294 research outputs found

    The Australian Cyber Security Centre threat report 2015

    Introduction: The number, type and sophistication of cyber security threats to Australia and Australians are increasing. Due to the varied nature of motivations for cyber adversaries targeting Australian organisations, organisations could be a target for malicious activities even if they do not think the information held on their networks is valuable, or that their business would be of interest to cyber adversaries. This first unclassified report by the ACSC describes the range of cyber adversaries targeting Australian networks, explains their motivations, the malicious activities they are conducting and their impact, and provides specific examples of activity targeting Australian networks during 2014. This report also offers mitigation advice on how organisations can defend against these activities. The ACSC’s ability to detect and defend against sophisticated cyber threats continues to improve. But cyber adversaries are constantly improving their tradecraft in their attempts to defeat our network defences and exploit the new technologies we embrace. There are gaps in our understanding of the extent and nature of malicious activity, particularly against the business sector. The ACSC is reaching out to industry to build partnerships to improve our collective understanding. Future iterations of the Threat Report will benefit from these partnerships and help to close gaps in our knowledge.

    A Taxonomy of Phishing: Attack Types Spanning Economic, Temporal, Breadth, and Target Boundaries

    Phishing remains a pernicious problem for organizations. Phishing attacks are increasing in sophistication, which hinders the ability of cybersecurity functions to effectively defend against them. These attacks are becoming increasingly complex, dynamic, and multifaceted to evade the organizational, individual, and technical countermeasures employed in a cybersecurity ecosystem. Information security (ISec) phishing research and practice have provided an understanding of generalized phishing attacks and their subsequent defense. Yet applying generalized phishing rules from these studies may not be sufficient to understand and defend against escalated forms of phishing. This study seeks to develop a taxonomy of phishing to provide a more nuanced understanding of this phenomenon. This taxonomy may assist ISec research in providing theoretical guidance for the understanding and defense of the various forms of phishing.

    Crime as Communication: Detecting Diagnostically Useful Information from the Content and Context of Social Engineering Attacks

    The electronic version of the dissertation does not include the publications.

    Under today's conditions of information overload, social engineering attacks of various types, reaching recipients via e-mail, phone, text messages and social media, have become increasingly frequent. Because of the combined effect of divided attention, the strong emotions evoked by received messages and the default assumption of truth-telling, falling victim to social engineering attacks is a deepening problem that brings both financial and psychological harm. The aim of the doctoral thesis “Crime as Communication: Detecting Diagnostically Useful Information from the Content and Context of Social Engineering Attacks” is to find out what information relevant to preventing social engineering attacks recipients can obtain from the content and context of the messages used to carry out the attacks. To achieve this aim, the dissertation presents the crime-as-communication approach, which proceeds from the premise that every activity in a technology-mediated environment arises from and depends on communication. The results of text and content analysis of e-mails collected in the studies underlying the thesis and of descriptions of scams reported in international media outlets made it possible to identify several pieces of information useful for detecting social engineering attacks. Given the variety of channels used in any particular social engineering attack, such as e-mails or phone calls, it is more important to understand the significance of an open channel existing between the sender and the recipient of a message. Where an open channel exists, the perpetrators of social engineering attacks use both the lure of gain and the threat of loss to steer recipients into actions that harm them. Some cybercriminals also adapt the content of the messages used in social engineering attacks so that they fit a social context that is salient at the time of sending, such as the COVID-19 pandemic.

