Social Engineering & Cyber Security. Marianne Junger University of Twente. M.Junger@Utwente.nl http://www.utwente.nl/bms/iebis/staff/junger

Similar documents
INFOCOMM SEC RITY. is INCOMPLETE WITHOUT. Be aware, responsible. secure!

Red Flags in International Payments and Trade. Presented by Paul Warfield and Despina Margiori

DEPARTMENT OF DEFENSE 6000 DEFENSE PENTAGON WASHINGTON, D.C

Malware & Botnets. Botnets

Security And Backups. Topic Website Tutorial 18

Phoenix Information Technology Services. Julio Cardenas

Practical guide for secure Christmas shopping. Navid

Authenticating and policing the internet for consumer confidence and security

HOW ICT CHANGES VICTIMIZATION

+GAMES. Information Security Advisor. Be a Human Firewall! The Human Firewall' s Top Concerns in the Cyber, People & Physical Domains

Perception and knowledge of IT threats: the consumer s point of view

Cybersecurity: A Growing Concern for All Businesses. RLI Design Professionals Design Professionals Learning Event DPLE 160 October 7, 2015

How to Spot and Combat a Phishing Attack Webinar

RLI PROFESSIONAL SERVICES GROUP PROFESSIONAL LEARNING EVENT PSGLE 123. Cybersecurity: A Growing Concern for Small Businesses

National Cybersecurity Awareness Campaign Families Presentation

INFORMATION SERVICES SOCIAL MEDIA GUIDE FOR STAFF

Learning to Detect Spam and Phishing s Page 1 of 6

NATIONAL CYBER SECURITY AWARENESS MONTH

Is There Such a Thing as Internet Privacy?

DON T BE FOOLED BY SPAM FREE GUIDE. Provided by: Don t Be Fooled by Spam FREE GUIDE. December 2014 Oliver James Enterprise

A New Era. A New Edge. Phishing within your company

Fighting spam in Australia. A consumer guide

"CYBER DIALER ATTACKS" Issue Paper. The Problem

NOS for IT User and Application Specialist. IT Security (ESKITU04) November 2014 V1.0

Practical tips for a. Safe Christmas

1. For each of the 25 questions, multiply each question response risk value (1-5) by the number of times it was chosen by the survey takers.

Protection from Fraud and Identity Theft

guide to staying safe online How to shop, bank, socialise and protect your identity online.

Social Media and Cyber Safety

Not-For-Profit Finance Forum Westpac New Zealand Limited

Protect yourself online

Phishing Scams Security Update Best Practices for General User

TLP WHITE. An introduction to social engineering 1.

Cyber Security. Maintaining Your Identity on the Net

White paper. Phishing, Vishing and Smishing: Old Threats Present New Risks

Avoid completing forms in messages that ask for personal financial information.

Safety precautions for Internet banking or shopping How to avoid identity theft online

SOMETHING PHISHY IS GOING ON!

Fraud. Your guide to protecting yourself from fraud

10 Quick Tips to Mobile Security

current and previous addresses name/ssn Medical Insurance info UNCLASSIFIED credit info family info phone & fax #

Hint: Best actions: Find out more in videos and FAQ: Hint: Best actions: Find out more in videos and FAQ:

Internet basics 2.3 Protecting your computer

Preventing Corporate Account Takeover Fraud

Everyone s online, but not everyone s secure. It s up to you to make sure that your family is.

Identity Theft. CHRISTOS TOPAKAS Head of Group IT Security and Control Office

Connect Smart for Business SME TOOLKIT

F-Secure Anti-Virus for Mac 2015

FAKE ANTIVIRUS MALWARE This information has come from - a very useful resource if you are having computer issues.

FEMALE PRIVACY AND CLOUD SECURITY 1

Personalized Search Under Attacks

STOP.THINK.CONNECT NATIONAL CYBERSECURITY AWARENESS CAMPAIGN UNDERGRADUATE STUDENT PRESENTATION

Identity Theft: A Growing Problem. presented by Melissa Elson Agency Liaison Office of Privacy Protection - Bureau of Consumer Protection

Online Security Information. Tips for staying safe online

Protecting your business from fraud

Know the Risks. Protect Yourself. Protect Your Business.

Safeguard your business against fraud.

The SMB Cyber Security Survival Guide

S.A.F.E. Recognize a scam before you become a victim of fraud Division of Consumer Protection

Contents Security Centre

The following information was provided by SANS and discusses IT Security Awareness. It was last updated in 2015.

