Fighting Social Engineering

Increasing information security in organizations by combining scenario based learning and psychological factors of persuasion (1)

Mikael Hermansson & Robert Ravne
University of Stockholm / Royal Institute of Technology
March 2005

(1) This thesis corresponds to 20 weeks of full-time work for each of the authors.

Abstract

Social Engineering is the term for using human deception as a means of information theft. Awareness of this phenomenon is currently low throughout organizations, and there is no widely used educational tool for efficiently educating people on the matter. In this thesis, scenario based learning is combined with the psychological factors of persuasion, resulting in a method for developing educational software and a prototype implementing this method. The prototype is compared to an existing alternative educational approach, i.e. ordinary lectures. The purpose of the comparison was to obtain a benchmark against which the efficiency of the scenario based prototype could be measured. The scenario method was proven to be more efficient than the use of lectures. The work with this thesis resulted in a method for developing an efficient scenario based education tool addressing Social Engineering issues, and a prototype of such an educational tool.

Acknowledgements

We would like to take the opportunity to express our gratitude to those who contributed during the process of writing “Fighting Social Engineering”. First of all we would like to express our deepest gratitude to our supervisor Alan Davidson at the Royal Institute of Technology for great support throughout the thesis project, insightful comments and just for putting up with us. Additionally we would like to thank Lars for providing us with information on how their organization educates their employees. And last but not least we would like to thank the interviewees for their time and effort.
Stockholm, March 2005
Robert Ravne & Mikael Hermansson

Table of Contents

1 Introduction (p. 8)
  1.1 Problem (p. 9)
  1.2 Objective (p. 9)
  1.3 Scope (p. 10)
  1.4 Target group (p. 10)
  1.5 Related work (p. 10)
  1.6 Methodology (p. 10)
  1.7 Thesis outline (p. 16)
2 Theoretical Framework (p. 17)
  2.1 Social Engineering (p. 17)
  2.2 Psychological factors of persuasion (p. 23)
    2.2.1 Reciprocation (p. 23)
    2.2.2 Commitment and consistency (p. 25)
    2.2.3 Social proof (p. 26)
    2.2.4 Liking (p. 27)
    2.2.5 Authority (p. 28)
    2.2.6 Scarcity (p. 29)
  2.3 Scenario Based Learning (p. 30)
3 Scenario development (p. 36)
  3.1 General learning outcomes (p. 38)
  3.2 Scenario development, storyboards and implementation (p. 38)
4 Alternative educational approach - lectures (p. 39)
  4.1 The alternative approach (p. 39)
  4.2 The alternative approach applied (p. 39)
    4.2.1 Educational contents (p. 40)
5 Interviews results and analysis (p. 42)
  5.1 Structuring interview answers (p. 42)
    5.1.1 Alternative approach (p. 42)
    5.1.2 Scenario method (p. 44)
  5.2 Analysis of the answers (p. 46)
    5.2.1 How does a Social Engineer operate? (p. 46)
    5.2.2 How can you protect against a Social Engineer? (p. 49)
6 Conclusions (p. 52)
  6.1 Critique (p. 54)
  6.2 Future work (p. 56)
References (p. 57)
Appendix 1 – Scenario development (p. 60)
  Scenario 1 – Reciprocation (p. 60)
  Scenario 2 – Commitment and Consistency (p. 62)
  Scenario 3 – Social Proof (p. 65)
  Scenario 4 – Liking (p. 67)
  Scenario 5 – Authority (p. 69)
  Scenario 6 – Scarcity (p. 71)
Appendix 2 – Storyboards (p. 74)
  Scenario 1 – Reciprocation (p. 74)
  Scenario 2 – Commitment and Consistency (p. 75)
  Scenario 3 – Social Proof (p. 76)
  Scenario 4 – Liking (p. 77)
  Scenario 5 – Authority (p. 78)
  Scenario 6 – Scarcity (p. 79)
Appendix 3 – HiFi prototypes (p. 80)
  Scenario 1 – Reciprocation (p. 80)
  Scenario 2 – Commitment and Consistency (p. 82)
  Scenario 3 – Social Proof (p. 84)
  Scenario 4 – Liking (p. 86)
  Scenario 5 – Authority (p. 88)
  Scenario 6 – Scarcity (p. 90)
Appendix 4 – Interviews (p. 92)
  Alternative approach (p. 92)
    Interview 1 (p. 92)
    Interview 2 (p. 92)
    Interview 3 (p. 92)
    Interview 4 (p. 93)
    Interview 5 (p. 93)
    Interview 6 (p. 93)
  Scenario Method (p. 94)
    Interview 7 (p. 94)
    Interview 8 (p. 94)
    Interview 9 (p. 94)
    Interview 10 (p. 95)
    Interview 11 (p. 95)
    Interview 12 (p. 96)

Figures

Figure 1 – Plan of the work flow (p. 12)
Figure 2 – The Social Engineering approach (p. 17)
Figure 3 – The Process of Social Engineering attacks (p. 20)
Figure 4 – Scenario Development Process (p. 32)
Figure 5 – Prototype Development Process (p. 37)
Figure 6 – Holistic illustration of the different components in the thesis (p. 53)
1 Introduction

Organizations depend on reliable information in order to perform their daily tasks, in the same way that they depend on their power supply. Additionally, the information needs to be timely, accurate, complete, valid, consistent and relevant to be of any use to the organization [THE1998]. These are strong arguments that stress the importance of existing and well functioning information security architectures within organizations. Another strong argument for an information security architecture is the monetary loss that organizations suffer yearly through computer crime. According to the eighth annual CSI/FBI Computer Crime and Security Survey, the annual loss from computer crimes in 2004 totalled $141 496 560 USD [GOR2004].

Today, work in security typically focuses on the more technical aspects of information security, for instance firewalls and antivirus software. The non-technical aspects of information security are very often neglected and not seen as an important issue when it comes to IT security investments [SHE2003]. Many enterprises have already learnt the hard way that security technology alone cannot secure the enterprise [SYM2003]. One way of bypassing the technical protection mechanisms is Social Engineering. “Social Engineering, once mastered, can be used to gain access on any system despite the platform or the quality of the hardware and software present. It is the hardest form of attack to defend against because hardware and software alone won’t stop it” [ART2001].

In February 1995 Kevin Mitnick, the most wanted computer criminal in the U.S., was arrested for computer crime, which resulted in 4 years of prison time. Kevin’s main field of hacking was Social Engineering. After his release Kevin published a book on the subject of Social Engineering with the title “The Art of Deception”, where he defines Social Engineering as follows: “Social Engineering uses influence and persuasion to deceive people by convincing them that the Social Engineer is someone he’s not, or by manipulation. As a result, the Social Engineer is able to take advantage of people to obtain information with or without the use of technology.” [MIT2002]

Social Engineering is an overlooked security threat and organizations are vulnerable to it [BRU2003]. The main impression is that organizations not only overlook the problem; there is also a lack of awareness and knowledge of Social Engineering as a phenomenon. A defence against Social Engineering must take into account what is known about the psychology of persuasion and develop that knowledge to understand the persuasive attack [GRA2002]. There are several ways to cope with Social Engineering, but the best way is by educating employees. Employees need to be aware of the risks and remain vigilant [BAR2001].

Social Engineering is a diverse and complex phenomenon [GRA2002]. Therefore the educational model used when educating personnel on Social Engineering must contend with this complexity. One very efficient and suitable educational model that manages complex topics is scenario based learning. In simple terms, scenario-based learning is learning that occurs in a context, situation, or social framework. It is based on the concept of situated cognition, which is the idea that knowledge cannot be known and fully understood independent of its context [KIN2002].

1.1 Problem

Is it possible to design an educational software application that educates people on how to act in different information dispatching situations? The educational software application should be based on different scenarios which, in turn, are grounded in the underlying psychological factors of persuasion that are exploited in each scenario.

1.2 Objective

The objective is to develop an efficient educational method for educating people on how to act in different information dispatching situations that could be targeted and exploited in various Social Engineering attacks. Efficient educational software refers to software that is better than lectures at taking people from a state of not knowing how to act in an information dispatching situation to a state where they know how to act in order to avoid successful Social Engineering attacks.

1.3 Scope

The main emphasis of this thesis lies in the development of the educational model. The intention of the educational model is to increase awareness of Social Engineering. The purpose of the comparison with lectures is to obtain a benchmark of the efficiency of the educational software. Social Engineering may be considered similar to certain intelligence activities as performed by, for instance, military intelligence agencies. This thesis does not consider knowledge originating from such activities.

1.4 Target group

The target group is people within organizations who are responsible for or involved in security education and who want to find ways to educate employees on how to act in different information dispatching situations that could be targeted and exploited in various Social Engineering attacks.

1.5 Related work

Work has been done within all the separate areas: psychological factors [CIA2000], scenario based learning [KIN2002] and Social Engineering [MIT2003], just to name a few. No work has been found that combines these particular areas with the objective of creating a scenario based educational software application that aims to reduce the risk of successful Social Engineering attacks.
1.6 Methodology

In the process of identifying and deciding upon the requirements of an educational software application and its scenarios, the methodology used in this thesis is of the inductive kind. The inductive method is distinguished by “the road of exploration” [HOL1997]. A qualitative approach with literature studies is used throughout the thesis in order to acquire the knowledge needed on the various topics required to fulfil the objective. Remaining within the qualitative paradigm, a comparison with an existing educational approach is necessary in order to measure the efficiency of the educational software. One of the characteristics of the qualitative approach is that it enables in-depth studies and focuses on the understanding of a phenomenon, in contrast to a quantitative approach that focuses on explanation [HOL1997].

The knowledge generated in this thesis is of the normative kind. Normative knowledge is generated both through the development of the educational model and through the comparison of the educational approaches. The comparison indicates which educational approach is most effective at providing the knowledge needed to avoid successful Social Engineering attacks. Normative knowledge can be viewed as rules, guidelines, advice and instructions for action to be taken in various situations [GOL1998].

In order to increase the chances that a person behaves correctly in information dispatching situations, awareness of how the Social Engineer exploits human behaviour is essential. There is no particular use in creating a checklist of specific countermeasures against Social Engineering, since there are so many ways a Social Engineer can perform an attack. Being aware “that the Social Engineer uses persuasion and influence to deceive people by convincing them that he is someone he is not” [MIT2002] is essential in order to avoid being exploited by a Social Engineer in an information dispatching situation. Therefore awareness of the Social Engineer’s different approaches is the main focal area in this thesis when educating people on how to act in information dispatching situations. The overall goal of the education is to increase awareness of how a Social Engineer performs an attack and how one can protect against such attacks. Educational content that aims to fulfil this goal is implemented in both educational approaches, in the way that each approach stipulates. With this awareness the learner should be able to recognise the different approaches of the Social Engineer and thereby act on the basis of this improved knowledge base in information dispatching situations. Figure 1 illustrates how the parts of this thesis fit together.

Figure 1 – Plan of the work flow (the figure shows Social Engineering, Psychological factors and Scenario Based learning feeding into Prototype development, followed by Comparison with lectures and Analysis/Result)

Literature studies

The literature studies are divided into three parts. Studies of Social Engineering are needed to achieve a broad base of knowledge about what Social Engineering is and how it can be practised. The information gathered about Social Engineering is used both as support when constructing the scenarios and as a basis for the lectures in the comparison. The psychological factors of persuasion need to be studied in order to understand the factors that make Social Engineering attacks successful, since the scenarios are designed from these psychological factors. Studies in scenario based learning are needed to gain the knowledge of how to develop scenarios.

Prototype development

When developing scenarios, the psychological factors behind influence are used as a starting point for identifying the Social Engineering situations in which these factors are applicable. The work then proceeds by applying theories of scenario based learning and scenario construction in general. This results in an educational software prototype well grounded in the above-mentioned theories from the literature studies. Since it is not possible to create scenarios that are representative of all situations in every organization, the ambition is to strive for scenarios that are as realistic as possible and that exemplify how the psychological factors are exploited in different Social Engineering situations. Scenarios can be developed from an idea based on a real-life or imagined event [ROT]. When developing the scenarios, the theory about Social Engineering from Ch. 3.1 is used as a foundation, and ideas from [MIT2003] and [CAL2001] have influenced the imagined events made up for the scenarios. Finally the scenarios are developed and presented in a HiFi (2) prototype.

Comparison

Since the objective of this thesis is to develop an “efficient educational method”, it is important to have a benchmark, i.e. an existing alternative approach to compare against, in order to measure the degree of efficiency. When measuring the difference in efficiency between the scenario based approach and the alternative approach, it is important that both approaches have the same goals. Lectures are used as the alternative approach. Throughout the thesis, alternative approach and lectures are used synonymously. The lectures and the scenario based approach have the same goals. The goal of the comparison, as mentioned above, is to measure the efficiency of the scenario approach compared to an approach that is actually used in the real world today. The purpose of the comparison is not to rule out one of the approaches.
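The prototype development step described above (a scenario keyed to the persuasion factor it exploits, a learner response, and a learning outcome per scenario) can be sketched as a small scenario engine. The following Python is an added illustration and is not the thesis's HiFi prototype nor its scenarios: the three scenarios, their wording, the choice texts and the `Factor`, `Choice`, `Scenario`, `run_session` and `factors_to_retrain` names are all constructed here, and tallying safe responses per factor is one possible way of reporting which factors a learner still fails to recognise.

```python
"""Scenario-based awareness-training engine (added illustration, not the thesis
prototype).  Each scenario is tagged with the persuasion factor it exploits; the
learner picks one response and the session report shows which factors were
recognised and which need further training.  All scenario content is constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Sequence


class Factor(Enum):
    """The six psychological factors of persuasion the scenarios are built on."""
    RECIPROCATION = "reciprocation"
    COMMITMENT = "commitment and consistency"
    SOCIAL_PROOF = "social proof"
    LIKING = "liking"
    AUTHORITY = "authority"
    SCARCITY = "scarcity"


@dataclass(frozen=True)
class Choice:
    text: str
    safe: bool      # True when the response keeps the information protected
    feedback: str   # shown after choosing; names the factor that was at play


@dataclass(frozen=True)
class Scenario:
    title: str
    factor: Factor
    situation: str
    choices: Sequence[Choice]

    def safe_index(self) -> int:
        """Index of the response that avoids disclosure (exactly one per scenario)."""
        safe = [i for i, c in enumerate(self.choices) if c.safe]
        if len(safe) != 1:
            raise ValueError("each scenario must have exactly one safe response")
        return safe[0]


# Constructed scenarios covering three of the six factors (hypothetical content).
SCENARIOS: List[Scenario] = [
    Scenario("Urgent call from 'the regional manager'", Factor.AUTHORITY,
             "A caller says he is a senior manager locked out before a board "
             "meeting and asks you to reset his password right now.",
             (Choice("Reset it at once; he clearly outranks you.", False,
                     "Authority: a claimed position is not an identity check."),
              Choice("Explain that resets go through the helpdesk ticket process and "
                     "offer to call back on the number in the staff directory.", True,
                     "Verifying through a known channel removes the authority pressure."))),
    Scenario("'Only the first twenty to confirm get the new laptop'", Factor.SCARCITY,
             "An e-mail says new laptops go to the first twenty employees who reply "
             "with their login details to confirm eligibility.",
             (Choice("Check the offer with HR via the intranet before replying.", True,
                     "Scarcity creates time pressure; a real offer survives verification."),
              Choice("Reply immediately so you do not lose your place.", False,
                     "Scarcity: the deadline exists to stop you from thinking."))),
    Scenario("The helpful technician", Factor.RECIPROCATION,
             "A visitor fixes the jammed printer for you unasked, then asks you to "
             "badge him into the server room 'to finish the job'.",
             (Choice("Thank him and direct him to reception for a visitor escort.", True,
                     "Reciprocation: a favour does not change the access policy."),
              Choice("Let him in; it would be rude not to after he helped.", False,
                     "Reciprocation: the favour was the set-up for the request."))),
]


def run_session(scenarios: Sequence[Scenario], answers: Sequence[int]) -> Dict[Factor, List[bool]]:
    """Record, per factor, whether each chosen response was the safe one."""
    if len(answers) != len(scenarios):
        raise ValueError("one answer per scenario expected")
    results: Dict[Factor, List[bool]] = {}
    for scenario, picked in zip(scenarios, answers):
        results.setdefault(scenario.factor, []).append(scenario.choices[picked].safe)
    return results


def factors_to_retrain(results: Dict[Factor, List[bool]]) -> List[str]:
    """Factors for which the learner fell for the scenario at least once."""
    return sorted(f.value for f, outcomes in results.items() if not all(outcomes))


def recognition_rate(results: Dict[Factor, List[bool]]) -> float:
    """Share of scenarios in which the learner chose the safe response."""
    outcomes = [o for per_factor in results.values() for o in per_factor]
    return sum(outcomes) / len(outcomes) if outcomes else 0.0


if __name__ == "__main__":
    # Constructed learner run: safe on authority and scarcity, fooled by reciprocation.
    answers = [1, 0, 1]
    report = run_session(SCENARIOS, answers)
    for scenario, picked in zip(SCENARIOS, answers):
        print(f"{scenario.title}: {scenario.choices[picked].feedback}")
    print("recognition rate:", recognition_rate(report))
    print("retrain on:", factors_to_retrain(report))
```

The per-factor report, rather than a single score, is what makes the structure useful for the comparison the thesis describes: it tells the educator which persuasion factor a learner still fails to recognise, which is the same question the interview stage asks in words.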
The comparison is performed as respondent interviews. Respondent interviews are used when it is desired to interview people who are part of the phenomenon of interest [HOL1997]. The interview is conducted by selecting a number of individuals who function as test subjects. There are no clear rules in the qualitative approach regarding the number of test subjects to be used [SVE2000]. Interviews are conducted until conclusions can be drawn from the material.

The test was structured as follows: there were two groups of test subjects, one for the scenario based approach and one for the alternative approach. Both groups were taught Social Engineering related issues in the way that their specific approach advocates. After the education session each test subject answered questions related to the education session. After these test sessions, conclusions were drawn about the efficiency of the scenario method compared to the lectures.

(2) HiFi prototype in this case refers to a prototype that is executable on a computer.

To be able to evaluate and compare the two approaches, questions that focus on the fulfilment of the goals were asked. A few focused questions are much more useful than a collection of general ones [HAR1999]. In order to avoid control by the researchers in the interview situation, standardized question forms are not used in the qualitative interview situation [HOL1997]. Two general questions related to the goals of the learning approaches were presented to the test subjects: how does a Social Engineer work? And how can you protect yourself? These two questions are directly related to the goals of the learning approaches, and therefore the answers given by the test subjects indicated the efficiency of the two separate learning approaches. Since the test subjects’ native tongue is Swedish, both methods were translated and presented in Swedish to the test subjects in order to minimize bad test results due to misinterpretation.

Data collection

Social Engineering is not yet fully covered in the literature, with the exception of [MIT2003], which is only used as a source of inspiration during parts of the scenario development process. There is however a great variety of publications to be found on the Internet. Publications from various authors accessible in the SANS Reading Room are mainly used throughout Ch. 2.1. “SANS is the most trusted and by far the largest source for information security training and certification in the world” [SAN2004]. The literature on the psychological factors of persuasion is basically the book “Influence” [CIA2001]; there is a risk of subjectivity when using a single source of information on a specific topic. However, [CIA2001] does not present the author’s own opinions, but rather a summary of 50 years of research within the area. The research referred to is well known and accepted, e.g. the Milgram studies.

Finding an alternative approach for the comparison turned out to be a difficult task, since companies do not seem to have specific educational methods regarding Social Engineering. The selection process regarding choice of company was carried out by contacting a number of arbitrarily chosen companies, and the first company that was willing to share its educational approach with us was picked. No educational approach covering Social Engineering related issues was found; however, one organization shared its educational approach and assisted in adapting it to the topic of Social Engineering. The existing educational approach used for the comparison was obtained from a large Swedish manufacturing company. Information about the existing educational approach was collected through a telephone interview with the security manager of one of the departments in the selected company. He was a very helpful person and did not see any problems with sharing their educational approach for research purposes, although he preferred the company to remain anonymous.

Regarding literature on scenario based learning, two approaches found suitable were combined, namely [KIN2002] and [ROT2001]. Both sources were discovered on the Internet using Google searches on “Scenario based learning”. The reason for combining these two approaches is that they are on different abstraction levels and are therefore applicable in different phases of the scenario development. [ROT2001] provides the general framework, while [KIN2002] goes into more detail on each step of the development process.

The test subjects were selected with regard to whether they had any prior knowledge of Social Engineering, which in this case was not desired. This criterion is necessary in order to be able to measure any difference in the awareness level of the test subjects. The search for test subjects took place at the main campus of Stockholm University. The students were approached with the question of whether they were willing to participate in a scientific study that would only take about 20 minutes of their time, including both the test and the interview afterwards. The students who accepted the offer performed the test of one of the learning approaches. First three lecture tests were conducted, followed by three scenario based tests. The tests were conducted in a group room at the Stockholm University Library. The subject was asked to sit down and prepare for a 5 to 10 minute test followed by an interview. The lecture took approximately 5 minutes to carry out and the scenario based method took approximately 10 minutes. The test of the scenario based method was carried out on a computer. When the test was finished the test subjects were asked questions related to the learning objectives. The answers were collected and analysed.

The interviews were recorded using a tape recorder. A tape recorder is necessary when performing interviews, since it is easy to miss valuable information when just writing down the answers [SVE2000]. The tests were conducted over two days. On the first day three subjects per method were tested and interviewed. The material from these six interviews did not provide enough information for conclusions to be drawn. Therefore six more interviews were conducted a week later with the same approach as earlier. After having interviewed six subjects per approach (i.e. a total of twelve subjects), a point was reached where it was possible to draw conclusions about the efficiency of the educational approaches from the collected material. The answers were similar in regard to informational content, and further interviews would most likely have followed the same pattern.

1.7 Thesis outline

Chapter two contains the theoretical foundation for the thesis and gives a thorough explanation of Social Engineering and its countermeasures. The psychological factors of persuasion are explained individually. These six psychological factors are the essence of the scenarios, whose theoretical part is explained at the end of the chapter. Chapter three describes the process of the scenario development. It starts out by defining the general learning outcomes for the scenarios. The process of developing each scenario is presented in Appendix 1, Appendix 2 and Appendix 3. Chapter four presents the alternative educational approach, i.e. the lectures used at a manufacturing company in Sweden. This method is used as a benchmark when deciding the effectiveness of the scenario based method. Chapter five presents the interview results and the analysis of these results. Twelve interviews were conducted in two groups, one group for the scenario method and one group for the lectures.
The contents of the interview results are related to the scenarios, and the answers from the scenario method group are compared to the answers from the alternative approach group. The interview results are presented as a whole in Appendix 4. Chapter six presents a conclusion and a discussion of the degree to which the objectives of the thesis were reached. Reflections about the thesis and possible future research are also discussed. The appendices are Appendix 1 – scenario development, Appendix 2 – storyboards, Appendix 3 – HiFi prototypes, and Appendix 4 – interviews.

2 Theoretical Framework

The theoretical framework for this thesis is divided into three sections:

Social Engineering – in this subchapter the Social Engineering phenomenon and its countermeasures are described.
Psychological factors of persuasion – the six factors behind influence and the defence against each are presented here.
Scenario based learning – two approaches to scenario based learning are dealt with in this final subchapter.

2.1 Social Engineering

Achieving unauthorized access to information through deception is also known by the term Social Engineering. Social Engineering is a serious threat to most secure networks. It is not easy to defend against Social Engineering attacks [GRA2002]. What makes it so difficult to defend against is the fact that Social Engineers exploit the weakest point in an organization’s security chain, the human factor [ALL2001]. This basically means that a skilled Social Engineer can gain access to any desired system or information despite the hardware and software protection mechanisms implemented to protect that system or information [ART2001]. Therefore Social Engineering is essentially about finding a way or means to bypass technology- or software-based security mechanisms implemented in a system, by simply manipulating people who have access to the desired system or information [HIN2002].
Figure 2 illustrates how the Social Engineer uses humans to get hold of desired information.

Figure 2 - The Social Engineering approach. The figure contrasts the Social Engineering path (Social Engineer → Employee → Target organization) with the traditional hacker path (Social Engineer → Internet → Firewall → Server).

What the figure above illustrates is that the Social Engineer uses social skills instead of traditional hacking software and hardware in order to gain access to the target organization.

Two different categories of Social Engineering

Social Engineering is mainly divided into two different categories, namely technical or computer based deception, and human interaction based deception.

Background research

Common to both methods, though, is that the Social Engineer performs some kind of background research before initiating the actual attack. There are several ways to conduct background research. One example of such research is to simply walk into the organization’s facilities and read names off the building’s information board. These information tableaus are often quite rich in information on the organization, such as department names and sometimes the names of the heads of department. Such apparently trivial information can often be very useful in the hands of a Social Engineer. Another approach to background research is the not-so-pleasant sounding practice of “dumpster diving”. The term dumpster diving refers to the analysis of the contents of a target’s trashcan. People are not too careful with what they throw away in the trash and there may be many fruitful findings with only minimal risk. Stealing garbage is seldom illegal. [ART2001]

Computer based approach

In the technical or computer based approach to deception the Social Engineer, as the name implies, relies on technology to deceive the victim of the attack into supplying the information needed to fulfill the purpose. This can be performed through the use of fake pop-ups that trick the victim into revealing e.g.
passwords in the belief that it is necessary to re-authenticate in order to remain connected to the organization’s computer network. The authorization information, i.e. the username and password that the user provides, is then sent off to the Social Engineer. With this authentication information the Social Engineer is able to gain access to the organization’s network [GUL2003].

Human based approach

The other approach to Social Engineering is based simply on deception through human interaction. The attack becomes successful by taking advantage of the victim’s ignorance and the natural human inclination to be helpful and liked [GUL2003]. This can be performed through various forms of impersonation. The Social Engineer can, for example, play the role of a repairman, IT-support, a fellow employee, a manager or a trusted third party in order to gain trust and thereby unauthorized access. All of these are common elements in company environments today. Therefore they do not raise any particular attention, which the Social Engineer takes advantage of. [ART2001]

Reverse Social Engineering

Reverse Social Engineering is when the Social Engineer acts as a person in a position of authority to whom employees will turn for help. It is called reverse since it is the victim that initiates the contact and not the Social Engineer. [GAR2001] This approach requires extensive research and preparation in order to succeed, since the Social Engineer needs to create a situation where the victim is forced to contact the Social Engineer to solve the problem. The use of this approach is twofold. Either the Social Engineer performs a direct attack, or uses the situation to establish trust and a good relation to the victim, relations that could be useful in future criminal activities. [GRA2002] The process of a reverse Social Engineering attack consists of three basic steps. All three of these steps are necessary in order to complete a reverse Social Engineering attack.
The three steps are described below.

Sabotage – the first step involves corrupting the target workstation, for example by installing malicious software on it. The purpose of this action is to get the user to believe that there is an actual problem with the workstation, so that the user seeks help to solve this problem.

Marketing – to be certain that the user calls the Social Engineer to seek assistance with the workstation problems, the Social Engineer must advertise the provided services. There are several ways to do this. Placing a business card near the user’s office is one way. Another way of advertising is to place the contact information in the error message generated by the malicious software.

Support – when the Social Engineer has reached this step the main task is to see to it that the user remains unsuspicious towards the Social Engineer. The Social Engineer then helps out with the workstation problems. As mentioned above the Social Engineer has two options. The Social Engineer could either try to get the desired information at once, or try to build a trusted relation with the user for future attacks. The most efficient way is of course to do both.

The process of the Social Engineering attack

Even though Social Engineering can be performed in many different ways, a common pattern has emerged according to Gartner. This pattern can be recognized and it is therefore possible to take proactive measures against it. This pattern is analyzed and divided into four common steps that are performed in a Social Engineering attack. Each step depends on the fulfillment and success of the previous steps; therefore their positions in the process are fixed. Figure 3 shows these steps.

Figure 3 - The Process of Social Engineering attacks [GAR2001]. The figure shows four steps arranged in a cycle:

Information Gathering – The Social Engineer makes use of different techniques in order to gather information about his target. The information is then used to build relations with the target.

Developing Relationship – By developing a relationship, attackers place themselves in a position of trust, which can then be exploited.

Exploitation of Relationship – The attacker exploits the target into revealing information; this information or action can be the end objective or can be used to stage the next attack/phase of attack.

Execution to Achieve Objective – The attacker executes the cycle to achieve the end objective. Often an attack includes a number of these cycles to achieve the end objective.

The iteration arrow in the figure above shows that the process can be repeated a number of times until the attacker has gathered the information needed to perform a more serious attack. In this way the attacker gains enough information about the organization and its employees to be able to, for instance, act as an employee of the organization. In this way the attacker can convince the target to reveal information needed to compromise the organization’s security. [GAR2001]

How to deal with Social Engineering

Today there is no single way to be fully protected against any security threat. This obviously applies to Social Engineering as well. It is even harder to protect yourself against Social Engineering than against, for instance, virus attacks, since a virus has limited ways to execute while a Social Engineer can act in basically endless ways. There are however ways to reduce the possibility of successful Social Engineering attacks. Throughout the literature and articles that discuss different preventive measures against Social Engineering, education and training of employees is often mentioned as the most effective, and sometimes even as the only, protection there is against Social Engineering.
To go as far as to say that it is the only way to cope with the problem is a fairly risky thing to imply; nevertheless one can agree that education is an important area in the battle against Social Engineering. Although the emphasis in this thesis lies on the educational part, it is important to mention other additional countermeasures to put education in its context. The following countermeasures, besides education, are suggested by Malcolm Allen [ALL2001]:

Security policy – The security policy clearly states what is expected from the personnel within an organization. It is important that employees know to what extent they are allowed to give out information.

Good security architecture – The key issue here is to keep it simple so that personnel can concentrate on more important tasks.

Management buy-in – It is important that the management is well aware of what type of security protection is needed and why, in order for efficient protective measures to be taken to counter the risks.

Limit data leakage – To make it hard for the Social Engineer to obtain desired information about a company, it is a good idea to decrease the amount of data available in public, for instance on websites.

Incident response strategy – Clear rules on how to handle information requests are important when stressful situations occur for the employees.

There are other suggestions on countermeasures available throughout the literature and articles that deal with this topic. For example Gartner [GAR2001] suggests that removing humans from the authentication process is the best way to deal with the problems that occur when humans authenticate other humans. The purpose of showing these countermeasures is not to claim that they are somehow best practice. The purpose is to show that other means than education are both available and necessary to be able to cope with the problem of Social Engineering.
Education

There are several different ways of educating employees, all with their own level of effectiveness. It is popular throughout organizations to use combinations of several of the following tools for educational purposes: videos, newsletters, brochures, signs, posters, screensavers, note pads, t-shirts and stickers, to name a few. A problem with the tools that the users see every day is that they become neglected. Therefore they frequently need to be exchanged in order to fulfill their purpose. When educating users one must understand that it is not sufficient just to tell them how they should behave. It is essential that they are aware of the reasons for the education and fully understand why they should behave in a certain way. For effective education it is important that management as well as the rest of the employees fully recognize the educational program. To personalize the security issues, i.e. to show the employees that what they do and how they do it applies not only to their company but also to themselves, can be a very effective educational technique. Authentic stories of Social Engineering attacks, safety tips and informational stories posted on the intranet or in e-mails are one of the best methods for educating employees regarding Social Engineering risks. Furthermore, these stories could effectively be used in security awareness training lessons taught to the employees. Using authentic stories when educating employees increases their resistance to Social Engineering exploits. [ART2001] It is necessary that the security practices and procedures of an organization are taught and emphasized to the employees if they are supposed to have a significant effect. To print and publish the organization’s security procedures and assume that the employees will read and understand them is a bit naive. The security procedure and practice training should be taught to every new employee and repeated periodically.
Repeatedly training the employees is important to keep their Social Engineering awareness at a high level. An internal website dedicated to security information is a good way to keep the employees informed and educated. [TIM2001] Social Engineers are well aware that low-level employees and employees with low company morale are more susceptible to a Social Engineering attack, and thus they are easy targets for information revealing. But since Social Engineers can attack any employee for information, all employees should be concerned with methods of attack and be aware of who to trust when a problem occurs. Team-building is an important instrument to increase these employees’ engagement in computer and organizational security in a holistic sense. [NEL2001] Lack of security is seldom the reason for successful Social Engineering attacks, nor are stupid or naïve users. The reason is simply that the users are human. It is not just the help desk employees that can fall victim to the deceitful Social Engineers; people at all levels of the enterprise can be deceived into compliance with the intentions of the Social Engineer, resulting in violations of the security policy and procedures. The assumption that anyone could be immune to Social Engineering attacks is a bad one to make [GAR2001]. Current research in social psychology demonstrates that security awareness training alone will not equip employees to resist the persuasion of a Social Engineer. A defense against Social Engineering must take into account what is known about the psychology of persuasion and develop that knowledge to understand the persuasive attack and the dynamics of building resistance. [GRA2002]

2.2 Psychological factors of persuasion

As stated in the introduction, the Social Engineer uses influence and persuasion to deceive people in order to get hold of information.
Therefore a solid defence against Social Engineering must take into account what is known about the psychology of persuasion to be able to cope with the phenomenon. Dr. Robert Cialdini’s [CIA2001] work in the study of persuasion is used as the ground for the scenarios. Cialdini has earned an international reputation as an expert in the study of persuasion and he has performed over 30 years of research in the subject. He has found that there are six basic psychological principles that direct human behaviour. Each of these principles is explained in this chapter.

2.2.1 Reciprocation

One of the most effective weapons of influence is the rule of reciprocation. The rule of reciprocation says that we should repay in kind what another person gives us. After we have been given a gift or been offered a favor we feel obliged to return it. The rule is very widespread and research shows that it exists in all human cultures. The rule was important in human social evolution; it meant that an individual had the possibility to, for example, give food, energy or care to another individual knowing that the gift was not wasted. It made it possible for sophisticated and coordinated systems of aid, defense and trade to develop, which brought important benefits to those societies that possessed them. The rule is effective because it is so deeply rooted in our society. We have all been brought up to live up to the rule and we are all fully aware of the sanctions applied to those not living up to it. Nobody likes a person who takes and gives nothing in return. According to Cialdini, an experiment conducted by psychologist Dennis Regan in 1971 shows how the rule of reciprocation can be used as an effective weapon of influence. A number of test persons were called in to rate the quality of some paintings along with another man (who was Dr. Regan’s assistant). During the evaluation process some of the test persons were offered a simple favor, in the form of a Coke, by the assistant and some were not.
After the evaluation the assistant asked the test persons if they wanted to buy a raffle ticket. Not surprisingly, the study shows that the test persons who had received the assistant’s earlier favor bought twice as many raffle tickets as those who had not been given a Coke. The rule of reciprocation is very powerful and a small first favor can often generate larger return favors. The reason for this is that most of us find it highly unpleasant to be in a position of indebtedness. We do not like to be in a state of obligation; it is a heavy burden on our shoulders and demands to be removed. There is another reason as well: a person who violates the rule is disliked by our society. Remember that nobody likes a person who takes and makes no effort to give anything in return. A skillful exploiter of the reciprocation rule knows this and can use it to create obligations that serve evil purposes. There is another way in which the rule of reciprocation can be used to get somebody to comply with a request. A person also feels an obligation to make a concession to someone who has made a concession earlier.

Rejection-then-retreat

Imagine a person who wants another person to agree to a certain request. To increase the chances of success the deceiver starts with a larger request, one that the deceiver is certain the other person most likely will not agree upon. After the first request has been denied the deceiver then makes a smaller request, the actual one. If the request was delivered correctly the other person will see the second request as a concession and thereby most likely feel inclined to respond with a concession of their own. This is illustrated by an experiment conducted by a group of psychological scientists (Cialdini, Vincent, Lewis, Catalan, Wheeler & Darby, 1975). A group of college students were asked if they, without payment, would like to take a group of juvenile delinquents on a day trip to the zoo.
This unpleasant task of being responsible for a group of juvenile delinquents was refused by 83 percent. Another group of students got the same question, but only after first being presented with an even more unpleasant request. This even worse request was to spend two hours per week as counselors to juvenile delinquents for a minimum of two years. All the asked students refused this demanding request; the students then got the smaller request to take the delinquents on the zoo trip. After being presented with the larger request first, three times as many of the students agreed to take the juvenile delinquents on the zoo trip.

The defense

To be able to defend against reciprocation it is important to understand that the requester who uses the reciprocation rule is not the enemy – it is the rule that is the enemy. The simplest form of defense is to reject all initial requests or concessions one might be confronted with. This defense does not work in the long run. One would then miss the benefits of all legitimate favors or concessions offered by individuals with no intention of exploiting the reciprocation rule. The secret to avoiding the traps of reciprocation is to identify the intention behind the request or concession; is it a normal favor or is it a compliance tactic? If we find out that a request or concession presented to us is being used as a compliance device against us, the giver no longer has the advantage of the reciprocation rule. The rule of reciprocation says that favors are to be met with favors, but it does not demand that tricks should be met with favors.

2.2.2 Commitment and consistency

Psychologists have for a long time been aware of how effective the consistency principle is in directing human action. The principle says that after making a choice or taking a stand for something, we will encounter personal and interpersonal pressures to behave consistently with that commitment.
This, as well as the other weapons of influence, lies deep within us. It is a valued quality of humans to act consistently in most situations. The person whose beliefs, words and deeds do not correspond is regarded as a confused or even two-faced individual, while a person who shows consistency in their way of living is seen as a person who possesses great personal strength and intellect. Another reason why consistency is an attractive property for people is that it offers a shortcut through the complexities of our modern life. Consistent behavior makes it possible for us to save mental energy by not making tough decisions every day. We do not have to evaluate the large amount of information we encounter every day in order to make the right decisions. All we need to say, do or believe is whatever is consistent with our earlier decisions. The human tendency to be consistent is so strong that it can be used to compel us to do things that we normally would not do. Our inclination to consistency can be exploited in order to make us respond to requests without thinking. The following experiment, conducted by psychologists Jonathan Freedman and Scott Fraser, shows how this weapon of influence can be used to manipulate people. The experiment uses the tactic of starting with a little request to gain compliance with a later, larger request. Two groups of homeowners were presented with the preposterous request of allowing a public-service billboard to be installed on their front lawns. To show them the idea they were presented with a picture of an elegant house with a very large and badly lettered sign reading “drive carefully” placed on the front lawn. The first group of homeowners was not manipulated by any weapon of influence and therefore only 17 percent complied with the request. The second group however was manipulated by the tactic of starting with a minor request. Two weeks earlier they had made a small commitment to driver safety.
They had been presented with a minor request to display a three-inch sign reading “be a safe driver”. This trivial request was accepted by nearly everybody in the test group, but it had an enormous effect on the acceptance of the bigger request they were to be presented with two weeks later. 76 percent of the homeowners in the second group accepted the larger request of displaying the large sign on their front lawn.

The defense

The defense against this weapon of influence is to be aware that our tendency to be automatically and unthinkingly consistent can be exploited by others for their profit. To have a sensible nose for when consistency might lead to a poor decision is a way out of the danger. Another defense mechanism is of a more subjective kind. It is simply to listen to the gut feeling. When realizing that you have been trapped into a request you do not want to perform, a gut feeling occurs. In this situation an effective way out is to explain to the requester that we have seen through the attempt to make us accept a request we do not want to accept. In situations when it is not clear if the initial request is evil-minded, the signals from our stomachs might not occur. The solution then is to ask the question: “Knowing what I know now, if I could go back in time, would I make the same choice?” Consequently, having accepted the first minor request and now being confronted with a second larger request, is there possibly a manipulation attempt going on? The answer to the question might appear as the first feeling we encounter after asking ourselves this question.

2.2.3 Social proof

The principle of social proof can be used as an effective weapon of influence. The principle says that in a given situation we look at the behavior of others to find out what to do. When a lot of people are doing the same thing it is generally the right thing to do.
Just like the other weapons of influence, the principle of social proof offers us a practical shortcut through the complexity of our everyday life. But we need to be observant since it also makes us vulnerable to attacks using the principle of social proof. The principle of social proof is most effective and influential under two specific conditions. The first is uncertainty: when finding ourselves in a state of uncertainty we are more likely to look at the behavior of others to find out what to do. The second circumstance under which social proof is more influential is similarity. People are more prone to follow the behavior of others when the other people are similar to themselves. Another important characteristic of the principle of social proof is that it works best when the proof is provided by the actions of many other people. The efficiency of the principle of social proof shows in the following simple experiment conducted by Milgram, Bickman & Berkowitz. They simply let one person stand on a busy sidewalk and stare at the sky for one minute. Not much happened when only one person stared at the sky. The following day a group of five persons returned to the same spot and started staring at the sky. Within a minute a crowd of pedestrians joined the group and started looking up at the sky. The principle of social proof also generates another phenomenon called pluralistic ignorance, which is the state when each person in a group decides that, since nobody is concerned or taking action, nothing can be wrong in a specific situation. A study conducted by Darley & Latané shows the effects of pluralistic ignorance. The idea was to set up a pretended emergency situation, which was to be observed by a single observer or by a group of people. The emergency situation consisted of having a person appear to have an epileptic seizure.
The scientists were then to find out if there was any difference in the help frequency between single observers and groups. The result from this study was that the victim received help 85 percent of the time when there was a single person present. When a group of five persons was present the victim only received help 31 percent of the time. The pluralistic ignorance effect also appears to be strongest in a group of strangers.

The defense

One way to defend against the pressures from the principle of social proof is to be sensitive in situations where the principle is being used. Revealing situations where the social proof is evidently manufactured by exploiters, in order to manipulate us to behave in the way they want us to, can save us from situations where the principle is being used as a weapon. Another defense mechanism, in addition to the above mentioned, for situations where the principle is being used as a weapon is to take a quick glance at the situation before deciding which action to take. Try to look at the objective facts, and use prior experiences or own judgments of similar situations, when deciding what to do. Not letting the actions of others be the only basis for which decision to make can help us out of situations where the principle of social proof is being used as a weapon of influence.

2.2.4 Liking

A person is more likely to accept a request if somebody likeable is presenting it. In simple terms, the rule of liking says that people prefer to say yes to individuals they know and like. Exploiters who for various reasons might want somebody to comply with their requests can also use the liking rule to increase their odds of succeeding. By manipulating the person to like the exploiter, the exploiter gets in a good position for succeeding with the request. Researchers have found several factors that influence liking. It has been proven in various studies that physical attractiveness is a factor.
Generally, attractive people are better liked, more persuasive and more frequently helped. Another factor that influences liking is similarity; we simply like people who are similar to us. Similarity can be in different areas such as opinions, background, personality traits or lifestyle. One study on insurance sales shows that people were more likely to buy insurance when the sales person was like them in age, politics, religion and cigarette smoking habits. Similarity is an effective factor for increasing liking, and people typically underestimate the degree to which similarity affects their liking for another. Praise is another factor that increases liking. An experiment on a group of men conducted by Drachman, deCarufel & Insko shows the efficiency of praise. The participants in the study received comments about themselves from a person who wanted a favor from them. Some of the participants received only positive comments, others got a mixture of good and bad, and some got only negative comments. The result of the study shows that the person who provided only praise was the man who was most liked by the participants. This was true even when the men fully understood that the man obtained benefits by delivering praise in order to increase their liking of him, since he wanted a favor from the participants. Finally the study showed that positive comments generated just as much liking for the flatterer when they were untrue as when they were true. There is a natural human tendency to dislike a person who brings unpleasant news even when that person did not cause it. By associating themselves with good things people can influence how we feel about them and thereby increase the chances of succeeding with a request. The last technique to increase liking is to make use of the fact that people like things that are familiar to them.
Familiarity affects liking in an unconscious way; often we do not realize that our attitude towards something has been influenced by the number of times we have been exposed to it earlier.

The defense

Since there are so many ways of increasing liking, the defense against liking as a weapon of influence must be of a general kind. It is difficult to mobilize a specific defense against each of the many ways there are to increase liking. In order to defend against liking as a weapon of influence we must analyze the situation when a request is made. In the contact with a requester it is necessary to be sensitive to how we feel about the person to avoid being exploited by the liking weapon. If the feeling is that we like the requester more than we should under the circumstances, we should be aware that some kind of compliance tactic might be in use. By mentally separating the requester from the request and analyzing the offer solely on the facts, with no concern for the requester, it is possible to avoid being manipulated by the liking weapon.

2.2.5 Authority

The power of authority pressure has been shown to be a very powerful weapon of influence. The Milgram study of 1974 is a well known experiment that confirms this. In the Milgram study participants were given a teacher role with the task of delivering increasing, high voltage shocks to a learner when the latter gave the wrong answer to a series of questions. The purpose of this experiment involved the question: When it is their job, how much suffering will ordinary people be willing to inflict on an entirely innocent other person? The unsettling answer to this question was that the majority of the subjects handed out the maximum voltage shock (450 volts) before the researcher ended the experiment. Important to mention is that there were no actual shocks given to the learner; however, the subjects did not know this.
Milgram’s conclusion from the rather scary results was that the subjects’ inability to defy the wishes of the lab-coated researcher had to do with obedience to authority. Milgram’s basic procedure has been repeated in Holland, Germany, Spain, Italy, Australia and Jordan with similar results. A conclusion of this story is that the correctness of an action was not judged by such considerations as apparent irrationality, harmfulness, injustice or usual moral standards, but by the mere command of a higher authority. Obedience to authority is mostly rewarding and therefore it is natural to comply with the dictates of authority figures; their positions speak of greater access to information and power. It is convenient to allow oneself automatic obedience. This kind of mechanical obedience mostly leads to appropriate actions, but sooner or later conspicuous exceptions due to this mechanical behavior will occur. People, when reacting in mechanical ways to authority, are often as vulnerable to the symbols of authority as to its substance. This is something that is often exploited by con artists who drape themselves with the titles, clothes and trappings of authority. They know that their chance of compliance is far greater when they are draped with these symbols of authority.

The defense

To defend against the power of authority influence we can ask two questions: Is this authority truly an expert? How truthful can we expect this expert to be? The purpose of the first question is to direct our immediate attention away from the symbols of authority and towards the evidence for authority status. The second question advises us to consider not just the expert’s knowledge in the situation but also the trustworthiness. With regard to this second consideration, we should be alert to the trust-enhancing tactic in which communicators first provide some mildly negative information about themselves.
Through this strategy they can create a perception of honesty that makes all subsequent information seem more credible to observers.

2.2.6 Scarcity

The last of Cialdini's psychological principles of persuasion is the scarcity principle. The principle states that we tend to assign more value to things or opportunities that are difficult for us to get hold of. An apparent example of how the principle works is how a customer reacts when informed that a product of interest is in short supply and it will not take long until the product is completely sold out: the customer buys the product. This "limited number" tactic is very effective and is used by many salespersons every day. The scarcity principle also works through the "deadline" tactic, where for instance a sales person states that an offer is only valid for a short period of time. The intention is to keep the customer from taking the time to think the deal over and to force the customer into a hasty decision that ends with the customer buying the product. The power of the scarcity principle also comes from the fact that when opportunities become less available to us we lose freedoms, and we do not like losing the freedoms we already have. This is the core of the psychological reactance theory developed by psychologist Jack Brehm. This theory states that whenever our free choice is limited or threatened (by increasing scarcity of an item) our need to preserve our freedom makes us want the item significantly more than before. The scarcity principle also states that we tend to see things that have recently become more difficult to obtain as more valuable than things that have been difficult to obtain for a long period of time. Another factor that increases the power of the scarcity principle is when it is combined with an element of competition. We are more attracted to scarce items when we compete with others for them. A lot of research has been done on the scarcity principle.
One example is a study done by West in 1975 where university students were asked how they liked the food in a certain campus cafeteria; the quality of the food was rated unsatisfactory. This however changed in a second survey, without any changes in the production of the food. After the students were informed that the cafeteria could not serve food for the next two weeks, they ranked the food in the cafeteria much higher.

The defense

It is not easy to defend against the forces of the scarcity principle since its pressures have an emotion-arousing quality that can make thinking difficult. The defense must be an awareness of the feeling of excitement in situations where we are confronted with an offer involving scarcity. When we notice this excitement we need to calm down, think the situation over and base the decision on why we want the offer. It is important to remember that scarce things do not perform, taste or sound better because they are in short supply or need to be bought immediately.

2.3 Scenario Based Learning

Two approaches for designing scenarios for educational purposes are described. The reason for this is that the two approaches do not rule each other out but rather complement each other. The first approach addresses the more practical issues related to each step in the scenario development process, while the second is on a more conceptual level but with elements of practicalities.

Introduction

Scenario based learning is a learning approach based on the principle that learning occurs in a context, situation or social framework. The basis for this approach is the theory of situated cognition. Situated cognition implies that knowledge is dependent on its context in order to be known and entirely understood. Learning takes place as we immerse ourselves in situations where we are forced to perform.
The response we get from our environment is used to fine-tune our behavior pattern. This is all executed so rapidly and on such an unconscious level that we are not even aware of the fact that we are participating in a learning progression. Consequently it is not uncommon that we find it hard to describe how and why we are engaged in a specific behavior. Nevertheless we can, through the process of practice, repeat the behavior with increasing skill [KIN2002]. In order for the learner to experience and respond to a challenging situation, scenario based learning incorporates the use of authentic stories. It is important that the situation presented to the learner is one that is likely to occur in the professional role. Furthermore it should provide the learner with issues, challenges, dilemmas and choices that they are likely to encounter in practice. This shows how scenario based learning uses interaction, placed in a context, to generate knowledge and skills. In scenario based learning the processes of analyzing, identifying issues, solving problems and finally formulating strategies are some of the areas the learner has to master. The learner's level of preparedness for handling real life situations increases dramatically with the amount of practice they receive. It is assumed that the practice environment is similar to the situations they are likely to encounter in the real world [ROT].

First approach, practical level - Scenario outline

When designing scenarios it is appropriate to start with the process of identifying the issues and learning objectives. The learning objectives and the related issues can preferably be identified through brainstorming meetings. When the learning objectives and issues are identified, the process of establishing suitable techniques for building scenarios, and where to use them, can be carried out. It is important to establish clear boundaries for the scenarios.
The boundaries can be established by using behavior based learning objectives instead of knowledge based learning objectives. The behavior based learning objectives can be seen as performance objectives. After establishing the boundaries, a discussion on the content, style and media of the scenario should follow. The participants should address, discuss and determine the following areas: the events in the scenario, the learning outcomes, the best way to achieve the learning outcomes, indications of successful outcomes, strategies towards the desired outcomes, and finally the performance behavior for successful and unsuccessful outcomes related to the stated strategies. When the content is decided upon the participants should examine the look, feel and flow of the scenario. With the scenario content decided, a story board with a general beginning and end should be created, keeping the scenario boundaries discussed earlier in mind. In order to decide the data needs and the various scenario paths the scenario should be acted out iteratively. It is important to keep records and flow scripts at this stage of the scenario development. A decision on which medium is most suitable for implementing the scenario is yet to be made before finishing step one [KIN2002].

Scenario design

When step one is completed the actual programming of the scenario can begin. Several different techniques can be used to illustrate the scenario. The most common simple techniques are animated GIFs, Macromedia Flash and digital video. Scenarios are most effective when illustrated with advanced interactive media and when they have a game-like appearance. Throughout the programming process the most important issue is to follow the story board created in the previous step. Learning takes place by following success and failure paths through the realistic scenario.
To stress the main learning objective it is recommended to narrow down the optional paths for the learner. Otherwise there is a risk of too complex and unmanageable scenarios. The goal is to design a scenario where the learner perceives the correct responses as the way to behave in order to achieve the learning outcomes. In order to make this possible the learner must feel involved in the situation of the scenario, and a reward of progress in the scenario is given every time the behavior is correct, i.e. when the correct answer is given to a specific question in a specific situation in the scenario. One should never forget to be creative when designing and deciding upon the visual appearance of the information presented in the scenarios [KIN2002].

Second approach, conceptual level

The figure illustrates the work steps and the iterative process that takes place during the scenario development process. While developing a scenario it is important to reflect upon and refine the different scenario components to make sure that they link well with each other and that they focus on and address all of the identified learning objectives.

[Figure 4 – Scenario Development Process [ROT]. The figure shows the components Learning outcomes, Scenario (Experience), Learning Resource, Feedback and Learning Activities, linked by the questions: What do we expect participants to learn? What learning situation should they be exposed to? What should the participants do to achieve these learning outcomes? How can we determine whether they have achieved the outcomes?]

The Learning outcomes

To be able to establish the learning outcomes it is necessary to specify the area for which we are preparing the learners. In order to pinpoint what competence might be required from the learners in both the long and the short term, it is important to understand the situations for which we are preparing the learners. Then a decision can be made on what the learner should be able to accomplish after completing the learning session [ROT].
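As an added illustration (not the thesis prototype, which is presented in the appendices), the following Python sketch encodes the design points of the scenario design step: a story board as a small graph of nodes and choices, a boundary check that every path terminates and no node offers more than a few options, and a play routine that rewards each correct behavior. The scenario content (a caller posing as IT support who asks for a software installation) is constructed for this example and the class and function names are my own.

```python
"""Minimal branching-scenario engine, written for this page as an example of
the scenario design step (story board, success/failure paths, narrowed
options, progress reward on correct behaviour). It is not the thesis
prototype. The scenario content below is constructed for the example."""
from dataclasses import dataclass, field


@dataclass
class Choice:
    text: str
    next_node: str   # id of the node this choice leads to
    correct: bool    # whether this is the behaviour the scenario rewards
    feedback: str    # shown to the learner after choosing


@dataclass
class Node:
    prompt: str
    principle: str = ""   # persuasion principle the node addresses
    choices: list = field(default_factory=list)   # empty list = end of path


@dataclass
class Scenario:
    nodes: dict
    start: str
    max_choices: int = 3   # boundary: keep the option set narrow

    def validate(self):
        """Check the story board boundaries: every choice points at an
        existing node, no node offers more than max_choices options and no
        path loops forever. Returns a list of problems (empty if OK)."""
        problems = []
        for nid, node in self.nodes.items():
            if len(node.choices) > self.max_choices:
                problems.append(f"{nid}: too many choices")
            for c in node.choices:
                if c.next_node not in self.nodes:
                    problems.append(f"{nid}: dangling link to {c.next_node}")

        def walk(nid, stack):
            # depth-first walk; a node already on the current path is a cycle
            if nid in stack:
                problems.append(f"cycle through {nid}")
                return
            for c in self.nodes[nid].choices:
                if c.next_node in self.nodes:
                    walk(c.next_node, stack | {nid})

        walk(self.start, frozenset())
        return problems

    def play(self, answers):
        """Walk the scenario with a list of choice indexes (the learner's
        answers). Returns (score, feedback lines); the score counts correct
        behaviours, i.e. the progress reward. Stops at an end node."""
        score, log, nid = 0, [], self.start
        for idx in answers:
            node = self.nodes[nid]
            if not node.choices:
                break
            choice = node.choices[idx]
            if choice.correct:
                score += 1
            log.append(f"[{node.principle}] {choice.feedback}")
            nid = choice.next_node
        return score, log


# Constructed example content for the authority principle: a caller claiming
# to be IT support asks the learner to install a program.
AUTHORITY_SCENARIO = Scenario(
    start="call",
    nodes={
        "call": Node(
            "A caller says he is from IT support and asks you to install a "
            "program he will send by e-mail.",
            principle="authority",
            choices=[
                Choice("Install it, IT support knows best.", "installed", False,
                       "A title was accepted as proof of authority. "
                       "Ask: is this person truly who he claims to be?"),
                Choice("Say you will check with your manager first.", "checked", True,
                       "Correct: verify the authority claim through a known channel."),
            ]),
        "installed": Node("The program turns out to contain a spy program.",
                          principle="authority"),
        "checked": Node("Your manager confirms that no installation was planned.",
                        principle="authority"),
    },
)

if __name__ == "__main__":
    print(AUTHORITY_SCENARIO.validate())
    print(AUTHORITY_SCENARIO.play([1]))
```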
Scenarios can be developed from real life experiences or fictitious ones, regardless of which area of learning you choose. It is not unusual that one chosen situation can be used to educate in several other learning areas as well. Therefore it is a good idea to have this in mind before deciding upon a particular situation to form a scenario around, if it is desired to cover multiple learning areas in one single situation. One example of such a situation is that a detailed description of a cellular phone manufacturer in Sweden can be used to generate competence in a variety of areas, for instance organization, marketing, corporate culture, work procedures etc. [ROT]. As a consequence, it is important that the following issues are addressed when developing the learning outcomes. The knowledge the learners are expected to have achieved after completion of the learning activities should be written down in the form of dynamic descriptions. The basis of the learning outcomes should be the situations for which we are preparing the learners. To make sure that the learners achieve the expected level of knowledge it is important to consider the time aspects. Learners should be given the time necessary to achieve the specific learning outcome.

Designing the Learning Scenario Activities

In order for the students to become actively involved in the scenario, and thereby experience the situation, learning activities that enable this are developed. The learning activities should require the learner to take action instead of taking a passive role. Therefore, design the learning activities so that they become as interactive as they can be. Situations that offer the same activities that the learners would perform in real life, for instance decision making, problem solving and planning, should be reflected in the learning activities. The learning activities should be developed with regard to whether the learners are to work individually or in groups.
To summarize, these are important areas to consider when developing the learning activities according to [ROT]:

- The learning activities must enable the learners to focus on the main learning outcomes.
- An authentic situation should be presented in the learning activities to allow the learners to experience the situation and make use of their analytical and problem solving skills.
- The learning activities should be designed with consideration of whether the learners are to work individually or in groups.
- Consider whether the developed education material is to be used exclusively for e-learning, for face-to-face learning, or a mixture of both.
- Teaching instructions may be appropriate as a complement to help the educators provide information for the students.

Developing the Scenarios

When the learning outcomes have been decided upon it is time to start working with the scenario. The first step in developing a scenario is to pick a specific incident or situation that is similar to the situation the learners are to increase their knowledge about. Imagined situations need to be developed so that they seem realistic to the learner. Well-developed scenarios give the learners the feeling that they have actually experienced the situation in the scenario themselves. The situation should give the learner the ability to make decisions and take actions. They need to encounter the same circumstances that they will meet in their work environment. The scenario needs to capture the complexity of real life situations, i.e. multiple choices in different situations. The scenario needs to be developed so that it encourages the learners to analyze situations, make decisions, plan actions and solve problems. It is necessary to identify the key information and actors that are to participate in the scenario. This does not imply that the scenarios should be lengthy.
On the contrary, a shorter scenario is more likely to hold the learner's attention through the whole scenario. These are the key points to consider when developing scenarios [ROT]:

- A scenario should be developed from a real life or imagined event.
- It should focus on an individual, a program or a situation.
- It should be written clearly and as briefly as possible.
- It should be vibrant, realistic and interesting.
- It should be sufficiently complex but not overwhelming.
- It needs to capture the attention of the reader and draw them into the story so that they can experience it.
- It needs to tease out the key information and players in the situation to develop the scene.
- It should highlight the complexity of a situation.
- It should enable students to feel that they have experienced the situation.
- It needs to be relevant to the learning outcomes.
- It needs to ensure that key information is included in the story to "trigger" the students to address the learning outcomes.

3. Scenario development

For the development and design of the scenarios a combination of the two scenario development approaches presented in the theory chapter is used. In general both approaches are used, but on different abstraction levels. The scenarios will be designed on the basis of the following main steps, combined from the two approaches of scenario development discussed in chapter 2.3.

Deciding on area of learning – To be able to continue with the process this must be decided first. It would be impossible to design a scenario without knowing what to educate about.

Deciding the learning outcomes – It must be clear what the learners should have achieved after completing the scenario. It is important that non-relevant learning areas are removed, to avoid confusing the learner with issues that are unimportant for the learning situation.
Create the scenario situation – There is now enough information about the direction in which the scenario development is heading to be able to come up with the most suitable situation, authentic or imagined, to fit the specific learning area.

Set boundaries – Knowing the rough outline of the scenario, boundaries can be set in order to keep the size and complexity of the scenario manageable. It is important to remember what the learning outcomes are when setting boundaries.

Deciding on learning activities – It is appropriate to perform this step as early as possible in the scenario design process to avoid mental barriers due to technological limitations etc. The learning objectives should be in focus when deciding the learning activities.

Creating a storyboard – Knowing the content and boundaries, creating a storyboard is a good way of getting an outlet for creativity, since a storyboard is not limited by technical restrictions.

Deciding on media format – This step is placed at the end of the design process so that it will not restrain the much needed creativity and the outcome of the storyboard.

Begin the implementation process – All the necessary information is now gathered and it is time to turn the mental model into a realization.

The picture below illustrates the scenario development process used for constructing the scenario prototypes. The development process is split up into two parts, namely the "what" and the "how". The "what" covers important issues that should be considered before moving on with the more practical parts, the "how".

[Figure 5 – Prototype Development Process. "What": Area of Learning, Learning Outcomes, Create Scenario Situation, Boundaries. "How": Learning Activities, Storyboards, Deciding Media Format, Implementation Process.]

3.1 General learning outcomes

Since the area of learning in each of the six scenarios concerns one of the factors for persuasion (see Ch.
2.3) and that they are all related to Social Engineering (see Ch. 2.1), identification and justification of the learning outcomes on a general level is necessary before the actual scenario construction takes place. Three main learning outcome areas were identified:

1. The learner should be aware of how each principle works. It is necessary to know the psychology of persuasion when defending against Social Engineering, as mentioned in Ch. 2.1.

2. The learner should also be aware of how each principle can be exploited by a Social Engineer. As stated in Ch. 2.1, it is important to know in what way a Social Engineer can exploit these principles in order to be aware of whom to trust and what to defend against.

3. Finally the learner should be taught how to avoid being deceived by a Social Engineer exploiting one or several of these principles. It is essential to know how to avoid being deceived in order to be protected against Social Engineering attacks, since Social Engineering is all about deceiving people (see Ch. 2.1).

3.2 Scenario development, storyboards and implementation

The results of the scenario creation, the storyboard development and the implementation of the HiFi-prototypes of the scenarios are presented in Appendix 1 – Scenario development, Appendix 2 – Storyboards, and Appendix 3 – HiFi-prototypes. The reason for putting these parts in appendices is that they have a repetitive character and make for quite monotonous reading. Still, they present an important part of the thesis.

4. Alternative educational approach - lectures

As stated in 1.3, the objective of this thesis is "to develop an efficient educational method". To be able to measure the degree of efficiency an alternative approach is needed for comparison. One approach suitable for this comparison was found at a Swedish manufacturer, who wishes to remain anonymous.
More specifically, the approach found is currently used at the central distribution warehouse of this company, which has approximately 350 employees. The management at this central distribution warehouse refers to this particular approach as the informal method. However, it is referred to as lectures in this thesis.

4.1 The alternative approach

The alternative approach is used when educating employees in general information security issues, such as routines for dispatching information, and in situations when all employees need to be informed at the same time. Such an occasion could be when a new product or model is about to be released and the employees need to take extra precautions in their information handling routines. When such an occasion occurs the employees are gathered in the dining facilities and the chief information officer gives an oral presentation of the security issue and of how the employees should act. The informal meeting usually lasts between 20 and 40 minutes.

4.2 The alternative approach applied

The original alternative approach is used to educate a large number of employees at a time, whereas the comparison test is aimed at educating one person at a time. This is necessary to make it possible to conduct a test with the learner after the lesson without the risk that the learner has been influenced by others during the educational process, combined with the fact that the scenario based approach is designed to be performed on one person at a time. Therefore there is no need for PowerPoint presentations or other presentation tools. When applying the lectures the educator uses an information sheet (see 4.2.1) with information on how a Social Engineer performs the attacks and what can be done to reduce the risk of an attack. The educator then gives an oral lecture to the learner. No information about the psychological factors of persuasion is presented to the learner in the alternative approach.
The learning session takes approximately 5-10 minutes to perform. The learner has the opportunity to ask questions during the lecture if there is something that is not fully understood. The contents of the alternative approach are divided into two parts: the first part contains general information about the phenomenon of Social Engineering, the second part is more detailed information about how the Social Engineer works and how one can protect against Social Engineering.

4.2.1 Educational contents

The following information is presented to the test subjects in the interview situation.

How the Social Engineer works

A Social Engineer uses persuasion in order to deceive people, with the purpose of obtaining information he desires. The Social Engineer can operate from two different approaches, namely technical/computer based deception or human interaction based deception. An example of the technical/computer based approach could be when the Social Engineer uses fake pop-ups (windows that ask for user input) with such a genuine appearance that the user believes they are authentic and is thereby tricked into revealing information. The human based approach on the other hand involves direct face to face contact between the Social Engineer and the victim. An example of the human based approach is when the Social Engineer plays the role of a repairman, IT-support, a fellow employee, a manager or a trusted third party to trick the victim into revealing desirable information. When, on the other hand, the victim contacts the Social Engineer it is called reversed Social Engineering. The Social Engineer creates a situation where the victim is forced to contact the Social Engineer. An example of this is when the victim gets a computer related problem (created by the Social Engineer) and is forced to call for help.
The Social Engineer has prepared for this by placing contact information in the error message generated by the malicious software that caused the initial problem. The Social Engineer's course of action can be divided into four steps. Information gathering is where information about the target is collected, to be used for building a relationship with the target, for example finding out the telephone number of the victim. Development of relationship is the step where the Social Engineer gets the victim to trust him, for example by helping the victim with something. Exploitation of relationship is when the Social Engineer exploits the established relationship, for example by tricking the victim into believing that it is necessary to reveal the password. The final step is execution to achieve the objective. That is when the Social Engineer uses the obtained information to fulfill the end objective, for example by using the password to log in and steal information.

How to protect against Social Engineering

Social Engineering differs from other security threats in the sense that in this case it is the human that is the target of the attacks. Since Social Engineers use deception as their main tool it is important to be observant when giving out information. Since the Social Engineer often impersonates others in order to deceive the victim, it is very important to authenticate the receiver of the information. The Social Engineer is not as predictable as, for instance, a virus outbreak, which you can be prepared against to a certain degree. Therefore it is important to always keep in mind that the Social Engineer can strike at any time without any forewarning.

5. Interview results and analysis

In the analysis of the interviews, relevant general statements made by the subjects in each of the two groups are extracted.
These statements have then been analyzed and related to the psychological factor they refer to. There are a total of twelve interviews, six for the alternative approach and six for the scenario method. The answers are structured in 5.1 and analyzed in 5.2. The focus is to find fragments in the interview answers that present evidence of comprehension of the studied phenomenon. The interview results as a whole are presented in Appendix 4.

5.1 Structuring interview answers

The answers from the interviews are split up, structured and categorized according to similarities. The answers from the subjects in the alternative approach group are presented in 5.1.1 and the answers from the scenario method group are presented in 5.1.2. Phrases that are similar in meaning, albeit not word by word, are grouped under a common statement to facilitate the interpretation process.

5.1.1 Alternative approach

How does a Social Engineer operate? (statement – subject nr)

- The Social Engineer contacts the person he wants information from. – 1, 2, 3, 4, 6
- He claims to be someone he is not in order to get desired information. – 1, 4, 5, 6
- The Social Engineer is nice and helpful. – 1
- The Social Engineer creates problems on the computer (virus etc.). – 1, 3, 4, 5
  - Reversed Social Engineering – 5
- The Social Engineer builds trust with the victims. – 3, 6
- The Social Engineer uses different steps to achieve the goals. – 2, 3
  - Collecting information, fulfillment – 3
- The Social Engineer can also use technical approaches to get information. – 6

How can you protect against a Social Engineer?

- Check the identity of people.
  - Be critical towards people you hand out information to.
- Contact someone in the company to help you with your computer.
- Use common sense.
- Never fill out stupid forms on the Internet.
- Never write down your password.
- You should be careful with what kind of information you hand out.
  - Do not hand out personal stuff.
- Stay on guard, consciousness.
- Do not use a new repairman.

Subject nr (in the order of the table rows): 1, 4, 5, 6; 2, 3; 1; 1; 1; 1; 2, 4, 6; 3; 3, 4, 5

5.1.2 Scenario method

How does a Social Engineer operate? (statement – subject nr)

- The Social Engineer contacts the person he wants information from. – 7, 8, 9, 10, 12
- The Social Engineer claims to be someone he is not. – 7, 8, 9, 10, 11, 12
- Tricks the victim into making hasty decisions. – 7, 12
- Offers something the victim cannot resist. – 9, 10, 11
- The Social Engineer can create a problem on the victim's computer that he later on offers to fix (Reversed Social Engineering). – 7, 9, 10
- Offers a service and claims a favor in return. – 8, 9
- Getting access to the victim's computer (and doing mean stuff). – 8, 9
- The Social Engineer gets the victim to like him and exploits this. – 9, 10, 11, 12
- The Social Engineer can also make the victim agree with him in some matter and then use it later in the conversation, since you want to stick to your standpoint even though it might not be in compliance with the security policy. – 9
- The Social Engineer can sound very convincing about a certain issue, e.g. that all personnel in the organization are doing this thing and you should too. – 10
- The Social Engineer can ask you to install, or download and install, particular software; the software can contain a spy program. – 10

How can you protect against a Social Engineer? (statement – subject nr)

- One should question the identity of (authority) people whom you do not recognize. – 7, 8, 9, 10, 11, 12
- Double check with your manager if there is something that is supposed to be installed on the computers. – 7, 12
- Never hand out passwords or other secret stuff. – 7, 9, 10
- Always think twice in stressed situations so that you do not make any hasty decisions. – 7, 9, 11, 12
- One should remain critical and not fall for things people say. – 8
- Personally deliver documents when possible. – 7
- Never let anybody you do not know borrow your computer. – 7
- Never feel obliged to return kindness and favors. – 7, 8, 9, 10
- Learn some basic IT-sense. – 8
- Learn how to install software. – 8
- You should not trust people only because they seem nice. – 10
- You should not act in a certain way only because you are told that others have acted that way. – 10, 11

5.2 Analysis of the answers

For each interview answer an analysis of the essentials is made, and the two methods are related to each other as well as to the corresponding scenarios when applicable.

5.2.1 How does a Social Engineer operate?

The Social Engineer contacts the person he wants information from. Both groups seem to have comprehended that the Social Engineer mainly operates by trying to establish contact with the victim. In the alternative approach five out of six subjects mentioned, directly or indirectly, that the Social Engineer contacts the person he wants information from. The same number of subjects in the alternative approach answered similarly. However, several subjects in the scenario method clearly had ideas on how this contact can be established. They suggested contact by telephone, e-mail or in person, which might be obvious ways to contact people but is worth mentioning since none of the subjects in the alternative approach suggested any means of contact. This statement does not directly relate to a specific scenario, although it recurs in all the scenarios since they all involve the establishing of contact initiated by the Social Engineer.

The Social Engineer claims to be someone he is not in order to get desired information. This is emphasized by the majority of subjects in the alternative approach group; four out of the six subjects mentioned this. One subject gave an example of an identity the Social Engineer can take. In the scenario method group all six subjects mentioned the identity issue. All subjects in this group have gained the knowledge that the Social Engineer often takes the role of an authority person, and three out of the six subjects gave examples of such authority roles.
Roles mentioned were manager and computer support. One subject gave an example of how the authority principle can be exploited: "The Social Engineer can ask you to install or download and install a particular software; the software can contain a spy program". This statement shows that the subjects have understood the authority scenario. All six scenario method subjects were aware that the Social Engineer often takes the role of an authority in order to manipulate the victims. The authority scenario was the fifth of the six scenarios.

The Social Engineer creates problems on the victim's computer. Four out of the six subjects in the alternative approach group talked about this matter. One of them mentioned viruses and called the Social Engineer a hacker, which is a misperception. Viruses were mentioned in two more interviews, but the context of those interviews shows that the subjects still understood that it is not viruses per se that are the main tool of a Social Engineer; it rather shows a lack of computer terminology knowledge. One of these four subjects had gained knowledge of the phenomenon of reversed Social Engineering and explained how it works. However, this was the only thing that subject had grasped. In the scenario method group four out of the six subjects reflected upon this matter and three of these explained the principles of reversed Social Engineering. As with the previous issues, the subjects in the scenario method were more detailed in their explanations. Reversed Social Engineering was not explicitly mentioned in any of the six scenarios. However, the character of the subjects' answers indicates that they gained this knowledge from the authority scenario, where it is stated that the Social Engineer can exploit problems he himself has caused.

The Social Engineer gets the victim to like him and exploits this.
In the alternative approach group two out of the six subjects mentioned that the Social Engineer builds trust with the victim in order to exploit it. Additionally, one of the other subjects mentioned that the Social Engineer is skilled at being nice to people. Four out of the six subjects in the scenario method group mentioned liking and showed understanding of how the Social Engineer later exploits it. Additionally, one subject briefly mentioned helpfulness. The liking scenario was number four of the six, and it is interesting that four out of six subjects particularly remembered information from this one, since the principle of liking is hard to convey in a scenario given that liking requires feelings for another person. The subjects seem to have grasped that the Social Engineer often tries to be kind and helpful.

The Social Engineer uses different steps to achieve his goals.
Two out of the six subjects in the alternative approach group mentioned this; they were, however, unable to remember all of the steps. One of the two vaguely remembered two of the steps; the other did not remember any. The subjects in the scenario method group did not discuss this matter, since the method did not address it.

The Social Engineer can also use technical approaches to get information.
One out of the six subjects in the alternative approach group mentioned this second approach. The subject also mentioned the example from the text, that the Social Engineer can use fake pop-up windows in this approach. This matter was not explicitly discussed in the scenario method; nevertheless, three out of the six subjects in the scenario method group mentioned technical approaches, but did not distinguish between the two approaches. This statement is not directly related to a specific scenario.

The Social Engineer offers something the victim cannot resist.
Three out of the six subjects in the scenario method group showed understanding of how the Social Engineer can get access to information by offering something the victim cannot resist. The same principle was discussed by two more subjects, who said that the Social Engineer tricks the victim into making hasty decisions. One of these four subjects discussed both the offer and the hasty decision. This Social Engineering approach was not covered in the alternative approach, and none of the subjects in that group mentioned it. The scenario presenting the principle of scarcity was the last of the six scenarios presented to the subjects. Half of the subjects in the scenario group showed evidence of understanding the scarcity principle.

The Social Engineer offers a service and claims a favor in return.
This was addressed in the scenario method, and two out of the six subjects in this group mentioned it. The alternative approach did not address this issue, and none of the subjects in that group brought it up. This statement relates to the principle of reciprocation, which was presented in the first scenario. Only two out of the six subjects in the scenario method group related to this principle.

One of the subjects in the scenario method group suggested that "The Social Engineer can also make the victim agree with him on some matter and then use it later in the conversation, since you want to stick to your standpoint even though it might not be in compliance with the security policy". Another subject said that "The Social Engineer can sound very convincing about a certain issue, e.g. that all personnel in the organization are doing this thing and you should too". These two subjects refer to the scenario regarding commitment and consistency, where the Social Engineer tries to convince the victim to change to a new, easy password with the argument that it is in compliance with the company's security policy.
5.2.2 How can you protect against a Social Engineer?

Check the identity of people.
All six subjects in the alternative approach group suggested identity control as one way to protect against a Social Engineer. Although two of the subjects did not mention identity control explicitly, they said that it is important to be critical towards people you hand information to, to stay conscious and not to trust people. These answers can be interpreted as awareness of the importance of identity control. In the scenario method group all six subjects mentioned identity control, five of them explicitly and one with reference to the authority scenario, where the importance of identity control is emphasized. Both groups seem to have grasped the importance of identity control. This shows, again, that the subjects remembered and were able to relate to the authority scenario.

Always think twice in stressful situations so that you do not make hasty decisions.
Four out of the six subjects in the scenario method group talked explicitly about decisions in stressful situations. Additionally, one mentioned the importance of remaining critical and not falling for what people say; this refers to the same situation the other four talked about. None of the subjects in the alternative approach group talked about hasty decisions in stressful situations. The scarcity scenario, as mentioned earlier, was the last of the six scenarios, and five of the six subjects were able to relate to it.

Stay on guard; stay conscious.
Two out of the six subjects in the alternative approach group talked explicitly about staying on guard, and one of them about being conscious. Additionally, one talked about not using a new repairman, referring to being conscious; the remaining three mentioned being careful and thinking before acting.
In the scenario method group none of the subjects explicitly mentioned staying on guard, but all of them showed awareness of the importance of consciousness, as they talked about being critical, careful, suspicious etc. The overall answers from all subjects in both groups showed awareness of the importance of being conscious. This statement is not directly related to a specific scenario.

Be careful with what kind of information you hand out.
Three out of six subjects in the alternative approach group mentioned the importance of being careful when handing out information. Additionally, one mentioned not handing out personal details, which must be considered carefulness when handing out information. In the scenario method group three out of the six subjects discussed this topic. This statement is not directly related to a specific scenario.

Never feel obliged to return kindness and favors.
Four out of the six subjects in the scenario method group said that you should never feel obliged to return favors. In addition, one subject said that it is important to think the situation over properly when you are offered something, which refers to the fact that the requester might want something in return. None of the subjects in the alternative approach group mentioned anything about this matter. This statement is related to the reciprocation scenario. The reciprocation scenario was the first of the scenarios, and it is interesting that five out of the six subjects referred to it. Since it was the first scenario the subjects tried, they might have paid extra attention to it, and that is why they remember it and are able to relate to it.

Do not install software on your computer if you are not certain of what you are doing.
Two out of the six subjects in the scenario method group talked about this matter. One of them suggested that you should talk to your manager if you do not know what you are doing.
In the alternative approach group one of the subjects suggested that you should contact someone in the company to help you with your computer, which must be considered to fall under the same category. This statement is not related to a specific scenario.

You should not act in a certain way only because you are told others have acted that way.
Two out of the six subjects in the scenario group had gained knowledge about this matter, and none of the subjects in the alternative approach group. This statement is related to the social proof scenario, which was scenario number three. In this scenario the Social Engineer tries to convince the victim to install a chat program with the argument that the victim's colleagues already use it.

You should not trust people only because they seem nice.
One of the subjects in the scenario method group mentioned this, and additionally one suggested that you should never let anyone you do not know borrow your computer. Both subjects referred to the same scenario, but only the first subject understood the essence of it. None of the subjects in the alternative approach group talked about this matter. This statement refers to the liking scenario. Liking was the fourth scenario, and it is interesting that only two subjects related to liking when asked how to protect against a Social Engineer, while four subjects related to this scenario when asked how a Social Engineer works. Only one subject related to liking in both questions.

Other suggestions from subjects in the alternative approach group were: use common sense, never fill out stupid forms on the Internet and never write down your password. Other suggestions from the subjects in the scenario method group were: personally deliver documents when possible, learn some basic IT-sense and learn how to install software. These suggested protective measures are not explicitly mentioned in the scenarios.
6. Conclusions

The objective of this thesis was to develop a prototype of an efficient educational method for teaching people how to act in the various information-dispatching situations that can be targeted and exploited in Social Engineering attacks. Working toward this objective included several steps.

Searching and reading literature on Social Engineering, psychological factors of persuasion and methods for scenario construction provided the theoretical platform as well as the knowledge needed to conceptualize the method for scenario development. Creating the scenarios generated not only the scenarios themselves but also a method for scenario development incorporating the psychological factors of persuasion; see chapter 3 and Appendix 1. The creation of the storyboards (Appendix 2) generated knowledge on how to take scenario development from a theoretical level to an implementation-ready level. The development of the HiFi prototype (Appendix 3) contributes by illustrating how to create scenarios with a low-complexity development tool such as Microsoft PowerPoint.

Finding an existing alternative approach to education on Social Engineering issues showed the lack of awareness of the phenomenon in organizations today, since it was very hard to locate even one organization that knew what Social Engineering was and educated its personnel on the matter. Comparing the two approaches, with six test subjects on each, provided data for an analysis that indicated differences in the extent to which the test subjects showed awareness of Social Engineering.

The result is a method for developing a scenario based educational tool that increases awareness of how a Social Engineer works and how to protect against this threat. The method starts by defining what is to be taught and ends with how to do it.
The method proved efficient and comfortable to work with. It provided support through the whole development process. This approach makes it possible to focus on what is to be taught instead of spending time on practical issues of scenario construction.

The picture below gives a holistic illustration of the different components in their context. The scenario construction method, which combines Social Engineering theory and the psychological factors of persuasion, is, together with the resulting prototypes, the main contribution of this thesis. The comparison with the alternative approach, i.e. the lectures, is merely a benchmark indicating, to some degree, the efficiency of the scenario method.

[Figure 6 – Holistic illustration of the different components in the thesis. Components shown: Social Engineering Theory; Psychological Factors of Persuasion; What: Area of Learning, Boundaries, Learning Outcomes, Create Scenario Situation; How: Learning Activities, Storyboards, Deciding Media Format, Implementation Process; Comparison; Prototypes.]

The comparison with the only alternative educational approach found shows that the test subjects in the scenario based method gave more vivid and substantial answers, indicating higher awareness of Social Engineering than the subjects in the alternative approach group. However, since the purpose of the comparison is only to achieve a benchmark regarding the efficiency of the scenario method, it is not appropriate to draw any major conclusions from it. The scenario method is in need of adjustment and tuning to become more efficient; nevertheless it has great potential for fulfilling its educational purpose.

6.1 Critique

There are several different ways to approach a scientific problem. The qualitative approach in this thesis has proven quite comfortable to work with. However, there are some issues worth mentioning here that are not fully satisfying.
Finding literature on Social Engineering, psychological factors of persuasion and methods for scenario construction turned out to be relatively hard, as the range of available literature was limited.

It was hard to get information from the subjects without affecting their answers in any way, and therefore they were allowed to speak for as long as they had something to say. When they were finished they were asked if they had anything to add, and most of the time they did not. This approach did not provide as much interview data as expected. Another interview strategy might have been more fruitful in this respect.

Since the subjects in the scenario group seem to show greater understanding of the last three scenarios in the suite, it might not be such a good idea to have six separate scenarios. However, it is necessary to divide them this way in order to measure to what degree each scenario has an effect on the subject. It also shows that the subjects' ability to learn was not reduced at the end of the test. It would be interesting to see whether the answers differ if the order of the scenarios were different for each subject.

One problem encountered while working with this thesis was that it was very hard to find a company with both a Social Engineering educational model and the willingness to let us use it as a comparison. It is commonly known that companies in general have restrictive policies about their security procedures. It was very nice that at least one company wanted to help us.

The comparison is not fair in the sense that the two approaches are not similar. However, an approach that is in use in organizations today is far more interesting to compare with than another prototype. It gives an indication of whether it is possible to find better ways than the existing ones to educate employees on this matter.
Besides, developing another prototype to compare with is outside the scope and timeframe of this thesis.

The test was conducted with university students and not people working in an organization. Using people working in an organization might have been fairer to the test, but since only the difference between the two approaches is of interest in this thesis, the test subjects' occupation is of minor relevance.

The contents of the two approaches differ, and this might have affected the result of the comparison. Since one of the goals of the scenario based method was to incorporate the psychological factors of persuasion, it would not have been interesting to compare with another approach containing these factors.

The two educational approaches differ in the amount of time required to perform them. The ideal situation would have been for the two approaches to require the same amount of time. However, extending the contents of the lectures only in order to match the time required by the scenario based method would have been misleading, since the lectures already contain the information necessary to perform the test.

Lectures are a very simple form of education but still a widely used approach. It might have been more interesting to compare the scenario based method with another, more complex approach. However, since no such method was found, we still believe that the comparison with lectures provides, to some extent, valuable information regarding the efficiency of the scenario based method.

6.2 Future work

Throughout the work with this thesis, new ideas and perspectives on the problem have popped up. A few of them are presented below with the intention of inspiring future work.

It would be interesting to do follow-up tests with the subjects within a couple of weeks, to see how much and what they remember from the different educational methods. Is there a difference?
An interesting approach might be to continue with the already developed scenarios in Appendix 1, change the contents, and do further tests to see if the subjects can learn and remember all six factors. Another interesting approach would be to adjust the method to fit all six factors into one large scenario, perform a new study and observe the consequences of such an approach.

Are there other methods in use in organizations today, and how effective are they compared to the scenario based method? Another approach could be to develop another education method containing the psychological factors and compare it to the method presented in this thesis. An alternative could be videotaped scenarios with humans acting out the different situations.

References

Internet sources

[ALL2001] Malcolm Allen, "The use of 'Social Engineering' as a means of violating computer systems", http://www.sans.org/rr/paper.php?id=529, accessed 2005-01-30
[ART2001] Wendy Arthurs, "A proactive defence to Social Engineering", http://www.sans.org/rr/paper.php?id=511, accessed 2005-01-30
[BRU2003] Michael Bruck, "A Little-Known Security Threat", http://www.entrepreneur.com/article/0,4621,309221,00.html, accessed 2005-01-30
[GAR2001] Gartner's Information Security Strategies Research Note TU14-5662, http://www3.gartner.com/gc/webletter/security/issue1/, accessed 2005-01-30
[GOR2004] Lawrence A. Gordon et al, "Ninth annual CSI/FBI computer crime and security survey", http://www.gocsi.com, accessed 2005-01-30
[GRA2002] David Gragg, "A multi-level defence against Social Engineering", http://www.sans.org/rr/papers/51/920.pdf, accessed 2005-01-30
[GUL2003] Radha Gulati, "The Threat of Social Engineering and Your Defence Against It", http://www.sans.org/rr/papers/index.php?id=1232, accessed 2005-01-30
[HAR1999] Jen Harvey, "Guidelines for Writing Good Questions", http://www.icbl.hw.ac.uk/ltdi/cookbook/info_guidelines_for_questions/, accessed 2005-01-30
[HIN2002] Jason Hiner, "Change your company's culture to combat Social Engineering attacks", http://techrepublic.com.com/5100-6264-1047991.html, accessed 2005-01-30
[KIN2002] Randall W. Kindley, "Scenario-Based E-Learning: A Step Beyond Traditional E-Learning", http://www.learningcircuits.org/2002/may2002/kindley.html, accessed 2005-01-30
[MAY1999] Alejandro N. Mayorkas, "Kevin Mitnick sentenced to nearly four years in prison", http://www.usdoj.gov/criminal/cybercrime/mitnick.htm, accessed 2005-01-30
[NEL2001] Rick Nelson, "Methods of hacking: Social Engineering", http://zeth.kodslav.org/security/dokumentation/dokumentation/soceng/socialeng.html, accessed 2004-02-16
[ROT] Arie Rotem et al, "Guidelines for development of scenario based e-learning resources", www.anaphi.unsw.edu.au/Scenario_guidelines.pdf, accessed 2005-01-30
[SAN2004] SANS Institute, 2004, http://www.sans.org/aboutsans.php, accessed 2005-01-30
[SHE2003] Richard Sheiman, "A balanced approach to information security", http://www.infoscreen.com/publications/InfoScreen_balanced_approach.pdf, accessed 2003-10-14
[SYM2003] Symantec, "Behind the Firewall – The Insider Threat: Part II", http://enterprisesecurity.symantec.com/article.cfm?articleid=2160&EID=0, accessed 2005-01-30
[STE2002] University of Arizona, "Thwarting Social Engineering Attacks", http://info-center.ccit.arizona.edu/~ccitinfo/newsletters/april2002/and_here.html, accessed 2005-01-30
[THE1998] The Institute of Internal Auditors, "Why is Information Security Important?", http://www.theiia.org/iia/index.cfm?doc_id=853, accessed 2005-01-30
[TIM2001] Rick Tims, "Social Engineering: Policies and education a must", http://www.giac.org/practical/gsec/Rick_Tims_GSEC.pdf, accessed 2005-01-30

Books

[HOL1997] Holme et al, 1997, Forskningsmetodik, Studentlitteratur
[MIT2003] Mitnick et al, 2003, The Art of Deception, Wiley Publishing, Inc.
[SVE2000] Svenning, C, 2000, Metodboken, Lorentz förlag
[CIA2001] Cialdini, R, 2001, Influence, Allyn & Bacon

Magazine article

[BAR2001] Richard Barber, "Social Engineering: A people problem?", Network Security, volume 2001, issue 7, 1 July 2001

Other

[GOL1998] Goldkuhl, 1998, Kunskapande, Linköpings Universitet

Appendix 1 – Scenario development

Scenario 1 – Reciprocation

• Deciding the area of learning.
Reciprocation in the form of a gift, a favor or a concession can be used by a Social Engineer to make the victim feel obliged to return it, and so to manipulate the victim into revealing secret or sensitive information. The area of learning in this scenario is how to defend against Social Engineers using the principle of reciprocation.

• Deciding the learning outcomes.
Principle: The learner should be aware of the principle of reciprocation, i.e. that favors, gifts and concessions can be used to make a person feel in debt and obliged to repay them.
Exploitation: The learner should be aware that an offered favor, gift or concession is not always genuine. It could be an attempt by a Social Engineer to make the learner feel obliged to repay it by revealing information the Social Engineer desires.
Protection: The learner should become aware that by recognizing a fake favor, gift or concession, the risk of being exploited in a Social Engineering attempt that utilizes the principle of reciprocation is reduced.
Furthermore, the learner should be aware that there is no obligation to repay favors, gifts or concessions.

• Create the scenario situation.
A matching scenario is one where an employee is offered help by a person claiming to work at the company's IT-department. The offer could, for instance, be to install a security patch that is supposed to get rid of a virus the person from the IT-department claims exists. When the offered service has been carried out, the caller takes the opportunity to ask for a favor in return. The favor involves the employee, in some way, handing out sensitive information.

• Set boundaries.
The scenario should contain the offer of a gift, service or concession, with the choice for the learner to accept or not. Furthermore, a request for a favor in return, with the choice for the learner to comply or not, should be included. Everything else is outside the boundaries of this scenario.

• Deciding learning activities.
The learner imagines working in an office of a large company when the telephone suddenly rings. The learner answers, and the person on the other end introduces himself as Bob from the IT-department. It is confirmed at the beginning of the scenario that there is a person named Bob who works at the IT-department of the company. Bob tells the learner that there is a nasty virus on the computer that is mass-sending virus-infected e-mails on the company's network. Bob tells the learner that the problem was most likely caused by the learner installing some software or sending/receiving private e-mails, which is against corporate policy and will probably make the learner's boss very angry. Now Bob tells the learner that he can probably fix the problem without letting anyone else know about it. The learner is also informed of the unpleasant consequences should the boss find out about the virus problem.
Since this seems to be a very nice offer from Bob, the learner accepts it. Then the learner receives another call from Bob, imagined to be later the same day, in which Bob says that he has, not without difficulty, fixed the virus problem without letting anyone else know about it. Now Bob tells the learner that he wants to come by later to inspect the computer, to be really sure that it is free from viruses. Since Bob works in a different building, with a different access code from the building the learner is in, he needs to obtain the access code from the learner. Bob asks the learner for the access code to the building.

If the learner complies with Bob's request, information is displayed that the learner has been deceived by a Social Engineer using the principle of reciprocation to get the learner to provide the access code to the building. If the learner does not comply with Bob's request, information is displayed that a good decision has been made in this case, because Bob does not work at the IT-department but is in fact a Social Engineer with criminal intent who wanted to get access to the building. The learning outcomes are then communicated to the learner as an ending to the scenario.

• Creating a storyboard.
The storyboard, i.e. sketches of the visual aspects and paths of the scenario, was created. The storyboard is to be seen as support for the implementation of the scenario. The result of the storyboarding is reflected in the implementation. The storyboards for each scenario are presented in Appendix 2 – Storyboards.

• Deciding on media format.
Microsoft PowerPoint is a suitable tool for the development of the HiFi prototypes since it provides the necessary interactivity and is easy to get started with.
Other techniques, such as Macromedia Flash, could be used for a final implementation but are far too advanced and difficult to get started with to be candidates for implementing the HiFi prototypes. The other techniques mentioned in chapter 3.3 do not provide the properties needed for interactive application design and were therefore not considered for this purpose.

• Begin the implementation process.
The result of the implementation of scenario 1 – Reciprocation is presented in Appendix 3 – HiFi prototypes.

Scenario 2 – Commitment and Consistency

• Deciding the area of learning.
Commitment and consistency can be exploited by Social Engineers by getting the victim to make an initial commitment. Once the initial commitment is made, the victim is more willing to agree to requests that correspond to it. The area of learning in this scenario is how to defend against Social Engineers using the commitment and consistency approach.

• Deciding the learning outcomes.
Principle: The learner should become aware of the principle of commitment and consistency, i.e. that having made a commitment, the learner is likely to act consistently with it and is thereby put in a situation where he/she is willing to respond to requests that are in line with the initial commitment.
Exploitation: The learner should become aware that by committing to a particular issue there is a risk of being vulnerable to Social Engineers who exploit the human tendency to automatically and unthinkingly stay consistent with initial commitments in order to retrieve sensitive information.
Protection: The learner should become aware that the risk of being deceived by a Social Engineer using the commitment and consistency principle can be reduced by being observant and reflective about decisions made in situations involving previously made commitments.
The learner should become aware that one should not automatically comply with requests that are consistent with a previous commitment.

• Create the scenario situation.
A suitable scenario is one where the Social Engineer calls an employee and claims to work at the administrative office. The Social Engineer asks the employee whether he/she is concerned about the company's security and reminds the employee of the company's policy regarding password routines. Once the Social Engineer has got the employee to commit to concern for the company's security and to compliance with the password policy, the Social Engineer informs the employee that it is time to renew the password due to a security incident. The Social Engineer tells the employee how to construct a new password so that it is simple to remember, for instance a girlfriend's name. The Social Engineer, who has already collected information about the employee's family etc. during background research, for instance through dumpster diving, can then easily guess the new password.

• Set boundaries.
The scenario should contain a commitment situation for the learner to comply with or not. Furthermore, the Social Engineer should attempt to get the learner to comply with further requests that are consistent with the initial commitment. Everything else is outside the boundaries of this scenario.

• Deciding learning activities.
The learner imagines working in an office of a large company when the telephone rings. The learner answers, and the person on the other end introduces herself as Olga from the head office. It is confirmed at the beginning of the scenario that there is a person named Olga working at the head office of the company.
Olga starts talking to the learner about the importance of following the company's security policy and asks whether the learner is of the same opinion and whether he/she is concerned about the company's security. The learner is informed about the importance of following company policies. If the learner does not agree with what the caller states, the learner is told to reconsider his/her opinion regarding following security policies and is then encouraged to retry the scenario. If the learner shares the caller's opinion and agrees on the importance of following the company's security policy, the learner is informed about the part of the security policy that addresses password routines, such as regularly changing passwords. The caller tries to persuade the learner that it is important to choose passwords that are easy to remember, to avoid bothering the IT-department with forgotten passwords since they have more important tasks to deal with. The caller then suggests that the learner change password immediately and pick one of the following templates to construct the new password from: own name reversed, girlfriend's name reversed or phone number reversed.

If the learner complies with the caller's request to change the password using one of the suggested templates, the learner is informed that he/she has been deceived by a Social Engineer using the commitment and consistency principle to get the learner to reveal the password. If the learner does not comply with Olga's request to change password according to her templates, the learner is informed that a good decision has been made in this case, since Olga is a Social Engineer intent on using the commitment and consistency principle to get hold of the learner's password and thereby gain access to sensitive information. The learning outcomes are then communicated to the learner as an ending to the scenario.
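The templates Olga proposes are the point of the scenario: a password built from details an attacker has already collected is found in a handful of guesses. The following Python is an added illustration, not part of the thesis or its PowerPoint prototype. The profile, names and phone number are constructed for the example, and the function names are the example's own. It expands the three templates (own name reversed, partner's name reversed, phone number reversed) into the complete list of guesses an attacker would try, counts how many attempts each candidate password survives, and gives the check a password-change policy could apply to refuse such a password outright.

```python
import re

# Constructed profile: the kind of details a Social Engineer collects
# beforehand (intranet directory, dumpster diving). All values invented.
EXAMPLE_PROFILE = {
    "name": "Karin Lind",
    "partner": "Erik Berg",
    "phone": "08-123 45 67",
}


def _normalize(value):
    """Lower-case and drop spaces, hyphens, plus signs and parentheses so
    'Karin Lind' and 'karinlind' compare equal, as do '08-123 45 67' and
    '081234567'."""
    return re.sub(r"[\s\-+()]", "", value).lower()


def _name_variants(value):
    """A full name yields the whole name and each part on its own, since a
    victim following 'own name reversed' may reverse only a first name."""
    variants = []
    for v in [_normalize(value)] + [p.lower() for p in value.split()]:
        if v and v not in variants:
            variants.append(v)
    return variants


def template_guesses(profile):
    """Expand the caller's three templates (own name reversed, partner's
    name reversed, phone number reversed) into the ordered list of guesses
    an attacker would try. The list is the whole search space."""
    guesses = []
    for key in ("name", "partner"):
        for v in _name_variants(profile.get(key, "")):
            reversed_v = v[::-1]
            if reversed_v not in guesses:
                guesses.append(reversed_v)
    phone = _normalize(profile.get("phone", ""))
    if phone:
        guesses.append(phone[::-1])
    return guesses


def guesses_until_hit(password, profile):
    """Number of template guesses tried before the password is found,
    or None if the templates do not cover it."""
    pw = _normalize(password)
    for i, g in enumerate(template_guesses(profile), start=1):
        if g == pw:
            return i
    return None


def derived_from_profile(password, profile):
    """Password-policy check: True when the password, ignoring case and
    separators, is a template guess or the un-reversed value behind one.
    A policy that knows the user's directory record (assumed available
    here as the profile dict) can apply this at change time and refuse
    the password Olga asked for."""
    pw = _normalize(password)
    guesses = template_guesses(profile)
    forward = [g[::-1] for g in guesses]
    return pw in guesses or pw in forward


if __name__ == "__main__":
    print("search space:", template_guesses(EXAMPLE_PROFILE))
    for candidate in ("dniLniraK", "greB", "765432180", "Tr0ub4dor&3"):
        print(candidate,
              "found after", guesses_until_hit(candidate, EXAMPLE_PROFILE),
              "guesses; rejected by policy:",
              derived_from_profile(candidate, EXAMPLE_PROFILE))
```

For the constructed profile the whole search space is seven strings, so any password Olga's templates produce falls on the first try or within six more, and the check also catches the victim who ignores "reversed" and types the name or number as-is. In a real deployment the profile would come from the directory record the password service already holds, not from a hard-coded dict.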
• Creating a storyboard. See “Creating a storyboard” in scenario 1, Ch. 4.2.

• Deciding on media format. See “Deciding on media format” in scenario 1, Ch. 4.2.

• Begin the implementation process. The result from the implementation of scenario 2 – Commitment and consistency is presented in appendix 2 – HiFi prototypes.

Scenario 3 – Social Proof

• Deciding the area of learning.

The principle of social proof shows that people have a tendency to imitate others, particularly in situations where they are not sure how to act or what to do. Social Engineers can exploit this principle to get a victim to act as desired by convincing the victim that several of the victim’s colleagues are already cooperating with the attacker on the matter. The area of learning in this scenario is how to defend against Social Engineers using the principle of social proof.

• Deciding the learning outcomes.

Principle
The learner should become aware of the principle of social proof, i.e. that the behavior of others tends to influence people in situations where it is uncertain how one should act.

Exploitation
The learner should become aware that by relying on the behavior of others when making decisions, one becomes vulnerable to Social Engineering attacks that exploit the principle of social proof to make the learner behave as the Social Engineer desires.

Protection
The learner should become aware that it is possible to reduce the risk of being exposed to Social Engineers exploiting the principle of social proof by avoiding using the behavior of others as the sole basis for decisions.

• Create the scenario situation.

The situation appropriate to illustrate the principle of social proof is when a person contacts an employee within the target organization asking the employee to reveal some sensitive information, with the argument that other employees within the organization have already complied with the request.

• Set boundaries.
The scenario should contain a question directed at a victim requesting the revealing of sensitive information. The victim should be motivated to comply with the request by the fact that the Social Engineer claims that several of the victim’s colleagues have already complied with the request. Everything else is outside the boundaries of this scenario.

• Deciding learning activities.

In this scenario the learner imagines working at the marketing department of a fairly large organization. The learner has just started working on a project with five other co-workers, namely Anna, Ben, Lars, Susan and Ron. The co-workers are located in different area offices of the company. A person who says his name is Sven and claims to be working at the IT-department of the company calls the learner. Sven tells the learner that he has just set up a new secure instant messaging system for the co-workers in the project, that they are very pleased with it and that they have started chatting already. Sven then tells the learner that he is going to help the learner install the system so that it is possible to chat with the co-workers, by providing an address to an internal web page where the instant messaging client resides. The learner is now given the option to visit the company web site and let Sven from the company’s IT-department guide him through the installation of the messaging client that the co-workers are so pleased with. If the learner rejects the offer, information is displayed that a very good choice has been made, since the caller was not Sven from the IT-department but a very shrewd Social Engineer who was trying to use the principle of social proof to get the learner to install a rogue piece of software with the intention of stealing sensitive information.
If the learner accepts the caller’s offer, information is displayed that the choice was not a very clever one, since the caller was not Sven from the IT-department but a very shrewd Social Engineer who was trying to use the principle of social proof to get the learner to install a rogue piece of software with the intention of stealing sensitive information. The learning outcomes are then communicated to the learner as an ending to the scenario.

• Creating a storyboard. See “Creating a storyboard” in scenario 1, Ch. 4.2.

• Deciding on media format. See “Deciding on media format” in scenario 1, Ch. 4.2.

• Begin the implementation process. The result from the implementation of scenario 3 – Social Proof is presented in appendix 2 – HiFi prototypes.

Scenario 4 – Liking

• Deciding the area of learning.

The principle of liking is an efficient tool for a skilled Social Engineer when building trust with the victim. The goal of the Social Engineer is to be liked by the victim and thereby increase the chances that the victim decides to reveal sensitive information, based on the fact that the victim finds the Social Engineer nice and likeable rather than on the actual request. The area of learning in this scenario is how to defend against Social Engineers using the principle of liking.

• Deciding the learning outcomes.

Principle
In this scenario the learner should become aware of the principle of liking. The principle of liking states that people tend to respond positively to individuals they like.

Exploitation
When completing this scenario, the learner should have become aware that the principle of liking can be exploited by a Social Engineer using different approaches. These approaches aim to get the victim to like him/her and to make the victim feel as if they have common values, with the intention of making the victim reveal sensitive information.
Protection
To reduce the risk of being deceived by a Social Engineer using the principle of liking, the learner must be careful when new and relatively new acquaintances ask for information, especially if the person has made such an impression that the learner likes the person inordinately well considering the situation. When making the decision, the learner should distinguish between the feelings for the requester and the content of the request and base the decision solely on the latter.

• Create the scenario situation.

The situation suitable for this scenario consists of a person (the learner) working in an organization’s sales department and another person (the Social Engineer) who has previously contacted the sales person to set up a meeting at the office to discuss a potential business deal. At the actual business meeting, the Social Engineer uses the principle of liking to make the sales person willing to let the Social Engineer use the computer. The Social Engineer obviously wants to install a rogue piece of software on the computer with the intention of getting access to the organization’s network and information sources.

• Set boundaries.

The essence of this scenario lies in the part where the Social Engineer gets the learner to like him/her. This takes place during the actual meeting. The victim should then feel satisfied with letting the Social Engineer use the computer. Everything else is outside the boundaries of this scenario.

• Deciding learning activities.

At the beginning of the scenario the learner is told to imagine working as a sales representative who has recently been contacted by a potential customer (the Social Engineer), and that they have set up a meeting at the office for further discussions about a potential business deal.
During the meeting the learner feels that this customer, James, is a really nice person and that they have a lot in common. James seems to be a really important person with a lot of useful business contacts. James is also well spoken and has sophisticated manners. By the end of the meeting the learner feels that he/she gets along great with James and that James is the kind of person the learner could develop a friendship with in the future. When they are about to round things up, James suggests that they have a cup of coffee before they end the meeting. The learner agrees, and when the learner is about to get the coffee James asks if he could use the learner’s computer to confirm his flight back home. The learner is now given the option to either agree or disagree to James’s request to use the learner’s computer. If the learner does not agree to let James use the computer, information is displayed that it was a wise decision, and the learner is told that James is in fact a Social Engineer who was trying to install malicious software on the learner’s computer using the principle of liking, with the intention of getting access to the organization’s network and information sources. If, on the other hand, the learner agrees to let James use the computer while out getting coffee, the learner is informed that it was not such a wise decision to make, since James is in fact a Social Engineer who was trying to install malicious software on the learner’s computer using the principle of liking, with the intention of getting access to the organization’s network and information sources. The learning outcomes are then communicated to the learner as an ending to the scenario.

• Creating a storyboard. See “Creating a storyboard” in scenario 1, Ch. 4.2.

• Deciding on media format. See “Deciding on media format” in scenario 1, Ch. 4.2.

• Begin the implementation process. The result from the implementation of scenario 4 – Liking is presented in appendix 2 – HiFi prototypes.
Scenario 5 – Authority

• Deciding the area of learning.

A Social Engineer can make use of the principle of authority when trying to get hold of sensitive information from a victim. The Social Engineer takes the role of an authority, e.g. a manager, when trying to get the victim to comply with the request. This approach aims to make the victim believe that the Social Engineer is entitled to the requested information based on the claimed position of authority. The area of learning in this scenario is how to defend against Social Engineers using the principle of authority.

• Deciding the learning outcomes.

Principle
The learner should become aware of the principle of authority, i.e. that people tend to comply with requests from other people who appear to be in a position of authority.

Exploitation
The learner should become aware that a person who appears to be in a position of authority is not always who the person claims to be. The person could be a Social Engineer using the principle of authority to make the learner feel obliged to comply with the requests.

Protection
To be able to defend against a Social Engineer who is using the principle of authority, the learner should become aware that authority symbols can easily be counterfeited and that a heightened awareness of the power of authority is necessary when defending against authority-based Social Engineering attempts.

• Create the scenario situation.

A suitable scenario is a situation where a person (a Social Engineer) knocks on the learner’s office door claiming to work at the company’s IT-department. The visitor informs the learner that a new security patch has to be installed on the learner’s computer on direct order from the Vice President of the company. The intention of the Social Engineer is to install a rogue piece of software to retrieve sensitive information.

• Set boundaries.
The scenario should contain a request directed at an employee by a Social Engineer appearing as an authority figure. The learner should be able to comply with or refuse the request. Everything else is outside the boundaries of this scenario.

• Deciding learning activities.

The learner imagines working in an office of a large company, in an office of his/her own. The learner hears a knock on the door, and at the door is a person who claims to be working at the IT-department. The visitor informs the learner that the IT-department has a direct order from the Chief Security Officer to install a new, effective firewall on each personal computer at the company due to several intrusion attempts. The visitor tells the learner that he/she has to occupy the computer for the next 5-10 minutes to be able to install the necessary software. The learner can either agree or disagree to letting the person from the IT-department perform the installation. If the learner agrees to let the man from the IT-department install the software, the learner is informed that a bad decision has been made. The person from the IT-department is not who he/she appears to be; the person is a Social Engineer using the principle of authority to make the learner comply with a request whose intention is to install a rogue piece of software that steals the learner’s password. If the learner does not agree to let the person from the IT-department install the software, the learner is informed that a wise decision has been made, because the person who claims to be working at the IT-department is in fact a Social Engineer using the principle of authority to make the learner feel obliged to allow the installation. The learning outcomes are then communicated to the learner as an ending to the scenario.

• Creating a storyboard. See “Creating a storyboard” in scenario 1, Ch. 4.2.
• Deciding on media format. See “Deciding on media format” in scenario 1, Ch. 4.2.

• Begin the implementation process. The result from the implementation of scenario 5 – Authority is presented in appendix 2 – HiFi prototypes.

Scenario 6 – Scarcity

• Deciding the area of learning.

In order to retrieve sensitive information from a victim, a Social Engineer can use the scarcity principle. By letting the victim believe that something offered by the Social Engineer is in scarce supply and that the demand for it is huge, the Social Engineer can make the victim take a hasty decision that complies with what the Social Engineer desires. The area of learning in this scenario is how to defend against Social Engineers using the scarcity principle.

• Deciding the learning outcomes.

Principle
The learner should become aware of the scarcity principle, i.e. that people tend to assign more value to opportunities when they are less available.

Exploitation
The learner should become aware that a Social Engineer can exploit the scarcity principle by claiming that something is in short supply and very sought-after, and thereby get the victim to make a hasty decision.

Protection
For the learner to be able to defend against a Social Engineer using the scarcity principle, the learner must be taught to be observant of any excitement in situations involving scarcity. It is important that the learner realizes that he/she must calm down in order to regain a rational perspective and make a correct decision.

• Create the scenario situation.

The learner receives an e-mail with a tempting offer while going through the daily load of e-mails at work. The e-mail appears to have been sent from a partner company. The offer is valid only for a short period of time and the supply is limited. Accepting the offer involves a web site registration procedure.
The Social Engineer’s intention with this e-mail is to get the victim excited and thereby submit information that he/she would not give away in a normal situation.

• Set boundaries.

The scenario should contain a tempting offer with a scarce supply and a limited period of validity. The offer should contain some kind of registration procedure where the learner must submit information. The learner should have the choice to either accept or decline the offer. Everything else is outside the boundaries of this scenario.

• Deciding learning activities.

In this scenario the learner imagines working as an accountant in an organization that acts as a supplier to SonyEricsson. When going through the daily e-mails the learner notices an e-mail from the marketing division at SonyEricsson offering free 3G mobile phones to a selected group of business associates (the e-mail is actually from a Social Engineer). The offer is valid only for a short period of time and the phone supply is scarce; the learner is therefore advised to act quickly in order to get the free 3G mobile phone. The only thing the learner has to do is register at a web page at Sony Ericsson specially set up for this purpose. The learner has to provide personal information and choose a password in order to be able to come back and submit an evaluation of the 3G mobile phone. The learner has the choice to either accept or turn down the offer given in the e-mail. If the learner chooses to accept the offer, information is displayed that it was not such a wise decision to make, since the e-mail was sent by a Social Engineer using the scarcity principle to get the learner excited and thereby make a hasty decision and supply information, e.g. the password, which he/she normally would not submit on the Internet.
If the learner, on the other hand, chooses not to accept the offer, information is displayed that it was a wise decision since the e-mail was sent by a Social Engineer. The Social Engineer was using the scarcity principle to get the learner excited and thereby make a hasty decision and supply information, e.g. a password, which he/she normally would not submit on the Internet. The learning outcomes are then communicated to the learner as an ending to the scenario.

• Creating a storyboard. See “Creating a storyboard” in scenario 1, Ch. 4.2.

• Deciding on media format. See “Deciding on media format” in scenario 1, Ch. 4.2.

• Begin the implementation process. The result from the implementation of scenario 6 – Scarcity is presented in appendix 2 – HiFi prototypes.

Appendix 2 – Storyboards

[Storyboard images for Scenario 1 – Reciprocation, Scenario 2 – Commitment and Consistency, Scenario 3 – Social Proof, Scenario 4 – Liking, Scenario 5 – Authority and Scenario 6 – Scarcity; not reproduced in the text extraction.]

Appendix 3 – HiFi prototypes

[Screenshots of the HiFi prototypes for Scenario 1 – Reciprocation, Scenario 2 – Commitment and Consistency, Scenario 3 – Social Proof, Scenario 4 – Liking, Scenario 5 – Authority and Scenario 6 – Scarcity; not reproduced in the text extraction.]

Appendix 4 – Interviews

Alternative approach

Interview 1

How does a Social Engineer operate?
The Social Engineer uses people who work at a company to get a hold of stuff.
He claims to be someone else in order to get information that the person he tricks has got. He is nice and helpful. He is skilled when it comes to being nice to people. He can create problems on the computer like virus and stuff. He knows computers well, a hacker.

How can you protect against a Social Engineer?
You should be careful and find out if a person is who he claims to be. Double check identity. Do not hand out documents to rogue persons. Contact someone in the company to help you with your computer. Common sense. Never fill out stupid forms on the Internet. Never write down your password.

Interview 2

How does a Social Engineer operate?
A Social Engineer uses enticement, either he works with enticement or he reverses it to make the victim contact the Social Engineer. The Social Engineer operates mainly by enticement. Human to human interaction. Four ways, something with information.

How can you protect against a Social Engineer?
You should be careful with what kind of information you hand out. It is not like an ordinary virus, a Social Engineer attacks the human, not the technology. You should be critical towards the persons you hand out information to.

Interview 3

How does a Social Engineer operate?
The Social Engineer operates by establishing contact with his victim in some way. The Social Engineer uses different steps on the way to achieve his goals, I remember collecting information and the last step, I believe, is fulfilment. Unlike a technical hacker the Social Engineer tries to cause a computer related problem that he later on can exploit in some way. He also builds trust with the victim whom he later can manipulate.

How can you protect against a Social Engineer?
It is pretty hard to protect against, unlike traditional hackers. One should be on one’s guard, stay conscious and not trust people who want to manipulate you. And you should not hand out personal stuff, consciousness.
Interview 4

How does a Social Engineer operate?
They (the Social Engineer) establish contact with people within organisations and trick them into revealing the secret information they want. He (the Social Engineer) uses false identities, pretends to be a repairman and plants viruses and that kind of stuff into the computer. He (the Social Engineer) pretends to be a guy that can fix stuff; he wants to get hold of secret codes etc. He can install software in the computer that generates false popups to get hold of passwords.

How can you protect against a Social Engineer?
By being certain that you use a repairman that you know is a certified repairman. Do not use a new repairman that you do not know. Do not reveal secret information to people you do not know and whose identity you cannot confirm.

Interview 5

How does a Social Engineer work?
He tricks the victim; the Social Engineer may for instance create a problem on the victim’s computer and then the victim contacts the Social Engineer to get help. While the Social Engineer helps the victim with the problem he also steals the information he is after or installs some kind of virus for later access to the computer. The Social Engineer states that he is someone he is not in order to get information.

How can you protect against a Social Engineer?
One must always be prepared for a Social Engineer attack. I think the most important thing is to double check the identity of the person to see if he is entitled to the information he is requesting.

Interview 6

How does a Social Engineer work?
He manipulates you by appearing as somebody he is not in order to get the information he wants. He can also use technical approaches to get information, for instance false pop up windows. He establishes a relation with persons and thereby he creates a possibility to get information.

How can you protect against a Social Engineer?
Think before you hand out information.
If you are not certain that the person you give the information to is allowed to read/have it. You can control the person’s identity if you are unsure.

Scenario Method

Interview 7

How does a Social Engineer operate?
He contacts the person he wants to get information from, e.g. by telephone or by e-mail. He claims to be someone he is not, often an authority person. If he for instance calls his victim he puts pressure on his victim and tells him that he is in a hurry and has to have the information quickly so that the victim does not have time to reflect upon the request. The Social Engineer can install something on the victim’s computer that makes the computer malfunction so that he later can call and offer to fix the computer pretending to be a computer repairman.

How can you protect against a Social Engineer?
One should question the identity of authority people, for instance police officers, computer support and co-workers who you do not recognize. Double check with your manager if there is something that is supposed to be installed on the computers. Never hand out passwords or any other secret stuff. Always think twice in stressed situations so that you do not make any hasty decisions. Personally deliver documents when possible. Never let anybody you do not know borrow your computer. Never feel obliged to return kindness and favours.

Interview 8

How does a Social Engineer operate?
They try to trick people in different situations, e.g. by being helpful or acting as an authority person like for instance computer support offering to install a firewall. They simply try to trick people to get what they want. They also operate by offering services and then claiming a favour in return. They pretend to be in a certain position in which they are not (job related, interviewer’s note), pretend to be someone they are not. By getting access to someone’s computer and doing mean stuff.

How can you protect against a Social Engineer?
One should remain critical and not fall for things people say. It is important not to automatically return favours without a second thought; one must really try to find out what the other person really is after. One should not believe in what every authority person says, they might lie to get what they are after, e.g. the support guy. One should not always comply with the security policy; learn some basic IT-sense. Learn how to install software, it is easier to protect against a Social Engineer if you have this knowledge.

Interview 9

How does a Social Engineer operate?
A Social Engineer operates in six different ways. One of them is the scarcity principle, the Social Engineer offers something that the victim cannot resist, for instance on a webpage, and the victim registers information that the Social Engineer wants. Authority principle, a person from a different department who has a lot of knowledge in an area, someone who claims to be in a higher position, false authority. Liking, the Social Engineer gets you to like him and you let him use your computer for instance, but he can also ask to borrow other stuff or ask you questions that you answer. Reciprocation, the Social Engineer calls and offers to fix something that he intentionally caused in the first place. When he has fixed the problem he asks for something in return which you comply with. The Social Engineer can also make his victim agree with him in some matter and then use it later in the conversation since you want to stick to your standpoint even though it might not be in compliance with the security principle (Commitment and Consistency, interviewer’s note).

How can you protect against a Social Engineer?
One should be careful when someone offers favours, it is easy to get into a debt situation. Be alert and do not make fast decisions. Be alert to other people and think about your integrity, do not hand out too much information.
Double check people’s identity to see if they are who they claim to be.

Interview 10

How does a Social Engineer operate?
The Social Engineer can work in several different ways, but almost all of these ways start out with the Social Engineer pretending to be someone he is not. For instance, they can call up the person they are interested in and pretend to be an authority person, e.g. a manager, someone who is respected, to be able to get the information he is interested in. The Social Engineer can sound very convincing about a certain issue, e.g. that all personnel in the organization are doing this thing and you should too. For instance, change password to a simpler one because the computer support finds it annoying when everybody calls when they have forgotten the password. The Social Engineer can ask you to install or download and install particular software; the software can contain a spy program. The Social Engineer can try to make friends with you, seem to be nice and ask for favours that do not sound that bad; they can also do this via the phone. The Social Engineer can offer things they claim are not for everyone and make you feel special. The Social Engineer can make you call them about a particular problem, a problem the Social Engineer himself has caused intentionally.

How can you protect against a Social Engineer?
You must be 100% certain that you know that a person is who he claims to be. You should not trust people you do not know only because they seem nice. You should not, for instance, switch to an easy password only because the person who asks you to claims to be a manager. You do not have to return favours only because someone did you one; you should be suspicious of people you do not know. You should not act in a certain way only because you are told that others have acted that way. You should be careful when registering or publishing information on the internet.

Interview 11

How does a Social Engineer work?
The Social Engineer can offer something that I want very much which is also in short supply and thereby trick me into making a bad decision that leads to the Social Engineer getting information he is not entitled to. The Social Engineer can appear as an authority person and thereby manipulate me into giving him information. The Social Engineer can be a very nice person and good looking too and thereby increase the odds that I give him the information he wants.

How can you protect against a Social Engineer?
It is important to think over the situation properly when you are offered something. You can call the IT department to see if the person who is supposed to do something with my computer really is from the IT department (check the identity of the person). I can also call my colleagues to see if they are using the chat program (chat scenario).

Interview 12

How does a Social Engineer work?
In order to get his hands on information the Social Engineer tricks the victim into believing that he is someone he is not. He can contact you by telephone, e-mail or come to your office personally in order to get information from you. For instance he can appear as a manager or some kind of IT-support person in order to trick the victim. He can also be nice to you and get you to like him and thereby trick you to get the information he is after. Another way to get information from the victim is to force him to make a hasty and not well made decision.

How can you protect against a Social Engineer?
You should double check the identity of persons that want you to give them information. Try to think over the situation to see what the requester really wants, especially in situations where he is forcing you to make a hasty decision. Do not install something on your computer if you do not know what you are installing.
