654 research outputs found

    A taxonomy of attacks and a survey of defence mechanisms for semantic social engineering attacks

    Social engineering is used as an umbrella term for a broad spectrum of computer exploitations that employ a variety of attack vectors and strategies to psychologically manipulate a user. Semantic attacks are the specific type of social engineering attacks that bypass technical defences by actively manipulating object characteristics, such as platform or system applications, to deceive rather than directly attack the user. Commonly observed examples include obfuscated URLs, phishing emails, drive-by downloads, spoofed websites and scareware, to name a few. This paper presents a taxonomy of semantic attacks, as well as a survey of applicable defences. By contrasting the threat landscape and the associated mitigation techniques in a single comparative matrix, we identify the areas where further research can be particularly beneficial.

    On the Security Assessment of the Cloud

    Cloud computing is an enabling technology paradigm that provides access to the geodistributed pool of resources that are rapidly and flexibly provisioned at run-time with minimum management from the user. These benefits have driven the proliferation of the Cloud over the last decade. Many organizations have migrated to the Cloud or have a Cloud-first strategy for their businesses. Despite these benefits, the security of the Cloud has been flagged as among the top concerns by its users. To address security concerns, Threat Analysis (TA) is often advocated to ascertain a system’s exposure to threats. A plethora of TA techniques exist that focus on analyzing threats to targeted assets at the system’s level (e.g., components, hardware) or at the user’s level (e.g., virtual machine) in the Cloud. These techniques are effective, but their applicability is limited beyond their targeted asset. However, the Cloud is a complex system entailing both the physical and virtual resources. Moreover, these resources can instantiate, migrate across physical hosts, or decommission to provide rapid resource elasticity to the users. On this background, this thesis aims at assessing the security of the Cloud holistically by considering the interactions among the services/components involved in the operational stack of the Cloud. In this regard, a technology-agnostic information flow model is developed that represents the Cloud’s functionality through a set of conditional transitions. Furthermore, threats are added to the model to analyze their impact on the Cloud. This enables the exploration of a threat’s behavior and its propagation across the Cloud and supports assessing the security of the Cloud by analyzing the impact of multiple threats across various operational layers/assets. Using public information on threats from the National Vulnerability Database (NVD), actual Cloud attacks were traced and alternate potential attack paths were speculatively postulated. Furthermore, the thesis also investigates different threats with similar indicators of compromise (e.g., attack patterns) to be considered in the security assessment along with the specific user’s requirements. Finally, the thesis also targets the evaluation of potential violations from the Cloud providers that breach users’ requirements. The results presented in the thesis demonstrate that by ascertaining the attack paths and considering the interplay between threats and security requirements, the security of the Cloud can be comprehensively assessed.