KE
Uploaded byKory Edwards
297 views

Social Engineering-The Underpinning of Unauthorized Access

This document discusses social engineering and how it enables unauthorized access. It begins by providing background on Edward Snowden's theft of classified NSA documents, which was enabled by social engineering tactics. It then explores the implications of social engineering attacks, why information security programs often fail to prevent them, and common types of social engineering attacks both from insiders and outsiders. Key social engineering tactics like exploiting human tendencies towards liking, authority, and scarcity are also examined. The document suggests training should focus on increasing social intelligence and empowering critical thinking to help inhibit social engineering attacks.

Embed presentation

Download to read offline
Social Engineering: The Underpinning of Unauthorized Access Kory W. Edwards Webster University
Abstract In May, 2013, perhaps the single most devastating loss of highly sensitive information occurred as Edward Snowden boarded a flight to Hong Kong. (MacAskill 2013) Whether Snowden is viewed as a whistleblowing hero, or as a traitor, the magnitude of this loss of highly sensitive information boiled down to a singular problem: a disgruntled employee who used social engineering to persuade 20-25 co-workers at NSA to give him unauthorized access. (Hosenball & Strobel 2013) Despite formal information security programs and employee training, today’s workplace continues to endure social engineering attacks. This paper explores the implications of social engineering attacks, the reason why information security programs fail, the common types of social engineering attacks and the social engineering tactics commonly used. It will suggest a new approach to inhibit these attacks by incorporating human intelligence concepts, critical thinking and social intelligence. Implications of Social Engineering Attacks Social engineering tactics using either face-to-face or online interactions are the leading cause of devastating information security failures. They can result in secret abduction of specific systems, service presentation rejection, sensitive data destruction or theft, hacker attack of a network, software security breaking and electronic wiretapping including destruction, abduction of telephone calls and other forms of attack. (Al-Johani, et al 2013) The theft of intellectual property or classified data can devastate an organization and result in major monetary losses or even loss of life in some cases. Aside from organizational losses, even the most competent and well-trained employees can be victims of social engineering as attackers use natural human scenarios. In the case of Edward
Snowden, highly intelligent NSA employees confidently gave their user id and password to an inside, cleared network administrator who sought to resolve a computer issue they were having. (MacAskill 2013) The social engineering attack happened in spite of frequent, routine training, stringent security plans and other precautions that were in place. The end result of this attack was several well-trained, confident, and intelligent employees losing their careers or having them severely impacted. If all these precautions and training cannot effectively prevent such social engineering attacks, what can? Why do information security programs fail? Companies spend substantial amounts of money, time and resources developing and implementing security and training plans to make employees aware of security threats. Their approach relies on the concept that an informed employee will not be as susceptible to social engineering attacks. Yet these attacks persist. Programs focusing on phishing attempts and spam emails become repetitive and are often ignored by the employees. The training fails to give employees a sense of added value that can be used in their everyday duties and not just when a suspicious email hits their inbox. This is because people do not always have the ability or motivation for deliberate, careful thinking. (Muscanell, et al 2014) Employees and their supervisors focus more on checking-the-box for required training than application of what they learned. Social engineering is defined as “a set of techniques used for making people do something or divulge secret information.” (Al-Johani, et al 2013) The description conjures up images of such as a scenario of a nefarious person conducting clandestine espionage operation rather than something the average employee might see on a daily basis. This scenario is not
relatable for someone who views their job as routine and less significant. In fact, in the human intelligence realm, those people most often targeted are the least conspicuous targets. The same goes for other social engineering attacks. Why would an attacker target the Director of Central Intelligence, raising alarms, when a disgruntled employee, secretary or janitor can provide information with less risk? Employees fail to understand that it is the access to a network they use that makes them a target, not what they do on that network. Current security plans, programs and training fail to provide a skill that can be applied to every aspect of a person’s job and interpersonal interactions. If the skills they are trained on are not practiced on a daily basis, they are easily forgotten. In order to understand how to improve security programs and training, we must first evaluate the types of social engineering attacks used and the tactics employed by the attackers. By identifying the commonalities, our new approach can be developed. Common Types of Social Engineering Attacks Insider Threats The example of Edward Snowden shows the grand scale at which an insider can wreak havoc by using social engineering to gain unauthorized access. But disgruntled employees represent only a portion of unauthorized access attacks and risks. Aside from disgruntled employees, unauthorized access attacks can result from poor information security training, improper badging and physical access control, and a lack of compartmentalization of the information. What makes an insider threat so difficult to detect and deter is that they already have legitimate access to the facility or system, know what they are looking for and know how to circumvent security protections. (Hau 2003)
Social engineering relies heavily upon people remaining true to social and cultural norms or a lack of awareness of the information’s value and their role in protecting the information. (Al- Johani, et al 2013) Social engineers exploit employees that have not been trained, have become complacent about their training or have failed to remember the training they were provided. Targets may be new employees that are eager to prove themselves valuable to the company, complacent employees that routinely have security incidents or personalities that are easily subject to intimidation or coercion. Even the happy, helpful employee is subject to exploitation due out of their desire to “help a friend”. A well-designed training program can curtail these issues and empower employees to stick to security protocol. Social engineers also exploit vulnerabilities resulting from improper badging and physical access controls. By not having strict badging standards and adherence to badging procedures, insiders can obtain unauthorized access. Locked desks can keep prying eyes from accessing office phone lists, notes, password reminders on sticky notes, email directories, printed papers, electronic media and other stores of information that can be stolen or copied. (Al-Johani, et al 2013) Guards and employees that check badges, even when they know the person, can keep recently fired or disgruntled employees from extending their access beyond its expiration or accessing areas where they are not properly authorized. Individual burn bags, the use of shredders and securely disposing of all paper can prevent social engineers from exploiting information found in recycle bins, trash cans and messy desktops. Lastly, proper compartmentalization of sensitive information can impede social engineering attempts to gain unauthorized access. This must include need-to-know barriers between management and their subordinates. Managers often need to know an overall situation, but do not need direct access to data used to reach assessments. A social engineer might use anti-social
engineering, which is a highly developed way to obtain sensitive information. The attacker claims to be authorized a high level of access and elicits information from employees by simply bringing up a subject and getting the employee to talk. (Al-Johani, et al 2013) Employees share information out of the belief that the insider is authorized. Information security managers can inhibit such attempts by carefully compartmenting information and granting access for each compartment to those employees that can prove a need-to-know. External Threats Insider threat attacks can facilitate external attacks. Seemingly non-sensitive information such as office phone and email directories can facilitate an external social engineering attack such as via email or phone calls. The attacker can use the company phone or email directory to target a specific individual. The attacker contacts them directly, already knowing their name and position, and builds their bona fides with the victim by seemingly knowing them or their associate. Phone calls to an employee posing as a system administrator with an urgent need can coerce employees into revealing sensitive information or taking actions on their computer that enable a technical attack. Phishing attempts through personal and company email addresses are also common methods of external social engineering attack. External attackers may use dumpster diving of dumpsters located outside of the secured area to find sticky notes with passwords, discarded documentation of initial passwords or details of password build requirements. By having such information, the external attacker can conduct dictionary attacks by comparing passwords against dictionary files, hybrid attacks using dictionary attacks combined with extra characters or brute
