28 research outputs found

    Refining the PoinTER “human firewall” pentesting framework

    Purpose: Penetration tests have become a valuable tool in the cyber security defence strategy, in terms of detecting vulnerabilities. Although penetration testing has traditionally focused on technical aspects, the field has started to realise the importance of the human in the organisation, and the need to ensure that humans are resistant to cyber-attacks. To achieve this, some organisations “pentest” their employees, testing their resilience and ability to detect and repel human-targeted attacks. In a previous paper we reported on PoinTER (Prepare TEst Remediate), a human pentesting framework tailored to the needs of SMEs. In this paper, we propose improvements to refine our framework. The improvements are based on a derived set of ethical principles that have been subjected to ethical scrutiny.
    Methodology: We conducted a systematic literature review of academic research, a review of actual hacker techniques, industry recommendations and official body advice related to social engineering techniques. To meet our requirement of an ethical human pentesting framework, we compiled a list of ethical principles from the research literature, which we used to filter out techniques deemed unethical.
    Findings: Drawing on social engineering techniques from academic research, reported by the hacker community, industry recommendations and official body advice, and subjecting each technique to ethical inspection using a comprehensive list of ethical principles, we propose the refined GDPR-compliant and privacy-respecting PoinTER Framework. The list of ethical principles, we suggest, could also inform ethical technical pentests.
    Originality: Previous work has considered penetration testing humans, but few have produced a comprehensive framework such as PoinTER. PoinTER has been rigorously derived from multiple sources and ethically scrutinised through inspection, using a comprehensive list of ethical principles derived from the research literature.

    Social Engineering: I-E based Model of Human Weakness for Attack and Defense Investigations

    Social engineering is an attack aimed at manipulating a dupe into divulging sensitive information or taking actions that help the adversary bypass the secure perimeter in front of information-related resources, so that the attacker's goals can be completed. Though there are a number of security tools, such as firewalls and intrusion detection systems, which are used to protect machines from being attacked, a widely accepted mechanism to prevent dupes from being defrauded is lacking. Moreover, the human element is often the weakest link of an information security chain, especially in a human-centred environment. In this paper, we reveal that human psychological weaknesses result in the main vulnerabilities that can be exploited by social engineering attacks. We also capture two essential levels, internal characteristics of human nature and external circumstance influences, to explore the root cause of these human weaknesses. We unveil that the internal characteristics of human nature can be converted into weaknesses by external circumstance influences. On this basis, we propose the I-E based model of human weakness for social engineering investigation. Using this model, we analyse the vulnerabilities exploited by different techniques of social engineering, and we also summarise several defence approaches to fix the human weaknesses. This work can help security researchers to gain insights into social engineering from a different perspective, and in particular to enhance current and future research on social engineering defence mechanisms.

    The social psychology of cybersecurity

    Cybersecurity incidents may seem very technological in nature, but ultimately the hackers and the organisations they target are people, with their own goals, influences and beliefs. There is a danger of relying on lazy stereotypes of those involved in cybersecurity, or taking the Hollywood portrayals of hackers and cybersecurity experts as fact. Our research aims to explore the social psychological factors of this increasingly important societal issue, as well as contributing to the discussion about where psychologists should place themselves in what can be a controversial and morally complex topic.

    Towards a development of a Social Engineering eXposure Index (SEXI) using publicly available personal information

    Millions of people willingly expose their lives via Internet technologies every day, and even those who stay off the Internet find themselves exposed through data breaches. Trillions of private information records flow through the Internet. Marketers gather personal preferences to coerce shopping behavior, while providers gather personal information to provide enhanced services. Few users have considered where their information is going or who has access to it. Even fewer are aware of how decisions made in their own lives expose significant pieces of information, which cyber attackers can use to harm the very organizations they are affiliated with. While this threat can affect everyone, upper management presents a significantly higher risk due to their level of access to the critical data and finances targeted by cybercrime. Thus, the goal of this work-in-progress research is to develop and validate a means to measure the exposure to social engineering of 100 executives from Fortune 500 companies. This work-in-progress study will use a mixed methods approach combining an expert panel using the Delphi method, developmental research, and quantitative data collection. The expert panel will provide a weighted evaluation instrument, subsequently used to develop an algorithm that will form the basis for a Social Engineering eXposure Index (SEXI) using publicly available personal information found on the Internet about these executives, which will help quantify the exposure of each executive. The collected data will be quantitatively evaluated, analyzed, and presented.

