127,302 research outputs found

    SOCIAL ENGINEERING AS AN EVOLUTIONARY THREAT TO INFORMATION SECURITY IN HEALTHCARE ORGANIZATIONS

    Information security in healthcare settings is overlooked even though it is the most vulnerable for social engineering attacks. The theft of hospital information data is critical to be monitored as they contain patients’ confidential health information. If leaked, the data can impact patients’ social as well as professional life. The hospital data system includes administrative data, as well as employees’ personal information hacked, which can cause identity theft. The current paper discusses types and sources of social engineering attacks in healthcare organizations. Social engineering attacks occur more frequently than other malware attacks, and hence it is crucial to understand what social engineering is and its vulnerabilities to understand the prevention measures. The paper describes types of threats, potential vulnerabilities, and possible solutions to prevent social engineering attacks in healthcare organizations. Keywords: social engineering, hospitals, healthcare organizations, information security.

    Experimental Case Studies for Investigating E-Banking Phishing Techniques and Attack Strategies

    Phishing is a form of electronic identity theft in which a combination of social engineering and web site spoofing techniques are used to trick a user into revealing confidential information with economic value. The problem of social engineering attack is that there is no single solution to eliminate it completely, since it deals largely with the human factor. This is why implementing empirical experiments is very crucial in order to study and to analyze all malicious and deceiving phishing website attack techniques and strategies. In this paper, three different kinds of phishing experiment case studies have been conducted to shed some light into social engineering attacks, such as phone phishing and phishing website attacks for designing effective countermeasures and analyzing the efficiency of performing security awareness about phishing threats. Results and reactions to our experiments show the importance of conducting phishing training awareness for all users and doubling our efforts in developing phishing prevention techniques. Results also suggest that traditional standard security phishing factor indicators are not always effective for detecting phishing websites, and alternative intelligent phishing detection approaches are needed

    SOCIAL ENGINEERING IN SOCIAL NETWORKING SITES: HOW GOOD BECOMES EVIL

    Social Engineering (SE) is now considered the great security threat to people and organizations. Ever since the existence of human beings, fraudulent and deceptive people have used social engineering tricks and tactics to trick victims into obeying them. There are a number of social engineering techniques that are used in information technology to compromise security defences and attack people or organizations such as phishing, identity theft, spamming, impersonation, and spaying. Recently, researchers have suggested that social networking sites (SNSs) are the most common source and best breeding grounds for exploiting the vulnerabilities of people and launching a variety of social engineering based attacks. However, the literature shows a lack of information about what types of social engineering threats exist on SNSs. This study is part of a project that attempts to predict a person’s vulnerability to SE based on demographic factors. In this paper, we demonstrate the different types of social engineering based attacks that exist on SNSs, the purposes of these attacks, reasons why people fell (or did not fall) for these attacks, based on users’ opinions. A qualitative questionnaire-based survey was conducted to collect and analyse people’s experiences with social engineering tricks, deceptions, or attacks on SNSs.

    Social Engineering SWOT Analysis in Government-Owned Commercial Banks and National Private Commercial Banks

    This research examines the phenomenon of social engineering at government-owned commercial banks and national private commercial banks. The research method used is descriptive qualitative with a literature study. The research results show the bank's strengths, weaknesses, opportunities, and threats. In addition, several strategies are recommended for banks to prevent social engineering attacks, namely building information technology in banking according to the standards and regulations of the Financial Service Authority (Otoritas Jasa Keuangan), utilizing social media as an educational tool, training employees, monitoring and optimizing data security and banking information technology networks, suppressing the circulation of social issues on behalf of banks that can trigger social engineering, increasing financial literacy and awareness of data security personal customers and employees. To prevent social engineering attacks, banks can implement strategies that are considered adequate

    Evaluation of Measures Taken by Telecommunication Companies in Preventing Social Engineering Attacks in Tanzania

    This study aimed to evaluate the measures taken by telecommunication companies in preventing social engineering attacks in Tanzania. The study was guided by the deception theory, the researcher employed a descriptive research design and quantitative approach to conduct this study. Data was collected by using a questionnaire administered to the selected telecommunication companies in Tanzania. Furthermore, the obtained findings were as follows; most of the respondents who participated in this study are aware of social engineering and that they experienced social engineering. The study also revealed that there are common social engineering attacks experienced by the respondents such as business collaboration benefits, alleged wrong remittance of money, sim swaps, SMS phishing and fraudulent SMS from lost or stolen phones, password requisitions and links sharing. The findings of this study went further to reveal that social engineering has effects such as loss of sensitive data, financial loss, reputational damage, disruption of operations as well as legal and compliance issue. The general findings of this study show that most of the respondents said that there is a presence of security measures to prevent social engineering such as the provision of the awareness program, enabling the use of multifactor authentication, there is implementation of policies around social media usage, provision of regular software updates, regular review of security protocols, provision of well-known customer care services number. 
On the other hand, the study also revealed that telecommunication companies use the following ways to minimize social engineering attacks, provision of security awareness training for employees, implementing security policies and procedures, regularly reviewing and updating security protocols, detecting and responding to social engineering attacks, placing limits on the access each member has in the system, always require a username and password to be configured. On the strategies used to prevent social engineering, the finding of this study showed that telecommunication companies should ensure encrypting data, proper verification of emails or instructions sent to customers, ensure that even if hackers intercept communication they can’t access information contained within, use of SSL certificates from trusted authorities, incorporating phishing and malicious detection solutions into security stack. This study concludes that telecommunications ensure routine reviews of security standards, daily notifications for customers and other system users, and the availability of a well-known customer care services number. Due to the difficulties that information system users face, businesses have been using a variety of protection techniques to avoid social engineering, from putting up multifactor authentication for users' accounts to teaching employees how to spot suspect activity. Hence it is recommended that it is necessary to deploy mechanisms like machine learning-based ways to defend against social engineering-based assaults since cybercriminals exploit human activities to breach security as well as using the security features on messages (filter unknown senders) and calls (silence unknown callers)

    Mitigating the risk of social engineering attacks

    The topic of social engineering is only covered briefly in today's system administration and security coursework. This lack of coverage leaves many Administrators ill-equipped to administer the users of a computer network. In addition to their technical training, administrators need to comprehend the potential severity and likelihood of social engineering attacks. Teaching administrators only to minimize the risk of hacking attempts or computer virus infections does not fully equip them with the knowledge needed to defend their networks. To ensure the safety of their network from social engineering attacks, administrators need to be able to answer three primary questions:
    * How can Administrators look for and identify a social engineering attack?
    * How can Administrators properly train users to ensure they do not become the network's weakest security link?
    * How can Administrators test their protection methods to ensure the risk of social engineering attacks is sufficiently mitigated?
    This thesis attempts to answer these questions, devise a training workshop template Administrators can present to their users, and present a base set of audit guidelines Administrators can employ to ensure their attack prevention methods are effective.