force attacks that compare every possible combination until eventually one works on the system. (Al-Johani, et al 2013) Lastly, physical security flaws can allow an external attacker to place devices or programs on a system using free flash drive or software giveaways to employees with access. The device or program then conducts sniffing, wiretapping or eavesdropping on the network. (Al-Johani, et al 2013) It is essential that employees safeguard company computers, cellphones and other electronic devices when traveling, staying in hotels or passing through customs and security checkpoints in order to prevent such attempts. Even foreign governments conduct economic espionage! Social Engineering Tactics We have all likely had some form of information security training in our careers. Most victims of social engineering attacks are intelligent people. How then do so many intelligent, security conscious people fall prey to social engineering exploitation? The answer lies in unique qualities that humans possess and build upon from birth. Of all the creatures on the planet, humans have the longest development periods. We are born exceedingly vulnerable and defenseless. The long period from birth to adulthood allows the human brain to develop a much deeper level of consciousness, but also has significant draw backs. (Greene, R. 2012) Humans are highly dependent upon others for their growth and protection during these early years. We grow to view our parents and caretakers as infallible, intelligent and strong. If we had the realization of their flaws and our weaknesses, we would not be able to bear the anxiety it would bring upon us. (Greene, R. 2012) When we enter the workforce, these views often follow us and are applied to our teachers, friends, confidants, mentors and bosses. (Greene, R. 2012) We do so at a much greater risk though. The knowledge
of the attributes, emotions and motivations is known as “social intelligence”. It is often referred to as “street smarts”. (Riggio, R. 2014) The failure to increase one’s social intelligence leads to what Robert Greene, in his book Mastery, called “Naïve Perspective”. Greene explains that “With colleagues in the work environment, we fail to see the source of their envy or the reason for their manipulations; our attempts at influencing them are based on the assumptions that they want the same things as ourselves. With mentors and bosses, we project onto them our childhood fantasies, becoming unnecessarily adoring or fearful of authority figures…We think we understand people, but we are viewing them through a distorted lens. In this state, all of our empathic powers are rendered useless.” (Greene, R. 2012) Now that we understand why people fall prey to social engineering, we’ll now explore those tactics used by social engineers. Social engineering attackers use what Robert Cialdini outline as the social influence framework. The attacker uses one of the 6 weapons of influence: Liking, Authority, Scarcity, Social Proof, Reciprocity and Commitment and Consistency. How can a trained, intelligent person still fall prey to these weapons of influence though? Individuals are often quite busy in their personal and professional lives and as a result are unable or unmotivated to avoid heuristics, or mental shortcuts. (Muscanell, N. et al 2014) Liking Throughout our society, likeability is placed in high value. Everyone knows of a neighbor, co-worker, family member, friend or celebrity that they admire and respect because they are likeable. Our culture idolizes the celebrity that is “such a good person”, we vote for the most likeable candidate and seek to be likeable ourselves. People trust a likeable person and view
them with a higher degree of credibility. Likeability plays into social engineering attacks in two ways; our desire to be liked and our desire to assist a likeable person. Recently, a well-known email scam involved receiving an email that appears to be from a friend or family member using what is called the “stranded traveler” approach. This social engineering attack preyed on the desire to assist a familiar person by sending them money because they had fallen into a difficult situation while traveling and needed financial assistance, while promising to repay the victim once they had returned home from their travels. (Muscanell, N. et al 2014) The approach plays directly into a person’s desire to help a liked person and to feel appreciated for doing so. Some online scams prey on victims by impersonating well-liked companies. People often view the Better Business Bureau (BBB) as a likeable, trustworthy consumer protection advocate. Recent social networking attacks using a friend request on Facebook from the BBB have entrapped many people. Once the request is accepted, the social engineer initiates a conversation and encourages the victim to apply for a Federal grant. The form used to collect their personal information for the alleged grant is then used in identity theft. (Muscanell, N. et al 2014) Aside from online social engineering attacks, face-to-face attacks or data spillage can result using the likeability tactic. A co-worker, friend or family member might ask someone working for the government for indirect access to sensitive or restricted information. A recent example of such approach happened when a secret service agent, a seemingly trustworthy person, approached a good friend who had access to U.S. visa information. The agent, out of sincere desire to help someone he knew, asked the friend to see if he could look up the visa information of the 3rd party to see why it was taking so long to process the 3rd party’s visa. When the friend with visa data access explained that doing so would be a violation of both policy and
Federal law, the secret service agent pressured the employee using likeability as a means to get his friend to circumvent the restrictions. This placed the friend in the position of protecting the information and avoiding personal career jeopardy, but alienating his friend, or violating the law to remain liked by the secret service agent friend. Ultimately, fear (a much stronger motivator than the possibility of gain) kept the friend from violating the law and the information remained protected. But what if the fear of search audits or being caught was not taken seriously or had not been engrained through information security training? Would the data have been protected? Could the attempt to gain unauthorized access be a means of verifying the employee’s access for use in future attacks? Assuaging the desire to be liked by an unauthorized employee must be incorporated into every information security plan. Authority As previously mentioned people often place naïve trust in or fear the authority figures in our lives. Especially when faced with the dominating presence of a supervisor or significant other, people often comply with demands from the authority figure rather than suffer the consequences of their non-compliance. They pursue the path of least resistance. Online scams involving Federal government entities demanding immediate response with personal information have become very well-known in recent years. If the Internal Revenue Service demands an immediate response concerning a tax refund, a victim can easily feel pressured to comply with the emailed demands and reveal their personal information. (Muscanell, N. et al 2014) In the case of Edward Snowden, Snowden was not in an supervisory position but managed to elicit passwords and user ids from co-workers under the guise that as a system
administrator, he had the need and authority to request such information in the performance of his duties. This goes to show that authority does not need to be real. Perceived authority is enough to get a victim to let their guard down and succumb to the attack. Uniforms can give the same perception without verification of credentials. A lab coat can make the attacker be perceived as a doctor, a police uniform alone implies authority and even a person confidently following a badged employee into a secure area can circumvent security precautions. The unauthorized person appears to be authorized access to the secure area by their body language and confident demeanor. To retard the effect of a social engineer using authority or perceived authority to conduct an attack, information security plans and training must empower the employee to challenge the need-to-know or need-for-access of those in authority positions. While it may not be desirable to have employees challenge their supervisors all the time, the supervisors must be counseled and expect to be challenged when requesting information outside of their normal need-to-know. They must understand the intent is to protect the information and not to challenge their authority. Scarcity The idea of scarcity in social engineering relies on the concept that things that are limited in supply or a limited opportunity have higher value or level of importance than something that is more commonly available. Scarcity is used most commonly in thee sales profession where “limited time offers” or sale pricing and discounts motivate people to buy whether they need the product or not. The same concept can be applied to social engineering attacks on an organization or networks.
Employees operating on systems with access to the internet may come across scarcity opportunities for sales, raffles, or as often seen on Facebook “We have a limited supply of iPads to give away to the first 500 people that request one” scams. The employee clicks on the advertisement which can either install malware or have the employee enter personal information onto a form. Local businesses might have “Win a Free Lunch” offers if you place your business card into the jar with all your company information on them. Drawings and raffles of vacations, motorcycles, cars and other opportunities provide another vehicle to collect personal information. Scarcity may come in the form of a rare and enticing employment opportunity making an unsolicited email request for a system administrator’s resume. Once the resume is sent, the social engineer can emphasize the vast competition for the position and the need to find out exactly what programs, hardware and cybersecurity methods are used by the employee in order to prove they are experienced enough for the job. In these cases, the employee is even less likely to report the solicitation out of fear their employer will know they have been looking for employment elsewhere. Training employees to be aware of such attempts, limiting who has business cards and encouraging employees to resist such attempts to pursue these opportunities on company computer systems can deter such attacks. Social Proof Social proof is most commonly called “peer pressure”. Our human desire to fit in with other leads to a follow-the-leader mentality. Nearly everyone has seen the co-worker selling Girl Scout cookies for their daughter, the office NFL football pool, or unauthorized installation of games/music/videos on a work computer. When several people we know are all doing
