A B S T R A C T. Index Terms : Framework, threats, skill, social engineering, risks, insider. I. INTRODUCTION

Transcription

1 A Framework to Mitigate the Social Engineering Threat to Information Security Rakesh Kumar*, Dr Hardeep Singh. Khalsa college for women, Amritsar, Guru Nanak Dev University, Amritsar A B S T R A C T In today s scenario the threat and risks posed to organizational IS by a malevolent insider are more dangerous in comparison to those posed by an outsider attacker. An insider definitely takes advantage of their internal system knowledge to perform harmful actions. The hackers can through their social engineering skills easily make use of internal staff for their own benefits. The awareness programs about the threats posed by social engineers are need of the hour. This study relates social engineering with the information security and provides a logical framework against the social engineering threat to information system. Index Terms : Framework, threats, skill, social engineering, risks, insider. I. INTRODUCTION It was well said by Schneier in dawn of twenty first century that Only amateurs attack machines; professionals target people. This sentence still finds precision in context to internal risks faced by organizations from the internal staff [5]. The technology alone is not quite enough to mitigate and tackle the risks of internal threats [1]. The focus needs to be shifted toward developing systems that assist humans in the working and making the things more secure instead of making technology that can itself become a risk if gone in wrong hands [3]. Timely awareness about the social engineers who pretends to be right guy and make use of one s organizational staff is need of hour and topic of concern in this study. II. RELATED LITERATURE In year 2010, Colwill put forward a four point approach combining encryption, access control, minimum privilege, and monitoring, auditing and reporting [10]. He elaborated key issues relating to insider threats to information security. He considered loyalty, cultural factors, economic and social factors as main parameter for his study. A key priority is to focus on insiders within security risk assessments and compliance regimes. This requires a focus on human factors, education and awareness and greater attention on the security 'aftercare' of employees and third parties. In year 2004, kratt [11] illustrated that the disgruntled employees can be a big threat for the organization. His work focused on behavioral aspects of humans. He further added that while countering the external threats we cannot overlook the internal threat of disgruntled employees. In year 2003, FBI s Computer Crime and Security Survey report said that about 77% of organizations who went through security breach suspected disgruntled employees as main accuse. These disgruntled employees can easily be targeted by using social engineering tool [4]. Intruders are always looking for ways to access the vital resource such as computer systems or corporate or personal information that can be used by them maliciously or for personal gain [7]. The gaps in the security help them achieve their malicious goals. Many a times they get through because of human , IJAFRSE and ICCICT 2015 All Rights Reserved

2 behavior like trust, ignorance and carelessness. They achieve this through their social engineering skills [4]. III.SOCIAL ENGINEERING AS A TOOL IN HANDS OF ATTACKERS A disgruntled employee can surely and easily bypass existing security measures and cause costly damage to the organization once he comes in contact with some attacker through social engineering. The disgruntled employee may also use a combination of social engineering and commercial software tools to steal sensitive customer information. Because social engineering is an attack on human nature, there are no technical signatures that we can use to detect this type of attack. Authority, liking, reciprocation, consistency, social validation and scarcity are major human tendencies that can be exploited in social engineering attack [4][6]. The social engineering is used as a tool by theses peoples to gain access to any system irrespective of the layers of defensive security controls. It is a kind of art of decoding and mastering the human behavior to cause security breach by manipulating the victim. We can categorize social engineering as technology based deception, and human based deception. All the Social Engineering methods of attack target some very natural human attributes. IV.BEHAVIORAL AND PSYCHOLOGICAL FACTORS AFFECTING THE INTERNAL SECURITY The understanding of human behavior cannot be ignored while making use of preventive and protective innovative security techniques for critical information. The behavioral related critical security problems of employee deviance, employee compliance, effective decision-making, emotions or stressful conditions can lead to higher risk in decision by staff [7]. The security practitioners should include these human factors with possible perceptions to provide more effective security [4]. Below is a brief introduction of prominent factors. Cognition: Cognition refers to the way people process and learn information. There are several findings from research on human cognition that are relevant to cyber security. Bias: Bias describes a person s tendency to view something from a particular perspective. This perspective hinders the person from being objective and impartial. Heuristic: In psychology, by heuristic, we mean a simple rule inherent in human nature or learned in order to reduce cognitive load. Heuristic can help addressing the cognitive load issues. The heuristics rules are used to explain how people make judgments, decide issues and solve problems. The heuristic failure can cause systematic errors or cognitive biases. V. HUMAN BEHAVIORAL ATTRIBUTES WITH THEIR EFFECTS ON IS WHEN THESE ARE EXPLOITED BY SOCIAL ENGINEERING It has been widely accepted that misleading the peoples by winning their trust is much easier than hacking or cracking. The rising concern between researchers in security and in psychology has integrated peoples from usability engineering, protocol design, privacy, and policy on the one hand, and from social psychology, evolutionary biology, and behavioral economics on the other. See the following table to realize this interesting fact: TABLE I The human attribute and corresponding effects on IS security , IJAFRSE and ICCICT 2015 All Rights Reserved

