Refining the PoinTER “human firewall” pentesting framework

PurposePenetration tests have become a valuable tool in the cyber security defence strategy, in terms of detecting vulnerabilities. Although penetration testing has traditionally focused on technical aspects, the field has started to realise the importance of the human in the organisation, and the need to ensure that humans are resistant to cyber-attacks. To achieve this, some organisations “pentest” their employees, testing their resilience and ability to detect and repel human-targeted attacks. In a previous paper we reported on PoinTER (Prepare TEst Remediate), a human pentesting framework, tailored to the needs of SMEs. In this paper, we propose improvements to refine our framework. The improvements are based on a derived set of ethical principles that have been subjected to ethical scrutiny.MethodologyWe conducted a systematic literature review of academic research, a review of actual hacker techniques, industry recommendations and official body advice related to social engineering techniques. To meet our requirements to have an ethical human pentesting framework, we compiled a list of ethical principles from the research literature which we used to filter out techniques deemed unethical.FindingsDrawing on social engineering techniques from academic research, reported by the hacker community, industry recommendations and official body advice and subjecting each technique to ethical inspection, using a comprehensive list of ethical principles, we propose the refined GDPR compliant and privacy respecting PoinTER Framework. The list of ethical principles, we suggest, could also inform ethical technical pentests.OriginalityPrevious work has considered penetration testing humans, but few have produced a comprehensive framework such as PoinTER. PoinTER has been rigorously derived from multiple sources and ethically scrutinised through inspection, using a comprehensive list of ethical principles derived from the research literature

Social engineering and crime prevention in cyberspace

This paper highlights methods of syntactic and semantic social engineering attacks (human-based and computer-based) that are currently prevalent in the cyber community. It will also present the emerging trends in high-tech crime; and, the likely future direction cyber-crime will take with respect to social engineering

Changing users' security behaviour towards security questions: A game based learning approach

Fallback authentication is used to retrieve forgotten passwords. Security questions are one of the main techniques used to conduct fallback authentication. In this paper, we propose a serious game design that uses system-generated security questions with the aim of improving the usability of fallback authentication. For this purpose, we adopted the popular picture-based "4 Pics 1 word" mobile game. This game was selected because of its use of pictures and cues, which previous psychology research found to be crucial to aid memorability. This game asks users to pick the word that relates to the given pictures. We then customized this game by adding features which help maximize the following memory retrieval skills: (a) verbal cues - by providing hints with verbal descriptions, (b) spatial cues - by maintaining the same order of pictures, (c) graphical cues - by showing 4 images for each challenge, (d) interactivity/engaging nature of the game.Comment: 6, Military Communications and Information Systems Conference (MilCIS), 2017. arXiv admin note: substantial text overlap with arXiv:1707.0807

Breaching the Human Firewall: Social engineering in Phishing and Spear-Phishing Emails

We examined the influence of three social engineering strategies on users’ judgments of how safe it is to click on a link in an email. The three strategies examined were authority, scarcity and social proof, and the emails were either genuine, phishing or spear-phishing. Of the three strategies, the use of authority was the most effective strategy in convincing users that a link in an email was safe. When detecting phishing and spear-phishing emails, users performed the worst when the emails used the authority principle and performed best when social proof was present. Overall, users struggled to distinguish between genuine and spear-phishing emails. Finally, users who were less impulsive in making decisions generally were less likely to judge a link as safe in the fraudulent emails. Implications for education and training are discussed

The Relationship Between Social Persuasion Strategies, Phishing Features and Email Exposure Time on Phishing Susceptibility

This item is only available electronically.A ‘phishing email’ aims to persuade an unsuspecting individual to reveal personal credentials and sensitive information. Currently, the global costs to businesses and individuals associated with phishing related attacks are reported in the hundreds of millions of dollars. While technological interventions capture a proportion of these phishing emails, ultimately, the human user is the last line of defence in determining the legitimacy of the email. ‘Phishers’ aim to exploit human weaknesses through the use of various persuasion strategies that create a sense of urgency and time pressure to respond to emails. Typically, individuals must also rely on subtle phishing features in an email to determine if the email is genuine or an attempted phish. Furthermore, phishers take advantage of the assumption that users determine the legitimacy of emails in a short amount of time. The present study aims to examine the impact of these email characteristics of persuasion strategies, the number of phishing features, and exposure time on phishing detection and susceptibility. Using an online survey platform, participants (N= 136) completed an email sorting task where they were required to review and sort 60 incoming emails from the inbox of ‘Professor Alex Jones’. Several significant results were obtained supporting the hypotheses. It demonstrated that individuals are better able to detect a phishing email when it utilises common persuasion strategies (authority and scarcity), and contain a greater number of phishing features. It also revealed that with increased email exposure time, individuals had a better phishing detection rate. However, the effect of identifying phishing emails with common persuasion strategies was not greater during shorter exposure time, providing a non-significant result. A greater understanding of these email factors associated with phishing susceptibility could lead to more tailored awareness campaigns and/or training programs to increase phishing detection and reduce susceptibility.Thesis (B.PsychSc(Hons)) -- University of Adelaide, School of Psychology, 202

Teaching Tip: Hook, Line, and Sinker – The Development of a Phishing Exercise to Enhance Cybersecurity Awareness

In this paper, we describe the development of an in-class exercise designed to teach students how to craft social engineering attacks. Specifically, we focus on the development of phishing emails. Providing an opportunity to craft offensive attacks not only helps prepare students for a career in penetration testing but can also enhance their ability to detect and defend against similar methods. First, we discuss the relevant background. Second, we outline the requirements necessary to implement the exercise. Third, we describe how we implemented the exercise. Finally, we discuss our results and share student feedback