1,943 research outputs found
Countering Social Engineering through Social Media: An Enterprise Security Perspective
The increasing threat of social engineers targeting social media channels to
advance their attack effectiveness on company data has seen many organizations
introducing initiatives to better understand these vulnerabilities. This paper
examines concerns of social engineering through social media within the
enterprise and explores countermeasures undertaken to stem ensuing risk. Also
included is an analysis of existing social media security policies and
guidelines within the public and private sectors.Comment: Proceedings of The 7th International Conference on Computational
Collective Intelligence Technologies and Applications (ICCCI 2015), LNAI,
Springer, Vol. 9330, pp. 54-6
Refining the PoinTER “human firewall” pentesting framework
PurposePenetration tests have become a valuable tool in the cyber security defence strategy, in terms of detecting vulnerabilities. Although penetration testing has traditionally focused on technical aspects, the field has started to realise the importance of the human in the organisation, and the need to ensure that humans are resistant to cyber-attacks. To achieve this, some organisations “pentest” their employees, testing their resilience and ability to detect and repel human-targeted attacks. In a previous paper we reported on PoinTER (Prepare TEst Remediate), a human pentesting framework, tailored to the needs of SMEs. In this paper, we propose improvements to refine our framework. The improvements are based on a derived set of ethical principles that have been subjected to ethical scrutiny.MethodologyWe conducted a systematic literature review of academic research, a review of actual hacker techniques, industry recommendations and official body advice related to social engineering techniques. To meet our requirements to have an ethical human pentesting framework, we compiled a list of ethical principles from the research literature which we used to filter out techniques deemed unethical.FindingsDrawing on social engineering techniques from academic research, reported by the hacker community, industry recommendations and official body advice and subjecting each technique to ethical inspection, using a comprehensive list of ethical principles, we propose the refined GDPR compliant and privacy respecting PoinTER Framework. The list of ethical principles, we suggest, could also inform ethical technical pentests.OriginalityPrevious work has considered penetration testing humans, but few have produced a comprehensive framework such as PoinTER. PoinTER has been rigorously derived from multiple sources and ethically scrutinised through inspection, using a comprehensive list of ethical principles derived from the research literature
Emerging Phishing Trends and Effectiveness of the Anti-Phishing Landing Page
Each month, more attacks are launched with the aim of making web users
believe that they are communicating with a trusted entity which compels them to
share their personal, financial information. Phishing costs Internet users
billions of dollars every year. Researchers at Carnegie Mellon University (CMU)
created an anti-phishing landing page supported by Anti-Phishing Working Group
(APWG) with the aim to train users on how to prevent themselves from phishing
attacks. It is used by financial institutions, phish site take down vendors,
government organizations, and online merchants. When a potential victim clicks
on a phishing link that has been taken down, he / she is redirected to the
landing page. In this paper, we present the comparative analysis on two
datasets that we obtained from APWG's landing page log files; one, from
September 7, 2008 - November 11, 2009, and other from January 1, 2014 - April
30, 2014. We found that the landing page has been successful in training users
against phishing. Forty six percent users clicked lesser number of phishing
URLs from January 2014 to April 2014 which shows that training from the landing
page helped users not to fall for phishing attacks. Our analysis shows that
phishers have started to modify their techniques by creating more legitimate
looking URLs and buying large number of domains to increase their activity. We
observed that phishers are exploiting ICANN accredited registrars to launch
their attacks even after strict surveillance. We saw that phishers are trying
to exploit free subdomain registration services to carry out attacks. In this
paper, we also compared the phishing e-mails used by phishers to lure victims
in 2008 and 2014. We found that the phishing e-mails have changed considerably
over time. Phishers have adopted new techniques like sending promotional
e-mails and emotionally targeting users in clicking phishing URLs
Plugging the “Phishing” Hole: Legislation Versus Technology
This iBrief analyzes the Anti-Phishing Act of 2005, legislation aimed at curbing the problem of phishing. Phishing is the sending of fraudulent emails which appear to be from legitimate businesses and thereby fooling the recipients into divulging personal information such as credit card numbers. While this legislation may provide some assistance in the fight against phishing, it is limited by the global nature of the Internet and the ease with which phishers can hide and avoid judgments. This iBrief therefore concludes that although the Anti-Phishing Act can play a supporting role in the battle, technological solutions are the most effective means of reducing or eliminating phishing attacks
Plugging the “Phishing” Hole: Legislation Versus Technology
This iBrief analyzes the Anti-Phishing Act of 2005, legislation aimed at curbing the problem of phishing. Phishing is the sending of fraudulent emails which appear to be from legitimate businesses and thereby fooling the recipients into divulging personal information such as credit card numbers. While this legislation may provide some assistance in the fight against phishing, it is limited by the global nature of the Internet and the ease with which phishers can hide and avoid judgments. This iBrief therefore concludes that although the Anti-Phishing Act can play a supporting role in the battle, technological solutions are the most effective means of reducing or eliminating phishing attacks
- …