    Under the current circumstances of information overload, social engineering attacks that reach recipients via e-mail, phone calls, text messages and social media have become an increasingly common occurrence. Our exhausted ability to pay attention, the strong emotions created by received messages and the default expectation of truth-telling have combined into a state where falling victim to social engineering attacks is a growing problem with severe financial and psychological consequences for the victims. For the purpose of preventing successful social engineering attacks, the dissertation “Crime-as-Communication: Detecting Diagnostically Useful Information from the Content and Context of Social Engineering Attacks” sought to find out the types of diagnostically useful information available to recipients from the content and context of social engineering attacks. To achieve this aim, the dissertation developed the Crime-as-Communication approach, which follows from the premise that all activities in technology-mediated environments are rooted in and dependent upon communication. Based on the results of qualitative text analysis and qualitative and quantitative content analysis applied to e-mails and descriptions of social engineering attacks reported in international media outlets, the dissertation established multiple informational aspects that help people detect social engineering attacks. Due to the variety of media, such as e-mails and phone calls, used in carrying out social engineering attacks, it is more important to acknowledge the overall significance of an open channel between message senders and recipients. Where an open channel is present, perpetrators use both gain-based appeals and loss-based threats to guide recipients into taking actions that end up harming them. Furthermore, some cybercriminals adapt the content of scam messages to fit the social context salient at the time of circulating the messages, such as the COVID-19 pandemic.

    https://www.ester.ee/record=b546643

    Assessing Generational Differences in Susceptibility to Social Engineering Attacks. A Comparison Between Millennial and Baby Boomer Generations

    In the age of the digital society, social engineering attacks are very successful and, unfortunately, users are unable to protect themselves against such attacks. Social engineering is a complex problem, which makes it very difficult to distinguish the most vulnerable users. Such attacks are not aimed only at young people and employees but are broad in scope regardless of age. Because of the rapid growth of technology and its misuse, everyone is affected by such attacks; everyone is vulnerable (Purkait, 2012; Aggarwal et al., 2012). Users are considered the "weakest link" of security (Mohebzada et al., 2012; Mitnick and Simon, 2011), and so protecting confidential information should be everyone's goal. Although various solutions exist for training users to avoid such attacks, phishing continues to succeed (Dhamija et al., 2006). This is mainly because cyber awareness trainings, theoretical courses or frameworks are assumed to be equally effective for all users regardless of their age, although experience shows that this is not true (Alseadoon, 2014). For trainings to be effective, it is essential that they are designed around the social engineering security weaknesses, which differ between age groups. The aim of this work is to identify the unique characteristics (demographic and personality) of generations and the factors of their vulnerability. On that basis, a framework has been created that can be implemented and that addresses these weaknesses. Taking into account the complexity of the problem, this research shows that further studies are needed from a broader perspective, adding the "generation" element to the research objectives to find out whether there are differences in vulnerability risk across generations. This research uses both qualitative and quantitative methods to achieve its objectives. In assessing the effectiveness of the phishing attack, users' behaviour is analysed and given a psychological interpretation. The first research question focuses on identifying the factors of vulnerability to social engineering, and the quantitative data (statistical analysis) show that generation is an important element in distinguishing potential social engineering victims, whereas computer skills and educational level do not play a significant role in assessing the likelihood of users falling victim to such attacks. Based on the above factors and previous studies, gender is also not a determining factor in predicting vulnerability (Parsons et al., 2013). The second research question seeks to explain what causes the differences in vulnerability between generations, and the study's results show that the personality traits of Generation Y, including consciousness, extraversion and agreeableness, are the main factors influencing vulnerability. Finally, in addition to laying a strong foundation for future research on generational vulnerability, this work proposes a framework that takes the above findings into account and aims to reduce Generation Y's vulnerability to social engineering attacks. The uniqueness of this master's thesis lies in its overall approach: starting with an extensive literature review to identify the factors of "generational" vulnerability, continuing with statistical analysis to assess vulnerabilities, and concluding with a proposed solution that helps address the "generational" security problem.

