Abstract
Social engineering penetration testing is a complex but necessary tool for testing the security of information systems. Such testing requires balancing the benefit to the organization against the comfort of the information system's users. Penetration testing poses complex ethical concerns for people who do not expect it; at the same time, it is effective only when it mimics a real situation as closely as possible, i.e. when it is unexpected. The authors describe a methodology for social engineering penetration testing of an educational institution's information system and substantiate an experimental design that balances ethical precautions against the effectiveness of testing. The authors formulate a set of markers that they use to reduce the negative impact of the attack on users of the information system and to help users identify the true nature of the attack. The experiment conducted by the authors shows the progress of a phishing attack aimed at a large number of system users and its effectiveness. The authors also reveal the challenges such an attack poses to the information system staff, who have to respond to it effectively and on time. The experiment shows that half of the responses were received within the first 40 min after mailing. Concluding the research, the authors analyze the suggested design of the social engineering penetration testing experiment, ways to respond to real attacks of this kind, and ways to raise respondents' awareness. Directions for possible future research are outlined. The value of this research lies in its object: students of a higher educational institution who constantly work with information. The observed neglect of personal information indicates the need to introduce information hygiene courses from the very first year of study.
Acknowledgment
The authors are grateful to Borys Grinchenko Kyiv University administration for assistance in conducting experiments, as well as personally to the deputy head of IT in the Education Laboratory Oksana Buinytska for successfully detecting attack simulation and prompt response.
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Marusenko, R., Sokolov, V., Skladannyi, P. (2023). Social Engineering Penetration Testing in Higher Education Institutions. In: Hu, Z., Dychka, I., He, M. (eds) Advances in Computer Science for Engineering and Education VI. ICCSEEA 2023. Lecture Notes on Data Engineering and Communications Technologies, vol 181. Springer, Cham. https://doi.org/10.1007/978-3-031-36118-0_96
DOI: https://doi.org/10.1007/978-3-031-36118-0_96
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-36117-3
Online ISBN: 978-3-031-36118-0
eBook Packages: Intelligent Technologies and Robotics (R0)