SwePub

Result list for search "(WFRF:(Nohlberg Marcus)) srt2:(2005-2009)"

  • Results 1-10 of 19
1.
  • Huber, Markus, et al. (author)
  • Towards Automating Social Engineering Using Social Networking Sites
  • 2009
  • In: 2009 International Conference on Computational Science and Engineering. - : IEEE Computer Society. - 9780769538235 ; , pp. 117-124
  • Conference paper (peer-reviewed). Abstract:
    • A growing number of people use social networking sites to foster social relationships among each other. While the advantages of the provided services are obvious, drawbacks on a user’s privacy and arising implications are often neglected. In this paper we introduce a novel attack called automated social engineering which illustrates how social networking sites can be used for social engineering. Our approach takes classical social engineering one step further by automating tasks which formerly were very time-intensive. In order to evaluate our proposed attack cycle and our prototypical implementation (ASE bot), we conducted two experiments. Within the first experiment we examine the information gathering capabilities of our bot. The second evaluation of our prototype performs a Turing test. The promising results of the evaluation highlight the possibility to efficiently and effectively perform social engineering attacks by applying automated social engineering bots.
3.
  • Nohlberg, Marcus, et al. (author)
  • Ask and you shall know : Using interviews and the SBC model for social-engineering penetration testing
  • 2008
  • In: IMETI - Int. Multi-Conf. Eng. Technol. Innov., Proc.. - Orlando : International Institute of Informatics and Systemics. - 1934272434 - 9781934272435 ; , pp. 121-128
  • Conference paper (peer-reviewed). Abstract:
    • This paper presents the result of a case study where the SBC model was used as a foundation to perform semi-structured interviews to test the security in a medical establishment. The answers were analyzed and presented in an uncomplicated graph. The purpose was to study the feasibility of letting the users participate, instead of exploiting their weaknesses. It was found that the approach of interviewing the subjects rendered interesting, and relevant, results, making it an approach that should be studied further due to its apparent gains: less ethically troublesome penetration testing, increased awareness, improved coverage and novel information as added bonuses.
5.
  • Nohlberg, Marcus, et al. (author)
  • Measuring Readiness for Automated Social Engineering
  • 2008
  • In: Proceedings of the 7th Annual Security Conference, Las Vegas, USA, June 2-3, 2008 [CD-ROM]. - 9781935160014 ; , pp. 20.1-20.13
  • Conference paper (peer-reviewed). Abstract:
    • This paper presents the result of a case study of the readiness of four large Swedish multinational corporations to deal with automated social engineering attacks. A preliminary study to review how the security policy of a large corporation deals with social engineering attacks was performed. The results from this study were combined with a conceptual model of social engineering when constructing a new interview protocol and a grading scale. This interview protocol was designed to measure the readiness of an organization to deal with social engineering attacks in general, and in this case with automated social engineering in particular. Four interviews were conducted with senior security managers and senior employees. Results indicate that no organization was over 60% on the readiness scale and thus all are considered at risk of attack.
7.
  • Nohlberg, Marcus, et al. (author)
  • Non-Invasive Social Engineering Penetration Testing in a Medical Environment
  • 2008
  • In: Proceedings of the 7th Annual Security Conference [CD-ROM]. - 9781935160014 ; , pp. 22.1-22.13
  • Conference paper (peer-reviewed). Abstract:
    • This paper proposes a soft approach for social engineering penetration testing. By using the SBC model as a foundation, questions related to the social element of security were asked in semi-structured interviews to a group of subjects. The answers were analyzed and presented in an uncomplicated graph. The purpose was to study the feasibility of letting the users participate, instead of exploiting their weaknesses. It was found that the approach of interviewing the subjects rendered interesting, and relevant, results, making it an approach that should be studied further due to its apparent gains: less ethically troublesome penetration testing, increased awareness, improved coverage and novel information as added bonuses.
9.
  • Nohlberg, Marcus (author)
  • Securing Information Assets : Understanding, Measuring and Protecting against Social Engineering Attacks
  • 2008
  • Doctoral thesis (other academic/artistic). Abstract:
    • Social engineering denotes, within the realm of security, a type of attack against the human element during which the assailant induces the victim to release information or perform actions they should not. Our research on social engineering is divided into three areas: understanding, measuring and protecting. Understanding deals with finding out more about what social engineering is, and how it works. This is achieved through the study of previous work in information security as well as other relevant research areas. The measuring area is about trying to find methods and approaches that put numbers on an organization’s vulnerability to social engineering attacks. Protecting covers the ways an organization can use to try to prevent attacks. A common approach is to educate the users on typical attacks, assailants, and their manipulative techniques. In many cases there are no preventive techniques, dealing with the human element of security, in place. The results show that social engineering is a technique with a high probability of success. Furthermore, defense strategies against it are complicated, and susceptibility to it is difficult to measure. Important contributions are a model describing social engineering attacks and defenses, referred to as the Cycle of Deception, together with a thorough discussion on why and how social engineering works. We also propose new ways of conducting social engineering penetration testing and outline a set of recommendations for protection. It is crucial to involve managers more, but also to train the users with practical exercises instead of theoretical education, for example, by combining measuring exercises and penetration testing with training. We also discuss the future threat of Automated Social Engineering, in which software with a simple form of artificial intelligence can be used to act as humans using social engineering techniques online, making it quite hard for Internet users to trust anyone they communicate with online.
10.
  • Nohlberg, Marcus (author)
  • Social Engineering Audits Using Anonymous Surveys : Conning the Users in Order to Know if They Can Be Conned
  • 2005
  • In: CD-ROM Proceedings of the 4th Security Conference, Las Vegas, USA, 30-31 March 2005.
  • Conference paper (peer-reviewed). Abstract:
    • It is important to know the security readiness of any organization in order to strengthen it. One often neglected aspect of security is the human element, which is often attacked by “social engineering” techniques. This paper studies to what extent users are aware and susceptible to common social engineering attacks, and if a quantitative approach to penetration testing of social engineering can be used. By employing a quantitative study under the false pretense of studying “micro efficiency”, an organization with above average skilled users was surveyed on three classic social engineering cons. The results indicate that the approach could be useful as a part of, or as a stand alone auditing technique. The human element is not only vulnerable, but vulnerable to the extent that it shadows most other security measures. The author argues for the necessity of education in order to counter the serious threat of social engineering, since it in many cases complies with the principle of adequate protection.