Abstract
Social engineering is the acquisition of information about computer systems by methods that rely heavily on non-technical means. While the technical security of most critical systems is high, those systems remain vulnerable to attacks by social engineers. Social engineering is a technique that: (i) does not require any (advanced) technical tools, (ii) can be used by anyone, and (iii) is cheap.
While some research exists for classifying and analysing social engineering attacks, the integration of social engineering attackers with other attackers such as software or network ones is missing so far. In this paper, we propose to consider social engineering exploits together with technical vulnerabilities. We introduce a method for the integration of social engineering exploits into attack graphs and propose a simple quantitative analysis of the graphs that helps to develop a comprehensive defensive strategy.
Notes
1. Dimensional Research Study about Social Engineering, http://www.checkpoint.com/press/downloads/social-engineering-survey.pdf
2. SANS Institute InfoSec Reading Room, http://www.sans.org/reading-room/whitepapers/engineering/threat-social-engineering-defense-1232
Acknowledgements
This paper was partially supported by ARTEMIS Joint Undertaking SESAMO project, POR-CREO 2007-2013 Secure! regional project, PRIN Security Horizons project and the Ministry of Innovation, Science, Research and Technology of the German State of North Rhine-Westphalia and EFRE (Grant No. 300266902).
Copyright information
© 2015 Springer International Publishing Switzerland
Cite this paper
Beckers, K., Krautsevich, L., Yautsiukhin, A. (2015). Analysis of Social Engineering Threats with Attack Graphs. In: Garcia-Alfaro, J., et al. (eds.) Data Privacy Management, Autonomous Spontaneous Security, and Security Assurance. DPM/QASA/SETOP 2014. Lecture Notes in Computer Science, vol. 8872. Springer, Cham. https://doi.org/10.1007/978-3-319-17016-9_14
DOI: https://doi.org/10.1007/978-3-319-17016-9_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-17015-2
Online ISBN: 978-3-319-17016-9
eBook Packages: Computer Science (R0)