Human - The Biggest Barrier in Combating Threat from Social engineering
Abstract: Organizations are taking computer security more seriously every day, investing huge amounts of money in creating stronger defenses including firewalls, anti-virus software, biometrics and identity access badges. These measures have made the business world more effective at blocking threats from the outside, and made it increasingly difficult for hackers or viruses to penetrate systems. But there are still threats that put organizations at risk, and these threats do not necessarily come from external attackers. In this paper we will analyze what the internal threats in organizations are, why we are vulnerable, and the best methods to protect our organizations from the inside.
In order to fully understand security, people must be understood, specifically people’s relationship with information technology networks.
However, very little existing research has studied the relationship of people to information technology networks. This work plans to contribute to the body of research that exists about social engineering, to try to define and understand the problem of social engineering so that solutions can eventually exist that will increase the security of knowledge and eliminate the security hole people so often create.
Literature review:
Introduction
Miles Orvell, a professor at Temple University, wrote: “One indication that a new scholarly field is emerging is the appearance of the conferences, journals and books on that theme.” Judging by this criterion, ITSE still has a long way to go. In this chapter, I will lay out some of the work that has been done and highlight some large holes in ITSE research.
Curriculum Research
Douglas Twitchell of Illinois State University proposed a curriculum to teach social engineering attacks and defenses. In his study he showed that social engineering is only briefly mentioned in about 30% of security curricula and that ITSE defenses are never taught.
Agent Based Research
Some of the most interesting and newest research into social engineering was first proposed by Stephanie White in 2003 and involves an agent
The topic I chose to do my analysis on, concerning organizational issues related to Internet technologies and network security, is a new and emerging threat to companies called ransomware. On 23 January 2017, the Guardian (https://www.theguardian.com/books/2017/jan/23/ransomware-attack-paralyses-st-louis-libraries-as-hackers-demand-bitcoins?CMP=twt_books_b-gdnbooks) published an article reporting that over 700 computers in St Louis had been infected with ransomware, and that the city was deciding how to deal with this threat.
In today’s IT world every organization has a responsibility to protect the information and sensitive data it holds. Protecting data is not only the responsibility of security and IT staff; every individual is involved in protecting the information. The risks to information security are not only digital: they involve the technology, the people and the processes that an organization has. These threats may present problems whose solutions are complex and expensive, but doing nothing about these risks is not the solution.
According to Mitnick, social engineering in information security simply means the psychological manipulation of people so that they divulge confidential information. It involves some kind of confidence trick with the aim of gathering information, committing fraud or gaining access to the system. This is very different from traditional conning, but it is one of the steps in a social engineering process that is more complex.
Reconnaissance – Attackers may depend on social engineering to gain information, access, and data about a company's inner workings. This includes finding out policies and office building security protocols, and even dumpster diving for any information that could be used to initiate a scanning procedure. Countermeasures for these methods include enforcing employee compliance with security policies; constantly training employees in the social engineering methods used by attackers, including phone conversations that pressure an employee into disclosing any type of company information, no matter how innocent the information may seem (an alternative for employees is to refer the caller to the company’s website); installation of security cameras; and use
Social Engineering is the hardest form of attack to defend against because it cannot be defended with hardware or software alone.
In this day and age, where information is the new currency on the block, criminals are increasingly seeking to acquire this information. The book highlights the different techniques and attacks of the social engineer and how easily we are persuaded into thinking that technology has secured us from these attacks. He shows this through a variety of stories that actually happened, as indications of our negligence toward these attacks, but also points out ways that we can protect ourselves from these attacks and become less victimized by the social engineer. He gets us to look through
Social Engineering from the outset may seem like a topic one might hear when talking about sociology or psychology, when in fact it is a form of identity theft. To an information technology (IT) professional, Social Engineering is a form of voluntary, unintentional identity theft. Many victims fail to realize they are being victimized until it is too late, while many others may never know. This paper will provide a definition of social
An ordinary social engineer would be interested in finding various exploits in order to accomplish his goal. In the process, he will interact with people in a friendly way and try to extract or compromise information as a result. One strategy that a social engineer would use is to find a way to infiltrate the targeted community. For this he needs to dress properly and adopt respectable, unsuspicious behavior toward the target. The hacker may play diverse roles and on occasion supply credentials in such a way as to establish legitimacy in the mind of the victim. Before the victim realizes it, the attacker will already have extracted all the information he needs from the victim.
Social engineering is often referred to as a technique in which a person uses deception to gain trust and to fool another person into providing information that he/she would not typically give freely, for malicious purposes. However, some would argue this definition should be broadened to include that it may or may not be for malicious intent, as some professions use social engineering for testing security measures (Hadnagy, 2011). For the remainder of the paper, social engineering refers to that with malicious intent.
The survey went out to 5412 security practitioners, and 351 experts returned the surveys (Richardson, 2011). The survey participants are people who have either attended a CSI event or have an interest in security and are concerned with making improvements to security. The survey is an anonymous questionnaire that provides information about what security specialists are facing in the industry. The responses come from specialists in various different types of groups within the private and public
Social Engineering, as defined by IT professionals, is the practice of deceiving someone, either in person, over the phone or using a computer, with the express intent of breaching some level of security, either personal or professional (Ledford, 2011). Implementing quality risk analysis solutions while maintaining data integrity is a crucial element of successful system modeling; within the context of social engineering in the workplace, there are several factors that can make implementing those solutions rather challenging. Social engineering is a type of
Over the last few years, there is one factor that has been prevalent in the majority of data security breaches. It is the manipulation of the organization's employees into providing the hacker with private or confidential information without realizing it. The use of social engineering and fraud in data breaches has been steadily increasing over the last few years. It is the job of a security professional to ensure that network data remains confidential, has integrity, and is available. All three can be compromised by the risk of social engineering.
Both the government and the private sector have been aware of the threat social engineering poses to information security since the 1980s, but it has only gained public notoriety within the last decade. Still, while today's corporations may be prepared for a raid by anonymous cyber-terrorists striking from overseas, they continue to turn a blind eye to the dangers of socially engineered attacks. Thanks to a combination of corporate oversight and poor employee training, hackers with zero coding knowledge are able to penetrate their secured buildings and wreak havoc. In order to combat this vulnerability, the Department of Homeland Security should take an active role in the operational security of major American businesses through extensive auditing and employee training.
Information Security requires internal controls to protect confidential information from external intruders, and to protect it from internal intruders' unauthorized access. The purpose and scope of this project is to address how businesses can use internal control techniques to protect employee, customer, and business information from unauthorized intruders. Internal controls determine how information can be accessed and used, as well as by whom.
It is the manipulation of people through deception, lies, fabricated stories and tricks. Social engineers influence and persuade people to obtain information with or without the use of technology. Social engineering is a powerful tool used by cyber criminals, especially on seniors because of their level of trust.