2016 Cyber Security Calendar. Neela, Grade 4 State of Delaware

Why you need. McAfee. Multi Acess PARTNER SERVICES

Security Awareness for Social Media in Business. Scott Wright

Identity and Access Management in the Commonwealth

PREP Course # 20: HIPAA Security Presented by: Joe Baskin, Manager, Information Security

Help Protect Your Firm and Clients from Cyber Fraud

Contact details For contacting ENISA or for general enquiries on information security awareness matters, please use the following details:

MySpam filtering service Protection against spam, viruses and phishing attacks

Are you Smarter than a Scam Artist? 2015 AASC National Conference Nashville, Tennessee

Many of these tips are just common sense and others are tips to keep in mind when doing a transaction, at ATMs, restaurants and merchants.

Best Practices for Avoiding Getting Speared Like a Phish

Welcome to this ACT webinar

How to stay safe online

MCU Online and MFA (Multi Factor Authentication)

Online Cash Manager Security Guide

INTERNET SAFETY: VIRUS: a computer program that can copy itself and infect your computer. CAPTCHAS: type the letters to set up an online account

Information Security Awareness Training

Cybercrime Prevention and Awareness

Deception scams drive increase in financial fraud

Scams and Schemes LESSON PLAN UNIT 1. Essential Question What is identity theft, and how can you protect yourself from it?

ONLINE BANKING SECURITY TIPS FOR OUR BUSINESS CLIENTS

KEY STEPS FOLLOWING A DATA BREACH

Introduction to WSU

SK International Journal of Multidisciplinary Research Hub

I ve been breached! Now what?

Comprehensive i-safe Curriculum International Scope of Lessons and Language Availability

Information Security Guide for Students

Enjoy #StudentLife Take part and win an ipad!

STUDENT S INFORMATION SECURITY GUIDE

How to Identify Phishing s

CSUF Tech Day Security Awareness Overview Dale Coddington, Information Security Office

43% Recognizing and mitigating human. vulnerabilities. of companies experienced a data breach in the past year. b l a c k f i n s e c u r i t y

Hot Topics in IT Security PREP#28 May 1, David Woska, Ph.D. OCIO Security

General Security Best Practices

Protect Yourself. Who is asking? What information are they asking for? Why do they need it?

Texas Municipal League Annual Conference October 10, 2013

online banking guide Mediterranean Bank plc is licensed by the MFSA under the Banking Act. Co. Registration No: C

How To Help Protect Yourself From Identity Theft

Cyber Attacks and Liabilities Why do so many Organizations keep Getting Hacked, Sued and Fined?

Transcription:

Social Engineering & Cyber Security Marianne Junger University of Twente M.Junger@Utwente.nl http://www.utwente.nl/bms/iebis/staff/junger

2 Colleagues Pieter Elmer Lorena Jan-Willem Wolter Hartel Lastdrager Montoya Bullee Pieters

3 Aim: Prevention experiments and what we learned 1. Door key experiment 2. Telephone-based social-engineering 3. Can I get your bank account number?

4 EXP 1. Door Key Experiment: Can I have your key, please? 118 rooms Story recharge key Compliance: 62.5% Bullée, J. W. H., Montoya, L., Pieters, W., Junger, M., & Hartel, P. H. (2015). The persuasion and security awareness experiment: reducing the success of social engineering attacks. Journal of Experimental Criminology, 11(1), 97-115. doi: 10.1007/s11292-014- 9222-7

5 Door-Key Experiment Intervention: 1. a leaflet explaining social engineering 2. a blue key chain 3. a poster with A humorous quote An explicit remark against password, key and PIN sharing 5

6 Door-Key Experiment No intervention % Intervention % Complied (versus 62.5 37.0 handed over the key) 6

7 EXP 2. Telephone phishing Frequently used method to contact consumers (29.9% of all scams) attackers targeted in total 45 UT-staff Story: your PC is sending spam, You can download a program that will remove the malware Subgroup: N (control group)=26 -> 46.2% downloaded the program Bullee, J.-W., Montoya, L., Junger, M., & Hartel, P. (2016 (accepted)). Telephone-based social engineering attacks: An experiment testing the success and time decay of an intervention. Paper presented at the SG-CRC 2016. National Consumer League http://fraudresearchcenter.org/wp-content/uploads/2012/02/national-consumers-league-2011-top-scams-of-2011.pdf

8 Telephone phishing Beware of scams! 1 out of 4 of your colleagues got scammed; are you next? I got scammed by Santa My children got a free USB thumb drive as a present from Santa in the shopping mall. Apparently, the USB drive contained malware that emptied our bank accounts over night. Merry Christmas. --Jane Don t make payments or divulge banking details to strangers. Don t follow instructions to download or type commands into your PC. Don t share credentials, passwords and PINs with strangers. Don t blindly click a link on an email. Do challenge the requester to validate his identity (e.g. by call back). Do be sure that your PC s software is up to date. Do be critical and suspicious regarding unsolicited contacts. Do check the source of the link carefully.! I never thought this would happen to me I got an email from my bank. It informed me about an opportunity to win an ipad. I clicked the link to participate in a raffle. Later that day a bank employee called me to validate my details. The next day my social media accounts were inaccessible and all my files were gone. --Jack Scams Þ can reach you out of the blue. Þ can reach you on your smartphone. Þ are designed to look genuine. Þ target both individuals and organisations. Þ caused losses of more than 5.300.000.000 Euro since 2014.!

