Social Engineering-Based Attacks: Model and New Zealand Perspective

By Lech Janczewski and Lingyan (René) Fu, The University of Auckland, New Zealand

2010 Proceedings of the International Multiconference on Computer Science and Information Technology

Presented by Brad Kaufmann


Road Map

• Introduction
• Background and Motivation
• Study Objectives
• Study Setup
• Analysis and Findings
• Summary


What is Social Engineering?

• Technique to gain access to confidential, proprietary, personal information

• Primarily a human-based attack method
  – Impersonation
  – Dumpster diving
  – Shoulder surfing
  – Vishing

• Technology-based methods exist
  – Phishing


Why Use Social Engineering?

• Effectiveness of traditional hacking attacks has decreased

• Technological security solutions being adopted more and more

• Attackers turning to alternative methods

• Social engineering targets vulnerabilities of both people and technology


Background and Motivation

• Social engineering is overlooked because awareness is low
  – Lacks a conceptual model

• Determine major aspects and constructs of social engineering
  – Identify relations between them

• Design a case study to understand the social engineering phenomenon
  – Gather insights from IT professionals


Background and Motivation [2]

[Figure: Conceptual Model of Major Aspects of Social Engineering-Based Attacks]


Study Objectives

• Explore significant entities and relations within social engineering attacks
  – People
  – Security awareness
  – Psychological weaknesses
  – Technology
  – Defenses
  – Attack methods


Study Objectives [2]

• Five research questions:
  – What are existing security vulnerabilities which can be exploited by attacks? (RQ1)
  – What are the methods of attack? (RQ2)
  – What are the consequences of a successful attack? (RQ3)
  – What can be done to mitigate attacks? (RQ4)
  – What is New Zealand's perspective of attacks? (RQ5)


Study Setup

• Conducted 25 interviews with individuals with IT backgrounds and experience
  – IT architect, IT consultant, IT educator, etc.

• Individuals from 17 different organizations
  – 7 local, 10 international
  – Cross-section of industries
    • Security advisory services, government, consulting firms, education, etc.


RQ1: Existing Vulnerabilities

• People are the weakest link
  – 64%: lack understanding of security issues
  – 40%: appearance can influence perceived trustworthiness

• Technology issues
  – 16%: flaws in security design
  – 12%: social engineering bypasses technical controls
  – 12%: growing trend toward malicious misuse of technology products


RQ1: Existing Vulnerabilities [2]

• Security process issues
  – Social engineering depends on uncertainty
    • Putting processes into place works to minimize it
  – 40% of organizations had poor security processes because people issues were overlooked


RQ2: Methods of Attack

• Human-based
  – Based on deception in person or on the phone
    • Impersonation, shoulder surfing, questionnaire, etc.
  – Phone attacks are the most widespread mode
    • Attacker can disguise voice
    • Easier for attacker to cover his/her tracks

• Technology-based
  – Trick users into believing they are using authentic computer systems
    • Popup windows, email attachments, phishing, etc.


RQ3: Consequences of Attack

• Primary damages
  – Breach of CIA (confidentiality, integrity, availability)
    • Gain authorized access to resources
    • Preparation and information gathering for attack

• Secondary damages
  – Reputation damage
  – Financial damage


RQ4: Mitigation Strategies

• Physical security properly implemented
  – Different control mechanisms based on security classification

• Proper technical controls
  – Multifactor authentication

• Security policy
  – Most important and effective element
  – Takes away uncertainty
  – Supplement with education and training


RQ5: New Zealand Perspective

• Shares similar trends with other countries
  – Technology adoption
  – Security risks

• Behind in awareness of security issues and implementation of countermeasures

• Insufficient understanding of security risks
  – 64% of survey participant responses
  – 28% due to lack of major security disasters
  – 44% due to high level of social trust


RQ5: New Zealand Perspective [2]

• Lack of a well-defined security strategy
  – 40% of participant responses
  – 16% due to small country and small businesses
  – 20% due to lack of standards and legislation
  – 40% due to immature strategies that expose vulnerabilities that can be exploited

• Participant examples showed diversity and complexity
  – Need for a multifaceted defense approach


Revised Conceptual Model

[Figure: Revised Conceptual Model of Major Aspects of Social Engineering-Based Attacks]


Summary

• Social engineering depends on uncertainty
  – Manipulates and influences people's actions

• Security strategy and policy are key to preventing social engineering
  – Eliminates uncertainty

• Advice
  – Do not give out passwords – ever!
  – Be dubious of people who look suspicious
  – Do not hold doors open


Questions

???


Bibliography

• Lech Janczewski and Lingyan Fu, “Social Engineering-Based Attacks: Model and New Zealand Perspective”, Proceedings of the International Multiconference on Computer Science and Information Technology 2010, IEEE, Wisla, Poland, October 2010, pp. 847-853