Investigating the Effect of Social Engineering Techniques on Employees' Vulnerability (Case Study: Tehran Municipality Employees)

Document Type: Original Article

Authors

1 PhD student in Communication Sciences, Science and Research Unit, Islamic Azad University, Tehran, Iran

2 Assistant Professor, Department of Communication, Journalism and Media, Central Tehran Branch, Islamic Azad University, Tehran, Iran

Abstract

Social engineering is the art of deceiving people so that, without any use of force or threat, they do something or provide information to the social engineer. Social engineering can serve self-interest or organizational or national interests. Hackers, criminals, spies, saboteurs and others all use social engineering to achieve their goals, and the social engineer draws on a variety of techniques. This study examined the effect of these techniques on people's vulnerability, using a mixed method (qualitative and quantitative) to measure that effect. First, the various social engineering techniques, together with the vulnerabilities they exploit, were obtained by reviewing previous research and interviewing experts in the field of social engineering, and the techniques were categorized as technical, social, physical and technical-social. Then, in the quantitative stage, a questionnaire with items in Likert-scale form was created and administered to the target community (employees of Tehran Municipality), and the degree of people's vulnerability to each type of social engineering technique was obtained. It was found that the target population's vulnerability is greatest to technical techniques, followed by social, technical-social and physical techniques, in that order. To prevent social engineering, human-driven and technology-based solutions were proposed: the human-centered solutions rest mainly on training personnel, and the IT-based solutions on providing the right equipment and computers and creating a proper information-access cycle in organizations.

Keywords



Volume 11, Issue 1 (Serial Number 41), No. 41, Spring, May 2023, Pages 31-46
  • Receive Date: 04 January 2022
  • Revise Date: 25 February 2022
  • Accept Date: 24 December 2022
  • Publish Date: 22 May 2023