The Design and Evaluation of an Interactive Social Engineering Training Programme
Social engineering is a major issue affecting organisational security. Educating employees on
how to avoid social engineering attacks is important because social engineering tries to
penetrate an organisation by using employees to grant authorized access to sensitive
information. While there are a number of theoretical studies about social engineering, a few
practical studies have moved towards educating and training employees on how to spot such
attacks. In this research, we emphasise the importance of educating employees to make them
more resilient to these kinds of attacks.
We developed an educational video encapsulated within a Social Engineering Training
Programme. This is essentially an interactive training video during which the learner interacts
with three different scenarios: educational content, a knowledge check, and a web page
containing the latest news about current social engineering attacks.
The training programme was evaluated in a Saudi trading company with 24 employees. The
evaluation showed that the programme delivered a positive impact in terms of awareness, as
tested by a post-training qui
Seen the villains: detecting social engineering attacks using case-based reasoning and deep learning
Social engineering attacks are frequent, well-known and easy-to-apply attacks in the cyber domain. Historical evidence of such attacks has shown that the vast majority of malicious attempts against both physical and virtual IT systems were based on or initiated using social engineering methods. Recognising the importance of efficiently tackling cybersecurity threats, and using recent developments in machine learning, case-based reasoning and cybersecurity, we propose and demonstrate a two-stage approach that detects social engineering attacks and is based on natural language processing, case-based reasoning and deep learning. Our approach can be applied to offline texts or real-time environments and can identify whether a human, chatbot or offline conversation is a potential social engineering attack or not. Initially, the conversation text is parsed and checked for grammatical errors using natural language processing techniques and case-based reasoning; deep learning is then used to identify and isolate possible attacks. Our proposed method is evaluated using both real and semi-synthetic conversation points, with high accuracy results. Comparison benchmarks are also presented for both datasets.
Semantic Detection of Targeted Attacks Using DOC2VEC Embedding
The targeted attack is one of the social engineering attacks. Detection of this type of attack is considered a challenge, as it depends on semantic extraction of the attacker's intent. However, previous research has primarily relied on Natural Language Processing or Word Embedding techniques that lack the context of the attacker's text message. Based on Sentence Embedding and machine learning approaches, this paper introduces a model for semantic detection of targeted attacks. This model has the advantage of encoding relevant information, which helps to improve the performance of the multi-class classification process. Messages are categorised based on the type of security rule that the attacker has violated. The suggested model was tested using a dialogue dataset taken from phone calls, which was manually categorised into four categories. The text is pre-processed using natural language processing techniques, and the semantic features are extracted as Sentence Embedding vectors that are augmented with security policy sentences. Machine learning algorithms are applied to classify the text messages. The experimental results show that sentence embeddings with doc2vec achieved a high prediction accuracy of 96.8%, outperforming the method previously applied to the same dialogue dataset.
Generic Taxonomy of Social Engineering Attack
Social engineering is a type of attack that allows unauthorised access to a system to achieve a specific objective. Commonly, the purpose is to obtain information for the social engineer. Some successful social engineering attacks obtain victims' information via a human-based retrieval approach, for example techniques such as dumpster diving or shoulder surfing to gain access to a password. Alternatively, victims' information can also be stolen using technical-based methods such as pop-up windows, email or web sites to obtain the password or other sensitive information. This research performed a preliminary analysis of social engineering attack taxonomy that emphasised types of technical-based social engineering attack. The results of the analysis serve as a guideline for proposing a new generic taxonomy of Social Engineering Attack (SEA).
Social engineering in the internet of everything
The Internet of Everything is becoming a reality, with fridges, smart TVs, cars, medical monitoring equipment and industrial control systems all communicating via the Internet. There have already been cases where smart toys have been exploited by hackers to steal personal information. Social engineering attacks on these devices, which have little or no security, are already a reality, with hackers being quick to exploit any weakness in cyberspace. This article reviews past cases, gives three scenarios which could lead to the owner of an IoT device giving private information to hackers, and then proposes defence recommendations.