
    Generic Taxonomy of Social Engineering Attack

    Social engineering is a type of attack that allows unauthorized access to a system to achieve a specific objective. Commonly, the purpose is to obtain information for social engineers. Some successful social engineering attacks get victims’ information via a human-based retrieval approach, for example techniques termed dumpster diving or shoulder surfing to get access to passwords. Alternatively, victims’ information can also be stolen using technical-based methods such as pop-up windows, email or web sites to get the password or other sensitive information. This research performed a preliminary analysis of social engineering attack taxonomy that emphasized types of technical-based social engineering attack. Results from the analysis become a guideline in proposing a new generic taxonomy of Social Engineering Attack (SEA).

    An ontology of security threats to web applications

    As the use of the internet for commercial purposes continues to grow, so does the number of security threats which attempt to disrupt online systems. A number of these threats are in fact unintended. For example, a careless employee might drop a cup of coffee onto essential equipment. However, when compared to the brick-and-mortar world, the internet offers would-be attackers a more anonymous environment in which to operate. Also, the free availability of hacking tools makes it possible even for the curious teenager to carry out dangerous attacks. Despite this ever-present threat, however, it is all too often the case that security is dealt with (if at all) after a web application has been developed. This is mainly due to our software development heritage, whereby companies prefer to focus on the functionality of new systems because that provides an immediate return on investment. As a precursor to proposing a framework for building security into web applications, this paper presents an ontology of threats to web applications. The thinking behind this is that, much as in the military world, one needs to have as much intelligence about the enemy as possible; the same can be argued in the case of online security threats. Such an ontology would enable stakeholders in online applications to take less of a reactive stance and instead be more proactive by being aware of what’s out there.
    Peer-reviewed

    Got Phished? Internet Security and Human Vulnerability

    A leading cause of security breaches is a basic human vulnerability: our susceptibility to deception. Hackers exploit this vulnerability by sending phishing emails that induce users to click on malicious links that then download malware, or trick the victim into revealing personal confidential information to the hacker. Past research has focused on human susceptibility to generic phishing emails or individually targeted spear-phishing emails. This study addresses how contextualization of phishing emails for targeted groups impacts their susceptibility to phishing. We manipulated the framing and content of email messages and tested the effects on users’ susceptibility to phishing. We constructed phishing emails to elicit either the fear of losing something valuable (e.g., course registrations, tuition assistance) or the anticipation of gaining something desirable (e.g., iPad, gift card, social networks). We designed the emails’ context to manipulate human psychological weaknesses such as greed, social needs, and so on. We sent fictitious (benign) emails to 7,225 undergraduate students and recorded their responses. Results revealed that contextualizing messages to appeal to recipients’ psychological weaknesses increased their susceptibility to phishing. The fear of losing or anticipation of gaining something valuable increased susceptibility to deception and vulnerability to phishing. The results of our study provide important contributions to information security research, including a theoretical framework based on the heuristic-systematic processing model to study the susceptibility of users to deception. We demonstrate through our experiment that several situational factors do, in fact, alter the effectiveness of phishing attempts.

    Undermining: social engineering using open source intelligence gathering

    Digital deposits are undergoing exponential growth. These may in turn be exploited to support cyber security initiatives through open source intelligence gathering. Open source intelligence itself is a double-edged sword, as the data may be harnessed not only by intelligence services to counter cyber-crime and terrorist activity but also by perpetrators of criminal activity who use them to socially engineer online activity and undermine their victims. Our preliminary case study shows how the security of any company can be surreptitiously compromised by covertly gathering the open source personal data of the company’s employees and exploiting these in a cyber attack. Our method uses tools that can search, drill down and visualise open source intelligence structurally. It then exploits these data to organise creative spear phishing attacks on the unsuspecting victims, who unknowingly activate the malware necessary to compromise the company’s computer systems. The entire process is the covert and virtual equivalent of overtly stealing someone’s password ‘over the shoulder’. A more sophisticated development of this case study will provide a seamless sequence of interoperable computing processes from the initial gathering of employee names to the successful penetration of security measures.

    The impact of personality traits on user’s susceptibility to social engineering attacks

    Phishing attacks and other social manipulation attacks are an everyday occurrence for most workers in their email boxes. Others experience social engineering tricks to take and divert payments on legitimate electronic commerce transactions. This exploratory pilot study aims to examine the impact of a user’s personality on the likelihood of that user’s susceptibility to social engineering attacks. Five expert interviews were conducted to investigate what traits make some individuals more, or sometimes less, susceptible to social engineering attacks than others. The personality traits were obtained using the Big Five personality model for correlation with interview data. The result suggests that users with high scores in the agreeableness and extroversion traits are likely to be more susceptible to social engineering attacks than others. These results are a useful start for further research into the impact of different tricks on different personality types.

    Digital Deception: Generative Artificial Intelligence in Social Engineering and Phishing

    The advancement of Artificial Intelligence (AI) and Machine Learning (ML) has profound implications for both the utility and security of our digital interactions. This paper investigates the transformative role of Generative AI in Social Engineering (SE) attacks. We conduct a systematic review of social engineering and AI capabilities and use a theory of social engineering to identify three pillars where Generative AI amplifies the impact of SE attacks: Realistic Content Creation, Advanced Targeting and Personalization, and Automated Attack Infrastructure. We integrate these elements into a conceptual model designed to investigate the complex nature of AI-driven SE attacks - the Generative AI Social Engineering Framework. We further explore human implications and potential countermeasures to mitigate these risks. Our study aims to foster a deeper understanding of the risks, human implications, and countermeasures associated with this emerging paradigm, thereby contributing to a more secure and trustworthy human-computer interaction.
    Comment: Submitted to CHI 202

    Social Engineering Cyber Threats

    The article explores the pervasive threat of social engineering in cybersecurity, emphasizing its success in infiltrating information systems by manipulating individuals rather than employing traditional hacking methods. The author underscores the vulnerability arising from human trust, as individuals, especially those lacking technology education, tend to be targets. While cryptography offers partial security, social engineering complicates overall system security. Mitigation strategies include educating employees on threats, risks, and security policies, coupled with enforcing penalties for noncompliance. Additionally, employing two-factor authentication and physical token-based access adds layers of protection. The article delves into semantic attacks, classifying various exploitation methods and emphasizing the critical role of user awareness. It addresses prevalent scams such as phishing, vishing, impersonation, and smishing, noting their impact on individuals and organizations. The study extends its focus globally, highlighting a unique advance fee fraud targeting vulnerable populations. Social engineering remains a significant challenge despite technological advancements, necessitating a multifaceted approach combining technical defenses, education, and public awareness.

    Cybersecurity in Contemporary Organizations: A leadership challenge

    This paper addresses narrowing the gap between business executives and cybersecurity technologists for cybersecurity preparedness within organizations. Without a common understanding of cybersecurity risks, organizations become vulnerable to data breaches. To manage cybersecurity effectively, leaders must stay informed about evolving threats and adopt a proactive approach. We draw upon interviews with senior business and cybersecurity executives and propose three action items to narrow the gap -- engage with cybersecurity professionals, establish cyber governance, and counter social engineering -- which will prepare organizations to protect against cyber threats and become resilient when a cyber breach occurs.