9 Beware of scams! 1 out of 4 of your colleagues got scammed; are you next? I got scammed by Santa My children got a free USB thumb drive as a present from Santa in the shopping mall. Apparently, the USB drive contained malware that emptied our bank accounts over night. Merry Christmas. --Jane Don t make payments or divulge banking details to strangers. Don t follow instructions to download or type commands into your PC. Don t share credentials, passwords and PINs with strangers. Don t blindly click a link on an email. Do challenge the requester to validate his identity (e.g. by call back). Do be sure that your PC s software is up to date. Do be critical and suspicious regarding unsolicited contacts. Do check the source of the link carefully.! I never thought this would happen to me I got an email from my bank. It informed me about an opportunity to win an ipad. I clicked the link to participate in a raffle. Later that day a bank employee called me to validate my details. The next day my social media accounts were inaccessible and all my files were gone. --Jack Scams Þ can reach you out of the blue. Þ can reach you on your smartphone. Þ are designed to look genuine. Þ target both individuals and organisations. Þ caused losses of more than 5.300.000.000 Euro since 2014.!

percent 10 % Complied: downloaded the program 60 50 40 46,2 54,6 30 20 10 0 9,1 No intervention 1 week intervention 2 weeks intervention 1

11 EXP 3. Street questionnaires 278 questionnaires filled in in shopping area 3 page questionnaire on cyber security How easy is it to collect information for spear phishing? 1. Can you fill in your email address? 2. Bank account: XX XXXXXXX Online shoppers only 3. What kind of product you purchased? 4. Filled in the name of the web shop Junger, M., Montoya, L., & Overink, F.-J. (Under review). Warnings and cues against social engineering.

12 Street questionnaire: warnings and cues Priming/cues: Subtle warning 1. Are you familiar with the term phishing? 2. Are you aware of the amount of personal information you share on the Internet and that is publicly accessible? 3. Do you use Facebook? If so, what are generally your privacy settings? 4. Have you ever been scammed on the Internet (for example through phishing)?

Percent 13 Priming and warning: not effective 120% 100% 88% 94% 92% 99% 80% 81% 85% 87% 89% 60% 67% 49% 40% 41% 40% 20% 0% Email filled in ** Bank account number What kind of product you purchased? Control Priming Warning Filled in the name of the web shop* 13

Percent 14 Warnings: adverse effect 120% 100% 88% 94% 92% 99% 80% 81% 85% 87% 89% 60% 67% 49% 40% 41% 40% 20% 0% Email filled in ** Bank account number What kind of product you purchased? Control Priming Warning Filled in the name of the web shop* 14

15 Conclusions: trust Humans are programmed to trust: social engineering is easy 10%-90% is engineered Interventions seem easy as well: counter-manipulation

16 Why did some interventions not work? No intervention Social proof (observing others) Lack of knowledge no link intervention PII that was given Optimism bias Personal relevance when one was victimized

17 Adverse effect also in security Know in physical world When confronted with risks, people can use selfserving strategies to justify their unrealistic optimism (Weinstein & Klein, 1995). Review of perverse effects in digital world (Wolff, 2016) Resistance to manipulation : Avoidance - cognitive avoidance Optimism bias, no personal relevance Weinstein, N. D., & Klein, W. M. (1995). Resistance of personal risk perceptions to debiasing interventions. Health Psychology, 14(2), 132. Fransen, M. L., Smit, E. G., & Verlegh, P. W. (2015). Strategies and motives for resistance to persuasion: an integrative framework. Frontiers in psychology, 6.

18 How to improve our interventions? Increase personal relevance - CMU interventions only for this who have been phished Training: better-stronger trainings Repeated interventions not one training but process Question: can we really protect users against phishing?

19 Questions? M.Junger@Utwente.nl http://www.utwente.nl/bms/iebis/staff/junger/

Questions? M.Junger@Utwente.nl http://www.utwente.nl/bms/iebis/staff/junger/ 2

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information