Mitigating Social Engineering attacks, using the University of Ilorin as a case study.
This presentation describes some common social engineering methods and how they are carried out, and also suggests some methods for preventing and mitigating social engineering attacks in a school/university setting.
A SEMINAR REPORT
UNIVERSITY OF ILORIN,
ILORIN, KWARA STATE.
NAME: SUCCESS ZION ONORUOIZA
MATRIC NO.: 18/52HA139
SUPERVISOR: DR. MRS. MABAYOJE
MITIGATING SOCIAL ENGINEERING ATTACKS: PENETRATION TESTING METHODS IN COMPUTER SCIENCE DEPARTMENT AT THE UNIVERSITY OF ILORIN.
01 INTRODUCTION
The advancements in modern information technologies have revolutionized various aspects of our lives, including business, communication, and access to services. While these advancements bring convenience and connectivity, they also expose us to risks, particularly cyberattacks. Cyberattacks pose a significant threat to sensitive information and personal data, with social engineering attacks being a prevalent method. Cyberattacks, especially social engineering attacks, are not limited to individuals and can target organizations, schools, and governments. Effective security measures, such as penetration testing, are crucial to protect against these threats.
“The education sector experiences the
highest number of malware attacks,
primarily attributed to a significant
prevalence of social engineering attacks,
as stated in the recent report by
Microsoft's Threat Intelligence Platform.”
02 STATEMENT OF PROBLEM
The tertiary education sector is highly vulnerable to cyberattacks, particularly social engineering attacks, due to a lack of attention to security, which increases the risk of malware attacks and compromises sensitive information. Unauthorized access to student and staff data can lead to severe consequences, including result manipulation. The University of Ilorin (UNILORIN) uses a web-based management system that requires regular penetration testing, specifically targeting social engineering techniques, to identify and address security loopholes.
“Amateurs hack systems,
professionals hack people.”
- Bruce Schneier
03 - 04 THE AIMS AND OBJECTIVES OF THE STUDY
This project aims to investigate the role of social engineering in penetration testing, and to suggest methods to mitigate social engineering attacks, using the University of Ilorin's computer science department as a case study.
Objectives:
To review some existing literature on social engineering in penetration testing, including the types of social engineering techniques that are commonly used, the effectiveness of such techniques, and how to avoid or mitigate such attacks.
To conduct a penetration test on the UNILORIN students and staff portal using phishing, tailgating, pretexting, and quid pro quo social engineering techniques.
To analyze the results of the penetration test and assess the effectiveness of social engineering in breaching the security of the UNILORIN portal.
To provide recommendations for improving the security of the UNILORIN portal against social engineering attacks.
05_ LITERATURE REVIEW
A. Related Concepts
Phishing
As proposed by Khonji, Iraqi, & Jones (2013), phishing attacks are semantic attacks that leverage electronic communication channels, including e-mail, HTTP, SMS, VoIP, etc. The objective of these attacks is to deliver socially engineered messages persuading victims to undertake specific actions, without imposing limitations on the nature of these actions, ultimately benefiting the attacker.
Pretexting
Impersonation is considered a highly effective strategy in social engineering due to its ease of execution and the ability to conceal the true identities of the perpetrators (Redmon, 2005). Pretexting, a widely employed impersonation technique, involves obtaining information through deceptive means. It goes beyond mere falsehoods, requiring extensive research on the targeted individual prior to the execution of the attack (Ivaturi & Janczewski, 2011).
Baiting
Baiting shares similarities with phishing attacks but employs enticing strategies to lure victims. In baiting, hackers entice users by promising rewards or goods in exchange for surrendering their login credentials to a specific website. Baiting schemes extend beyond digital and online methods and can also be executed using physical media (Conteh & Schmick, 2016).
Psychological Manipulation
Social engineers apply the principles of psychological manipulation and persuasion to deceive people into performing actions and giving out confidential information that they normally would not. Robert Cialdini, a psychologist, stated six principles of persuasion that work on the human mind, based on observations and research: reciprocation, commitment and consistency, social proof, liking, authority, and scarcity.
B. RELATED WORKS
(Each entry gives the title of the paper/journal and year, the authors, and its limitations, objectives, methodology, and results.)

Paper: PENETRATION TESTING THROUGH SOCIAL ENGINEERING (1996), John P. Ceraolo
Limitations: The researcher did not carry out attacks on multiple organizations but on different departments of a single organization; hence, the result is not really comprehensive.
Objectives: To conduct six case studies of different social engineering attack scenarios using vishing and its effectiveness in penetration testing of an organization.
Methodology: Quantitative research method, carrying out attacks through vishing in six different cases in the organization.
Results: The penetration tests were successful in each of the six cases where they were carried out, showing that the staff of the organization did not have any form of awareness.

Paper: SOCIAL ENGINEERING AND CYBER SECURITY (2017), Breda F., Barbosa H., Morais T.
Limitations: Suggested that further research should be carried out on how social engineering attacks can be reduced to the bare minimum and to advise good practices for individuals and organizations.
Objectives: To examine recurrent social engineering techniques used by attackers, as well as revealing a basic complementary technical methodology to conduct effective exploits.
Methodology: Using the Social Engineering Toolkit provided on Kali Linux, a basic credential harvesting attack using phishing was carried out.
Results: The cloned website created by the Social Engineering Toolkit worked and returned the authentication credentials to the attacker.
Paper: PENETRATION TESTING FOR INTERNET OF THINGS AND ITS AUTOMATION (2018), Ge Chu and Alexei Lisitsa
Limitations: Could not carry out real-life attacks and tests. Simulated attacks were carried out, but the results of the attacks are not as reliable as real-life attacks.
Objectives: To analyze the security problems of IoT and propose a penetration testing approach and its automation based on the belief-desire-intention (BDI) model to evaluate the security of the IoT.
Methodology: Information gathering process, which involved social engineering methods, analysis, and exploitation using social engineering attack vectors and other attack vectors with the BDI.
Results: The BDI agent successfully breached the SSH password and gained user privileges. However, it was unable to execute a local buffer overflow attack to obtain root privileges due to insufficient randomization.

Paper: PENETRATION TESTING: A REVIEW (2014), Kumar Shravan, Bansal Neha, and Bhadana Pawan
Limitations: The researchers could not find any means of identifying false positives in penetration testing using methods like social engineering and others.
Objectives: Investigate penetration testing tools and techniques, and teach a network and system administrator how they can utilize penetration testing to understand, analyze and address
Methodology: Research on the processes required to conduct a successful penetration test and the various techniques used, including social engineering, phases and methods.
Results: Taught the network and system administrators on the ethics of hacking and procedures to follow.
Paper: PENETRATION TESTING: A ROADMAP TO NETWORK SECURITY (2009), Nitin A. Naik, Gajanan D. Kurundkar, Santosh D. Khamitkar, Namdeo V. Kalyankar
Limitations: Could not devise a solution for penetration testers to constantly conduct tests on the network to prevent newer forms of attacks and security loopholes. Also did not explain in detail the use of social engineering in the process.
Objectives: To explain the methodology and methods behind penetration testing (including social engineering) and illustrate remedies for it, which will provide substantial value for network security because it models real-world attacks as closely as possible.
Methodology: Researched the preliminary steps needed to conduct a successful penetration test on a network, how to exploit vulnerabilities, and how all the phases in the preparation stage work together.
Results: Highlighted that only professionals in penetration testing should conduct penetration tests; they should also be constantly monitoring the system for all kinds of attacks, including social engineering attacks.
Paper: PANNING FOR GOLD: AUTOMATICALLY ANALYSING ONLINE SOCIAL ENGINEERING ATTACK SURFACES (2017), Edwards, M., Larson, R., Green, B., Rashid, A., & Baron, A.
Limitations: Open Source Intelligence (OSINT) requires more attention and development than is typically given in research on social engineering.
Objectives: To showcase the passive and automated collection of key information for social engineering attacks on organizations. It addresses the problems of identifying employees using public information and linking their profiles across multiple social networks for more effective attacks.
Methodology: Study on the effectiveness of Open Source Intelligence (OSINT) in boosting the effectiveness of deceptive ploys delivered in a social engineering attack.
Results: Presented a tool that penetration testers can utilize to assess an organization's vulnerability in a passive manner. This tool can be employed to evaluate the actual effectiveness of organizational mitigation strategies, including training events and updated policies.
Paper: PREVENTION OF SOCIAL ENGINEERING IN ELECTRONIC MEDIA (2022), Vika Fransisca, Komarudin
Limitations: The literature did not conduct extensive research on the different ways and methods of preventing social engineering attacks.
Objectives: To analyze the methods that can be used to prevent social engineering attacks, and to provide methods for correcting security loopholes after a person has suffered an attack.
Methodology: Research by scoping existing literature on prevention of and solutions to social engineering.
Results: Suggested steps that can be taken after social engineering has occurred and steps to prevent the attack from happening.

Paper: SYSTEM PENETRATION: CONCEPTS, ATTACK METHODS, AND DEFENSE STRATEGIES (2023), Mohammad Tabrez Quasim, Ahmed Nasser Al Hawi
Limitations: The literature did not explain in detail how to use the specified tools, edge cases, and interpretation of the penetration testing results.
Objectives: Investigates different penetration testing tools in Kali Linux, how to use and deploy them for different kinds of attacks, and defense strategies using a private network.
Methodology: Carried out different penetration testing and social engineering attacks using the tools provided by the Kali Linux suite.
Results: Suggested penetration testing attack tools and stages needed to carry out the tests successfully.
06_ RESEARCH METHODOLOGY
Methodology
Take permission: To ensure legal compliance, obtain the necessary permissions before conducting penetration testing. Submit a request to the faculty sub-dean and department adviser for approval, and proceed only upon authorization. This mitigates the risk of unauthorized access.
Information gathering: Gather information about potential victims for successful penetration testing. Methods include passive reconnaissance (using social media), active reconnaissance (engaging in conversations), and open source intelligence (OSINT). Active reconnaissance will be used.
Attack vector scoping: Select attack methods based on the information gathered. Staff will be targeted using tailgating, phishing, and pretexting. Students will be targeted using phishing, pretexting, and quid pro quo. Additional attack vectors may be used to assess staff and student awareness levels.
Methodology Contd.
Proposed tools: The tools that will be used in this penetration testing campaign include Kali Linux, the Social Engineering Toolkit, Wifi Phisher, and Wget. These tools will enhance the effectiveness of the testing process.
Data recording: During the attack phase, a JSON document will be used to record important details including the attack date, attack vector, success rate, victim, psychology of influence used, and additional notes. Victim names will be anonymized to protect privacy, using labels such as Victim 1, Victim 2, etc., for individual-specific attacks.
Data interpretation & report generation: The collected data from the social engineering penetration testing campaign will be parsed and visualized in a pie chart using Chart.js. Additionally, JavaScript will be used to generate an HTML page displaying the statistics of the penetration testing exercise.
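As an added example (not code from the seminar), the following JavaScript sketches the data recording and report generation steps: campaign records are anonymized to "Victim N" labels before being serialized as JSON, then parsed, aggregated per attack vector, and turned into a Chart.js pie-chart config and an HTML report page. The record fields, the sample values and the Chart.js CDN URL are assumptions.

```javascript
// Added example: JSON campaign log in the shape the methodology describes,
// plus the parsing step that feeds Chart.js. Names are replaced with
// "Victim N" labels before anything is written to the log.

// Constructed sample records (hypothetical, not real test results).
const rawRecords = [
  { date: "2023-05-02", vector: "phishing",     success: true,  victim: "A. Student", principle: "authority",     notes: "Fake portal login mail" },
  { date: "2023-05-02", vector: "phishing",     success: false, victim: "B. Student", principle: "scarcity",      notes: "Reported to adviser" },
  { date: "2023-05-04", vector: "pretexting",   success: true,  victim: "C. Staff",   principle: "liking",        notes: "" },
  { date: "2023-05-05", vector: "quid pro quo", success: false, victim: "A. Student", principle: "reciprocation", notes: "Declined" },
];

// Replace real names with stable labels (same person -> same "Victim N").
function anonymize(records) {
  const labels = new Map();
  return records.map((r) => {
    if (!labels.has(r.victim)) labels.set(r.victim, `Victim ${labels.size + 1}`);
    return { ...r, victim: labels.get(r.victim) };
  });
}

// Parse the JSON log and aggregate attempts, successes and rate (0-100) per vector.
function summarize(jsonText) {
  const stats = {};
  for (const r of JSON.parse(jsonText)) {
    const s = stats[r.vector] ?? (stats[r.vector] = { attempts: 0, successes: 0 });
    s.attempts += 1;
    if (r.success) s.successes += 1;
  }
  for (const s of Object.values(stats)) s.rate = Math.round((100 * s.successes) / s.attempts);
  return stats;
}

// Chart.js pie-chart config: one slice per vector, sized by successful attempts.
function chartConfig(stats) {
  const labels = Object.keys(stats);
  return { type: "pie", data: { labels, datasets: [{ data: labels.map((l) => stats[l].successes) }] } };
}

// Minimal report page; Chart.js is fetched from its CDN when opened in a browser (assumed URL).
function reportHtml(stats) {
  const rows = Object.entries(stats)
    .map(([v, s]) => `<tr><td>${v}</td><td>${s.attempts}</td><td>${s.successes}</td><td>${s.rate}%</td></tr>`).join("");
  return `<!doctype html><html><body><table><tr><th>Vector</th><th>Attempts</th><th>Successes</th><th>Rate</th></tr>${rows}</table>
<canvas id="c"></canvas><script src="https://cdn.jsdelivr.net/npm/chart.js"></script>
<script>new Chart(document.getElementById("c"), ${JSON.stringify(chartConfig(stats))});</script></body></html>`;
}

const campaignJson = JSON.stringify(anonymize(rawRecords), null, 2); // what gets stored on disk
console.log(campaignJson);
console.log(reportHtml(summarize(campaignJson)));
```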
07_ SIGNIFICANCE OF STUDY
The significance of this study lies in the fact that it aims to
improve the security of the university's online system. By
conducting penetration testing using social engineering
techniques, potential vulnerabilities can be identified and
remedied. This study will also create awareness among staff and
students about the dangers of social engineering attacks and how
to protect against them. The study's findings and
recommendations will be helpful for other universities and
organizations that want to secure their online systems against
cyberattacks.