A Framework for Conceptualizing Social Engineering Attacks

  • Jose J. Gonzalez
  • Jose M. Sarriegi
  • Alazne Gurrutxaga
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4347)

Abstract

At the highest abstraction level, an attempt by a social engineer to exploit a victim organization either attempts to achieve some specific target (denial of service, steal an asset, tap some particular information) or it wishes to maximize an outcome, such as to disable the organization by a terrorist attack or establish a permanent parasitic relationship (long-term espionage). Seen as dynamic processes, the first kind of exploit is a controlling (“balancing”) feedback loop, while the second kind is a reinforcing feedback loop. Each type of exploit meets a first line of defense in control processes or in escalating (“reinforcing”) processes of resistance. The possible combinations of the two modes of attack and the two modes of defense yield four archetypes of exploit and natural defense. Predictably, the social engineer would seek to outsmart the first line of defense; it is shown that each archetype implies a particular strategy to do so. Anticipation of these modes of attack must be the starting point for an effective multi-layered defense against social engineering attacks.

Keywords

Social engineering, critical infrastructure, pattern recognition, system archetype, system dynamics, information security



Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Jose J. Gonzalez (1)
  • Jose M. Sarriegi (2)
  • Alazne Gurrutxaga (3)

  1. Faculty of Engineering and Science, Research Cell “Security and Quality in Organizations”, Agder University College, Grimstad, Norway
  2. NISlab, Gjøvik University College, Gjøvik, Norway
  3. Tecnun (University of Navarra), San Sebastian, Spain