Securing Information Assets: Understanding, Measuring and Protecting against Social Engineering Attacks
Högskolan i Skövde, Institutionen för kommunikation och information. Högskolan i Skövde, Forskningscentrum för Informationsteknologi.
2008 (English) Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

Social engineering denotes, within the realm of security, a type of attack against the human element during which the assailant induces the victim to release information or perform actions they should not. Our research on social engineering is divided into three areas: understanding, measuring and protecting. Understanding deals with finding out more about what social engineering is, and how it works. This is achieved through the study of previous work in information security as well as other relevant research areas. The measuring area is about trying to find methods and approaches that put numbers on an organization's vulnerability to social engineering attacks. Protecting covers the ways an organization can use to try to prevent attacks. A common approach is to educate the users on typical attacks, assailants, and their manipulative techniques. In many cases there are no preventive techniques in place that deal with the human element of security.

The results show that social engineering is a technique with a high probability of success. Furthermore, defense strategies against it are complicated, and susceptibility to it is difficult to measure. Important contributions are a model describing social engineering attacks and defenses, referred to as the Cycle of Deception, together with a thorough discussion on why and how social engineering works. We also propose new ways of conducting social engineering penetration testing and outline a set of recommendations for protection. It is crucial to involve managers more, but also to train the users with practical exercises instead of theoretical education, for example, by combining measuring exercises and penetration testing with training. We also discuss the future threat of Automated Social Engineering, in which software with a simple form of artificial intelligence can be used to act as humans using social engineering techniques online, making it quite hard for Internet users to trust anyone they communicate with online.

Place, publisher, year, edition, pages
Stockholm University, 2008. 97 p.
Series
Report Series/Department of Computer & Systems Sciences, ISSN 1101-8526 ; 09-001
National subject category
Systems science, information systems and informatics
Research subject
Technology
Identifiers
URN: urn:nbn:se:his:diva-2916 ISBN: 978-91-7155-786-5 OAI: oai:DiVA.org:his-2916 DiVA, id: diva2:209810
Public defence
(English)
Note

Compilation thesis: 7 articles

Available from: 2009-06-26 Created: 2009-03-27 Last updated: 2018-01-13 Bibliographically approved
List of papers
1. Social Engineering Audits Using Anonymous Surveys: Conning the Users in Order to Know if They Can Be Conned
2005 (English) In: CD-ROM Proceedings of the 4th Security Conference, Las Vegas, USA, 30-31 March 2005, 2005. Conference paper, Published paper (Refereed)
Abstract [en]

It is important to know the security readiness of any organization in order to strengthen it. One often neglected aspect of security is the human element, which is often attacked by "social engineering" techniques. This paper studies to what extent users are aware of and susceptible to common social engineering attacks, and if a quantitative approach to penetration testing of social engineering can be used. By employing a quantitative study under the false pretense of studying "micro efficiency", an organization with above average skilled users was surveyed on three classic social engineering cons. The results indicate that the approach could be useful as a part of, or as a stand-alone, auditing technique. The human element is not only vulnerable, but vulnerable to the extent that it shadows most other security measures. The author argues for the necessity of education in order to counter the serious threat of social engineering, since it in many cases complies with the principle of adequate protection.

Identifiers
urn:nbn:se:his:diva-1714 (URN) 0-9729562-5-5 (ISBN)
Conference
4th Security Conference, Las Vegas, USA, March 30–31, 2005
Available from: 2007-08-20 Created: 2007-08-20 Last updated: 2017-11-27
2. User-centered security applied to the development of a management information system
2007 (English) In: Information Management & Computer Security, ISSN 0968-5227, E-ISSN 1758-5805, Vol. 15, no. 5, p. 372-381. Article in journal (Refereed) Published
Abstract [en]

Purpose – This paper aims to use user-centred security development of a prototype graphical interface for a management information system dealing with information security with upper-level management as the intended users.

Design/methodology/approach – The intended users were studied in order to understand their needs. An iterative design process was used where the designs were first made on paper, then as a prototype interface and later as a final interface design. All was tested by subjects within the target user group.

Findings – The interface was perceived as being successful by the test subjects and the sponsoring organization, Siguru. The major conclusion of the study is that managers use knowledge of information security mainly for financial and strategic matters, which focus more on risk issues than security issues. To meet the needs of managers, the study presents three heuristics for the design of management information security system interfaces.

Research limitations/implications – This interface was tested on a limited set of users and further tests could be done, especially of users with other cultural/professional backgrounds.

Practical implications – This paper presents a useful set of heuristics that can be used in development of management information systems as well as other practical tips for similar projects.

Originality/value – This paper gives an example of a successful user-centred security development process. The lessons learned could be beneficial in software development in general and security products in particular.

Place, publisher, year, edition, pages
Emerald Group Publishing Limited, 2007
Keywords
Data security, Information, Information systems, User interfaces
National subject category
Engineering and Technology
Research subject
Technology
Identifiers
urn:nbn:se:his:diva-1451 (URN) 10.1108/09685220710831116 (DOI) 2-s2.0-34948879255 (Scopus ID)
Available from: 2008-09-26 Created: 2008-09-26 Last updated: 2017-12-13 Bibliographically approved
3. Why Humans are the Weakest Link
2008 (English) In: Social and Human Elements of Information Security: Emerging Trends and Counter-measures / [ed] Manish Gupta, Raj Sharman, Hershey, PA: IGI Global, 2008, p. 15-26. Chapter in book (Refereed)
Abstract [en]

This chapter introduces the concept of social psychology, and what forms of deception humans are prone to fall for. It presents a background of the area and a thorough description of the most common and important influence techniques. It also gives more practical examples of potential attacks, and what kind of influence techniques they use, as well as a set of recommendations on how to defend against deception, and a discussion on future trends. The author hopes that the understanding of why and how the deceptive techniques work will give the reader new insights into information security in general, and deception in particular. This insight can be used to improve training, to discover influence earlier, or even to gain new powers of influence.

