they use the jargon of the business or mention the names of its leaders in conversation, so that the listener is quickly convinced that the person is part of the business and complies with their requests or advice. The attacker also plays on the victim's feelings of guilt and compassion, and keeps a low profile. An e-mail from a supposed colleague asking for help because he has lost his password arouses empathy, and the employee, even at the risk of being fired, may hand over the password of a manager or another colleague in order to help. The employee then becomes an active participant in the attack, which is why the company's security system should establish control mechanisms in addition to phishing awareness (Chantler & Broadhurst, 2006).

In general, anyone can be a victim of social engineering. Attacks occur wherever there is something of value that may interest someone. It is in the workplace, however, that people are particularly exposed: even the smallest leak of critical information to a criminal can become the biggest threat to the organisation's security plan. Even family, friends and colleagues can attract the attention of spies, because it is often from such third parties that they successfully obtain critical information.

The best protection against social engineering is to use common sense and not disclose any information that may affect the security of the company. Regardless of the type of information requested, it is advised:

• To establish the identity of the caller by asking for specific information (name, company, phone number);

• To verify any information provided, using contact details obtained independently (for example, from the company directory) rather than those supplied by the caller;

• To consider the criticality of the information requested (Chantler & Broadhurst, 2006).

1.3 Aim of the Study

The purpose of this paper is to show that social engineering is a threat to organisations' security and that something has to be done to manage this threat. It explains the impact that social engineering has on the security and business policy of organisations, and discusses the prevention methods that should be taught to employees to thwart the menace of social engineering.

1.4 Objectives

• To discuss and explain the security threat to organisations caused by social engineering

• To discuss the different techniques that attackers use in social engineering to obtain inside information about a company

• To identify the impact of social engineering on organisations

• To describe the best prevention strategy for avoiding social engineering


1.5 Research Questions

• What is social engineering?

• What are the different methods of social engineering used to obtain inside information?

• What is the impact of social engineering on organisations?

• What steps are required of organisations to manage and prevent the threat of social engineering?


Chapter 2: Literature Review

2.1 Need for Information Security

Organisations must be fully aware of the need to dedicate adequate resources to the security of information, in order to prevent crime and maintain confidentiality in both the government and business sectors. A security breach is unauthorised access to the personal or business information of a citizen, company or government entity, and its most common consequence is identity or financial fraud (Murr, 2012). Notices are the most common method of reporting a breach, or the potential threat of one, at any point where a person is providing personal information. Such notices are a means to create "awareness among the public" and to "allow the appropriate regulatory bodies to perform their functions, provide advice and deal with complaints" (Chandra & Bensky, 2011). A framework for information security governance must be developed. Even though organisations have dedicated personnel to protect enterprise information systems (headed by a Chief Information Officer), security should be a collective effort and responsibility, and strategists should place the protection of information and information assets at the core of their policies.

Information security is also required so that one can be confident that information cannot be altered, and back-up copies should be kept so that it is available whenever needed. In an organisation, information security performs four functions (Maiden, 2010): 1) protecting the organisation's ability to function; 2) enabling the safe operation of applications implemented on the organisation's IT systems; 3) protecting the data that the organisation collects and uses; and 4) safeguarding the technology assets in use at the organisation.


To address this issue, several governments and organisations have introduced standards and legislation to secure information and ensure that organisations employ an adequate level of security. Information security is a huge field, and many casual users do not think about it at all, or only as an afterthought (Giorgini & Mylopoulos, 2011). Intruders may come from a wide variety of places and could be someone as close as the next-door neighbour stealing the user's wireless internet. Given the complexity of today's software there will always be vulnerabilities to expose and exploit, which is why every user needs to stay on top of their own security (Maiden, 2010). This typically means applying the latest operating system and software patches, maintaining a firewall and up-to-date virus scanning software, being careful about where one surfs and what one clicks on, and being as smart in the digital world as one is in the physical world.

This study will cover some of the types of network attack that exist, the various computer security threats that may be encountered, and the preventive measures that can be used to minimise exposure to attack (Klevinsky et al, 2002). The number one rule of information security is that the human is the first point of weakness. One can have the most secure network, computer or system, and all it takes is one person falling victim to a social engineering attack to compromise everything (Janczewski & Colarik, 2008).

With SSL (today TLS) the consumer can be confident that their credit card and other personal information is transmitted safely from their device to the e-commerce business where the purchase was made. The next logical step in security takes place at the web server where the consumer's data is then stored, which is itself vulnerable to attack from outside parties, such as hackers, intent on gaining access to this valuable information for their own gain (Grebmer, 2008). To minimise the merchant's involvement in holding this personal information, Secure Electronic Transaction (SET) was developed. Developed by Visa and MasterCard, it uses PKI for privacy and digital certificates to authenticate the merchant, consumer and bank. SET does not allow the merchant to see the sensitive payment information, nor is any of it stored on the merchant's own servers.

The goal of implementing information security is to defend the data and information of an organisation against probable threats and attacks. It is essential to business survival and to the business's need to manage the risk related to information security and system vulnerabilities (Abraham, 2010). In modern management, an organisation's information is considered an asset. As information technology grows, the risks and threats grow with it, and organisations are very mindful of securing the information they hold. Managements employ numerous measures to prevent unauthorised access to sensitive information and systems, since leakage or loss of customer and corporate information causes financial loss and compromises the organisation's reputation (Maiden, 2010).

Because of the high rate of cybercrime, laws and regulations against it are increasing. It is now necessary to install and manage an information security system, which has broadened the umbrella of the information security field and industry. Under the present threatening and challenging circumstances, such a system supports business growth by ensuring a controlled flow of information between two entities (Ashenden, 2008).

Companies invest heavily in, and concentrate on, the technological aspects of security to protect their assets. They purchase and implement firewalls and antivirus software and they hire security teams, but they fail to realise that there is always a weak link, and that is human involvement. The phenomenon of attacking an information system through the humans involved in an organisation is called social engineering.

To control the risk to information in an organisation there must be a security-aware culture. This culture can be the best defence against all possible threats posed by an employee and his or her risky interaction with the information asset (Veiga, 2009).

2.2 Types of Information Security Attacks

There are various types of information security attacks, such as intrusion or hacking, viruses and worms, denial of service, sniffing, and spoofing. Each of these attacks is explained in detail below.

2.2.1 Intrusion or Hacking

Hackers are people who gain access to a computer system without the knowledge of the system's owner. Once access to the targeted system has been obtained, the data on that system is altered and private and confidential information is stolen. People involved in hacking do it for various reasons; some do it for fun and curiosity, and some do it to take revenge (Klevinsky et al, 2002). Hacking proceeds once the hackers have the required information about the targeted systems: the strengths and weaknesses of the system, the operating systems used, unsecured folders, shared folders and configuration files. When this information has been collected, they analyse how to compromise the targeted website or system. The techniques or loopholes that hackers use include poor implementation of shopping carts, hidden fields in HTML forms, client-side validation scripts, direct SQL attacks, session hijacking, buffer overflows in forms and port scans.

2.2.2 Viruses and Worms

Viruses and worms are computer programs that prevent computer systems from functioning properly. Both can replicate themselves; the minor difference between them is that a virus cannot travel on its own and requires a network to attach to in order to perform its function, while a worm can travel on its own and function independently (Hadnagy, 2010). The goal of viruses and worms is to make the working system malfunction. In past years viruses used to spread through floppy diskettes, but now they spread through the Internet, which reaches millions of computer systems in a snap. If a virus enters an organisational network, all the systems connected to the network can be affected within a minute, creating millions of dollars of loss for the organisation.

Figure 1

2.2.3 Denial of Service (DoS)

A denial of service attack brings down the targeted network and makes it deny service to legitimate users. To perform a DoS attack the attacker need not be an expert; the attack can be performed with a simple ping command. Experienced hackers who want to perform a DoS attack would not do it from their own system (Shoniregun, 2005). A small program known as a zombie is installed on computers that have intermediate-level access in a network; whenever the attack is to be performed, the zombie program is run remotely and the computers on which it is installed launch the attack simultaneously. The attacker does not need a username or password in these cases. A known weakness or link in the system can provide the opportunity for such attacks. These attacks usually disable the network and/or corrupt critical information. The target system crashes or goes into a state where it cannot work efficiently, and the services provided by the system are halted.

2.2.4 Sniffing

Sniffing means seeing all the packets that pass through the wires or, for wireless networks, through the air. The technique was originally used for fixing network problems, because network packets can be watched through it, but hackers now use sniffing to scan for login IDs and passwords on the wire. UNIX-based systems are the main targets for sniffing. Encryption is one way to avoid a sniffing attack (Grebmer, 2008). Sensitive information such as bank details or other personal details is encrypted before it is sent over the wire, so hackers cannot understand what the information is. To understand it they would need to decrypt the information, which can take a lot of time and money.

2.2.5 Spoofing

Spoofing means deceiving others; it is fooling other computer users into believing that the information they are getting from a source is being provided by a legitimate user. Spoofing can take place in several ways, such as IP spoofing, DNS spoofing and ARP (Address Resolution Protocol) spoofing.

2.2.6 IP Spoofing

IP spoofing is about changing the source address of an IP packet to make other users believe that the source is legitimate, when in reality the packet comes from a hacker. The hacker thereby attacks the system while at the same time hiding his IP address from firewalls. IP spoofing targets UNIX systems and RPC services, and specifically those services which rely on IP-address-based authentication.

2.2.7 DNS Spoofing

DNS spoofing directs users to an incorrect location. This means that users are directed to a different website, and personal information is collected illegally through web forms. DNS spoofing is regarded as a dangerous threat, because anyone can manage domain names and create equivalent IP addresses.

2.2.8 ARP Spoofing

ARP spoofing is also known as ARP poisoning. ARP maintains a table of the MAC addresses of all the computers connected to a network. Information that arrives is forwarded to the respective computer based on the mappings in the ARP table. For example, when ARP cannot find the MAC address for a message, it broadcasts a request to all systems asking the intended destination machine to respond with its MAC address; when the destination machine's MAC address is received, it is added to the table. At this stage ARP spoofing can take place (Janczewski & Colarik, 2008). It works in this way: the hacker sends a reply to the broadcast ARP request claiming that the hacker's machine is the legitimate one. ARP then records the hacker's MAC address and adds it to the table. As a result the hacker gains an illegitimate connection to the network, and once connected can do all sorts of things.
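As an added example, not part of the dissertation or of any cited author's work, the following Python script shows the defender's side of the exchange just described: it watches ARP replies and flags the moment an IP address is claimed by a second MAC address, which is how tools such as arpwatch detect poisoning. The replies, addresses and timestamps below are constructed sample data, not captured traffic.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: int          # seconds since start of the (constructed) capture
    sender_ip: str   # IP address the reply claims to own
    sender_mac: str  # MAC address it asks the receiver to cache for that IP


class ArpMonitor:
    """Keeps the first IP->MAC binding seen and flags later contradictions."""

    def __init__(self):
        self.ip_to_mac = {}                 # ip -> mac first observed
        self.mac_to_ips = defaultdict(set)  # mac -> every ip it has claimed
        self.alerts = []

    def observe(self, reply):
        mac = reply.sender_mac.lower()      # normalise case before comparing
        known = self.ip_to_mac.get(reply.sender_ip)
        if known is None:
            self.ip_to_mac[reply.sender_ip] = mac
        elif known != mac:
            # The classic poisoning symptom: a trusted IP suddenly "moves".
            self.alerts.append(
                f"t={reply.ts}s {reply.sender_ip}: MAC changed {known} -> {mac} "
                "(possible ARP poisoning)")
        claimed = self.mac_to_ips[mac]
        if claimed and reply.sender_ip not in claimed:
            # One interface answering for several IPs, e.g. its own and the gateway's.
            self.alerts.append(
                f"t={reply.ts}s {mac} now answers for "
                f"{sorted(claimed | {reply.sender_ip})}")
        claimed.add(reply.sender_ip)


def analyse(replies):
    """Feed replies to a monitor in time order and return its alerts."""
    monitor = ArpMonitor()
    for reply in sorted(replies, key=lambda r: r.ts):
        monitor.observe(reply)
    return monitor.alerts


# Constructed sample: a gateway, two hosts, then host .66 claiming the gateway IP.
SAMPLE_REPLIES = [
    ArpReply(0, "192.168.1.1", "AA:BB:CC:00:00:01"),   # gateway announces itself
    ArpReply(1, "192.168.1.10", "aa:bb:cc:00:00:10"),  # workstation
    ArpReply(2, "192.168.1.66", "aa:bb:cc:00:00:66"),  # another host
    ArpReply(5, "192.168.1.1", "aa:bb:cc:00:00:01"),   # benign repeat from the gateway
    ArpReply(30, "192.168.1.1", "aa:bb:cc:00:00:66"),  # .66 now answers for the gateway
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_REPLIES):
        print(alert)
```

The first four replies produce no alert; the fifth produces two, one for the gateway's changed MAC and one for a single interface answering for two addresses. In production the same check is usually enforced rather than merely observed: static ARP entries for the gateway on critical hosts, or Dynamic ARP Inspection on managed switches, refuse the forged reply outright.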

2.3 Social Engineering

Social engineering involves techniques to manipulate humans and bypass security instead of using technology (Margaret). Social engineering is a collection of techniques, including malware and viruses, together with the manipulation of people and the exploitation of their unawareness of information security policies and procedures. These people are usually end users with little knowledge of computers and IT. According to Joan, system firewalls and intrusion detection systems do not ensure the safety of data and information; a single smart social engineer can bypass them all (Verma, 2011). Social engineering threats and incidents have been increasing rapidly in the last few years. According to Abraham (2010), the number of social engineering incidents is increasing at a very fast pace.

Figure 2

Social engineering is particularly concentrated on the human aspect. The attacker can be an insider.

2.4 Social Engineering Types

Social engineering has several forms and techniques. The following are some common methods used by hackers and crackers.

2.4.1 User Impersonation

A special scenario is created for the target, who is unaware of the situation. The attacker pretends to be someone from inside the company and has a password reset through a telephone conversation or email.

2.4.2 Staff Sympathy

In this technique a false error is generated; the attacker then pretends to be a member of the help-desk staff and obtains the user's information while trying to help the target log on to the system.

2.4.3 Intimidation

Pretending to be part of senior management, or misusing available authority over a junior employee, in order to obtain unauthorised information is called intimidation. Electronic devices can be used to disguise the voice and pose as authorised personnel to extract employees' personal information.

2.4.4 Dumpster Diving

This is related to identity theft. It includes credit card information, documents which are not supposed to be read by anyone but the intended recipient, organisational rosters and charts, etc. A disposal policy that shreds documents and erases storage media before recycling is recommended (Rouse).

2.4.5 Reverse Social Engineering

Social engineers create an environment in which people contact them and share their personal information themselves. This has become especially common since the launch of social networking websites.

2.4.6 Shoulder Surfing

The main purpose of shoulder surfing is to obtain the usernames and passwords of the system. It is very easy if the target person is unaware of the technological details, or if a level of trust has been built up between the two and they share information.

The favourite methods of social engineers are social networking websites and phishing emails. With the ease and time efficiency provided by the internet and social networking websites, people now prefer to manage their relationships through Facebook, Twitter, etc. They are also ignorant of, or careless about, the security of their information and the measures that prevent its violation; therefore companies are incurring costs to secure the information (Michael Workman).

Figure 3


2.5 Online Social Engineering

Social engineering is the use of non-technical means to gain unauthorised access to information or systems (Chandra & Bensky, 2011). Normally a hacker would exploit a system's vulnerabilities and run scripts to gain access. When hackers deploy social engineering they exploit human nature instead. Social engineering consists of building trust relationships with people who work inside the organisation, or who are privy to sensitive information such as usernames, passwords and personal identification codes, which are needed to gain access to networks, information and equipment (Janczewski & Colarik, 2008).

Social networking websites are the most popular websites today, and the number of users is growing by leaps and bounds. They provide excellent services for making new friends, finding old friends and sharing pictures and videos, and have become one of the most entertaining tools on the internet. Registered users must share some basic information about themselves, but they have the option of sharing unlimited personal and family information on the internet. Users share this information with their friends and relatives and to make their web pages interesting and funny. Social engineers use these websites to prey on potential targets. SE attacks are easy to attempt, low in cost and very difficult to trace back. Online SE attacks are usually variants of traditional information security hacking programs such as malware, worms, etc., but on a social networking website social engineers exploit the trust between the victim and the victim's friends to obtain sensitive and valuable information (Podgórecki et al, 2006).

Social engineering tools are designed by hackers and crackers to compromise the target machine by spreading viruses and malware applications. The following are some other forms of online social engineering commonly used by attackers.

• Piggybacked software installation: this is usually an offer on the internet to download and install free software such as a game or a media player. Hidden within the program is spyware that monitors your activities on the system and has the ability to tamper with and extract information from it (Murr, 2012);

• Mail: these are email alerts, either from one of your friends or from an unknown well-wisher, informing you about something mysterious or warning you about your system. As soon as the user opens the file or attachment, spyware is downloaded onto the system unnoticed (Murr, 2012);

• Fake anti-spyware: these are utilities and software available free on the internet that are supposed to protect you from spyware but are in fact spyware themselves. They are attractive, sensibly planned and advertised on the internet, so be very careful;

• Spam mail: you often receive an email telling you that you have won a lottery, or that you are the millionth visitor to a website and have therefore earned a gift; subjects are usually of the form "You won the lottery". Another method is to offer huge discounts or a very valuable product at a low price so that you will provide your account information.
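The lures listed above share observable features that a mail gateway can score before a user ever sees the message. The following Python example is added here and is not from the dissertation or any author it cites: it parses two constructed messages with the standard library's email package and flags a lottery-style subject, a request for account details in the body, an executable attachment and a sender who is not in the recipient's address book. The sender addresses, domains, rule weights and verdict thresholds are assumptions chosen for illustration.

```python
import os
import re
from email import message_from_string, policy, utils as email_utils

# Rule weights, thresholds and file-type list are assumed values for this example.
EXECUTABLE_EXT = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".jar"}
LURE_SUBJECT = re.compile(r"\b(won|winner|lottery|prize|gift|millionth visitor)\b", re.I)
ACCOUNT_REQUEST = re.compile(
    r"\b(account (number|details|information)|bank details|password|verify your account)\b",
    re.I)
DISCOUNT_OFFER = re.compile(r"(\b\d{2,3}% off\b|\bhuge discount|\blow price)", re.I)


def triage(raw_message, known_senders):
    """Score one RFC 5322 message; return (verdict, score, findings)."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings, score = [], 0

    # 1. Unknown sender: the "unknown well-wisher" case from the text.
    sender = email_utils.parseaddr(msg.get("From", ""))[1].lower()
    if sender not in known_senders:
        findings.append(f"sender {sender} not in address book")
        score += 1

    # 2. Lottery / prize / gift subject lines.
    subject = msg.get("Subject", "")
    if LURE_SUBJECT.search(subject):
        findings.append(f"lure subject: {subject!r}")
        score += 2

    # 3. Body asks for account data or dangles a bargain.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    if ACCOUNT_REQUEST.search(body):
        findings.append("body asks for account or login details")
        score += 2
    if DISCOUNT_OFFER.search(body):
        findings.append("body dangles a discount or bargain")
        score += 1

    # 4. Executable attachment: the "open the file and spyware lands" case.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name.lower())[1] in EXECUTABLE_EXT:
            findings.append(f"executable attachment {name}")
            score += 3

    verdict = "block" if score >= 3 else "warn" if score >= 1 else "deliver"
    return verdict, score, findings


# Constructed address book and messages (assumed example domains).
KNOWN_SENDERS = {"bob@corp.example"}

LOTTERY_MESSAGE = """\
From: "Lottery Board" <claims@prize-mail.example>
To: alice@corp.example
Subject: You won the lottery!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Congratulations! Send your bank details to claim your gift.
--b1
Content-Type: application/octet-stream; name="claim_form.exe"
Content-Disposition: attachment; filename="claim_form.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

LUNCH_MESSAGE = """\
From: Bob <bob@corp.example>
To: alice@corp.example
Subject: Lunch tomorrow?
Content-Type: text/plain; charset="utf-8"

Still on for 12:30?
"""

if __name__ == "__main__":
    for raw in (LOTTERY_MESSAGE, LUNCH_MESSAGE):
        print(triage(raw, KNOWN_SENDERS))
```

The lottery message scores on all four rules and is blocked; the colleague's lunch note scores nothing and is delivered. Keyword rules of this kind are deliberately simple and are meant as the first layer in front of user awareness training, not a replacement for it.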

The number of internet users is increasing day by day. Individuals and companies use the internet for correspondence, and social websites and internet messaging to stay connected. Information about companies and their executives is easily available on Facebook and LinkedIn, and employees follow them regularly. When building profiles people share their personal information, even contact numbers, addresses, hobbies and activities, which makes it easier for social engineers to exploit them through their personality traits.


2.6 Earlier Work

2.6.1 Social Engineering Attack Model

Hacking and malicious software are the earliest form of attack on information security, but their efficiency and results are decreasing because companies are investing heavily in cutting-edge technology to counter technical attacks. Intruders are therefore developing non-technical methods to do their dirty work. Social engineering is such an alternative, and it is more successful because it uses psychological weaknesses and vulnerabilities (Chitrey, 2012).

The social engineering attack cycle is explained in a four-step model:

Step 1: Information gathering. Social engineers accumulate information about their targets, such as the nature of the job, position, privileges, authority and powers, and weaknesses.

Step 2: Development of relationship. Social engineers then try to build a relationship of trust. Once they have gained contact with and the trust of the target, it is easier for them to exploit weaknesses and pursue their real goals.

Step 3: Exploitation of relationship. In this phase the social engineer manipulates the primary information, the relationship with the target and the target's weaknesses to get the real information he is after.

Step 4: Execution to achieve objective. After obtaining sensitive and private information from the target, they use that information to plan and execute the real attack on the organisation.

Figure 4: Social Engineering attack cycle

A concept model was proposed by (Janczewski).

Figure 5: A Concept

(Oosterloo) proposed an attack structure comprising four phases, derived from the basic attack cycle.

Figure 6: Attack Structure

The following are some possible tactics that can gain the psychological attention of humans:

− Profiling,

− Piggybacking

− Identity theft

− Item dropping

The following psychological principles are also discussed:

− Overloading

− Strong effect

− Deceptive relationship

− Authority


− Integrity

2.6.2 Social Engineering Trust Model

A trust model designed by Laribee explains how a social engineer develops a relationship with the target and, after the relationship has developed, how he or she obtains the relevant information to design and execute the actual attack on the organisation.

Figure 7: Trust Model

Social engineers build a trust relationship with the target primarily because people can only be deceived when they trust the social engineer; otherwise they will not share sensitive information. Once trust is developed, the collection of information is easier and faster. The information can be collected directly or indirectly. "By design, social engineering involves the abuse of trust relationships." (htt)


2.7 Social Engineering Risk Management

Every organisation has to manage risk in order to continue operating. Therefore, senior management introduces a process to keep risks and vulnerabilities at a minimal level (Oosterloo).

A social engineering risk management model is specifically built to deal with threats and attacks and to prevent leaks and theft of information. Organisations must plan and implement the social engineering risk management model within the scope of the company's information security policy. This model helps to:

• reduce the redundancy of risk

• prevent uncertain loss

• identify risk

• update the information security policy for smooth operations

2.7.1 Insider

Inside threats and weaknesses are as disastrous as technological attacks, and an organisation should not depend solely on the technological aspect. Viruses and hackers can be identified and eliminated more easily than an inside leakage of information or accidental loss of data can be detected and prevented. An insider can cause far more damage and has numerous opportunities to cause it (Colwill).


Figure 8: Types of Network Security Threats

Insiders do not need to do research. They have access to the major areas and information of the company; they have access to sensitive information and they are trusted. It is very difficult to draw a line between an employee using IT resources and a person who misuses his authority (Magklaras, 2001).

Figure 9: Size of Companies

The security policy places restrictions on the access to and usage of the information stored in the organisation, but this becomes very complex when more than one employee or senior manager is using, entering and manipulating the same information.

Misuse can be either accidental or intentional. The former may be excusable and may save the day for the employee, but intentional misuse is entirely different. There may be one or more motives for intentional misuse, for example data theft, or the employee may simply be unwilling to follow the rules out of habit. Accidental misuse is prevented by introducing protocols and a code of conduct; for example, if an employee plugs in a USB device and ends up corrupting the system, that is called accidental misuse.

Liu has reported that two-thirds of security breach incidents involve inside employees and insiders (Liu, 2008). It is widely observed that organisations focus more on technological tactics such as installing firewalls and software to protect the network from outside attacks, while insufficient effort and resources are available to counter social engineering. The biggest reason is that organisations do not realise or recognise that it is happening. Even if they know that they have suffered a social engineering attack, it is easier to stay in denial and protect their reputation among peers, the public and competitors (Colwill, 2009).


Figure 10: Types of misuse and reporting frequency

The hypothesis of situational crime prevention theory states that for a crime to occur the elements of intention and opportunity must both be present (Theoharidou, 2005). ISO17999 (ISO/IEC: 2000) and other organisations have proposed security controls to protect information systems from the insider threat, but before such controls and policies are implemented a risk analysis survey is necessary. These controls include:

• Roles and responsibilities

• Staff personnel screening

• Non-disclosure agreement about confidentiality

• Information security training for awareness purposes

The social engineering risk management model defines the risk management process and, as a result of careful planning and execution, yields control over attacks and the risks involved. It is designed to defend against attacks and secure information as far as possible. Several international standards defined by numerous governments serve as a touchstone or guide for the design and implementation of the model in an organisation (Janczewski & Colarik, 2008).

Social engineering risk management can be categorised as in the figure shown below. It categorises risks based on significance level and likelihood (because "risk impact" = significance level × likelihood).

Figure 11: Social Engineering Risk Management

When a risk has high significance and low likelihood, the risk should be transferred. When it has low significance and low likelihood, the risk should be accepted. High significance and high likelihood indicate that the risk should be avoided. Lastly, low significance and high likelihood show that the risk should be mitigated.
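As an added illustration that is not from the dissertation, the following Python code applies the four-quadrant rule above to a small constructed register of social engineering risks drawn from the types discussed earlier. The impact formula and the treatment assigned to each quadrant are the ones stated in the text; the 1 to 5 scoring scale and the threshold at which a score counts as "high" are assumptions.

```python
from dataclasses import dataclass

SCALE = range(1, 6)   # 1..5 for both significance and likelihood (assumed scale)
HIGH = 3              # a score >= HIGH counts as "high" (assumed threshold)

# Treatment per (high significance?, high likelihood?) quadrant, as stated in the text.
TREATMENT = {
    (True, True): "avoid",
    (True, False): "transfer",
    (False, True): "mitigate",
    (False, False): "accept",
}


@dataclass(frozen=True)
class Risk:
    name: str
    significance: int
    likelihood: int

    def __post_init__(self):
        # Reject scores outside the agreed scale so that the matrix stays comparable.
        if self.significance not in SCALE or self.likelihood not in SCALE:
            raise ValueError(
                f"{self.name}: scores must be in {SCALE.start}..{SCALE.stop - 1}")

    def impact(self):
        # "risk impact" = significance level * likelihood
        return self.significance * self.likelihood

    def treatment(self):
        return TREATMENT[(self.significance >= HIGH, self.likelihood >= HIGH)]


def assess(register):
    """Return (name, impact, treatment) tuples, highest impact first."""
    ranked = sorted(register, key=lambda r: (-r.impact(), r.name))
    return [(r.name, r.impact(), r.treatment()) for r in ranked]


def plan_by_treatment(register):
    """Group risk names under the treatment their quadrant prescribes."""
    plan = {treatment: [] for treatment in TREATMENT.values()}
    for name, _, treatment in assess(register):
        plan[treatment].append(name)
    return plan


# Constructed scores for illustration, not survey data.
SAMPLE_REGISTER = [
    Risk("Phishing email harvesting credentials", 4, 5),
    Risk("Telephone impersonation to reset a password", 5, 2),
    Risk("Shoulder surfing in an open-plan office", 2, 4),
    Risk("Dumpster diving for organisational charts", 2, 2),
]

if __name__ == "__main__":
    for name, impact, treatment in assess(SAMPLE_REGISTER):
        print(f"{impact:3d}  {treatment:<8}  {name}")
```

Ranking by impact gives the order in which the four treatments appear in the text's figure: the phishing risk (impact 20) is avoided, the rare but severe telephone reset (10) is transferred, shoulder surfing (8) is mitigated and dumpster diving (4) is accepted. Because the quadrant decides the treatment while the product only orders the list, two risks with the same impact can still receive different treatments.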

2.8 Social Engineering Attack Vectors

A social engineering attack can be initiated from many different vectors: a phone call made by an attacker to extract data; an email phishing attack composed to look like a legitimate request for sensitive information; or a physical intrusion into the building by someone claiming false credentials. The reality is that a skilled social engineering attack can fool even the most paranoid "tin foil hat" wearers (Klevinsky et al, 2002).

Alarmingly, when it comes to social engineering, curiosity often seems to kill the cat. The most common and well-known issue is the user who clicks on a rogue link in an email or on a social media site that propagates malware. Malware originating from social media sites is growing at an alarming rate (Long, 2011). Everyone seems to want to see "the guy who was on fire for a day and was not burnt", or to answer the "100 facts about me" questionnaires whose answers can easily be used to recover personal accounts.

Successful social engineers research their target thoroughly. The more information the attacker has, the more questions they can answer and thus the more convincing they can be. Remember that the goal of a social engineering attack is to get the information or data needed, or to convince the target to perform an action that benefits the intruder.

A good penetration testing company that has landed a contract to thoroughly test the security of an organisation without many "off limits" areas will normally spend days performing passive research before the pen testers fire their first shot (Tolman, 2008). They will find everything they can, and the amount of public information available to anyone who knows where and how to look can be rather shocking. With a single carefully crafted search engine query you could find information about yourself that you thought was private.

There are many vectors for a social engineering attack. Each is very dangerous and has an alarming success rate, and the more information available to the attacker, the more threatening the attack will be. Know your users, your organisation's weaknesses and what information is publicly available (Podgórecki et al, 2006). Only then will you know where to begin eliminating sensitive information where possible, or what to educate your employees to be on the lookout for, with examples of inquiries that should raise flags. If possible, hire professionals to assess your organisation's current level of security awareness. Lastly and most importantly, nothing will be effective against an attack if your employees simply do not care; be creative and find a way to keep security on their minds.

2.9 Incident Management

An incident is an unexpected and disruptive event that affects an organisation. An incident may be intentional or unintentional, and it is important to deal with it in a good way. Not every incident leads to bad consequences for an organisation: an intrusion or an attempt to steal information that fails is still an incident.

An organisation must have defined procedures for documenting incidents. The purpose of documenting all incidents is to create a bank of experience that can be used to improve the organisation's information security (Hadnagy, 2010). When an incident occurs, the organisation should have a process for investigating what happened and who or what caused it. A disciplinary sanction can then be imposed on the employee who violated the security rules. When an incident with malicious consequences occurs, a new risk analysis should also be made.

The challenge is to discover an incident, react according to documented procedures and then neutralise the threat so that it will not happen again. Incident management must be an on-going process consisting of six steps. The six steps are the cornerstones of a cycle that is an important part of an organisation's security (Grebmer, 2008). Step one is protection, which means being able to act before an incident has occurred so that, if one does occur, the damage is minimal. Protection also includes the development of guidelines for incident management. Step two is identification, where it is important to find out what happened or what caused the incident. This can be problematic, because one incident can trigger a dynamic chain of events and it can be difficult to know exactly what started the chain. Step three is reporting, and it is the foundation for how to proceed in handling the incident (Mann, 2012).

It is also the basis for further investigation of what really caused the incident. Step four is to control or reduce the cause of the incident. Step five is to restore the system and its information, after the problem the incident caused has been corrected or, at least, the risk of it happening again has been reduced (Hadnagy, 2010). Step six in the cycle is follow-up and monitoring, and it is an important step for preventing future incidents with adverse consequences. The monitoring covers the knowledge gained in order to prevent identical and similar incidents. Each step of this process provides the input to the next, and step 6 provides input to step 1.

2.10 Resolution Approach

Organisations occasionally hire companies to invest in improving information security. This can include hardware and software, training staff and implementing various security procedures. The most important thing is that the organisation continually updates its security procedures and its hardware and software. The problem may be that organisations forget, or do not bother, to update their security, because it can involve a large expense without anything visibly improved. If the organisation purchases new hardware or software, the investment is more apparent in everyday work.

The threat posed by social engineering is mainly to the finances of an organisation or person, but it is also a major threat to the reputation of a person or body. It may involve spreading a false rumour so that an organisation's success is undermined. The person who carried out the social engineering attack did so for personal financial gain, or so that another organisation could take advantage of the affected organisation losing market share. What is most commonly stolen through social engineering is information or money (Shoniregun, 2005). The information stolen is that which can provide financial returns, or information that may harm the company, information that an organisation does not want unauthorised people to be able to access. To ensure that a social engineering attack does not lead to very negative consequences, some actions can be taken. Most important of all is that the management of an organisation is aware of how important it is to train its staff and to keep its security procedures and its information security policy up to date. Management must be prepared to provide the financial support needed to work continuously with training and security procedures and the proper functioning of the information security policy.


Chapter 3: Methodology

3.1. Introduction

This methodology section provides comprehensive details about the theoretical framework of this study and its suitability for addressing the point of the study, discussing the research design, the researcher's role, the questions and sub-questions answered in the study, and the methods of data collection and analysis.

3.2. Research Methodology

The major task of any science is gaining insight, and selecting the most appropriate method for understanding the actual facts is therefore important. The problem arises in trusting the wrong skills, or vice versa (Dawson, 2002). Deductive and inductive methods have different objectives and can be summed up as theory testing and theory development respectively. Usually the inductive method is associated with qualitative research, whereas the deductive method is frequently associated with quantitative research (Kothari, 1985). Dawson (2002) describes qualitative approaches to research as "a collection of interpretive approaches, which seek to describe, decode, interpret and otherwise come to terms with the meaning, not the frequency, of certain more or less naturally occurring phenomena in the social world." Almost all research will contain some numerical information that could usefully be quantified to help answer the research questions and meet the main objectives (Dawson, 2002). Quantitative data refers to all such information and can be a product of any research design. This style is a straightforward way to collect suitable information from a large number of samples.

Research in primary care can combine qualitative and quantitative approaches in a mutually enriching way, and there are multiple ways to combine them. Qualitative research may precede quantitative research, generating hypotheses and/or items for a quantitative questionnaire; symmetrically, quantitative work can facilitate qualitative research by identifying subjects to take part in the qualitative approach. Both kinds of research can be used together towards a coordinated approach that is broader and richer (Guba & Lincoln, 1988).

Using both methods in a study can help correct the biases inherent in each, but the fact that the quantitative approach is the most commonly applied is not accidental; it follows from the development of the scientific method over the years. It is believed that quantification enhances our understanding of the world around us. Qualitative research is recognised as descriptive, employing words and images instead of numerical figures to convey the outcomes of the research study (Greene, 2002). Therefore, a secondary research approach is selected as the better approach for conducting this research study.

3.3. Research Philosophy

A researcher can choose one of two major philosophies for a research study, namely the positivist and the interpretivist philosophies (Meyer & Redd, 2004). The researcher adopts a more scientific perspective when employing a positivist philosophy, seeking to establish law-like generalisations from observable social occurrences. On the other hand, the interpretivist school of thought considers society and the events within it far too complex to be generalised or interpreted as simplistic (or even complex) equations connecting a set of independent variables to a dependent variable. The interpretivist or phenomenological standpoint is thus more focused on studying the reality behind the details and developing a better understanding of these occurrences. Given that the present study seeks to gain a deeper insight into how social engineering risk is perceived and managed in organisations, the research philosophy underpinning the current study is the interpretivist one, rather than the positivist school of thought (Meyer & Redd, 2004).

3.4. Research Approaches

Methodology refers to the set of rational procedures used to achieve the objectives governing scientific research, a doctrinal exposition, or tasks that require specific skills, knowledge or care. Alternatively, methodology can be defined as the study or choice of an appropriate method for a given purpose (limat.org, 2012). There are two ways to analyse research data, as follows.

Qualitative research, or qualitative methodology, is a research method used primarily in the social sciences. It is based on methodological approaches grounded in theoretical principles such as phenomenology, hermeneutics and social interaction, and uses data collection methods that are not quantitative, in order to explore social relations and describe reality as experienced by the people involved (Dawson, 2002). Quantitative methodology is the one that allows data to be examined scientifically, or more specifically in numerical form, generally using tools from the field of statistics. Quantitative methodology requires that the relationships between the elements of the research problem be representable by a numerical model, whether linear, exponential or similar. This means that there is clarity among the elements that make up the research problem: it is possible to define and delimit it, and to know exactly where the problem starts, in which direction it goes, and what kind of influence its elements have on each other (limat.org, 2012).

This research requires a mixed approach combining both qualitative and quantitative methods. This approach enables researchers to combine depth and breadth in empirical investigation, which enhances the legitimacy of the research findings (Modell, 2010).


A combined qualitative and quantitative approach was used in this study to examine awareness of social engineering within organisations and the actions taken to manage the risk. The literature review is based on qualitative research, whereas the primary data is collected through a survey questionnaire, interviews and a phishing test.

3.5. Research Design

A research design gives the steps and shape of the research approach and determines the ways in which data will be collected and organised. It is one of the most important steps in developing the data and the right way of doing so. The research design has to be well suited to the questions being investigated. This makes the process easier and more convenient, and the research easier to understand.

3.5.1. Descriptive Design

Descriptive research provides a description of the state of affairs as it exists at present. It gives descriptions of the variables that are most relevant to the conclusions (Goddard & Melville, 2007).

3.5.2. Experimental design

Experimental research is primarily concerned with cause and effect. The researcher identifies the variables of interest and tries to determine whether changes in one variable (called the independent variable, or cause) result in changes in another (called the dependent variable, or effect). Experimental research might be used to determine whether a certain material is fire-resistant or whether a new teaching method achieves better results (Goddard & Melville, 2007).


3.5.3. Surveys by Questionnaire

A questionnaire is a set of questions pertaining to the field of study, distributed among professionals or the general public, whichever the subject requires (Dawson, 2002). It is most useful for covering the breadth of the subject. It is undertaken to reach a research conclusion based on the data that is collated (Goddard & Melville, 2007), and the result is more of a generalisation of the research data gathered through the questionnaire. Confidentiality must be guaranteed for certain questionnaires. Another method that will be used is an e-mail survey: a questionnaire will be prepared and e-mailed to the staff, who will have to fill it in and return it to the researcher within a given time. The questionnaire has to be designed to be as simple as possible, because filling in a questionnaire requires literacy and it has to be completed by the respondent personally (FAO).

The questionnaire will contain multiple-choice questions as well as open-ended questions, so a hybrid approach will be used here, as with the interviews. The advantage of conducting surveys by e-mail is that it is quick and saves time; the disadvantage is that it cannot reach people who do not use computers (Pierce).

3.5.4. Interview

Interviewing is also known as a first-hand information collection technique. The interview is a primary source of information, and is described as a two-way systematic conversation between the researcher and the source (Alemayehu).

In this study, interviews will be conducted individually, since people generally seem more willing to speak than to write. Interviews will be documented so that they can be used for future reference. Interviews may also be recorded, because this saves time and because it is sometimes hard to take notes and ask questions at the same time. A mix of directive and non-directive approaches will be used. For busy officials and senior managers who might not be in the office, interviews can be conducted by telephone. The interviewing process will consist of the following stages: preparation before the interview; an introduction, in which the purpose of the interview is explained; the interview itself, during which notes will be taken and the interview recorded as needed; and finally closing the interview.

3.5.5. Phishing

To observe employee behaviour, phishing will be used as a technique. E-mails will be sent to employees at their official e-mail addresses. This will be done with the permission of the executives, in order to analyse the level of risk and threat to the organisation: whether staff give out sensitive data or share passwords.

3.6. Action Research

Action research gathers comparative data about specific performance and the general topic. It is a more practical, face-to-face kind of research, in which the research is performed with professionals who are already excelling in their respective fields. This kind of research is carried out by approaching individuals for immediate feedback in order to improve or change practices in a systematic manner (Kothari, 2006). This form of research was used with selected professionals working in the organisation studied, as well as a few of its employees.

3.6.1. Primary Data

The study of a subject through first-hand observation and investigation is referred to as primary data. This is what I have done in this project, but to conduct the primary research I have also drawn on my own working background: the primary data in this research has come from my observation and my experience. The data was collected from employees in management positions by mailing them surveys. The questionnaire has been helpful in collecting and collating the basic data from these people, interviewing them, and drawing some important conclusions from the surveys (Dawson, 2002). The data collected covers how the organisation studied perceives and manages social engineering risk.

3.6.2. Secondary Data

Secondary data refers to data which has already been collected and analysed by someone else. Secondary data is data that is already publicly available by means of books, journals, census data, articles, magazines, reports, newspapers, websites, scholarly articles, the Internet, databases, etc.; it involves the collection of data that other researchers have produced on the subject (Kothari, 2006). In this research I have used secondary data which was already collected and analysed by someone else: I have collected the related data on social engineering risk and its management in organisations.

3.7. Analysis of Data

The descriptive analysis methodology has been used to analyse the findings of the survey. The main reason for this is that the research is predominantly exploratory in nature, and it is generally accepted that, for inductive and exploratory research, qualitative methods are the most suitable, as they can lead to hypothesis building and explanations (Tony, 2011).

3.8. Ethical Issues

Gathering reliable and appropriate knowledge about the world is certainly a valuable goal in itself. However, it is not necessarily the only or ultimate goal in ordinary people's lives (Guba & Lincoln, 1989). Other objectives, the everyday aspirations of human life, comprise innumerable practices of daily life, or in general: personal happiness, security, harmony and peace, the benefit of autonomy of action and of other human rights, and for some the personal salvation of the soul. The knowledge collected by research can assist in achieving some of these on certain occasions, but not always. It should go without saying that in science one of the most damaging unlawful activities is the falsification of data or results. The least of the damage is that the perpetrator is wrongly awarded a degree; the worst is that the fictitious information may be used in good faith by others, which can cause a great deal of fruitless work. Thus, it was made sure that the data and information employed in this study are suitable and reliable.


Chapter Four: Result and Discussion

4.1. Result

4.1.1 Survey

The questionnaire survey was completed by 54 respondents within an organisation. The questionnaire focused on analysing awareness of social engineering within organisations and among their employees, and on examining the actions undertaken to manage the risk.

Figure 12: Respondents by Profession

When asked to rate their awareness of security threats, the IT professionals reported a high degree of awareness, 86 percent in total, of whom 39 percent described themselves as aware and 47 percent as highly aware. Among security professionals, whose job is primarily focused on ensuring the security of the organisation's systems, awareness was as high as 97 percent, of whom 62 percent were highly aware and 35 percent were aware.

[Figure 12: pie chart of respondents by profession (Security Professional, IT Professionals); values shown: 31 and 23]


Figure 13: Awareness of Social Engineering

The participants were asked whether they had been targeted by social engineering. Around 43 percent of the participants said that they had been targeted, whereas 16 percent were confident that they had never been targeted. The remaining 41 percent were not aware of any such attacks, but could not say definitely whether there had been attacks or not.

[Figure 13: bar chart of awareness of social engineering, by profession (Security Professionals, IT Professionals); categories Highly Aware, Aware, Somewhat aware, Never heard of it; x-axis 0 to 70 percent; IT Professionals values 47, 39, 12, 2]


Figure 14: Social Engineering Attack Experience

Those participants who said that they had been victims of social engineering were then asked what they believed the reasons behind such attacks were. Financial gain was the most common answer, chosen by 51 percent, followed by access to proprietary information (46 percent) and competitive advantage (40 percent). Revenge was chosen by only 14 percent of the respondents, which is fortunately lower than expected.

Figure 15: Motivation for Social Engineering Attacks

[Figure 14: pie chart of social engineering attack experience; Not that I am aware of 41%, Yes 43%, Never 16%]

[Figure 15: bar chart of motivations for social engineering attacks; Financial Gain 51, Access to proprietary information 46, Competitive Advantage 40, Revenge 14, Other 4 (percent of respondents)]


The participants who reported having been attacked were also asked how frequently these incidents occurred. Social engineering attacks were a frequent occurrence: 25 or more attacks in the past two years were reported by 32 percent of the respondents. Unsurprisingly, large organisations faced more frequent attacks.

Figure 16: Attacks Frequency

The participants who had been attacked by social engineering scams were also asked about the financial impact of these attacks and what each incident typically costs. The costs include business disruption, customer outlays and lost revenue, as well as labour costs and other overheads. Around 48 respondents said that the cost per incident is around $25,000, whereas larger organisations said that the cost of an incident is around $100,000.

[Figure 16: bar chart of attack frequency in the past two years, for all companies and for companies with more than 5000 employees; categories More than 50 times, 25-50, 5 to 24, Less than 5 times; x-axis 0 to 40; values shown: 33, 15, 32, 20]


Figure 17

Participants were asked which groups pose the greatest social engineering threat within an organisation. New employees received the most positive responses, from 60 percent of the respondents, followed by contractors (44 percent); 38 percent of the respondents named executive assistants who have access to executive calendars.

[Figure 17: bar chart of cost per social engineering incident, for all companies and for companies with more than 5000 employees; categories More than $100,000, $50,000-$100,000, $25,000-$50,000, Less than $10,000; x-axis 0 to 40]


Figure 18

When asked about the most common source of social engineering, participants identified phishing as the most typical source (47 percent of the respondents), followed by the use of social networking sites such as LinkedIn by new employees (39 percent).

Figure 19: Most Common Threats

[Figure 18: bar chart of staff groups seen as social engineering threats; categories New Employees, Contractors, Executive Assistants, Human Resources, business leaders, IT Personnel; y-axis 0 to 70; values shown: 34, 46, 53, 56, 56, 55]

[Figure 19: pie chart of the most common source of social engineering threats; Phishing Emails 47%, Social Networking 39%, Insecure Mobile Device 12%, Other 2%]


4.1.2 Interviews

a. Can social engineering attacks be defended?

Interviewee 1: To attack an organisation, hackers dedicated to social engineering exploit the gullibility, laziness, good manners and even the enthusiasm of company personnel. So it is difficult to defend against a social engineering attack, because victims may not realise they have been deceived, or may prefer not to admit it in front of other people.

Interviewee 2: An attacker who carries out a social engineering attack attempts to persuade your staff to provide information, so that they can use the company's systems or system resources. This approach is traditionally known as a scam. This can never be defended against in any way possible.

b. Can we relate politics with social engineering?

Interviewee 2: Politics, as the social engineering of human masses, reducing uncertainty in people's behaviour, therefore relies first on a descriptive phase, which consists of modelling these popular behaviours in order to define their general structures and constants.

c. What is the relation between economics and risk analysis?

Interviewee 1: The current economic crisis is obviously not escaping these manoeuvres of rebuilding after destruction, which are usually aimed at a more centralised system to simplify control. The economist F. William Engdahl describes on his blog the ins and outs of a programmed phenomenon: "Use panic to centralize power."

4.1.3 Phishing

Phishing involves the use of e-mail to obtain personally identifiable information or confidential information from a user. For example, attackers can send e-mail messages that appear to come from legitimate organisations, such as banks or partner companies.


As the term phishing suggests (a fish biting the bait), these approaches are usually speculative and contain a general request for information from a customer. The realistic camouflage used in the e-mail messages, including logos and fonts and even genuine-looking company toll-free customer-care numbers, makes the message more credible. Every phishing message contains a request for information about the user, often framed as being needed to facilitate an upgrade or the provision of an additional service. There is also spear-phishing, an extension of phishing in which the attack is directed at a specific target or a specific group within a department. It is a much more sophisticated approach, since personal information and details of the target's activities are essential to make the deception credible. Carrying out an attack of this type requires a better understanding of the target, but the information obtained will be more specific and detailed.

In this case too, the e-mail message may contain hyperlinks that can lure a staff member into breaching the company's security.

A phishing e-mail was sent to 10 randomly selected employees of the organisation. None of these employees opened or clicked the scam link given in the e-mail.
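The phishing test described in section 3.5.5 and reported above (one lure e-mail to 10 employees, with the outcome measured by who clicked the link) needs a way to tell which recipient clicked without asking them. The following is an added example, not part of the dissertation and not the tool the author used: it issues each recipient a unique HMAC-derived token, embeds it in the lure URL, and then attributes hits in a web server access log back to recipients, ignoring requests with no token or with a token that was never issued (a forged or mistyped one). The campaign secret, the landing URL, the employee IDs and the log lines are all constructed for the example.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlparse

# Assumption: a secret chosen per campaign so that tokens cannot be forged or
# guessed from employee IDs (hypothetical value; rotate it for every exercise).
CAMPAIGN_SECRET = b"campaign-2013-03-secret"
LANDING_URL = "https://it-support.example.com/update"  # hypothetical lure page

# Matches the request part of an Apache/nginx combined-format access log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>GET|POST) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def make_token(employee_id: str, secret: bytes = CAMPAIGN_SECRET) -> str:
    """Per-recipient token; HMAC so one recipient cannot guess a colleague's token."""
    return hmac.new(secret, employee_id.encode(), hashlib.sha256).hexdigest()[:16]


def build_campaign(employee_ids):
    """Return (token -> employee_id, employee_id -> unique lure URL)."""
    tokens = {make_token(e): e for e in employee_ids}
    urls = {e: f"{LANDING_URL}?t={t}" for t, e in tokens.items()}
    return tokens, urls


def attribute_clicks(log_lines, tokens):
    """Map employee_id -> [(timestamp, ip), ...] for every hit carrying a valid token.

    Requests without a token, or with a token not issued in this campaign,
    are ignored rather than attributed to anyone.
    """
    clicks = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlparse(m.group("path")).query)
        token = query.get("t", [None])[0]
        employee = tokens.get(token) if token else None
        if employee is None:
            continue
        clicks.setdefault(employee, []).append((m.group("ts"), m.group("ip")))
    return clicks


def summarise(tokens, clicks):
    """Click rate of the exercise, counting each employee at most once."""
    sent = len(tokens)
    clicked = len(clicks)
    return {"sent": sent, "clicked": clicked,
            "click_rate": round(clicked / sent, 3) if sent else 0.0}


# Constructed sample: ten recipients, as in the dissertation's test, and a few
# made-up access-log lines showing a repeat click, a forged token and noise.
EMPLOYEES = [f"emp{i:02d}" for i in range(1, 11)]
TOKENS, URLS = build_campaign(EMPLOYEES)
SAMPLE_LOG = [
    f'10.0.0.5 - - [12/Mar/2013:09:14:02 +0000] "GET /update?t={make_token("emp03")} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'10.0.0.5 - - [12/Mar/2013:09:14:40 +0000] "GET /update?t={make_token("emp03")} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'10.0.0.9 - - [12/Mar/2013:09:20:11 +0000] "GET /update?t={make_token("emp07")} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.12 - - [12/Mar/2013:09:25:00 +0000] "GET /update?t=deadbeefdeadbeef HTTP/1.1" 200 512 "-" "curl/7.29"',
    '10.0.0.13 - - [12/Mar/2013:09:26:00 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    hits = attribute_clicks(SAMPLE_LOG, TOKENS)
    print(summarise(TOKENS, hits))   # two of the ten sample recipients clicked
    print(summarise(TOKENS, {}))     # the dissertation's outcome: nobody clicked
```

Because the token is an HMAC over the employee ID rather than the ID itself, the lure URL reveals nothing about who received it, and a recipient who forwards the mail cannot make a click look like a colleague's without the campaign secret. The same token map is what lets the exercise report a per-person result, which is the data an awareness programme needs in order to target follow-up training rather than a bare click rate.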

4.2. Discussion

The goals of an attacker dedicated to social engineering, or of any person who attempts to gain unauthorised access to computer systems, are similar to those of any other hacker: to obtain money, information and the IT resources attached to them.

Many small and medium-sized businesses believe that hacker attacks are a problem only for large multinational companies and organisations, which may offer greater financial rewards. Although this may have been true in the past, the rise in cyber-crime makes it clear that today attackers target all sectors of the community, from multinational corporations to individuals. Criminals can steal from a company directly, by moving funds or resources, but they can also use a company as a staging point from which to perpetrate crimes against other people. Faced with such an approach, the authorities find it more difficult to trace the culprits.

The culture of inequality is not confined to the economic sphere. It also affects the configuration of the perceptual field. Indeed, the basis of theories of surveillance, as summarised by Jeremy Bentham's panoptic principle, is the dissociation of the pair "seeing" and "being seen".

This radical constructivism, originating in the Palo Alto school and very popular among consultants, does not hesitate to consider that perception may be detached from any real referent. The engineering of perceptions becomes an almost demiurgic activity of constructing collective hallucinations: shared, standardised, and defining the common reality, that is, a stabilised set of forged causal relationships. As the famous hacker Kevin Mitnick puts it in his essay, social engineering is the art of deception; more precisely, the art of misleading others and exercising power over them by playing on the failures and blind spots of their systems of information-gathering and defence. It is illusionism and conjuring applied to the whole social field, so as to build a sham living space, a fake reality in which the real rules are intentionally camouflaged.

These manipulation techniques rely on what are called the "management sciences", a nebula of disciplines that began to form a coherent corpus from the 1920s and whose major ideological lines are summarised by information theory and cybernetics: namely, that living beings and conscious subjects are information systems that can be modelled, monitored or hacked, just like non-living information and objects composed of non-conscious systems. The best known of these disciplines are marketing, management, robotics, cognitive, social and behaviourist (behavioural) psychology, Neuro-Linguistic Programming (NLP), storytelling, social learning and reality-building. The common point of these disciplines lies in their relation to uncertainty, which they are always trying to minimise, to zero if possible. The world is thus perceived only in terms of exchange systems and information processing that need to be managed as effectively as possible, that is to say, by reducing the uncertainty of their operation through controlling them as accurately as possible. In addition, unlike the humanities and social sciences, these management sciences do not only observe and describe their object of study; above all they intervene, in the engineering sense, and therefore reconfigure a given system. When this is done without the knowledge of the reconfigured system, the reconfiguration becomes a stealthy violation of the system's integrity and is called hacking. And when it is applied to humans, this hacker's interventionism usually gives the reconfiguration the purpose of reducing the uncertainty of human behaviour, whether individual or collective.

These models update the programs, routines and algorithms of behavioural and psychological conditioning which human groups obey. The computer is the perfect tool, for example, for the complex calculation (probabilistic and stochastic) of crowd movements, which is used to manage risk by occupational health and safety bodies (building evacuation), but also by the police and the army to supervise and prevent any demonstration that could destabilise the government. In addition, spying on a population in order to model what it thinks, and thus defuse new critical trends, requires monitoring, intelligence, information collection and record-keeping, all greatly facilitated by the development of "ubiquitous computing" (computing that is ambient and diffused into the environment, as theorised by Mark Weiser) and by the cross-referencing of public and private electronic databases and local "expert systems" (interception of communications, payment cards, etc.). The cross-referencing of information gleaned from digital networks to calculate, by profiling, an estimate of the danger that a population (or an individual) poses to those in power has understandably become a contemporary political priority since the computerisation of society, which has switched many elements of people's lives to digital form.


In his book Global Monitoring, Eric Sadin gives an almost exhaustive list of these new forms of power, anticipatory rather than punitive, whose hold is coextensive with the strictly technological sphere. In the U.S., in the wake of the "Patriot Act", government electronic monitoring programmes such as "Total Information Awareness" (TIA) and the "Multistate Anti-Terrorism Information Exchange" (MATRIX) appeared. In France, in 1978, Simon Nora and Alain Minc delivered their famous report on the computerisation of society. In the same vein, the Ministry of Education has for several years been engaged in scanning discussion forums on the Internet, subcontracted in 2008 to the opinion-strategy specialist "i & e". The tender for 2009 includes the following missions: "Identify strategic issues (sustainable, predictable and emerging). Identify and analyse strategic or structural sources of opinion. Identify opinion leaders and whistle-blowers and analyse their potential impact and their ability to act in a network. Decipher the sources of debate and their modes of propagation. Identify meaningful information (especially weak signals).

Track meaningful information over time. Produce quantitative indicators (volume of contributions, number of comments, audience, etc.). Bring this information together and interpret it. Anticipate and assess the risks of contagion and crisis. Alert and recommend accordingly. Relevant meaningful information is that which precedes a debate, a potential 'opinion risk', a crisis or hard times to come in which the departments find themselves involved. (...) The Internet monitoring will focus on strategic online sources: sites that 'comment' on the news, protest, informative, participatory, political sites, etc. It will also focus on the online sites of the media, unions, political parties, thematic or regional portals, the sites of militant associations, protest or alternative movements, and opinion leaders. The monitoring will also include general search engines, general-public and specialised forums, blogs, personal pages, social networks, as well as online calls and petitions, and other diffusion formats (videos, etc.)."

4.2.1. The Shock Doctrine

Social engineering, as the reconfiguration of a given human system, is always preceded by the infliction of systematic shocks. Indeed, reconfiguring a system to make it more secure and predictable requires first erasing its current configuration. Resetting a human group therefore requires inducing amnesia in it through a founding trauma, which opens a window for action on the group's memory and allows an outsider to work on it to reformat, rewrite and recompose it. The term "shock strategy" to describe this method of social hacking was popularised by Naomi Klein. In The Shock Doctrine: The Rise of Disaster Capitalism, the author highlights the homology between the procedures of liberal capitalism and those of scientific torture as theorised in the CIA's manuals (with much fanfare, psychiatric therapies and references to trauma), that is, the intentional production of a regressive shock, in the form of planned economic crises or methodical emotional trauma, in order to destroy the existing structures and produce a clean slate on which new ones can be implemented.

We know the story of the software developer who himself spread viruses in order to then sell anti-virus software to the owners of the infected computers. In the economic field, we likewise talk about deregulation or liberalisation to evoke, by these intentional understatements, a de-structuring. Naomi Klein gives multiple examples, supported by the theoretical considerations of Milton Friedman, which all converge on the purpose of destroying local, national or even lower-level economies by deregulating and liberalising them, in order to re-regulate them by placing them in the trust of private multinational companies or transnational organisations such as the International Monetary Fund (IMF). Each time, the aim is to make an entity lose its sovereignty and self-control, so that it is put under outside control. The major obstacle in this process is the level of health of the entity, which lies in its level of political autonomy and sovereignty, and which naturally resists this attempt at reconfiguration by an external controlling decision, the "hostile takeover" felt as alienation and a transgression of integrity. The violence of the shocks inflicted will be a measure of the entity's level of health and sovereignty, its level of resistance.

In addition, within a social engineering framework, the shocks inflicted need not be real; they may be staged purely in the field of perceptions. Systematic shocks can therefore take the form of hoaxes and pure illusion, or interweave the real and the illusory, as Alain Minc notes in Ten Days that Shake the World: "Only a traumatic event will awaken us, as the effect of September 11, 2001 has faded. This may be a false alarm in London, the appearance of a cyber-virus that blocks the global computer networks, or the worst act of a psychopath who measures himself by the number of his victims. Democracies do not anticipate; they react. Public opinion forbids preventive measures that disrupt daily life but accepts decisions taken following a traumatic event. Nothing would be better at putting us on alert than a gigantic hoax, once it raised panic: a fake nuclear blackmail would be good pedagogy."

To protect personnel from social engineering attacks, you need to know what to expect, understand what the hacker wants to obtain and evaluate the value of the losses to the organization. With this information, you can increase the effectiveness of security policies so that they also include defences against social engineering. This document assumes that the company already has security policies that define the recognized objectives, practices and procedures necessary to protect its resources, information assets and staff from technological and physical attacks. Changes to the security policies allow you to give employees guidance on how to react to a person or a computer application that attempts to coerce or persuade them into exposing corporate resources or disclosing security information.

Threats of social engineering and related defences

Page 60: SOCIAL ENGINEERING 1 - Dissertation Help & Writing … · SOCIAL ENGINEERING 1 Topic:Social Engineering Risk and Management in Organisations

SOCIAL ENGINEERING 60

The hacker who mounts a social engineering attack has five major vectors:

• Internet

• Phone

• Waste Management

• Personal approaches

• Reverse social engineering

In addition to recognizing these entry points, you must also know what the hackers hope to obtain. Their goals centre on the things that matter to everyone: money, social advancement and self-esteem. Hackers want to steal other people's money and resources and to be recognized within the company or their group of peers; in essence, to feel important. Unfortunately, these goals are achieved illegally, through theft or damage to computer systems. Any kind of attack has costly consequences, since it involves loss of money, income, resources, information, availability or corporate credibility. When you design your defences against such threats, it is important to assess the costs of a possible attack.

Online threats

In today's increasingly networked business world, staff often respond to requests electronically and use information from inside and outside the company. Such connectivity allows hackers to approach corporate staff from the relative anonymity of the Internet. The press often reports online attacks carried out by e-mail, pop-ups and instant messaging applications that launch Trojan horses, worms and viruses, collectively referred to as malware, in order to damage or compromise computing resources. Strong anti-virus defences can counter malware attacks.


A hacker dedicated to social engineering could persuade a staff member to provide information using a ruse, or could infect a computer with malware by means of a direct attack. A social engineering attack can give the attacker information that enables a further attack with malware, but that result no longer belongs to social engineering. It is therefore important to show staff the best way to identify and avoid online social engineering attacks.

4.2.2. E-Mail Threats

Many members of staff receive dozens or hundreds of e-mails every day, both from corporate mail systems and from private ones. Given the volume of e-mail, it becomes difficult to pay close attention to every message. This fact works in favour of an attacker dedicated to social engineering. In most cases, e-mail users are content to manage correspondence that is the electronic equivalent of moving sheets of paper from their in-tray to their out-tray. If the attacker is able to make a simple request that is easy to satisfy, the victim will comply without even thinking about what he is doing.

For example, a very simple attack could be an e-mail message to a staff member claiming that the boss would like to receive the full holiday schedule for a meeting and wants the names in the copied recipient list. It is easy to slip an external name into the copied list and to fake (spoof) the sender's name so that the message appears to come from an internal source. This scam is called "spoofing" and is particularly simple if the attacker gains access to a company computer, since it then does not involve breaching the perimeter firewalls. Knowing a department's leave schedule might not seem like a real security threat; however, it means that the hacker knows when a staff member is absent. An attacker can then impersonate the employee on leave while running less risk of being discovered.

Over the past decade, the use of e-mail as a tool of social engineering has become endemic.


A hacker running a phishing scam has a number of other options, including images that are hyperlinks from which malware such as viruses or spyware is downloaded, and text presented in an image, which bypasses the filters that protect against hyperlinks. Most protection measures keep out unauthorized users. However, an attacker can bypass many defences if he can trick a user into bringing a Trojan horse, worm or virus into the company from a link. The hyperlink may also lead the user to a site that uses pop-up applications to request information or to offer assistance.
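Both e-mail ruses above, the spoofed internal-looking sender with an outsider slipped into the copied list and the hyperlink hidden behind an image or behind misleading link text, can be screened for at the mail gateway. The following Python script is an added example, not code from this dissertation; it assumes example.com is the organisation's own domain and builds its own constructed sample messages.

```python
"""Screen mail for the two ruses above: a spoofed internal-looking sender (with an
outsider slipped into the copied recipient list) and hyperlinks hidden behind images
or behind link text showing a different address. Added example, not code from the
dissertation; example.com is the assumed company domain and samples are constructed."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"  # assumed company domain


def _domain(addr):  # lower-cased domain part of an address, '' if there is none
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _addrs(msg, header):  # (display name, address) pairs across every copy of a header
    return getaddresses([str(h) for h in msg.get_all(header, [])])


def sender_findings(msg, internal_domain=INTERNAL_DOMAIN):
    """Findings about who the message claims to come from and who receives it."""
    findings = []
    froms = _addrs(msg, "From")
    from_dom = _domain(froms[0][1]) if froms else ""
    # Envelope sender (Return-Path) whose domain differs from the header From: the
    # usual trace left by a spoofed internal sender.
    for _, return_path in _addrs(msg, "Return-Path"):
        if _domain(return_path) != from_dom:
            findings.append(f"Return-Path domain {_domain(return_path)} differs from From domain {from_dom}")
    # An outsider slipped into the recipient list of a message addressed as internal.
    if from_dom == internal_domain:
        for _, rcpt in _addrs(msg, "To") + _addrs(msg, "Cc"):
            if _domain(rcpt) != internal_domain:
                findings.append(f"external recipient {rcpt} on an internally addressed message")
    return findings


class _LinkCollector(HTMLParser):
    """Collects (href, visible text, wraps an image) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text, self._img = [], None, [], False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text, self._img = dict(attrs).get("href") or "", [], False
        elif tag == "img" and self._href is not None:
            self._img = True  # image nested inside the anchor

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip(), self._img))
            self._href = None


def link_findings(msg):
    """Findings about hyperlinks in the HTML part: image links and mismatched link text."""
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return []
    findings, collector = [], _LinkCollector()
    collector.feed(html_part.get_content())
    for href, text, wraps_image in collector.links:
        target = urlparse(href).hostname or ""
        if wraps_image:
            findings.append(f"image used as a hyperlink to {target}")
        # Link text that itself looks like a URL but names a host other than the real target.
        shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if shown and shown != target:
            findings.append(f"link text shows {shown} but points to {target}")
    return findings


def analyse(raw):
    """Run both checks on a raw RFC 5322 message and return every finding."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return sender_findings(msg) + link_findings(msg)


def build_sample(malicious=True):
    """Constructed message replaying the holiday-schedule ruse, or a clean twin of it."""
    m = EmailMessage()
    m["From"] = "Boss <boss@example.com>"  # looks internal; the envelope sender tells the truth
    m["Return-Path"] = "<bounce@relay.example.net>" if malicious else "<boss@example.com>"
    m["To"] = "alice@example.com, bob@example.com"
    m["Cc"] = "carol@example.com" + (", outsider@example.net" if malicious else "")
    m["Subject"] = "Holiday schedule for the meeting"
    m.set_content("Please reply with the full holiday schedule.")
    href = "https://login.example.net/" if malicious else "https://intranet.example.com/holidays"
    banner = '<a href="https://cdn.example.net/update"><img src="cid:banner"></a>' if malicious else ""
    m.add_alternative(f'<p>Please review: <a href="{href}">https://intranet.example.com/holidays'
                      f'</a></p>{banner}', subtype="html")
    return m.as_bytes()
```

Calling analyse(build_sample()) returns four findings (the mismatched Return-Path, the outside recipient, the image link and the misleading link text), while analyse(build_sample(malicious=False)) returns none.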

You can use a matrix of attack vectors, attack targets, descriptions and costs to the company, similar to the one shown in the following table, to make it easier to classify the attacks and determine the risk to the company. Sometimes a threat can result in more than one risk. Where this is the case, the following examples highlight risks and serious risks in bold.

Table 1: Online attacks via e-mail and related costs


As with most of these scams, you cannot resist social engineering attacks more effectively than by approaching anything that arrives unannounced in the mailbox with scepticism. For this approach to be supported within the organization, it is important to include in the protection criteria specific guidance on e-mail use covering:

• Attachments to documents.

• The hyperlinks in documents.

• Requests for personal and business information from within the company.

• Requests for personal and business information from outside the company.

In addition to these guidelines, it is important to give examples of phishing attacks. If a user can recognize a phishing-based fraud, it will be much easier for him to notice those of another type.

4.2.3. Change Management

Resistance to change is the main problem that social engineering has to overcome. The question the practitioner always faces is "How do I cause the least resistance to my reconfiguration work, how do I ensure that the shock inflicted does not provoke a backlash?" In other words, how to get change accepted and, if possible, desired; how to get people to join in the shock and the reformatting that follows; how to make them like instability, movement and insecurity. In short, how to inoculate entire populations with Stockholm syndrome? Promoting in the public space keywords such as "nomadism", "dematerialization", "deterritorialization", "mobility", "flexibility", "break", "reform", etc. is a prelude that prepares minds, but it is by no means sufficient. In all cases, the direct attack, whose visibility provokes a counter-productive reaction, must be abandoned in favour of an indirect tactic, known as bypass in the military vocabulary (Sun Tzu, Clausewitz).

The famous words of Jean Monnet, one of the founding fathers of the European Union, "People only accept change in necessity and they only see necessity in crisis", could be a motto for all social engineers. A well-executed line of change consists of three steps: thaw the "frozen" structures of the group by injecting disorder and disruptive factors that lead to a crisis; this is step 1, creating the problem, the intentional destruction or "controlled demolition", and it inevitably causes a reaction of destabilization and confusion in the group; this is step 2, where the difficulty is to measure the disorder carefully so as not to cause a total panic that might take the system beyond the experimenter's control; and finally step 3, providing a solution for re-stabilizing the group, a heteronomous solution that the group welcomes enthusiastically to calm its anxiety, without realizing that in doing so it is accepting outside interference.

Internal leaks are responsible for nearly one loss of information in two (Barometer of theft and loss of information 2010, KPMG studies). Whether through accidental deletion of data, loss or theft of computers or industrial espionage, employees are at the heart of the problems related to the loss of strategic business information. One cannot hope to protect information without addressing the risk posed by employees.

Employees are the first owners of the company's information and know-how, and the risk of information loss lies in the very nature of human beings: the behaviour of employees cannot be predicted, and error is never far away. Human risk can thus take many forms.

Internal malice accounted for 21% of the incidents causing loss of information in 2010, according to the KPMG Barometer, an increase of 20% over three years (incidents recorded between January and June 2010). Whether it is industrial espionage in order to sell information to the competition or simply the resignation of an employee who goes to work for a competitor, taking with him his expertise and possibly key data, the consequences can be dramatic. For example, the company CCM Leather saw its turnover divided by three in ten years as a result of the poaching of new employees by a competitor. Dissatisfaction at work, frustration, disappointment, need for money, playfulness... the list of reasons that push employees towards malice is long. Internal risk is even stronger in the economic crisis, as the need for money, uncertainty about the future and frustrating situations become increasingly common and weaken employees.

Another type of human risk lies in social networks, which, it cannot be overemphasized, represent a powerful means of information leakage for companies, either because employees put confidential information about their work online, or because hackers use data collected from employee profiles to guess passwords or to gain their trust in order to extract information. The latter two techniques are part of what is called social engineering. A test performed at the Defcon hacking conference in July 2010 targeted 135 employees of 17 large companies (Coca-Cola, Ford, Wal-Mart, etc.). The result is alarming: 96% of these employees, contacted by phone or by mail, disclosed sensitive information (operating system version, antivirus software, browsers used in the company, etc.). How, then, to explain the boom in social engineering, and in particular the fact that so much information filters through social networks? One can point to the fact that employees have trouble distinguishing the boundary between their professional and personal lives. Nor are they aware of the many ways in which the information they post online can be used.

Whether or not they fall under social engineering, attempts to approach employees are many and varied and are an important factor to take into account. Fake job interviews, journalists, researchers, etc.: there are many pretexts for getting employees to disclose information. They can also be approached through those close to them (family, friends and lovers). These approach attempts sometimes rely on complex psychological principles and methods, which make them very difficult to prevent. And often, the employee notices nothing! The human being is, by its very nature, full of flaws and is therefore extremely easy to manipulate. The naivety of employees who give away information without realizing it, out of a need to talk and to be heard, is to blame. Employees' feelings of frustration also represent a real gold mine to be exploited by human intelligence specialists. Finding flaws in the employee, they manage to manipulate him by letting him glimpse a future satisfaction in return for delivering confidential information.

More simply, an employee may commit negligence leading to the leakage of sensitive information. Whether in conversations in public places, working on a laptop on a train or a plane, or even in a seemingly trivial discussion with a potential client at a trade show, employees usually talk a lot about their work, regardless of where they are or who is in front of them. They do not realize that they can be overheard. Overconfidence, a typically French attitude, is also involved: people tend to talk easily to people they barely know. Yet competitors are constantly on the lookout, and there is always someone to pick up strategic information left lying around. The loss or theft of documents or computer media is also a major vector of information leakage, as is the misuse of computer resources. The latter is often due to poor knowledge of procedures and risks.

Most of the time, information leaks attributable to employees occur unintentionally, but the consequences can be dramatic, especially for SMEs, whose balance is fragile and which have few means of protection.

In general, employees do not feel involved in the protection of information; they do not think they hold important information. The need to protect information is not something they have in mind, and they are not aware of the damage that an information leak can cause to their business.


The first thing to do is to consider the welfare of employees at work. By cultivating listening and recognizing and valuing employees, managers develop a sense of loyalty to the company among employees, which protects against deviant behaviour. It will also be much easier to detect information leaks: employees who feel confident will dare to tell their manager about a mistake they may have made or doubts they feel about a given situation. The welfare of employees at work grows through the behaviour of the hierarchy, but it can also be boosted by team seminars that strengthen the bonds of trust between the team and line management.

Next, it is important to educate all employees of the company about the need to protect information. They must be made aware of the risks related to information and of the methods used by those who prey on information leaks. They must also know the many situations in which they must be vigilant and the safe behaviours to adopt. The best way is to use concrete examples close to the employee's daily life and to repeat the awareness message regularly. Simple oral reminders from the hierarchy may prevent the company's information from leaking. The members of the management team also have a role to play towards employees. Companies that know how to cultivate trust increase their employees' receptiveness to the awareness message.

In parallel with these actions, the company must establish legal protection through contract clauses: confidentiality, non-competition, patents, etc. This protects the company legally in case of proven information leakage and also has the merit of raising awareness and empowering employees.

Similarly, procedures and technical measures help to protect the company against human risks, including in the computer system: automating session locking and regular password changes forces employees to take these basic safeguards, whether they like it or not.


In general, guarding against the human risk of leaking sensitive information is neither complicated nor expensive once it is realized that management is the cornerstone of any approach. Focused on employee development and recognition, it should make it possible to establish a climate of confidence and well-being in the company that develops the sense of belonging.


Conclusion

From experience, it is very complementary to reason about levers and risks: steering means both seeking to improve and seeking to limit the occurrence or the impact of deterioration factors. We can therefore recommend, in all steering, whether it bears on a project, a process or any other object, reviewing for each objective pursued not only the levers, but also the risks and the control devices. This is probably an underdeveloped aspect of management control; it must integrate risk management into its range of tools and approaches. Moreover, the proposed approach would no doubt benefit from being supported by experiments with similar approaches in other cases.

The case we have presented has, in fact, some limitations with respect to the model presented: we have discussed the implementation of this risk method for type 1 (control of an activity within an experience framework, e.g. maintenance work), type 2 (control of an activity within an innovation framework, e.g. activities in the field of safety), type 3 (control of a process within an experience framework, e.g. the marketing process) and type 5 (coordination of a set of processes related to the same value chain, such as the steering of a regional transport corridor). Other experiments remain to be carried out in a context of change.

One can also note that in risk management the claim to completeness is illusory. The answers are procedural rather than substantive: establish a regular listening environment, keep the list of relevant risks as up to date as possible and develop management methods so that one can first discuss the risks and then implement the terms of a collective effort to manage them. In this sense, an organization in some way "chooses" its risks in terms of attention and priorities. Risk analysis and action on risk go through a strategic study "focused" on the action system, the resources and skills it mobilizes and the environment in which it operates, which requires the active participation of stakeholders, who hold much of the knowledge required by this type of study. Awareness, accountability and incentives are essential factors in the management of risk. They have an individual dimension, but often also a collective one, since much risk is present at more or less comprehensive levels of coordination (activity, process, value chain). Like many disciplines (ergonomics, quality, safety), risk management must specifically address the organizational dimension of action, for which the concepts of process and project can play a pivotal role.

These two complementary approaches have helped to give the management of the company:

- Firstly, a risk map on a sample of activities. This mapping helped to raise awareness of the importance of certain risks and to identify improvements to the control device, which served as the basis for the new organization of management audits (definition of missions and means). The mere fact of running a process of this type requires the company's actors to perform a kind of "reflexive return" on their own activity and its risks. Such a practice has an important educational purpose. More than the outcome of the investigation at time t, which is by definition temporary, imperfect and questionable, what matters is the recurring implementation of this type of approach, with a fixed frequency and a well-established method, to better identify operational risks and communicate about them better;

- Secondly, process analysis showed the feasibility of a steering process with a risk component and served as an element of reflection on the organization of the company's management. It turns out that on a given geographic transport axis the various internal stakeholders ("producers, designers, controllers, commercial...") and external ones ("other carriers, local authorities, event organizers for draining visitor flows") form a true value chain. This chain is structured as "design of the transport offer, production and delivery of transport, marketing". Explicit modelling of the entire value chain and process construction helps each actor to better understand its role in meeting the customer's needs, and to better understand the risks it may give rise to by its action or the risks it may help control, even if the effects are felt quite elsewhere in the chain. It turns out that lack of coordination is a determinant of operational risks. Unfortunately, what seems easy to solve and control within a limited geographical scope becomes more complex when viewed in the overall context of a large company. The debate on organizational choices and on the opportunity of segmenting the business into autonomous geographic units has an obvious impact on the management of risk.

Recommendations

Reverse social engineering is a concept describing a situation in which the victim or victims make the initial approach and offer the hacker the information he wants. Such a scenario may seem unlikely; however, authority figures, especially from a technical or social point of view, can receive personal information of vital importance, such as user IDs and passwords, simply because they seem above suspicion. For example, no support person would ask a caller for a user ID or password, since he is able to solve problems without this information. Many users who experience difficulties with their computer may voluntarily provide this data, vital to protection, in order to speed up the resolution of the problem. The attacker does not even need to ask. Social engineering attacks are not reactive, as this scenario might suggest.

A social engineering attack creates a situation, recommends a solution and provides assistance when required, perhaps in the simple way described in the following scenario.

A work colleague, who is actually an attacker, renames or moves a file so that the victim believes it has been lost. The hacker suggests that he may be able to recover the file. The victim, eager to continue his work, or worried that the loss of data could be his fault, immediately accepts the offer of help. The hacker claims that the operation can only be performed if he logs in with the victim's personal credentials, and may even argue that corporate security policies forbid it. The victim asks the attacker to use his access to the data to try to restore the file. The hacker, showing reluctance, accepts, restores the original file and steals the victim's user ID and password. In this way, the hacker has built a reputation and may receive more requests for assistance from colleagues. This approach bypasses the regular IT support channels and makes it easier for the attacker to maintain his anonymity.

It is not always necessary to know or meet a victim to carry out a reverse social engineering attack. Imitating problems using dialog boxes can be effective in a non-specific reverse social engineering attack. The dialog box announces that there is a problem, or that an upgrade must be performed to continue. The window offers a download that fixes the problem. Once the transfer is complete, the problem disappears and the user continues working, oblivious to the fact that the protection has been breached and that he has downloaded a malware program.

Having realized the vastness of the existing threats, three steps are necessary to design a defence against social engineering threats aimed at corporate staff. An effective defence is a matter of design. Often defences are reactive: a violation occurs and a barrier is erected to ensure that the problem does not happen again. Although this approach demonstrates a level of awareness, the solution arrives too late if the problem is severe or involves high costs. To avoid this scenario, you must take the following three actions.

• Develop a framework for security management. The company must define a set of objectives for protection against social engineering and determine which staff members are responsible for meeting these goals.

• Conduct risk management evaluations. Threats of this kind do not present the same level of risk for different companies. It is therefore necessary to re-examine each social engineering threat and rationalize the danger that each of them can represent for the individual organization.

• Implement defences against social engineering within the security policy. The criteria and procedures established for the administration and for the staff in situations that could be categorized as social engineering attacks must be set down in writing. This step assumes the existence of security policies beyond the threat of social engineering. If the company does not have security policies, you must draw them up. The elements identified in the assessment of social engineering risks give the company a starting point; however, you must also consider other potential threats.


Bibliography Abraham, S. (2010). An overview of social engineering malware: Trends, tactics, and

implications. Technology in Society, 183.

Alemayehu. (n.d.). Basics of Marketing research Methods. Retrieved from http://www.globusz.com/ebooks/MarketingResearch/00000016.htm

Allsopp, William (2009). Unauthorised access: Physical penetration testing for it security teams.

Hoboken, NJ: Wiley.

Ashenden, D. (2008). Information Security management: A human challenge? Information Security Technical Report.

Berr. (n.d.). BIS Information Security Brreaches 2008. Retrieved from BIS: http://www.bis.gov.uk/files/file45714.pdf

Colwill, Carl (2009). The insider threat. Information Security Technical Report , 191.

Chandra, Praphul & Bensky, Dan (2011). Wireless Security: Know It All: Know It All. Publisher Newnes.

Chantler, A. & Broadhurst, R. (2006).Social Engineering and Crime Prevention in Cyberspace.

Queensland University of Technology.

Chitrey, A. (2012). A Comprehensive Study of Social Engineering Based Attacks in India to Develop a Conceptual Model. International Journal of Information and Network Security, 46.

Dawson, C. (2002). Practical Research Methods: A User-friendly Guide to Mastering Research Techniques and projects (1st ed.). Oxford: Cromwell Press.

FAO. (n.d.). Data Collection Techniques. Retrieved from UN Food and AgricultureOrganization:

http://www.fao.org/docrep/003/X2465E/x2465e09.htm

Goddard, W., & Melville, S. (2007). Research Methodology: An Introduction (Second ed.). Lansdownw: Juta & CoLtd.

Grebmer, Andreas Von (2008). Information and IT Risk Management in a Nutshell: A Pragmatic Approach to Information Security. Publisher. BoD – Books on Demand. 58-74

Hadnagy, Christopher (2011).Social Engineering: The Art of Human Hacking.NJ: Wiley

Hermansson, M. (2005). Fighting Social Engineering. Stockholm: Royal Institute of Technology.

Huber, M., Kowalski, S., Nohlberg, M.& Tjoa, S. (2009). Towards Automating Social

Engineering Using Social Networking Sites.Computational Science and Engineering, Volume: 3, 117 – 124

Page 75: SOCIAL ENGINEERING 1 - Dissertation Help & Writing … · SOCIAL ENGINEERING 1 Topic:Social Engineering Risk and Management in Organisations

SOCIAL ENGINEERING 75

Hughes, C. (n.d.). Qualitative and Quantitative Approaches. Retrieved August 2012, from http://www2.warwick.ac.uk/fac/soc/sociology/staff/academicstaff/chughes/hughesc_index/teachingresearchprocess/quantitativequalitative/quantitativequalitative/

ISO/IEC:2000. (n.d.). ISO. Retrieved from http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=33441

Janczewski, L. (n.d.). Social Engineering Base Attacks. Retrieved from http://www.proceedings2010.imcsit.org/pliks/36.pdf

Janczewski, L. J., & Colarik, A. M. (2008). Cyber Warfare and Cyber Terrorism. Idea Group Inc.

Joan, G. (n.d.). Social Engineering: The Basics. Retrieved from http://www.csoonline.com/article/514063/social-engineering-the-basics

Klevinsky, T. J., Laliberte, S., & Gupta, A. K. (2002). Hack I.T.: Security Through Penetration Testing. Addison-Wesley Professional.

Kothari, C. (2006). Research Methodology (2nd ed.). New Delhi: New Age International (P) Ltd.

Laribee, L. (n.d.). Development of Methodical Social Engineering Taxonomy Project. Retrieved from http://faculty.nps.edu/ncrowe/oldstudents/laribeethesis.htm

limat.org. (2012, 14 September). Retrieved from http://www.limat.org/data/research/Research%20Methodology.pdf

Liu, D. (2008). Game-theoretic modelling and analysis of insider threats. International Journal of Critical Infrastructure Protection, 77.

Long, J. (2008). No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing. Syngress Publishing Inc.

Magklaras, G. (2001). Insider Threat Prediction Tool: Evaluating the probability of IT misuse. Computers & Security, 63.

Maiden, N. (2010). Social Engineering. General Books LLC.

Mann, I. (2008). Hacking the Human: Social Engineering Techniques and Security Countermeasures. Gower Publishing Ltd.

Margaret, R. (n.d.). Social engineering. Retrieved from http://searchsecurity.techtarget.com/definition/social-engineering


Meyer, P., & Redd, S. (2004). Every breath we take. Forum for Applied Research and Public Policy, vol. 14, no. 4, pp. 43-49.

Mitnick, K., Simon, W. L., & Wozniak, S. (2002). The Art of Deception: Controlling the Human Element of Security. NJ: Wiley.

Modell, S. (2010). Bridging the paradigm divide in management accounting research. Management Accounting Research, 129.

Murr, M. (2012). Human Compromise: The Art of Social Engineering. Elsevier Science & Technology Books.

Oosterloo, B. (n.d.). Managing Social Engineering Risk. University of Twente.

Peltier, T. R. (2006). Social Engineering: Concepts and Solutions. Information Systems Security, 15, pp. 13-21.

Podgórecki, A., Alexander, J., & Shields, R. (2006). Social Engineering. McGill-Queen's Press.

Rouse, M. (n.d.). Dumpster diving. Retrieved from techtarget.com: http://searchsecurity.techtarget.com/definition/dumpster-diving

Shoniregun, C. A. (2005). Impacts and Risk Assessment of Technology for Internet Security: Enabled Information Small-medium Enterprises. Springer.

Theoharidou, M. (2005). The insider threat to information systems and the effectiveness of ISO 17799. Computers & Security, 479.

Tolman, W. H. (2008). Social Engineering. BiblioBazaar.

Veiga, A. D. (2009). A framework and assessment instrument for information security culture. Computers & Security, 209.

Verma, N. (2011). Social Engineering: A Means to Violate a Computer System. Global Vision Publishing House.

Workman, M. (n.d.). Gaining Access with Social Engineering: An Empirical Study of the Threat. Florida Institute of Technology.