something, we have a tendency to go along with it and do the same thing in order to prove we are part of the social group. The justification is often that “everyone is doing it”. In an office setting, one person may decorate their cubicle and install a funny screen saver or wallpaper on their system, thus exposing the computer and network to malware. Other employees see it and decide to do the same or install their own. Viruses are launched and passed through email communications to other employees with a subject line such as “Check this video out”. Within a short amount of time, the desire to be like everyone else can spread attacking software throughout the entire network and steal sensitive information or impact the system. Security training must encourage employees to avoid the group-think mentality and not following the pack when cybersecurity rules might be broken. Reciprocity Reciprocity approaches make use of the societal norm that when someone does something for you, you should return the favor and do something for them in return. (Muscanell, N. et al 2014) Taking into account the aforementioned example involving a secret service agent making an unlawful request for sensitive information, imagine if the secret service agent had previously done a favor for the employee with the data access. The favor may or may not have been work related. Perhaps the secret service agent helped the employee move into their new home. Would the social norm of reciprocity make it more difficult for the employee to turn down the request for the information? Online reciprocity attacks are common. One such reciprocity attack is known as the “Nigerian Prince” attack. In this attack, a person claims to be a wealthy Nigerian prince or a businessman seeking a way to exhilarate their fortune from a precarious situation in exchange for
giving the victim part of the money. (Muscanell, N. et al 2014) The attacker sends the victim a fraudulent check and asks the victim to deposit the check and wire the money, less the victim’s portion, to an intended recipient. Once the victim does so, the check then bounces a few days later leaving the victim stuck paying the full amount of the check back to the bank. Social engineers use reciprocity in either a quid pro quo manner, or they may take a slightly different approach. Cialdini once described this alternate approach as the “door-in-the- face” approach. Participants of a study were found to be much more likely to comply with a request after first being presented with a substantially larger or more difficult request. At times, these two requests might be asked in an either/or scenario. (Muscanell, N. et al 2014) For example, the secret service agent might ask the employee “Could you either print off a copy of my friend’s visa information for me or just read me the details I need to know?” The idea of actually printing off the information and delivering it to the agent presents a much riskier means of helping a friend. Because the request is presented as an either/or format, it gives the perception that no other option exists and the less risky option is the clear choice for the employee. In a case like Edward Snowden, the system administrator might tell the victim employee that they can fix their computer issue remotely, which would take much longer, or the employee could provide their user id and password to the administrator, both helping the administrator and themselves to resolve the problem much faster. The employee feels compelled to help the administrator do their job easier because the administrator is helping the employee as well. Commitment and Consistency It is human nature for individuals to strive to be reliable, consistent and dependable in their dealings with others. Value is placed on those that are committed and consistent in their
actions involving supervisors, co-workers, friends, family and love interests. Inconsistency in one’s dealings gives the impression that a person is unreliable. Social engineers exploit this desire to be consistent. They use what is called the foot-in-the-door approach. (Muscanell, N. et al 2014) This approach is incremental and often the first step is something very innocuous or small. If the attacker can get even the smallest of initial commitment, the process for exploitation begins and the ability to resist the attacker’s requests becomes harder and harder. In the cyber realm this might be a friend request on Facebook. Once the victim accepts the request they have subconsciously made a commitment to the attacker. The victim and attacker are now cyber “friends”. From there, the attacker may begin a conversation and ask for personal information intertwined with less sensitive conversation. This is called masking. In normal conversation, people often remember the beginning of a conversation and the end, but rarely remember details about the middle of the conversation. The probing question is inserted into the middle of less probing conversation. By answering the less sensitive questions, the victim feels obliged to be consistent and keep answering. A great example might be a social engineer seeking to find out possible words used in a employee’s password. The attacker sends a friend request, which is accepted by the victim. A benign conversation ensues and the victim feels the need to be consistent and to keep answering and participating in the conversation. The conversation may touch on several topics such as favorite sports team, family details, work position, networks used, the weather, vacation plans and ultimately some other benign subject. Out of that conversation, the victim when asked about it will likely only recall discussing sports, family, and vacation plans. Out of that conversation,
the attacker can identify a target system and likely words used in a password. We often create passwords we remember involving such subjects. The need to be consistent and committed to the online “friendship” encourages the victim to keep sharing information. As long as the attacker does not overreach in their discussions, the victim will remain consistent in their actions. Training should provide employees examples of such elicitation attempts and be assured that just because one mistake was made, does not obligate them to keep making security mistakes. Conclusion The most common factor in all the aforementioned attacks and tactics is that the person falling for such an attack fails to employ critical thinking skills or social intelligence skills. Critical thinking is the “intellectually disciplined process of actively and skillfully conceptualizing, applying, analyzing, synthesizing and/or evaluating information gathered from, or generated by, observation, experience, reflection, reasoning or communication, as a guide to belief and action.” (Scriven, M. et al 1987) In our social engineering context, it can be summarized by three words: why, how and what. People remember snippets of information, which is why slogans, theme songs and other advertising devices are so effective. To improve the recollection of information security highlights, the keys of information security should be taught in such a manner. Focus employees on remembering three simple questions:  Why does this person need the information?  How can I help them without divulging sensitive information?  What damage could be done if the information is released?
The “why” portion of our solution is applied by the employee when dealing with sensitive information such as passwords, personally identifying information, financial data, etc. The employee must be conditioned so when these bits of information are brought up, they ask themselves “Why does this person need the information?” Once the “why” is identified, the employee must ask them self “How can I resolve this situation without divulging sensitive information?” Lastly, employees must learn to understand the value of the information they possess and the possible damage that could be done if it is shared with an unauthorized employee. As Samuel T.C. Thompson stated in his article Helping the Hacker? Library Information, Security and Social Engineering, once a social engineer has established the trust of the contact, all security barriers are effectively voided and the attacker can gather whatever information they require. After avoiding social engineering attack, the threat may still exist as the attacker simply moves on to the next target. Reporting of suspected attacks is a key component of information security. (Thompson, S. 2006) The concept of social intelligence can inhibit follow on attacks or identify the insider threat. Unlike intelligence, or IQ, which is primarily the product of genetics, social intelligence (SI) is mostly learned. (Riggio, R. 2014) Social intelligence is the product of experiences, successes and failures, in a social setting. It is commonly called tact, common sense or street smarts. (Riggio, R. 2014) The employee’s knowledge of the person, gut feeling or street smarts let them interpret possible motives for the behavior of an insider or external threat. As cybersecurity directors develop their security plans, training focused on critical thinking and social intelligence offer the value-added solution that serves the security training needs but also can be used in everyday management and employee relations.
References MacAskill, E. (2013) Edwards Snowden: how the spy story of the age leaked out. TheGuardian.com Hosenball, M. & Strobel, W. (2013). Exclusive: Snowden persuaded other NSA workers to give up password - sources. Reuters.com Al-Johani, A.; Al-Msloum, A. (2013). Social Engineering Risks in the Contemporary Reality and Methods of Fighting These Risks. (Vol. 5 No. 6) International Journal of Academic Research Muscanell, N.; Guadagno, R.; Murphy, S. (2014). Weapons of Influence Misused: A Social Influence Analysis of Why People Fall Prey to Internet Scams. (Vol. 8 No. 7, pp. 388-396) Social and Personality Psychology Compass, John Wiley & Sons Ltd. Hau, D. (2003). Unauthorized Access – Threats, Risk and Control. (Version 1.4b, Option 1) Globald Information Assurance Certification Paper, SANS Institute Greene, R. (2012). Mastery. (pp 134-135) Penguin Books Riggio, R. (2014). What Is Social Intelligence? Why Does It Matter? www.psychologytoday.com, Psychology Today Thompson, S. (2006). Helping the Hacker? Library Information, Security and Social Engineering,(pp 222 – 225) Information Technology and Libraries Scriven, M. & Paul, R. (1987). Critical Thinking as Defined by the National Council for Excellence in Critical Thinking 1987 Statements published on www.criticalthinking.org, The Critical Thinking Community

