The Role of Education and Awareness Training in Mitigating Social Engineering Attacks

Introduction

Social Engineering in the context of Information Security is any act that manipulates a person into divulging sensitive information, into acting in a way that breaches security, or into creating a vulnerability in information security. Over a decade ago Bruce Schneier, a respected security expert, said “Only amateurs attack machines; professionals target people” (Schneier, B. 2013), and with advances in security technology making traditional hacking harder this is more relevant today than ever. By trying to prevent infiltration on a technical level while ignoring the physical-social level, companies are leaving themselves open to attack (Granger, S. 2006). Large organisations now spend on average 11% of their IT budget on security (Department for Business, Innovation & Skills, 2014), and most of this spend is on technology-based mitigations. This paper aims to show that Social Engineering attacks are a real threat that is often overlooked or understated by organisations, and that awareness training and education are the strongest form of defence against such attacks.

Summary of Papers

The articles researched for this paper comprise two research articles and one professional article. Below is a summary of each.

Social engineering in social networking sites: Affect-based model – Algarni, A. et al.

Algarni et al. (2013) focus specifically on social networking sites (SNSs) and how they are used in Social Engineering. Their research answers two questions: what entities and sub-entities affect social engineering in SNSs, and how do they affect it. To do this they focus on four key areas: the Site, the Attacker, the Technique and the Victim. They present a comprehensive overview of the different aspects of social engineering threats in SNSs, along with some suggested countermeasures.

Social Engineering-Based Attacks: Model and New Zealand Perspective – Fu, L. & Janczewski, L.

Fu and Janczewski take a wider view of social engineering; their overall research objective was to explore the significant entities and relations within social engineering-based attacks. They address this by asking five specific research questions and conducting interviews with subjects from various IT backgrounds. A conceptual model of an attack was first created from the existing literature and was then revised after analysis of the interview data. Their research shows that a key factor in mitigating social engineering is security policy, yet security policy is also added as a vulnerability in the revised conceptual model.

The Defcon 22 Social Engineer Capture the Flag (SECTF) Report – Fincher, M. & Hadnagy, C.

Fincher and Hadnagy (2014) report on the annual Social Engineering contest held at the Defcon security conference. The SECTF is a practical demonstration of Social Engineering in action and provides context for the research in the other two papers. The report sets out the rules of the contest along with the specific flags to be captured. All entrants were given a target organisation and had three weeks to gather Open Source Intelligence (OSINT), followed by 30 minutes of live calls on the day. The report highlights how easy it is for relatively inexperienced attackers to use social engineering to obtain potentially damaging information from an organisation. The authors conclude that over the five years the contest has run they have not seen consistent improvements that directly address the human factor, and they emphasise that changing this requires a fundamental change in policy, awareness and education.
Critical Review of Selected Papers

The evidence presented in the three papers all contributes to an understanding of what comprises a social engineering attack, and highlights the importance of mitigating such attacks, particularly in today's environment where technical security controls are becoming more sophisticated, making it much harder for purely technical attacks to succeed.

Algarni et al. (2013) look at one specific vector used in Social Engineering attacks (SEAs): social networking sites. As shown by Fincher and Hadnagy (2014), SNSs are indeed a highly valuable tool in the attacker's arsenal, as much of the information needed to craft a targeted attack can be obtained from these sources. Algarni et al. (2013) state that social engineering threats are on the rise because of continued improvements in protection against technology-based attacks, and go on to list the entities and dependencies that affect social engineering threats in SNSs. In sections I–VI of their paper they do not contribute anything new to this area; they simply collate and reiterate existing knowledge. Of more use is section VII, where they provide some analysis of the SNS user (or victim). Of particular interest are the socio-psychological factors and the motivation and drive theories, which give valuable insight into why people are prone to social engineering attacks. Understanding these motivations is necessary to form mitigation techniques that are effective and to formulate a relevant awareness and education programme.

Algarni et al. (2013) postulate that SNSs are among the most common means of SEAs, and on this basis present some commonly suggested countermeasures. The evidence they present for the risk SNSs pose to security is compelling: a survey carried out on behalf of Check Point found that phishing attacks were believed to be the most common source of SEAs, followed by SNSs (Dimensional Research, 2011). Despite this evidence, it is easier to conclude, as the research of Fu and Janczewski (2010) shows, that an SNS forms part of the process of developing a threat or vulnerability to an organisation or person rather than being an attack in itself. The research of Algarni et al. (2013) is useful to the information security field in highlighting the dangers of social media in relation to SEAs, but it does not present any novel ideas; it is, however, a good basis for further research in this field. It should be noted that whilst BSI 27001 (2005) does not specifically mention social networking sites, Calder and Watkins (2013) do specifically cover the threat of data loss through social media and highlight that an ISMS should cover the risks and threats posed by such sites; they also list the relevant controls that apply.

