Social Engineering: I-E based Model of Human Weakness to Investigate Attack and Defense

Volume 1, Issue 2, December 2016     |     PP. 34-57      |     PDF (274 K)    |     Pub. Date: December 20, 2016
DOI:    329 Downloads     8142 Views  

Author(s)

Wenjun Fan, Department of Telematics Engineering, ETSI Telecommunication Technical University of Madrid, Madrid, Spain
Kevin Lwakatare, Department of Computer Science, TUT Centre for Digital Forensics and Cyber Security Tallinn University of Technology, Tallinn, Estonia
Rong Rong, IE Business School, Madrid, Spain

Abstract
Social engineering is the attack aimed to manipulate dupe to divulge sensitive information or perform actions to help the adversary bypassing the secure perimeter in front of the information-related resources in order to complete attacking goals. Though there are a number of security tools, such as firewalls and intrusion detection systems, which can be used to protect the machines from being attacked, there is a lack of widely accepted mechanism to prevent dupe from fraud. However, the human element is often the weakest link in an information security chain, particularly, in a human-centered environment. In this paper, we reveal that the human psychological weaknesses result in the main vulnerabilities that can be exploited by social engineering attacks, and also, we capture two essential levels, internal characteristics of human nature and external circumstance influences, to discover the root cause of the human weaknesses. We unveil that the internal characteristics of human nature can be converted into weaknesses by external circumstance influences. So, we propose the I-E based model of human weakness for social engineering investigation. Based on this model, we analyzed the vulnerabilities exploited by different techniques of social engineering, and also, we conclude several defense approaches to strengthen the human weaknesses. This work can help the security researchers to gain insights into social engineering from a different perspective, and especially, enhance research for the current and future social engineering defense mechanisms.

Keywords
Social Engineering, Semantic Attacks, Information Security, Data Privacy, Hacking Techniques, Human Weaknesses

Cite this paper
Wenjun Fan, Kevin Lwakatare, Rong Rong, Social Engineering: I-E based Model of Human Weakness to Investigate Attack and Defense , SCIREA Journal of Information Science and Systems Science. Volume 1, Issue 2, December 2016 | PP. 34-57.

References

[ 1 ] Hossein Bidgoli. Handbook of Information Security, Information Warfare, Social, Legal, and International Issues and Security Foundations (Handbook of Information Security). John Wiley & Sons, Inc., New York, NY, USA, 2006.
[ 2 ] Ji-Xuan Feng and Janet Hughes. Analyzing privacy and security issues in the information age - an ethical perspective. WSEAS Trans. Info. Sci. and App., 6(1):126–135, January 2009.
[ 3 ] RC Joshi and Anjali Sardana. Honeypots: a new paradigm to information security. CRC Press, 2011.
[ 4 ] Kevin D Mitnick and William L Simon. The art of deception: Controlling the human element of security. John Wiley & Sons, 2011.
[ 5 ] Verizon RISK Team. 2015 data breach investigations report. 2015.
[ 6 ] Ponemon Institute. The cost of phishing and value of employee training, Aug 2015.
[ 7 ] Symantec Enterprise. Internet security threat report 2015, 2015.
[ 8 ] Christopher Hadnagy. Social engineering: The art of human hacking. John Wiley & Sons, 2010.
[ 9 ] Ian Mann. Hacking the human: social engineering techniques and security countermeasures. Gower Publishing, Ltd., 2012.
[ 10 ] A. Avizienis, J. C. Laprie, B. Randell, and C. Landwehr. Basic concepts and taxonomy of dependable and secure computing. IEEE Transactions on Dependable and Secure Computing, 1(1):11–33, Jan 2004.
[ 11 ] Simon Hansman and Ray Hunt. A taxonomy of network and computer attacks. Computers & Security, 24(1):31 – 43, 2005.
[ 12 ] Chris Simmons, Charles Ellis, Sajjan Shiva, Dipankar Dasgupta, and Qishi Wu. Avoidit: a cyber attack taxonomy. Technical Report CS-09-003, University of Memphis, Aug 2009.
[ 13 ] RP Van Heerden, Barry Irwin, ID Burke, and L Leenen. A computer network attack taxonomy and ontology. International Journal of Cyber Warfare and Terrorism (IJCWT), 2(3):12–25, 2012.
[ 14 ] Katharina Krombholz, Heidelinde Hobel, Markus Huber, and Edgar Weippl. Advanced social engineering attacks. Journal of Information Security and Applications, 22(C):113–122, June 2015.
[ 15 ] Ryan Heartfield and George Loukas. A taxonomy of attacks and a survey of defence mechanisms for semantic social engineering attacks. ACM Comput. Surv., 48(3):37:1–37:39, December 2015.
[ 16 ] CERT-UK. Common cyber attacks: Reducing the impact, 2015.
[ 17 ] Francois Mouton, Louise Leenen, and H.S. Venter. Social engineering attack examples, templates and scenarios. Computers & Security, 59:186 – 209, 2016.
[ 18 ] Marcus Nohlberg and Stewart Kowalski. The cycle of deception: a model of social engineering attacks, defenses and victims. In Second International Symposium on Human Aspects of Information Security and Assurance (HAISA 2008), pages 1–11, Plymouth, UK, July 8-9 2008.
[ 19 ] F. Mouton, M. M. Malan, L. Leenen, and H. S. Venter. Social engineering attack framework. In 2014 Information Security for South Africa, pages 1–9, Aug 2014.
[ 20 ] Francois Mouton, Louise Leenen, Mercia M. Malan, and H. S. Venter. Towards an ontological model defining the social engineering domain. In 11th IFIP TC 9 International Conference on Human Choice and Computers (HCC11 2014), pages 266–279, Turku, Finland, July 31 – August 1, 2014.
[ 21 ] Jose J. Gonzalez, Jose M. Sarriegi, and Alazne Gurrutxaga. A framework for conceptualizing social engineering attacks, pages 79–90. Samos, Greece, August 31 - September 1, 2006.
[ 22 ] Pekka Tetri and Jukka Vuorinen. Dissecting social engineering. Behaviour & Information Technology, 32(10):1014–1023, 2013.
[ 23 ] Sherly Abraham and InduShobha Chengalur-Smith. An overview of social engineering malware: trends, tactics, and implications. Technology in Society, 32(3):183 – 196, 2010.
[ 24 ] Richard Dawkins. The selfish gene. 1976.
[ 25 ] Dale Carnegie. How to win friends and influence people. Simon and Schuster, 2010.
[ 26 ] R. Bhakta and I. G. Harris. Semantic analysis of dialogs to detect social engineering attacks. In Semantic Computing (ICSC), 2015 IEEE International Conference on, pages 424–427, Feb 2015.
[ 27 ] Tolga Mataracioglu, SevgiÖzkan, and Ray Hackney. Towards a security lifecycle model against social engineering attacks: SLM-SEA. CoRR, abs/1507.02458, 2015.
[ 28 ] Andrew Mathews. Why worry? the cognitive function of anxiety. Behaviour Research and Therapy, 28(6):455 – 468, 1990.
[ 29 ] M. Bezuidenhout, F. Mouton, and H. S. Venter. Social engineering attack detection model: SEADM. In 2010 Information Security for South Africa, pages 1–8, Aug 2010.
[ 30 ] Francois Mouton, Mercia M Malan, and Hein S Venter. Development of cognitive functioning psychological measures for the seadm. In HAISA, pages 40–51, 2012.
[ 31 ] F. Mouton, L. Leenen, and H. S. Venter. Social engineering attack detection model: Seadmv2. In 2015 International Conference on Cyberworlds (CW), pages 216–223, Oct. 2015.