More Related Content

PDF
Cyber Threat to Public Safety Communications
byKory Edwards
 
PDF
Social Engineering-The Underpinning of Unauthorized Access
byKory Edwards
 
PDF
Contemporary Cyber Security Social Engineering Solutions, Measures, Policies,...
byCSCJournals
 
PDF
Cyber Threat to Public Safety Communications
byKory Edwards
 
PDF
The Evolving Landscape on Information Security
bySimoun Ung
 
PDF
EXPLORING HISTORICAL AND EMERGING PHISHING TECHNIQUES AND MITIGATING THE ASSO...
byIJNSA Journal
 
PDF
USER AWARENESS MEASUREMENT THROUGH SOCIAL ENGINEERING
byijmvsc
 
PDF
Mark Lanterman - The Risk Report October 2015
byMark Lanterman
 
Cyber Threat to Public Safety Communications
byKory Edwards
 
Social Engineering-The Underpinning of Unauthorized Access
byKory Edwards
 
Contemporary Cyber Security Social Engineering Solutions, Measures, Policies,...
byCSCJournals
 
Cyber Threat to Public Safety Communications
byKory Edwards
 
The Evolving Landscape on Information Security
bySimoun Ung
 
EXPLORING HISTORICAL AND EMERGING PHISHING TECHNIQUES AND MITIGATING THE ASSO...
byIJNSA Journal
 
USER AWARENESS MEASUREMENT THROUGH SOCIAL ENGINEERING
byijmvsc
 
Mark Lanterman - The Risk Report October 2015
byMark Lanterman
 

What's hot

PDF
Case Study On Social Engineering Techniques for Persuasion Full Text
bygraphhoc
 
PDF
Social engineering
byBola Oduyale
 
PPTX
Social Engineering Attacks in IT World
byAkshay Mittal
 
PDF
Social Engineering Role in Compromising Information/Network Security
byOladotun Ojebode
 
PDF
SYSTEM END-USER ACTIONS AS A THREAT TO INFORMATION SYSTEM SECURITY
byIJNSA Journal
 
PDF
Ce hv8 module 09 social engineering
byMehrdad Jingoism
 
PDF
Report on Mobile security
byKavita Rastogi
 
PDF
Comparative review dele
byyoboy7
 
PDF
A LITERATURE SURVEY AND ANALYSIS ON SOCIAL ENGINEERING DEFENSE MECHANISMS AND...
byIJNSA Journal
 
PPTX
Social Engineering
byCyber Agency
 
PDF
Social Engineering Audit & Security Awareness
byCBIZ, Inc.
 
PDF
Symantec Website Security Threat Report 2014 - RapidSSLOnline
byRapidSSLOnline.com
 
PDF
An Indistinguishability Model for Evaluating Diverse Classes of Phishing Atta...
byCSCJournals
 
PDF
Symantec's Internet Security Threat Report for the Government Sector
bySymantec
 
PDF
CYBER AWARENESS
byEDUJIE DOMINIC IGHODALO
 
PDF
Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118
byAngelaHoltby
 
PDF
10 IJAERS-JUN-2015-42-Social Engineering on Social Networking sites
byPuneeth Puni
 
PDF
A1 - Cibersegurança - Raising the Bar for Cybersecurity
bySpark Security
 
DOCX
Insider Attacks: Theft of Intellectual and Proprietary Data
byLindsey Landolfi
 
Case Study On Social Engineering Techniques for Persuasion Full Text
bygraphhoc
 
Social engineering
byBola Oduyale
 
Social Engineering Attacks in IT World
byAkshay Mittal
 
Social Engineering Role in Compromising Information/Network Security
byOladotun Ojebode
 
SYSTEM END-USER ACTIONS AS A THREAT TO INFORMATION SYSTEM SECURITY
byIJNSA Journal
 
Ce hv8 module 09 social engineering
byMehrdad Jingoism
 
Report on Mobile security
byKavita Rastogi
 
Comparative review dele
byyoboy7
 
A LITERATURE SURVEY AND ANALYSIS ON SOCIAL ENGINEERING DEFENSE MECHANISMS AND...
byIJNSA Journal
 
Social Engineering
byCyber Agency
 
Social Engineering Audit & Security Awareness
byCBIZ, Inc.
 