    In the age of digital society Social Engineering attacks are very successful and unfortunately users still cannot protect themselves against these threats. Social Engineering is a very complex problem, which makes it difficult to differentiate among vulnerable users. These attacks not only target young users or employees; they target massively, regardless of the users' age. Due to the rapid growth of technology and its misuse, everyone is affected by these attacks, everyone is vulnerable to them (Purkait, 2012; Aggarwal et al., 2012). Users are considered the "weakest link" of security (Mohebzada et al., 2012; Mitnick and Simon, 2011) and as such, protecting confidential information should be the ultimate goal of all people. However, despite the fact that a number of different strategies exist to educate or train end users to avoid these attacks, they still fall for them; phishing still succeeds (Dhamija et al., 2006). This is mainly because the existing security awareness trainings, theoretical courses, or frameworks are expected to be equally effective for all users regardless of their age, but experience has shown that this is not true (Alseadoon, 2014). In order for these security trainings to be effective, it is essential that they are composed based on the Social Engineering security weaknesses attributed differently to different generations. Identifying the unique characteristics (demographic and personality) of generations, the determinants of their vulnerability, is what this work aims to do. Frameworks crafted based on that information (addressing these weaknesses) would then be of use and worth implementing. Therefore, taking into consideration the complexity of this problem, this study suggests that there is a need to research it from a broader perspective, adding the "generation" element into the study focus to find out if there is indeed any difference in susceptibility among generational cohorts. In order to do so, this research adopts both qualitative and quantitative methods towards reaching its objectives. Collected data on users' performance in a phishing assessment are analyzed and a psychological interpretation of the results is provided. Thus, the first research question seeks to address what factors determine end users' vulnerability to Social Engineering, and results from quantitative data (statistical analysis) show that generation is an important element to differentiate potential victims of Social Engineering, whilst computer efficacy or educational level do not play any noteworthy role in predicting end users' likelihood of falling for these threats. Consistent with the above elements and previous studies, gender also shows no potential for predicting susceptibility (Parsons et al., 2013). The second research question aims to explain what makes generations differ in susceptibility, and this study's findings propose that generation Y personality traits such as consciousness, extraversion and agreeableness are key influencers of their shown vulnerability. Finally, along with establishing strong foundations for future research in studying generations' susceptibility to Social Engineering, this thesis employs these findings in proposing a framework aiming to lessen millennials' likelihood of Social Engineering victimization. The originality of this study lies in its overall approach: starting with an exhaustive literature review towards identifying factors impacting generations' susceptibility level, then statistically measuring their vulnerability, and finishing with a solution proposal crafted to suit the observed generational security weaknesses.

    Information Systems Betrayal: When Cybersecurity Systems Shift from Agents of Protection to Agents of Harm

    Cybersecurity systems provide a unique opportunity for study as they can be used as agents of both protection and harm. Practice turns these systems of protection against employees through the use of red team and black hat tactics for perimeter testing, as well as invasive, complex monitoring for defense against internal threats. It is important to understand the effects of these actions on end users. This study seeks to understand the effects of these cybersecurity practices on individuals through the perspectives of trust, betrayal, aversion, and resistance. An integrative model is built and employed to understand the formation and consequences of IS betrayal.

    DEFENDING AGAINST SPEAR PHISHING: MOTIVATING USERS THROUGH FEAR APPEAL MANIPULATIONS

    Phishing is a pervasive form of online fraud that causes billions in losses annually. Spear phishing is a highly targeted and successful type of phishing that uses socially engineered emails to defraud most of its recipients. Unfortunately, anti-phishing training campaigns struggle with effectively fighting this threat—partially because users see security as a secondary priority, and partially because users are rarely motivated to undergo lengthy training. An effective training approach thus needs to be non-disruptive and brief so as to avoid being onerous, and yet needs to inspire dramatic behavioral change. This is a tremendous, unsolved challenge that we believe can be solved through a novel application of theory: using fear appeals and protection-motivation theory (PMT), we outline how brief training can educate users and evoke protection motivation. We further invoke construal-level theory (CLT) to explain how fear appeals can stimulate threat perceptions more quickly and more powerfully. This research-in-progress study further proposes a field experiment to verify the effectiveness of our proposed training approach in an ecologically valid environment. Overall, we (1) improve training based on PMT and CLT, (2) expand PMT for guiding fear appeal design, and (3) demonstrate a full application of CLT.