
Social Engineering Penetration Testing in Higher Education Institutions

  • Conference paper
  • Advances in Computer Science for Engineering and Education VI (ICCSEEA 2023)

Abstract

Social engineering penetration testing is a complex but necessary tool for testing the security of information systems. Such testing requires balancing the organization’s benefit against the comfort of the information system’s users. Penetration testing raises complex ethical concerns because it affects people who do not expect it; at the same time, it is effective only when it mimics a real situation as closely as possible, i.e. when it is unexpected. The authors describe a methodology for social engineering penetration testing of an educational institution’s information system and substantiate an experiment design that balances ethical precautions against the effectiveness of testing. They formulate a set of markers that they use to reduce the negative impact of the attack on users of the information system and to help users identify the true nature of the attack. The experiment conducted by the authors shows the progression of a phishing attack aimed at a large number of system users and its effectiveness. It also reveals the challenges such an attack poses to the information system staff, who have to respond to it effectively and in time. The experiment shows that half of the responses were received in the first 40 min after mailing. In conclusion, the authors analyze the suggested design of the social engineering penetration testing experiment, ways to respond to real attacks of this kind, and ways to raise respondents’ awareness. Directions for possible future research are outlined. The value of this research lies in its subjects: students of a higher education institution who work with information constantly. Their neglect of personal information indicates the need to introduce information hygiene courses starting from the very first year of study.



Acknowledgment

The authors are grateful to Borys Grinchenko Kyiv University administration for assistance in conducting experiments, as well as personally to the deputy head of IT in the Education Laboratory Oksana Buinytska for successfully detecting attack simulation and prompt response.

Corresponding author: Volodymyr Sokolov


Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this paper

Marusenko, R., Sokolov, V., Skladannyi, P. (2023). Social Engineering Penetration Testing in Higher Education Institutions. In: Hu, Z., Dychka, I., He, M. (eds) Advances in Computer Science for Engineering and Education VI. ICCSEEA 2023. Lecture Notes on Data Engineering and Communications Technologies, vol 181. Springer, Cham. https://doi.org/10.1007/978-3-031-36118-0_96