Symantec Website Security Threat Report 2014 - RapidSSLOnline
byRapidSSLOnline.com
 
An Indistinguishability Model for Evaluating Diverse Classes of Phishing Atta...
byCSCJournals
 
Symantec's Internet Security Threat Report for the Government Sector
bySymantec
 
CYBER AWARENESS
byEDUJIE DOMINIC IGHODALO
 
Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118
byAngelaHoltby
 
10 IJAERS-JUN-2015-42-Social Engineering on Social Networking sites
byPuneeth Puni
 
A1 - Cibersegurança - Raising the Bar for Cybersecurity
bySpark Security
 
Insider Attacks: Theft of Intellectual and Proprietary Data
byLindsey Landolfi
 

Similar to Social Engineering-The Underpinning of Unauthorized Access

PDF
socialengineering-100519023327-phpapp02.pdf
byPradmohanSinghTomar1
 
PDF
USER AWARENESS MEASUREMENT THROUGH SOCIAL ENGINEERING
byijmvsc
 
PPTX
Social engineering
byAlexander Zhuravlev
 
PPTX
ethical hacking in motion MODULE - II.ppt
byShivaniSingha1
 
PPTX
Social engineering
byVîñàý Pãtêl
 
PPTX
Social engineering
byHHSome
 
PDF
Airport IT&T 2013 John McCarthy
byRussell Publishing
 
PPT
Social Engineering threats and concern.ppt
byasalahuddin317
 
PDF
Hacking the Helpdesk: Social Engineering Risks
byCraig Clark ITIL, CIS LI,EU GDPR P
 
PDF
Hacking the Helpdesk, Craig Clark
byService Desk Institute
 
PPTX
Social engineering presentation
bypooja_doshi
 
PDF
02 presentation-christianprobst
byInfinIT - Innovationsnetværket for it
 
PDF
- Social Engineering Unit- II Part- I.pdf
byRamya Nellutla
 
PPTX
sec.This includes policy settings that prevent unauthorized people
byJuliusECatipon
 
PPTX
Social engineering-Attack of the Human Behavior
byJames Krusic
 
PPTX
Issa Vancouver 6 09 Pareto's Revenge
byMike Murray
 
PDF
Social engineering-Sandy Suhling
bysuhlingse
 
PDF
Course 2012 Social Engineering Deceptions And Defenses Randy W Williams And W...
bymudiwaheggum
 
PDF
The human factor
byKoen Maris
 
PDF
Yehia Mamdouh @ DTS Solution - The Gentleman Thief
byShah Sheikh
 
socialengineering-100519023327-phpapp02.pdf
byPradmohanSinghTomar1
 
USER AWARENESS MEASUREMENT THROUGH SOCIAL ENGINEERING
byijmvsc
 
Social engineering
byAlexander Zhuravlev
 
ethical hacking in motion MODULE - II.ppt
byShivaniSingha1
 
Social engineering
byVîñàý Pãtêl
 
Social engineering
byHHSome
 
Airport IT&T 2013 John McCarthy
byRussell Publishing
 
Social Engineering threats and concern.ppt
byasalahuddin317
 
Hacking the Helpdesk: Social Engineering Risks
byCraig Clark ITIL, CIS LI,EU GDPR P
 
Hacking the Helpdesk, Craig Clark
byService Desk Institute
 
Social engineering presentation
bypooja_doshi
 
02 presentation-christianprobst
byInfinIT - Innovationsnetværket for it
 
- Social Engineering Unit- II Part- I.pdf
byRamya Nellutla
 
sec.This includes policy settings that prevent unauthorized people
byJuliusECatipon
 
Social engineering-Attack of the Human Behavior
byJames Krusic
 
Issa Vancouver 6 09 Pareto's Revenge
byMike Murray
 
Social engineering-Sandy Suhling
bysuhlingse
 
Course 2012 Social Engineering Deceptions And Defenses Randy W Williams And W...
bymudiwaheggum
 
