A Field Experiment in Social Engineering to Understand the Elements for Effective Engineering Attacks

2846 words (11 pages) Essay

8th Feb 2020


Quantitative research

Abstract

Social engineering poses the biggest data security threat plaguing enterprises in the modern world. Even where organizations are willing to spend on technical security services and products, the human element of protecting security remains weak. Social engineers exploit weaknesses in human behavior to retrieve or gain access to an organization's confidential information. A great deal of research in the field of information security has been devoted to technical security services and products. However, direct field experiments that can uncover the factors that make social engineering more or less successful have been lacking in the non-technical, physical environment. This study presents a social engineering investigation through its literature review, hypothesis, experimental design, experiment, analysis, and discussion of the reasons for the research (Kaufer, 2016).

Introduction

In the world today, social engineering (SE) is one of the main challenges that organizations face. By exploiting behavioral vulnerabilities, attackers can trick humans into leaking information unexpectedly. SE has extended into cyber security and other areas of information security. In computer information security, penetration-testing and security-testing practices can use social engineering to gather the basic information that is applied later in the exploitation stage. There are many areas in which SE can occur. The most common case, however, is identity fraud/theft, where the attacker assumes the identity of the victim after managing to obtain the victim's personal identity information. The results of SE are long lasting and can lead to financial, relationship, credit, and emotional distress.

People are more susceptible to social engineering when factors such as reward, context, and gender are combined. The purpose of this research is to study how reward, context, and gender make social engineering more or less successful, and how such factors influence the amount of personal information the victim gives up in the event of an attack. The research starts with an overview of social engineering. The hypotheses, which are the key to conducting a study in this field, follow, and then the design and methodology of the in-field experiment. The quantitative aspects are the main focus of the experiment.

Hypothesis

The main motivation for our hypotheses was the assumed behavior of people when asked for information and offered the prospect of economic gain. Applying Grossklags' findings on people's readiness to expose information, it was concluded that people will provide more information if they are approached with a set of factors that opens up higher earnings. By comparing our main-effect factors with the elements highlighted in Grossklags' paper, two main-effect hypotheses and one interaction-effect hypothesis were identified that might provide insight into why an exploitation attempt succeeds or fails.

Problem statement

When the in-person element of SE comes in, it is difficult to design an experiment that matches the rigor the institutional review board demands. The major difficulties of obtaining IRB approval for SE experiments can be identified by analyzing the problems with regulations and ethics, the legal issues associated with personal privacy, and the effects on subjects of the experiment debrief.

Statement of purpose

The objective of this study is to examine the factors that make social engineering more successful, namely reward and context, and to build an understanding of how to design an appropriate experiment that deceives subjects while still obtaining IRB approval.

Research questions

Why are individuals more willing to expose PII when they believe a survey is for a charitable organization rather than for a market research firm? Why are people more likely to expose their PII to a charitable organization's survey that offers a higher reward than to one that offers a lower reward?

Research design

Firstly, the manipulated factors in the experiment were identified. The first observable interaction between a subject and a confederate would require the confederate to explain who he/she works for and on whose behalf they are making contact. Also, by looking at the individual motivations that influence decisions when payoffs are offered, several elements of behavioral economics were identified.

Methodology

The experiment was broken down into multiple sections. The steps covered what would be needed to obtain approval for the study, how the project would be executed, and the procedure for carrying out the SE experiment. The results obtained in the quantitative study were broken down into regression analysis and summary statistics.

Figure 1: Statistical analysis of cyber security

Recommendations

The study recommends the creation of advanced training in the public and corporate sectors, including its direct application in enforcing policies.

Mixed research method

Internal Threats within Establishments and Social engineering

Abstract

Organizations are spending too much capital to provide computer security by building defenses such as firewalls, biometrics, anti-virus software, and identity access devices. Such measures have enhanced the efficiency of businesses by preventing external threats and creating a difficult environment for hackers who threaten confidential information. However, threats that expose organizations to security problems are still encountered. This research aims to analyze the internal threats in an enterprise, the reasons why people are vulnerable, and measures to protect our enterprises from internal security threats (Arenas, 2008).

Introduction

By the year 2016, reported cases of security threats had surged, with most security attacks originating from vulnerabilities inside internet browsers that permit intruders to deliver malicious code or lure users to malicious websites through phishing or spam. Internal attacks are mostly underestimated compared to external attacks, and this has led to rising concern in most organizations. There are many tools on the market that can protect organizations against attacks if they are properly installed, updated and monitored. However, organizations are still experiencing security problems, most of which originate from within the organization's security perimeter.

This research will investigate the techniques applied in social engineering threats and attacks such as spyware and phishing, and explore the differences between untrained and trained groups within an organization, to identify whether or not security policies play an important role in protecting enterprises against external security threats.

Hypothesis

Internal security threats will be the main focus of this research and will be referred to as the security threats in which employees or users play a big role in contributing to the attack by being the attacker's primary focus. It is assumed that an internal attack cannot succeed without the user's participation. We will explore the differences between internal threats and traditional threats.

