
Analysis of Social Engineering Threats with Attack Graphs

  • Conference paper
  • In: Data Privacy Management, Autonomous Spontaneous Security, and Security Assurance (DPM 2014, QASA 2014, SETOP 2014)

Abstract

Social engineering is the acquisition of information about computer systems by methods that rely heavily on non-technical means. While the technical security of most critical systems is high, the systems remain vulnerable to attacks by social engineers. Social engineering is a technique that (i) does not require any (advanced) technical tools, (ii) can be used by anyone, and (iii) is cheap.

While some research exists on classifying and analysing social engineering attacks, the integration of social engineering attackers with other attackers, such as software or network attackers, has so far been missing. In this paper, we propose to consider social engineering exploits together with technical vulnerabilities. We introduce a method for integrating social engineering exploits into attack graphs and propose a simple quantitative analysis of the graphs that helps to develop a comprehensive defensive strategy.
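As an added illustration of the abstract's thesis (not code from the paper), the following attack graph compares the cheapest attack path when only technical exploits are modelled against the path when social-engineering exploits are added, and ranks single mitigations by how much removing one exploit raises the remaining attack cost. The cost metric, node names, exploit labels and numbers are all assumptions constructed here, not the paper's own quantitative analysis.

```python
import heapq
from typing import Dict, List, Tuple

# An attack graph edge: (attacker state before, state after, exploit, cost).
# All names and costs are constructed for illustration, not from the paper.
Edge = Tuple[str, str, str, float]

TECHNICAL: List[Edge] = [
    ("internet", "dmz_web", "web app RCE (patched, hard)", 9.0),
    ("dmz_web", "internal_net", "pivot via firewall misconfig", 6.0),
    ("internal_net", "db_server", "db privilege escalation", 5.0),
    ("internal_net", "db_server", "unpatched db service exploit", 7.0),
]
SOCIAL: List[Edge] = [
    ("internet", "employee_creds", "phishing e-mail", 2.0),
    ("employee_creds", "internal_net", "VPN login with stolen creds", 1.0),
]

def cheapest_attack_path(edges: List[Edge], start: str, goal: str) -> Tuple[float, List[str]]:
    """Dijkstra over attacker cost. Returns (cost, exploit sequence);
    cost is inf and the sequence empty when the goal is unreachable."""
    adj: Dict[str, List[Tuple[str, str, float]]] = {}
    for src, dst, label, cost in edges:
        adj.setdefault(src, []).append((dst, label, cost))
    frontier: List[Tuple[float, str, List[str]]] = [(0.0, start, [])]
    settled: Dict[str, float] = {}
    while frontier:
        cost, node, path = heapq.heappop(frontier)
        if node == goal:
            return cost, path
        if settled.get(node, float("inf")) <= cost:
            continue
        settled[node] = cost
        for dst, label, c in adj.get(node, []):
            heapq.heappush(frontier, (cost + c, dst, path + [label]))
    return float("inf"), []

def best_single_mitigation(edges: List[Edge], start: str, goal: str) -> Tuple[str, float]:
    """Remove each exploit in turn and report the one whose removal raises the
    cheapest remaining attack cost the most (a naive defensive prioritisation)."""
    best_label, best_cost = "", -1.0
    for i, (_, _, label, _) in enumerate(edges):
        remaining = edges[:i] + edges[i + 1:]
        cost, _ = cheapest_attack_path(remaining, start, goal)
        if cost > best_cost:
            best_label, best_cost = label, cost
    return best_label, best_cost
```

With the constructed costs, the technical-only graph needs a cost of 20 to reach `db_server`, while adding the two social-engineering edges lowers it to 8, and the single mitigation that helps most is the one on the phishing step rather than on any technical exploit.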



Acknowledgements

This paper was partially supported by ARTEMIS Joint Undertaking SESAMO project, POR-CREO 2007-2013 Secure! regional project, PRIN Security Horizons project and the Ministry of Innovation, Science, Research and Technology of the German State of North Rhine-Westphalia and EFRE (Grant No. 300266902).

Author information

Corresponding author: Artsiom Yautsiukhin.


Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Beckers, K., Krautsevich, L., Yautsiukhin, A. (2015). Analysis of Social Engineering Threats with Attack Graphs. In: Garcia-Alfaro, J., et al. Data Privacy Management, Autonomous Spontaneous Security, and Security Assurance. DPM/QASA/SETOP 2014. Lecture Notes in Computer Science, vol 8872. Springer, Cham. https://doi.org/10.1007/978-3-319-17016-9_14

  • DOI: https://doi.org/10.1007/978-3-319-17016-9_14
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-17015-2
  • Online ISBN: 978-3-319-17016-9
  • eBook Packages: Computer Science (R0)