The human factor
byKoen Maris
 
Yehia Mamdouh @ DTS Solution - The Gentleman Thief
byShah Sheikh
 

Social Engineering-The Underpinning of Unauthorized Access

  • 1.
    Social Engineering: The Underpinningof Unauthorized Access Kory W. Edwards Webster University
  • 2.
    Abstract In May, 2013,perhaps the single most devastating loss of highly sensitive information occurred as Edward Snowden boarded a flight to Hong Kong. (MacAskill 2013) Whether Snowden is viewed as a whistleblowing hero, or as a traitor, the magnitude of this loss of highly sensitive information boiled down to a singular problem: a disgruntled employee who used social engineering to persuade 20-25 co-workers at NSA to give him unauthorized access. (Hosenball & Strobel 2013) Despite formal information security programs and employee training, today’s workplace continues to endure social engineering attacks. This paper explores the implications of social engineering attacks, the reason why information security programs fail, the common types of social engineering attacks and the social engineering tactics commonly used. It will suggest a new approach to inhibit these attacks by incorporating human intelligence concepts, critical thinking and social intelligence. Implications of Social Engineering Attacks Social engineering tactics using either face-to-face or online interactions are the leading cause of devastating information security failures. They can result in secret abduction of specific systems, service presentation rejection, sensitive data destruction or theft, hacker attack of a network, software security breaking and electronic wiretapping including destruction, abduction of telephone calls and other forms of attack. (Al-Johani, et al 2013) The theft of intellectual property or classified data can devastate an organization and result in major monetary losses or even loss of life in some cases. Aside from organizational losses, even the most competent and well-trained employees can be victims of social engineering as attackers use natural human scenarios. In the case of Edward
  • 3.
    Snowden, highly intelligentNSA employees confidently gave their user id and password to an inside, cleared network administrator who sought to resolve a computer issue they were having. (MacAskill 2013) The social engineering attack happened in spite of frequent, routine training, stringent security plans and other precautions that were in place. The end result of this attack was several well-trained, confident, and intelligent employees losing their careers or having them severely impacted. If all these precautions and training cannot effectively prevent such social engineering attacks, what can? Why do information security programs fail? Companies spend substantial amounts of money, time and resources developing and implementing security and training plans to make employees aware of security threats. Their approach relies on the concept that an informed employee will not be as susceptible to social engineering attacks. Yet these attacks persist. Programs focusing on phishing attempts and spam emails become repetitive and are often ignored by the employees. The training fails to give employees a sense of added value that can be used in their everyday duties and not just when a suspicious email hits their inbox. This is because people do not always have the ability or motivation for deliberate, careful thinking. (Muscanell, et al 2014) Employees and their supervisors focus more on checking-the-box for required training than application of what they learned. Social engineering is defined as “a set of techniques used for making people do something or divulge secret information.” (Al-Johani, et al 2013) The description conjures up images of such as a scenario of a nefarious person conducting clandestine espionage operation rather than something the average employee might see on a daily basis. This scenario is not
  • 4.
    relatable for someonewho views their job as routine and less significant. In fact, in the human intelligence realm, those people most often targeted are the least conspicuous targets. The same goes for other social engineering attacks. Why would an attacker target the Director of Central Intelligence, raising alarms, when a disgruntled employee, secretary or janitor can provide information with less risk? Employees fail to understand that it is the access to a network they use that makes them a target, not what they do on that network. Current security plans, programs and training fail to provide a skill that can be applied to every aspect of a person’s job and interpersonal interactions. If the skills they are trained on are not practiced on a daily basis, they are easily forgotten. In order to understand how to improve security programs and training, we must first evaluate the types of social engineering attacks used and the tactics employed by the attackers. By identifying the commonalities, our new approach can be developed. Common Types of Social Engineering Attacks Insider Threats The example of Edward Snowden shows the grand scale at which an insider can wreak havoc by using social engineering to gain unauthorized access. But disgruntled employees represent only a portion of unauthorized access attacks and risks. Aside from disgruntled employees, unauthorized access attacks can result from poor information security training, improper badging and physical access control, and a lack of compartmentalization of the information. What makes an insider threat so difficult to detect and deter is that they already have legitimate access to the facility or system, know what they are looking for and know how to circumvent security protections. (Hau 2003)
  • 5.
    Social engineering reliesheavily upon people remaining true to social and cultural norms or a lack of awareness of the information’s value and their role in protecting the information. (Al- Johani, et al 2013) Social engineers exploit employees that have not been trained, have become complacent about their training or have failed to remember the training they were provided. Targets may be new employees that are eager to prove themselves valuable to the company, complacent employees that routinely have security incidents or personalities that are easily subject to intimidation or coercion. Even the happy, helpful employee is subject to exploitation due out of their desire to “help a friend”. A well-designed training program can curtail these issues and empower employees to stick to security protocol. Social engineers also exploit vulnerabilities resulting from improper badging and physical access controls. By not having strict badging standards and adherence to badging procedures, insiders can obtain unauthorized access. Locked desks can keep prying eyes from accessing office phone lists, notes, password reminders on sticky notes, email directories, printed papers, electronic media and other stores of information that can be stolen or copied. (Al-Johani, et al 2013) Guards and employees that check badges, even when they know the person, can keep recently fired or disgruntled employees from extending their access beyond its expiration or accessing areas where they are not properly authorized. Individual burn bags, the use of shredders and securely disposing of all paper can prevent social engineers from exploiting information found in recycle bins, trash cans and messy desktops. Lastly, proper compartmentalization of sensitive information can impede social engineering attempts to gain unauthorized access. This must include need-to-know barriers between management and their subordinates. Managers often need to know an overall situation, but do not need direct access to data used to reach assessments. A social engineer might use anti-social
  • 6.
    engineering, which isa highly developed way to obtain sensitive information. The attacker claims to be authorized a high level of access and elicits information from employees by simply bringing up a subject and getting the employee to talk. (Al-Johani, et al 2013) Employees share information out of the belief that the insider is authorized. Information security managers can inhibit such attempts by carefully compartmenting information and granting access for each compartment to those employees that can prove a need-to-know. External Threats Insider threat attacks can facilitate external attacks. Seemingly non-sensitive information such as office phone and email directories can facilitate an external social engineering attack such as via email or phone calls. The attacker can use the company phone or email directory to target a specific individual. The attacker contacts them directly, already knowing their name and position, and builds their bona fides with the victim by seemingly knowing them or their associate. Phone calls to an employee posing as a system administrator with an urgent need can coerce employees into revealing sensitive information or taking actions on their computer that enable a technical attack. Phishing attempts through personal and company email addresses are also common methods of external social engineering attack. External attackers may use dumpster diving of dumpsters located outside of the secured area to find sticky notes with passwords, discarded documentation of initial passwords or details of password build requirements. By having such information, the external attacker can conduct dictionary attacks by comparing passwords against dictionary files, hybrid attacks using dictionary attacks combined with extra characters or brute
  • 7.