Statement of the problem

The biggest security threats originate from people, because they have the ability to choose whether to follow or violate the rules. Humans can also be tricked, compelled, or forced to violate security rules in order to grant access to unauthorized individuals. Organizations can only take measures against security threats if they realize that they are the main target of social engineering. However, the more users believe that their position in an organization is minor and that they might not be a valuable target, the more they become the favorite target of social engineering.

Statement of purpose

Security risks that originate from human behavior have been underrated by organizations, unlike traditional threats such as buffer overflows, viruses, and unauthorized access attacks. Thus, social risks require a different attitude when implementing security defenses in organizations. The majority of security solutions that exist in the modern world include only technological mechanisms to counteract traditional threats, so a big gap exists in this area. A different approach is required, in which security policies and user training are the key tools for preventing internal threats.

Research questions

How can user training assist in preventing social engineering? How can we prevent social engineering internal threats and attacks? How do different environments within organizations affect the reaction of users to security threats?

Research designs

The focus of this research is to identify the roles of security awareness and user training in the complicated environment of cyber security, and how crucial they can be in reducing the extent of social engineering threats. This will be achieved with a mixed-methods, sequential process: deriving knowledge through an organized review of existing research on computer threats and social engineering, and studying human conduct by administering a questionnaire whose questions are designed to identify weaknesses in user behavior.

Methodology

To make sure that users do not notice our main purpose, mixed questions will be used. The information acquired from the questionnaires will be analyzed qualitatively rather than quantitatively. A mixed research method will be applied because there is a need to obtain data both from external experience on the information technology security topic and from human observation. In that case, potentially unsafe user behavior can be identified from the observation process, and recommendations on user behavior can be drawn from the prominent literature.

Recommendations

As for a future study, the case study could be carried out in a company without formal user training on security, whose staff are unfamiliar with security policies; taking this research as the main reference, we could design security policies and training programs for that specific company and evaluate the users before and after the program.

Qualitative Research

Social Engineering Popularity and Defense in Norway

Abstract

Social engineers attack the human users in an organization by influencing them into actions they do not fully understand. The consequences of social engineering for an organization can be devastating. While hackers apply their technical knowledge to retrieve passwords from a computer, social engineers apply their social skills to convince the user to reveal the password. Although many papers and books have been written on different styles of attack, and even on methods of defending against such threats, most of them present individual views and experiences rather than scientific findings. Thus, comprehensive treatment of social engineering attacks and defenses is missing. This thesis discusses the most common attack vectors and their effectiveness in Norway, as well as the defense techniques that should be implemented to counteract these threats (Henningsen, 2013).

Introduction

Social engineering is one of the dominant attack vectors against modern cyber security systems. History records incidents in which individuals, mostly end users, were fooled into revealing information that they should not have. It is easy to blame the user, but the techniques used by adversaries make it difficult for anyone to spot an impending attack. For example, a malicious website that looks exactly like the genuine one tricks individuals into revealing confidential security information. Even if someone is skilled in identifying such attacks, it is tricky to tell real websites from fake ones. Similarly, when police officers come to your house, most people do not bother to ask for their IDs, so we cannot know whether they are genuine or fake.

Hypothesis

Awareness training could help reduce the losses organizations experience as a result of social engineering. However, phishing mails, economic losses, or giving away passwords are not the main concern; the main focus is information distributed to individuals and specifically targeted at the recipient.

Problem statement

People are naïve and born with the instinct to trust others innocently, for good reasons. However, some individuals take advantage of this trust for personal gain, using attack vectors such as phoning, phishing, physical letters, and direct conversations. Designing methods of defending organizations against these attacks may be difficult, but failing to do so can result in big losses. According to research in Norway, losses associated with phishing attacks are estimated at between $2.4 million and $9.4 million. Thus, an awareness campaign could help reduce such losses.

Statement of the purpose

The main purpose of this research is to identify the attacks that are experienced and the most common attack styles, and to design ways in which individuals and organizations can defend themselves against them. This will be crucial in enhancing user-awareness plans, reducing losses, and instilling confidence in employees.

Research questions

What factors make social engineering successful? How popular is social engineering as an attack vector in Norway? What are the most common and effective methods of social engineering? How can an organization prevent social engineering?

Research design

To achieve our objectives, we are going to apply a qualitative research method. We found it necessary to focus on organizations rather than individuals, because the consequences are more disastrous when an organization is attacked.

Research Methodology

We will use a questionnaire to investigate the popularity of social engineering as an attack vector in Norway. A review of past literature and research will be used to identify the most common and effective social engineering procedures applied today. A questionnaire informed by that literature and research will then be used to find the methods organizations can apply to defend themselves against social engineering.

Recommendations

In the context of social engineering, preventive methods should involve either technical procedures or measures that stop a threat from occurring. For example, a technological system could check and authenticate identity and block suspected social engineering actions. Systems can also be designed so that only authenticated e-mails are sent through websites.

References

• Arenas, M. T. (2008). Social Engineering and Internal Threats in Organizations.
• Henningsen, E. K. (2013). The Defense and Popularity of Social Engineering in Norway (Master's thesis).
• Kaufer, I. (2016). Human Exploits in Cybersecurity: A Social Engineering Study. University of Arizona Master's Report.