In contrast to Algarni et al. (2013), Fu and Janczewski (2010) look at the broader topic of SEAs and present a conceptual model of how these attacks are formed. Their overall research objective was defined as exploring the significant entities and relations within social engineering-based attacks, and to this end the following research questions were formulated:

RQ1. What are the existing security vulnerabilities which can be exploited by social engineering-based attacks?
RQ2. What are the methods of social engineering-based attacks?
RQ3. What are the consequences of a successful social engineering attack?
RQ4. What can be done to mitigate social engineering-based attacks?
RQ5. What is New Zealand's perspective on social engineering-based attacks?

Of great interest here is the summary of security threats and attack methods that they produce, shown in Figure 1 below. This shows that across all types of threat initiator and attack, social engineering is a key method used to realise the attack. Like Algarni et al., Fu and Janczewski cite the widespread adoption of technological solutions as reducing the effectiveness of technical attacks and therefore encouraging hackers to use the alternative, social engineering.

[Figure 1: Summary of Security Threats and Attack Methods]

Based on their literature review they produce the conceptual model shown in Figure 2 below. This shows online social engineering as just one of many vectors that can be used in a social engineering attack and, importantly, lists three defences against such attacks. To verify this model, a total of twenty-five interviews were conducted with participants from various IT-related backgrounds and levels of experience, spanning seventeen organisations, ten of which were international. The interview responses were added to the findings of the literature review to produce the revised conceptual model shown in Figure 3 below. Of note, RQ1 provided an interesting perspective on security policy: whilst security policy is a defence, Fu and Janczewski suggest that it is also a vulnerability, because poorly developed policies leave uncertainty, and it is this uncertainty that attackers target. RQ2 added the additional human-based attack of "questionnaire" to the model, whilst RQ4 added technical controls, security-enhanced products and education to the defences.

[Figure 2: Conceptual Model of the Major Aspects of Social Engineering-Based Attacks]

[Figure 3: Revised Conceptual Model]

In answer to RQ4, Fu and Janczewski argue that the most important element of a good defence is the security policy, as this reduces the uncertainty on which social engineering relies. They also hypothesise that the policy should ultimately be supplemented by education and training, since people's vulnerability to SEAs can be measured in terms of their awareness of them. This is reinforced by the requirement of control A.8.2.2 of BSI 27001 (2005), which covers information security awareness, education and training.

The research and evidence presented by Fu and Janczewski highlight the issues and threats that organisations face from social engineering. The scope of the research was deliberately restricted to IT-literate participants, as the purpose was to establish a realistic view from an IT perspective. However, the opportunity exists to take the research as a starting point and to expand the audience to a wider, non-IT-literate population. This would allow the investigation of different attack vectors and would also show the level of understanding, and therefore the likelihood of successful SEAs, among members of the public in general.

Unlike the two research papers, the SECTF report (Fincher, M. & Hadnagy, C., 2014) describes a practical demonstration of social engineering attacks. The contest comprised nine teams of two people, each of which had to conduct a social engineering attack against one of nine retail companies randomly assigned to the team. The retail industry was targeted because of the high number of publicised security breaches in this sector in recent years, such as Target, Home Depot, TJX, Heartland Payment Systems and eBay (Robinson, R. 2014). Each team had three weeks to gather Open Source Intelligence (OSINT), using publicly available resources such as Google, LinkedIn and Facebook to passively gather information, which was compiled into a professional social engineering report. They then had a thirty-minute live call at the Defcon event to gather additional information, during which they gained additional points for tagging out or handing off the call to the other team member. The objective of the OSINT and the live call was to capture flags, each of which was assigned a point value. A flag was effectively a piece of information that could provide value to an attacker; the flags are listed in Figure 4 below along with their point values.

The report highlights that this year's contest saw the majority of points earned through the live-call part of the contest, whereas last year the opposite was true. The authors posit that this may indicate that companies are becoming more vigilant about securing their most obvious information online. Importantly, Fincher and Hadnagy (2014) conclude that the competitors' success demonstrates that effective security awareness training is not in place, despite more companies reportedly investing in this area. They go on to say that companies must set clear definitions of what is and isn't allowed, and that the policy must be backed up with strong security awareness training. A third mitigation put forward is the use of realistic penetration testing that includes an element of social engineering.

[Figure 4: SECTF Flag List]

Conclusion

Whilst both research papers are useful for educating and informing the wider security community, the work of Fu and Janczewski (2010) provides the more detailed overview of what comprises a social engineering attack, along with the vulnerabilities and defences. In particular, the answer to their Research Question 4, "What can be done to mitigate social engineering-based attacks?", gives guidance that ties into the controls required by Annex A of BSI 27001 (2005). All the research presented agrees that technical mitigations alone are not sufficient to prevent SEAs. The model put forward by Fu and Janczewski (2010) emphasises that security policy must be carefully thought out and must address social engineering, and that the policy must then be enforced through training and education; this is demonstrated effectively and reinforced by the SECTF report (Fincher, M. & Hadnagy, C., 2014). The work of Algarni et al. (2013) highlights the dangers of SNSs in relation to social engineering, and this again is reinforced by the results of the SECTF contest, in which a large amount of intelligence was gathered through SNSs (Fincher, M. & Hadnagy, C., 2014). Together the three papers form a comprehensive view of the threat of social engineering to an organisation, along with a sense of how much information can be gleaned using these techniques.