    force attacks thatcompare every possible combination until eventually one works on the system. (Al-Johani, et al 2013) Lastly, physical security flaws can allow an external attacker to place devices or programs on a system using free flash drive or software giveaways to employees with access. The device or program then conducts sniffing, wiretapping or eavesdropping on the network. (Al-Johani, et al 2013) It is essential that employees safeguard company computers, cellphones and other electronic devices when traveling, staying in hotels or passing through customs and security checkpoints in order to prevent such attempts. Even foreign governments conduct economic espionage! Social Engineering Tactics We have all likely had some form of information security training in our careers. Most victims of social engineering attacks are intelligent people. How then do so many intelligent, security conscious people fall prey to social engineering exploitation? The answer lies in unique qualities that humans possess and build upon from birth. Of all the creatures on the planet, humans have the longest development periods. We are born exceedingly vulnerable and defenseless. The long period from birth to adulthood allows the human brain to develop a much deeper level of consciousness, but also has significant draw backs. (Greene, R. 2012) Humans are highly dependent upon others for their growth and protection during these early years. We grow to view our parents and caretakers as infallible, intelligent and strong. If we had the realization of their flaws and our weaknesses, we would not be able to bear the anxiety it would bring upon us. (Greene, R. 2012) When we enter the workforce, these views often follow us and are applied to our teachers, friends, confidants, mentors and bosses. (Greene, R. 2012) We do so at a much greater risk though. The knowledge
  • 8.
    of the attributes,emotions and motivations is known as “social intelligence”. It is often referred to as “street smarts”. (Riggio, R. 2014) The failure to increase one’s social intelligence leads to what Robert Greene, in his book Mastery, called “Naïve Perspective”. Greene explains that “With colleagues in the work environment, we fail to see the source of their envy or the reason for their manipulations; our attempts at influencing them are based on the assumptions that they want the same things as ourselves. With mentors and bosses, we project onto them our childhood fantasies, becoming unnecessarily adoring or fearful of authority figures…We think we understand people, but we are viewing them through a distorted lens. In this state, all of our empathic powers are rendered useless.” (Greene, R. 2012) Now that we understand why people fall prey to social engineering, we’ll now explore those tactics used by social engineers. Social engineering attackers use what Robert Cialdini outline as the social influence framework. The attacker uses one of the 6 weapons of influence: Liking, Authority, Scarcity, Social Proof, Reciprocity and Commitment and Consistency. How can a trained, intelligent person still fall prey to these weapons of influence though? Individuals are often quite busy in their personal and professional lives and as a result are unable or unmotivated to avoid heuristics, or mental shortcuts. (Muscanell, N. et al 2014) Liking Throughout our society, likeability is placed in high value. Everyone knows of a neighbor, co-worker, family member, friend or celebrity that they admire and respect because they are likeable. Our culture idolizes the celebrity that is “such a good person”, we vote for the most likeable candidate and seek to be likeable ourselves. People trust a likeable person and view
  • 9.
    them with ahigher degree of credibility. Likeability plays into social engineering attacks in two ways; our desire to be liked and our desire to assist a likeable person. Recently, a well-known email scam involved receiving an email that appears to be from a friend or family member using what is called the “stranded traveler” approach. This social engineering attack preyed on the desire to assist a familiar person by sending them money because they had fallen into a difficult situation while traveling and needed financial assistance, while promising to repay the victim once they had returned home from their travels. (Muscanell, N. et al 2014) The approach plays directly into a person’s desire to help a liked person and to feel appreciated for doing so. Some online scams prey on victims by impersonating well-liked companies. People often view the Better Business Bureau (BBB) as a likeable, trustworthy consumer protection advocate. Recent social networking attacks using a friend request on Facebook from the BBB have entrapped many people. Once the request is accepted, the social engineer initiates a conversation and encourages the victim to apply for a Federal grant. The form used to collect their personal information for the alleged grant is then used in identity theft. (Muscanell, N. et al 2014) Aside from online social engineering attacks, face-to-face attacks or data spillage can result using the likeability tactic. A co-worker, friend or family member might ask someone working for the government for indirect access to sensitive or restricted information. A recent example of such approach happened when a secret service agent, a seemingly trustworthy person, approached a good friend who had access to U.S. visa information. The agent, out of sincere desire to help someone he knew, asked the friend to see if he could look up the visa information of the 3rd party to see why it was taking so long to process the 3rd party’s visa. When the friend with visa data access explained that doing so would be a violation of both policy and
  • 10.
    Federal law, thesecret service agent pressured the employee using likeability as a means to get his friend to circumvent the restrictions. This placed the friend in the position of protecting the information and avoiding personal career jeopardy, but alienating his friend, or violating the law to remain liked by the secret service agent friend. Ultimately, fear (a much stronger motivator than the possibility of gain) kept the friend from violating the law and the information remained protected. But what if the fear of search audits or being caught was not taken seriously or had not been engrained through information security training? Would the data have been protected? Could the attempt to gain unauthorized access be a means of verifying the employee’s access for use in future attacks? Assuaging the desire to be liked by an unauthorized employee must be incorporated into every information security plan. Authority As previously mentioned people often place naïve trust in or fear the authority figures in our lives. Especially when faced with the dominating presence of a supervisor or significant other, people often comply with demands from the authority figure rather than suffer the consequences of their non-compliance. They pursue the path of least resistance. Online scams involving Federal government entities demanding immediate response with personal information have become very well-known in recent years. If the Internal Revenue Service demands an immediate response concerning a tax refund, a victim can easily feel pressured to comply with the emailed demands and reveal their personal information. (Muscanell, N. et al 2014) In the case of Edward Snowden, Snowden was not in an supervisory position but managed to elicit passwords and user ids from co-workers under the guise that as a system
  • 11.
    administrator, he hadthe need and authority to request such information in the performance of his duties. This goes to show that authority does not need to be real. Perceived authority is enough to get a victim to let their guard down and succumb to the attack. Uniforms can give the same perception without verification of credentials. A lab coat can make the attacker be perceived as a doctor, a police uniform alone implies authority and even a person confidently following a badged employee into a secure area can circumvent security precautions. The unauthorized person appears to be authorized access to the secure area by their body language and confident demeanor. To retard the effect of a social engineer using authority or perceived authority to conduct an attack, information security plans and training must empower the employee to challenge the need-to-know or need-for-access of those in authority positions. While it may not be desirable to have employees challenge their supervisors all the time, the supervisors must be counseled and expect to be challenged when requesting information outside of their normal need-to-know. They must understand the intent is to protect the information and not to challenge their authority. Scarcity The idea of scarcity in social engineering relies on the concept that things that are limited in supply or a limited opportunity have higher value or level of importance than something that is more commonly available. Scarcity is used most commonly in thee sales profession where “limited time offers” or sale pricing and discounts motivate people to buy whether they need the product or not. The same concept can be applied to social engineering attacks on an organization or networks.
  • 12.
    Employees operating onsystems with access to the internet may come across scarcity opportunities for sales, raffles, or as often seen on Facebook “We have a limited supply of iPads to give away to the first 500 people that request one” scams. The employee clicks on the advertisement which can either install malware or have the employee enter personal information onto a form. Local businesses might have “Win a Free Lunch” offers if you place your business card into the jar with all your company information on them. Drawings and raffles of vacations, motorcycles, cars and other opportunities provide another vehicle to collect personal information. Scarcity may come in the form of a rare and enticing employment opportunity making an unsolicited email request for a system administrator’s resume. Once the resume is sent, the social engineer can emphasize the vast competition for the position and the need to find out exactly what programs, hardware and cybersecurity methods are used by the employee in order to prove they are experienced enough for the job. In these cases, the employee is even less likely to report the solicitation out of fear their employer will know they have been looking for employment elsewhere. Training employees to be aware of such attempts, limiting who has business cards and encouraging employees to resist such attempts to pursue these opportunities on company computer systems can deter such attacks. Social Proof Social proof is most commonly called “peer pressure”. Our human desire to fit in with other leads to a follow-the-leader mentality. Nearly everyone has seen the co-worker selling Girl Scout cookies for their daughter, the office NFL football pool, or unauthorized installation of games/music/videos on a work computer. When several people we know are all doing
  • 13.