    Social Engineering Cyber Threats

    The article explores the pervasive threat of social engineering in cybersecurity, emphasizing its success in infiltrating information systems by manipulating individuals rather than employing traditional hacking methods. The author underscores the vulnerability arising from human trust, as individuals, especially those lacking technology education, tend to be targets. While cryptography offers partial security, social engineering complicates overall system security. Mitigation strategies include educating employees on threats, risks, and security policies, coupled with enforcing penalties for noncompliance. Additionally, employing two-factor authentication and physical token-based access adds layers of protection. The article delves into semantic attacks, classifying various exploitation methods and emphasizing the critical role of user awareness. It addresses prevalent scams such as phishing, vishing, impersonation, and smishing, noting their impact on individuals and organizations. The study extends its focus globally, highlighting a unique advance fee fraud targeting vulnerable populations. Social engineering remains a significant challenge despite technological advancements, necessitating a multifaceted approach combining technical defenses, education, and public awareness.

    Introducing Psychological Concepts and Methods to Cybersecurity Students

    This chapter begins with a brief review of the literature that highlights what psychology research and practice can offer to cybersecurity education. The authors draw on their wide-ranging inter-disciplinary teaching experience and discuss the observations they gained from teaching psychological principles and methods to undergraduate and postgraduate cybersecurity students. They pay special attention to the characteristics of cybersecurity students, so that psychology is taught in a way that is accessible and engaging. Finally, the authors offer some practical suggestions to help academics incorporate psychology into the cybersecurity curriculum.

    CLASSIFICATION OF SOCIAL ENGINEERING METHODS AND TYPES OF SOCIAL ENGINEERING ATTACKS

    Background: Social engineering is an acute threat to modern enterprises. In large companies, dynamic information flows and changes in management processes increase the number of attack points for social engineers, which entails possible unwanted information outflows. Objective: The study aims to analyze social engineering attacks, identify their complexity, and compare them with the types of attacks. The primary objective is to determine the key mechanisms to counter social engineering. Methods: The paper analyzes the current body of scientific literature concerning the legal regulation of social engineering methods and the study of criminalized social engineering. The methodological foundation of the study is a combination of scientific research methods, including the abstract-logical approach, correlation analysis, and the comparative method. Results: The existing research testifies to the dynamic spread and development of social engineering technologies, which necessitates the development of an effective system to counter social engineering attacks. The most promising approach appears to be one that rests on a technical component while simultaneously training the employees of enterprises and organizations to counteract unauthorized access to information. This approach will reduce the risk of information leakage and strengthen the information security of modern companies.

    Teaching Psychological Principles to Cybersecurity Students

    This paper discusses our observations gained from teaching psychological principles and methods to undergraduate and postgraduate cybersecurity students. We draw on and extend our previous work encouraging the teaching of psychology in computing and cybersecurity education. We pay special attention to the characteristics of cybersecurity students in terms of teaching psychology in a way that will be accessible and engaging. We then discuss the development and use of an online training tool which draws on psychology to help educators and companies raise awareness of cybersecurity risks among students and employees. Finally, we offer some practical suggestions for incorporating psychology into the cybersecurity curriculum.

    Immersive Storytelling for Information Security Awareness Training in Virtual Reality

    Due to the central role of the human factor in information security, the need for information security awareness (ISA) is constantly increasing. In order to maintain a high level of ISA, training has to be carried out frequently to ensure sustainability. Since education via VR has led to a sustained learning effect in other fields, we evaluated the use of VR for ISA training. Moreover, we combined our VR training with immersive storytelling. For the evaluation we used two groups of participants. The first used a traditional e-Learning method before answering the questionnaire. The second used our VR training. After one week we repeated the questionnaires. The results showed that the VR group achieved higher scores than the non-VR group. Moreover, the VR group achieved even higher scores after one week, which might be due to the sustained learning effect of the VR training.

    Teaching Tip: Hook, Line, and Sinker – The Development of a Phishing Exercise to Enhance Cybersecurity Awareness

    In this paper, we describe the development of an in-class exercise designed to teach students how to craft social engineering attacks. Specifically, we focus on the development of phishing emails. Providing an opportunity to craft offensive attacks not only helps prepare students for a career in penetration testing but can also enhance their ability to detect and defend against similar methods. First, we discuss the relevant background. Second, we outline the requirements necessary to implement the exercise. Third, we describe how we implemented the exercise. Finally, we discuss our results and share student feedback.