Place, publisher, year, edition, pages
Hershey, PA: IGI Global, 2008
Research subject
Technology
Identifiers
urn:nbn:se:his:diva-2579 (URN) 978-1-60566-036-3 (ISBN)
Available from: 2009-01-22 Created: 2009-01-22 Last updated: 2017-11-27 Bibliographically approved
4. The cycle of deception: a model of social engineering attacks, defenses and victims
2008 (English) In: Proceedings of the Second International Symposium on Human Aspects of Information Security and Assurance (HAISA 2008) / [ed] Nathan Clarke, Steven Furnell, University of Plymouth, 2008, p. 1-11. Conference paper, Published paper (Refereed)
Abstract [en]

In this paper we propose a model for describing deceptive crimes in general and social engineering in particular. Our research approach was naïve inductivist, and the methods used were a literature study and interviews with the lead investigator in a grooming case, as we see many similarities between the techniques used in grooming and those used in social engineering. From this we create cycles describing the attacker, the defender, and the victim, and merge them into a model describing the cycle of deception. The model is then extended into a possible deception sphere. The resulting models can be used to educate about social engineering, to create automated social engineering attacks, to facilitate better incident reporting, and to understand the impact and economic aspects of defenses.

Place, publisher, year, edition, pages
University of Plymouth, 2008
Keywords
Social engineering, fraud, deception, security models, computer crime
Research subject
Technology
Identifiers
urn:nbn:se:his:diva-3622 (URN) 978-1-84102-189-8 (ISBN)
Conference
Second International Symposium on Human Aspects of Information Security and Assurance (HAISA 2008), Plymouth, UK, 8-9 July 2008
Available from: 2010-02-01 Created: 2010-02-01 Last updated: 2019-08-22 Bibliographically approved
5. Non-Invasive Social Engineering Penetration Testing in a Medical Environment
2008 (English) In: Proceedings of the 7th Annual Security Conference [CD-ROM], 2008, p. 22.1-22.13. Conference paper, Published paper (Refereed)
Abstract [en]

This paper proposes a soft approach for social engineering penetration testing. Using the SBC model as a foundation, questions related to the social element of security were asked in semi-structured interviews with a group of subjects. The answers were analyzed and presented in an uncomplicated graph. The purpose was to study the feasibility of letting the users participate, instead of exploiting their weaknesses. It was found that the approach of interviewing the subjects rendered interesting and relevant results, making it an approach that should be studied further due to its apparent gains: less ethically troublesome penetration testing, increased awareness, improved coverage and novel information as added bonuses.

Keywords
Social Engineering, SBC model, Penetration Tests
Research subject
Technology
Identifiers
urn:nbn:se:his:diva-3624 (URN) 978-1-935160-01-4 (ISBN)
Conference
7th Annual Security Conference, Las Vegas, USA, June 2-3, 2008
Available from: 2010-02-01 Created: 2010-02-01 Last updated: 2019-08-23 Bibliographically approved
6. Measuring Readiness for Automated Social Engineering
2008 (English) In: Proceedings of the 7th Annual Security Conference, Las Vegas, USA, June 2-3, 2008 [CD-ROM], 2008, p. 20.1-20.13. Conference paper, Published paper (Refereed)
Abstract [en]

This paper presents the results of a case study of the readiness of four large Swedish multinational corporations to deal with automated social engineering attacks. A preliminary study was performed to review how the security policy of a large corporation deals with social engineering attacks. The results from this study were combined with a conceptual model of social engineering when constructing a new interview protocol and a grading scale. This interview protocol was designed to measure the readiness of an organization to deal with social engineering attacks in general, and in this case with automated social engineering in particular. Four interviews were conducted with senior security managers and senior employees. Results indicate that no organization scored over 60% on the readiness scale, and thus all are considered at risk of attack.

Keywords
Automated social engineering, social engineering, readiness, security readiness measurements, web 2.0 security, cycle of deception, online social networks
Research subject
Technology
Identifiers
urn:nbn:se:his:diva-3623 (URN) 978-1-935160-01-4 (ISBN)
Conference
7th Annual Security Conference, Las Vegas, USA, June 2-3, 2008
Available from: 2010-02-01 Created: 2010-02-01 Last updated: 2019-08-22 Bibliographically approved
7. Phishing with Gifts as Bait: Measurement and Analysis of Phishing Attacks within a University Environment
(English) Manuscript (preprint) (Other academic)
Identifiers
urn:nbn:se:his:diva-7229 (URN)
Available from: 2013-02-13 Created: 2013-02-13 Last updated: 2013-02-14 Bibliographically approved

Open Access in DiVA

Full text not available in DiVA

Other links

http://urn.kb.se/resolve?urn=urn:nbn:se:su:diva-8379

Person records

Nohlberg, Marcus