    something, we havea tendency to go along with it and do the same thing in order to prove we are part of the social group. The justification is often that “everyone is doing it”. In an office setting, one person may decorate their cubicle and install a funny screen saver or wallpaper on their system, thus exposing the computer and network to malware. Other employees see it and decide to do the same or install their own. Viruses are launched and passed through email communications to other employees with a subject line such as “Check this video out”. Within a short amount of time, the desire to be like everyone else can spread attacking software throughout the entire network and steal sensitive information or impact the system. Security training must encourage employees to avoid the group-think mentality and not following the pack when cybersecurity rules might be broken. Reciprocity Reciprocity approaches make use of the societal norm that when someone does something for you, you should return the favor and do something for them in return. (Muscanell, N. et al 2014) Taking into account the aforementioned example involving a secret service agent making an unlawful request for sensitive information, imagine if the secret service agent had previously done a favor for the employee with the data access. The favor may or may not have been work related. Perhaps the secret service agent helped the employee move into their new home. Would the social norm of reciprocity make it more difficult for the employee to turn down the request for the information? Online reciprocity attacks are common. One such reciprocity attack is known as the “Nigerian Prince” attack. In this attack, a person claims to be a wealthy Nigerian prince or a businessman seeking a way to exhilarate their fortune from a precarious situation in exchange for
  • 14.
    giving the victimpart of the money. (Muscanell, N. et al 2014) The attacker sends the victim a fraudulent check and asks the victim to deposit the check and wire the money, less the victim’s portion, to an intended recipient. Once the victim does so, the check then bounces a few days later leaving the victim stuck paying the full amount of the check back to the bank. Social engineers use reciprocity in either a quid pro quo manner, or they may take a slightly different approach. Cialdini once described this alternate approach as the “door-in-the- face” approach. Participants of a study were found to be much more likely to comply with a request after first being presented with a substantially larger or more difficult request. At times, these two requests might be asked in an either/or scenario. (Muscanell, N. et al 2014) For example, the secret service agent might ask the employee “Could you either print off a copy of my friend’s visa information for me or just read me the details I need to know?” The idea of actually printing off the information and delivering it to the agent presents a much riskier means of helping a friend. Because the request is presented as an either/or format, it gives the perception that no other option exists and the less risky option is the clear choice for the employee. In a case like Edward Snowden, the system administrator might tell the victim employee that they can fix their computer issue remotely, which would take much longer, or the employee could provide their user id and password to the administrator, both helping the administrator and themselves to resolve the problem much faster. The employee feels compelled to help the administrator do their job easier because the administrator is helping the employee as well. Commitment and Consistency It is human nature for individuals to strive to be reliable, consistent and dependable in their dealings with others. Value is placed on those that are committed and consistent in their
  • 15.
    actions involving supervisors,co-workers, friends, family and love interests. Inconsistency in one’s dealings gives the impression that a person is unreliable. Social engineers exploit this desire to be consistent. They use what is called the foot-in-the-door approach. (Muscanell, N. et al 2014) This approach is incremental and often the first step is something very innocuous or small. If the attacker can get even the smallest of initial commitment, the process for exploitation begins and the ability to resist the attacker’s requests becomes harder and harder. In the cyber realm this might be a friend request on Facebook. Once the victim accepts the request they have subconsciously made a commitment to the attacker. The victim and attacker are now cyber “friends”. From there, the attacker may begin a conversation and ask for personal information intertwined with less sensitive conversation. This is called masking. In normal conversation, people often remember the beginning of a conversation and the end, but rarely remember details about the middle of the conversation. The probing question is inserted into the middle of less probing conversation. By answering the less sensitive questions, the victim feels obliged to be consistent and keep answering. A great example might be a social engineer seeking to find out possible words used in a employee’s password. The attacker sends a friend request, which is accepted by the victim. A benign conversation ensues and the victim feels the need to be consistent and to keep answering and participating in the conversation. The conversation may touch on several topics such as favorite sports team, family details, work position, networks used, the weather, vacation plans and ultimately some other benign subject. Out of that conversation, the victim when asked about it will likely only recall discussing sports, family, and vacation plans. Out of that conversation,
  • 16.
    the attacker canidentify a target system and likely words used in a password. We often create passwords we remember involving such subjects. The need to be consistent and committed to the online “friendship” encourages the victim to keep sharing information. As long as the attacker does not overreach in their discussions, the victim will remain consistent in their actions. Training should provide employees examples of such elicitation attempts and be assured that just because one mistake was made, does not obligate them to keep making security mistakes. Conclusion The most common factor in all the aforementioned attacks and tactics is that the person falling for such an attack fails to employ critical thinking skills or social intelligence skills. Critical thinking is the “intellectually disciplined process of actively and skillfully conceptualizing, applying, analyzing, synthesizing and/or evaluating information gathered from, or generated by, observation, experience, reflection, reasoning or communication, as a guide to belief and action.” (Scriven, M. et al 1987) In our social engineering context, it can be summarized by three words: why, how and what. People remember snippets of information, which is why slogans, theme songs and other advertising devices are so effective. To improve the recollection of information security highlights, the keys of information security should be taught in such a manner. Focus employees on remembering three simple questions:  Why does this person need the information?  How can I help them without divulging sensitive information?  What damage could be done if the information is released?
  • 17.
    The “why” portionof our solution is applied by the employee when dealing with sensitive information such as passwords, personally identifying information, financial data, etc. The employee must be conditioned so when these bits of information are brought up, they ask themselves “Why does this person need the information?” Once the “why” is identified, the employee must ask them self “How can I resolve this situation without divulging sensitive information?” Lastly, employees must learn to understand the value of the information they possess and the possible damage that could be done if it is shared with an unauthorized employee. As Samuel T.C. Thompson stated in his article Helping the Hacker? Library Information, Security and Social Engineering, once a social engineer has established the trust of the contact, all security barriers are effectively voided and the attacker can gather whatever information they require. After avoiding social engineering attack, the threat may still exist as the attacker simply moves on to the next target. Reporting of suspected attacks is a key component of information security. (Thompson, S. 2006) The concept of social intelligence can inhibit follow on attacks or identify the insider threat. Unlike intelligence, or IQ, which is primarily the product of genetics, social intelligence (SI) is mostly learned. (Riggio, R. 2014) Social intelligence is the product of experiences, successes and failures, in a social setting. It is commonly called tact, common sense or street smarts. (Riggio, R. 2014) The employee’s knowledge of the person, gut feeling or street smarts let them interpret possible motives for the behavior of an insider or external threat. As cybersecurity directors develop their security plans, training focused on critical thinking and social intelligence offer the value-added solution that serves the security training needs but also can be used in everyday management and employee relations.
  • 19.
    References MacAskill, E. (2013)Edwards Snowden: how the spy story of the age leaked out. TheGuardian.com Hosenball, M. & Strobel, W. (2013). Exclusive: Snowden persuaded other NSA workers to give up password - sources. Reuters.com Al-Johani, A.; Al-Msloum, A. (2013). Social Engineering Risks in the Contemporary Reality and Methods of Fighting These Risks. (Vol. 5 No. 6) International Journal of Academic Research Muscanell, N.; Guadagno, R.; Murphy, S. (2014). Weapons of Influence Misused: A Social Influence Analysis of Why People Fall Prey to Internet Scams. (Vol. 8 No. 7, pp. 388-396) Social and Personality Psychology Compass, John Wiley & Sons Ltd. Hau, D. (2003). Unauthorized Access – Threats, Risk and Control. (Version 1.4b, Option 1) Globald Information Assurance Certification Paper, SANS Institute Greene, R. (2012). Mastery. (pp 134-135) Penguin Books Riggio, R. (2014). What Is Social Intelligence? Why Does It Matter? www.psychologytoday.com, Psychology Today Thompson, S. (2006). Helping the Hacker? Library Information, Security and Social Engineering,(pp 222 – 225) Information Technology and Libraries Scriven, M. & Paul, R. (1987). Critical Thinking as Defined by the National Council for Excellence in Critical Thinking 1987 Statements published on www.criticalthinking.org, The Critical Thinking Community