3 Human Attribute Trust The desire to be helpful The wish to get something for nothing Curiosity Fear of the unknown, or of losing something Ignorance Carelessness Effect on security of IS Security password can be obtained easily once trust is established. By posing helpful the planted employee can steal secret data or passwords. This can make a way for malware to settle in yours organizational information systems. The malware finds an easy way to yours IS. This will invite many virus and malware codes to your IS. This factor makes every security plan a failure. Results in rise in security breaches. VI. A LOGICAL FRAMEWORK FOR PREVENTING SOCIAL ENGINEERING ATTACKS ON INFORMATION SYSTEM Now we purpose and recommend following framework that can logically prevent the threat of social engineering attacks to information system of any organization. The framework is suitable for architects and designer concerned with secure architecture for their information system. The various concepts are mapped to logical design level phase of development. The framework is able to control the wrong intentions of disgruntled employees who some way or other can cause huge damage to IS after they become prey to some outsider through the social engineering skills of later. Table 2. Proposed logical framework Step 1- a) Guidance and education to staff for social engineering threat. 1-b) Awareness about new skills and techniques adopted by social engineers to cause the damage. Step 2 - Provision for generation of login trails for employees. a- To keep track of the login id s of internal staff. b- To keep record of login logout time stamp. Step3 Avoidance of shared accounts while designing the information system. Step4- Centralized authority should be there for controlling the access rights. Step 5- No access to USB drive or other media to staff member having less than one year tenure in organization , IJAFRSE and ICCICT 2015 All Rights Reserved

4 Step 6- No access to social media sites via organizational resources. Step 7- No access to social media sites from personnel devices during the office hour. Step 8- Social and Psychological Behavior Test a. Before hiring a person for your organization, get thorough details about social behavior /status of person. b. Check for any cyber crime related involvement of that person. c. Get a psycho test of person through some psychiatrist so as to understand the KSAs suitability of person in better way. VII. CONCLUSION This paper done qualitatively, focused on mapping the different aspects of human behavior that can be exploited by social engineers to access the organizational IS illegally. The main characteristics of behavior has been picked and mapped with the corresponding security risk that occurs through social engineers. A logical framework has been proposed to counter this threat. The topic is need of hour in current context of rising security breaches worldwide. A more rigorous approach and research is recommended in the field. VIII. REFERENCES [1] Anderson R, Moore T 2008, Information Security Economics and Beyond, Information Security Summit [2] Anderson R, Moore T 2009, Information security: where computer science, economics and psychology meet, Philosophical Transactions of the Royal Society vol 367, pp [3] H.Tipton, M. Krause (Ed.), Computer Security Handbook,4thEdition(pp ). USA: Auerbach Publications. [4] Sternberg, G. (2010). The Psychology Behind Security. ISSAJournal.Retrievedfrom [5] Magklaras, G.B. & Furnell, S.M. (2002). Insider threat prediction tool: Evaluation the probability of IT misuse. Computer and Security, 21(1), [6] Workman, M., Bommer, W. H., & Straub, D. (2008). Security lapses and the omission of information security measures: An empirical test of the threat control model. Journal of Computers in Human Behavior. [7] Zhou, C. V., Leckie, C., & Karunasekera, S. (2010). A survey of coordinated attacks and collaborative intrusion det ection. Computers and Security, 29(1), , IJAFRSE and ICCICT 2015 All Rights Reserved

5 [8] Whitman, M. E. (2003). Enemy at the gate: Threat to information security. Communications of the ACM, 46(8), [9] Kazman, R.; Nord, R. L.; & Klein, M. A Life-Cycle View of Architecture Analysis and Design Methods (CMU/SEI-2003-TN- 026). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, [10] Colwill, C. (2010). Human factors in information security: The insider threat- Who can you trust these days? Information Security Technical Report, 14, [11] The Inside Story:A Disgruntled Employee Gets His Revenge by Heather Kratt, December , IJAFRSE and ICCICT 2015 All Rights Reserved