Importantly, the papers also give guidance on how best to protect against these types of attack. The evidence presented here can be used by the information security community to put a real context around the issue and to begin making the necessary changes to security policies, specifically around the information that is posted to the publicly accessible internet and social media. Once the changes to policy are implemented, awareness training and education can be enforced. Initially the executive level needs to be educated so that the threat is fully understood and the risks measured; this education can then be fed throughout the organisation and must be reinforced with regular security awareness training that is meaningful and relevant to the company, or even to the department within a company. The evidence shows a definite relationship between the frequency and relevance of a company's awareness training and the amount of information that company surrenders (Fincher, M. & Hadnagy, C., 2014).

The society of the 21st century has been defined as being based primarily on knowledge (Greavu-Șerban and Șerban, 2014). The protection of this knowledge has become crucial to the survivability and profitability of an organisation, with 76% of large organisations saying security is a high or very high priority for their senior management (Department for Business, Innovation & Skills, 2014). The evidence presented in this paper shows that it is no longer sufficient to rely on technology-based security measures alone. Companies are not significantly better prepared to repel social engineering attacks than they were five years ago (Fincher, M. & Hadnagy, C., 2014), and many of the largest breaches of 2014 were enabled through social engineering methods such as spear phishing and targeted malware.
To successfully prevent this in the future, a fundamental change to the security culture within an organisation needs to take place, and this can only be achieved through relevant education and awareness.

References

Algarni, A., Xu, Y., Chan, T., Tian, Y.-C., 2013. Social engineering in social networking sites: Affect-based model. In: 8th International Conference for Internet Technology and Secured Transactions (ICITST), 2013, pp. 508–515. doi:10.1109/ICITST.2013.6750253. Available at: http://ieeexplore.ieee.org.libezproxy.open.ac.uk/ielx7/6745432/6750143/06750253.pdf?tp=&arnumber=6750253&isnumber=6750143 [Accessed 8th April 2015]

BSI 27001 (2005) Information Technology – Security Techniques – Information Security Management Systems – Requirements.

BSI 27002 (2007) Information Technology – Security Techniques – Code of Practice for Information Security Management.

Calder, A. & Watkins, S. (2013) IT Governance: An International Guide to Data Security and ISO27001/ISO27002.

Chitrey, A., Singh, D., Singh, V., 2012. A Comprehensive Study of Social Engineering Based Attacks in India to Develop a Conceptual Model. International Journal of Information and Network Security (IJINS) 1, 45–53. Available at: http://iaesjournal.com/online/index.php/IJINS/article/view/426/222 [Accessed 28th March 2015]

Department for Business, Innovation & Skills, 2014. 2014 Information Security Breaches Survey: Technical Report. Available at: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/307296/bis-14-767-information-security-breaches-survey-2014-technical-report-revision1.pdf [Accessed 3rd April 2015]

Dimensional Research, 2011. The Risk of Social Engineering on Information Security: A Survey of IT Professionals. Available at: http://www.greycastlesecurity.com/resources/documents/The_Risk_of_Social_Engineering_on_Information_Security_09-11.pdf [Accessed 28th March 2015]

Fincher, M., Hadnagy, C., 2014. The Defcon 22 Social Engineer Capture the Flag (SECTF) Report. Available at: http://www.social-engineer.org/ctf/social-engineer-inc-releases-annual-report-def-con-22-social-engineering-capture-flag-sectf-contest/attachment/socialengineercapturetheflag_defcon22-2014/ [Accessed 1st April 2015]

Granger, S., 2006. Social Engineering Reloaded. Available at: http://www.symantec.com/connect/articles/social-engineering-reloaded [Accessed 1st April 2015]

Greavu-Șerban, V., Șerban, O., 2014. Social Engineering a General Approach. Informatica Economica 18, 5–14.

Janczewski, L.J., Fu, L. (Rene), 2010. Social Engineering-Based Attacks: Model and New Zealand Perspective. In: Proceedings of the 2010 International Multiconference on Computer Science and Information Technology (IMCSIT), 18–20 Oct. 2010, Wisla, Poland. IEEE, Piscataway, NJ, pp. 847–853. Available at: http://ieeexplore.ieee.org.libezproxy.open.ac.uk/stamp/stamp.jsp?tp=&arnumber=5680026 [Accessed 28th March 2015]

Robinson, R., 2014. The Top 5 Retail Breaches. SecurityIntelligence.com. Available at: http://securityintelligence.com/the-top-5-retail-breaches/#.VSaaTP4U_4Y [Accessed 9th April 2015]

Schneier, B., 2013. Phishing Has Gotten Very Good. Schneier on Security [blog], 1st March. Available at: https://www.schneier.com/blog/archives/2013/03/phishing_has_go.html [Accessed 28th March 2015]