The Human Factor

Site: Saylor Academy
Course: CS406: Information Security
Book: The Human Factor
Date: Thursday, April 25, 2024, 7:09 AM

Description

So far, we have discussed security control types and functions and how layers of controls provide defense-in-depth. These controls protect data from outside threats, but an even greater area of concern is the "inside threat" – people. Read the introduction and the two sections on social engineering in this article about the human factor. Why are people a threat to information security?

Introduction

Thanks to technology, our chances of survival in an emergency have been drastically improved. In fact, technology has positively improved how we live, how we travel, how we interact, how we learn, how we are medically treated and, most importantly, how we lead our lives. The technology used in the critical infrastructure that supports our day-to-day life is becoming a necessity, without which life seems unimaginable. However, this necessity of life has also attracted a lot of interest from those who illegally try to gain access to personal, business or corporate data to satisfy their objectives. Many citizens fall victim to these attacks and suffer from minor to life-changing consequences. From losing access to personal photographs of sentimental value due to a ransomware attack to losing custody of your children, the result of these attacks can mean life or death in some severe cases. When these attacks are targeted towards critical infrastructure, the consequences can be even more devastating. Consider the case of the ransomware attack on the NHS in May 2017. The attack resulted in a significant meltdown of emergency services in the UK. It is now being argued that the attack on the NHS could have been prevented through due care, regular updates to NHS IT infrastructure and employee training. However, the question is: what have other critical infrastructure operators learned from this calamity, and what do they intend to do to avoid a similar situation?

With the emergence of smart cities, the opportunities for gain for malicious attackers have grown, along with their motivation. Great damage and substantial financial loss have been caused by malware, botnets and targeted attacks that deceive the user into connecting to malicious domains or websites. Although intrusion detection systems and monitoring tools play a significant role in network security, the human factor must also be taken into consideration. It is imperative that due care and caution are taken at all levels during interaction with technology to ensure that users do not accidentally introduce malware into the organisation. While security awareness training solutions have been known to provide effective mechanisms for learning and knowledge transfer on security measures, they suffer from a few shortcomings. For instance, monitoring employees as they go through the training process may be neither efficient nor effective. This lack of effectiveness occurs because, in critical organisations with large numbers of employees requiring awareness training, adequate progress monitoring is a monotonous task with a higher margin of error. Similarly, upon completion of the courses, most employees will have forgotten some of the security awareness knowledge and information acquired earlier in the training workshops. Recent research found that after attending a business training session, employees in general tend to lose 50% of the information within an hour, 70% of the information is forgotten within twenty-four hours and 90% within a week. Thus, it is vital that awareness training is integrated into employees' day-to-day tasks, to support retention and application of the knowledge acquired.

Other prevention aspects such as vulnerability assessment, physical security and the implementation of effective policies and procedures in critical infrastructure systems are equally as important as staff awareness training. To address the technical challenges and shortcomings faced by organisations, the proposed cyber defence strategy will focus on offering a concise cyber incident prevention guide to organisations that operate critical infrastructure. Our proposed cyber defence strategy will enable these organisations to protect their assets, as well as efficiently train their employees, so they are better prepared to deal with cyber and social engineering attacks. This paper proposes a context-aware education tool to be deployed in a business environment to raise the security awareness of employees. The developed application utilises a client-server model, which the administrator can configure so that different modules are presented according to the current user activity. Each module covers a specific aspect or topic related to security awareness in the business environment. In case the user activity does not trigger the application to display information, the application autonomously selects tips and presents them to the user. The administrator can also monitor the progress of each user while setting deadlines for completion of each module.
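The client-server behaviour just described (activity-triggered modules, an autonomous fallback when no activity matches, per-user progress and deadlines set by the administrator) can be made concrete with a small server-side model. The following is an added illustration written for this page; it is not the authors' application, and the module names, the activity event names, the trigger rules and the user data are all constructed assumptions.

```python
"""Context-aware awareness tip selection (added example, not the paper's code).

Models the server side of the tool described above: an administrator-configured
module catalogue, rules mapping observed user activity to a module, an autonomous
fallback when nothing matches, and per-user progress with completion deadlines.
All names and sample data below are assumptions for this illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Administrator-configured awareness modules (hypothetical names and tips).
MODULES = {
    "phishing": "Check the sender address and hover over links before clicking.",
    "passwords": "Never share your password, even with someone claiming to be IT support.",
    "removable_media": "Do not plug in USB devices of unknown origin.",
    "physical_access": "Challenge unescorted visitors; never hold the door for tailgaters.",
}

# Trigger rules: an observed client-side activity -> the module to present at that
# moment. The event names are assumptions for this example.
TRIGGER_RULES = {
    "opened_email_attachment": "phishing",
    "clicked_external_link": "phishing",
    "password_prompt": "passwords",
    "usb_inserted": "removable_media",
    "visitor_badge_issued": "physical_access",
}


@dataclass
class UserProgress:
    deadlines: dict                                  # module -> completion due date
    completed: set = field(default_factory=set)
    tips_shown: list = field(default_factory=list)   # history, for reporting/rotation


class AwarenessServer:
    """Server-side state: module catalogue, trigger rules and per-user progress."""

    def __init__(self, modules, rules):
        self.modules = modules
        self.rules = rules
        self.users = {}

    def register(self, user, deadlines):
        unknown = set(deadlines) - set(self.modules)
        if unknown:
            raise ValueError(f"deadline set for unknown module(s): {sorted(unknown)}")
        self.users[user] = UserProgress(deadlines=dict(deadlines))

    def select_tip(self, user, activity=None):
        """Return (module, tip). A matching activity wins; otherwise the server picks
        autonomously, preferring the incomplete module with the nearest deadline and
        rotating through the whole catalogue once everything assigned is done."""
        progress = self.users[user]
        module = self.rules.get(activity)
        if module is None:
            pending = [m for m in progress.deadlines if m not in progress.completed]
            if pending:
                module = min(pending, key=lambda m: (progress.deadlines[m], m))
            else:
                order = sorted(self.modules)
                module = order[len(progress.tips_shown) % len(order)]
        progress.tips_shown.append(module)
        return module, self.modules[module]

    def complete(self, user, module):
        self.users[user].completed.add(module)

    def overdue(self, user, today):
        p = self.users[user]
        return sorted(m for m, due in p.deadlines.items()
                      if m not in p.completed and due < today)

    def progress_report(self, today):
        """Administrator view: completion counts and overdue modules per user."""
        return {u: {"done": len(p.completed), "assigned": len(p.deadlines),
                    "overdue": self.overdue(u, today)}
                for u, p in self.users.items()}


def demo():
    """Constructed walk-through: one user, three assigned modules, four events."""
    today = date(2024, 4, 25)
    server = AwarenessServer(MODULES, TRIGGER_RULES)
    server.register("alice", {
        "phishing": today + timedelta(days=7),
        "passwords": today - timedelta(days=1),   # already past due
        "removable_media": today + timedelta(days=30),
    })
    shown = []
    # None stands for "no recognised activity", which exercises the fallback.
    for activity in ["usb_inserted", None, "clicked_external_link", None]:
        shown.append(server.select_tip("alice", activity)[0])
    server.complete("alice", "phishing")
    return shown, server.overdue("alice", today), server.progress_report(today)


if __name__ == "__main__":
    print(demo())
```

In the walk-through, the USB insertion and the external link click each pull the matching module, while the two untriggered moments fall back to the overdue passwords module; the administrator's report then shows one of three modules completed and the passwords module overdue. Tying the fallback to deadlines is the design choice that turns the autonomous tips into a nudge toward the training the administrator has actually set.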

The remainder of this paper is organised as follows. Section 2 discusses the continuously growing threat of social engineering. Section 3 lists human traits which are actively exploited by social engineers during an attack. Section 4 presents the current security awareness programmes in the market. The design and implementation of the proposed security awareness training programme are explained in Sect. 5. Section 6 shows the software testing and evaluation methodology. Section 8 concludes the paper.


Source: Ghafir, I., Saleem, J., Hammoudeh, M. et al., https://link.springer.com/article/10.1007/s11227-018-2337-2#citeas
This work is licensed under a Creative Commons Attribution 4.0 License.

Social engineering: a growing threat

In recent years, organisations of all types and sizes, including those offering critical and emergency services, have been the victims of social engineering attacks. As more organisations acquire enhanced IT solutions and robust encryption tools to protect their data, attackers will continue to resort to old-fashioned methods of exploiting human weaknesses to achieve their objectives.

Social engineering is a psychological manipulation technique used by attackers to elicit responses from unwilling targets which are not in the targets' best interest, coercing them into a position of disadvantage. This act is mostly conducted with the aim of influencing the other party to carry out actions, either lawful or unlawful, which may go against them or others around them. The influence could be as simple as tricking an office employee into allowing an actor into their workplace unchallenged, or as complicated as obtaining state secrets through coercion, blackmail, manipulation, extortion or intimidation.

Today, social engineering is among the top information security threats faced by multiple industries and organisations and has thus far proven challenging to protect against. The only practical protection available against social engineering attacks is cybersecurity awareness and training. For instance, when a social engineering attack occurs, all the technical protection systems combined cannot stop an employee from giving out their password to an attacker over the phone. But with the appropriate security training, that same employee can act as the most reliable contender in the line of defence and alert the relevant department about the social engineering attempt, potentially saving the company from a major security incident.

To develop an understanding of the security threats, it is essential to understand what social engineering manipulation techniques are used during an attack. This understanding can be achieved through experience, taught examples and training, like the one discussed in Sect. 4 of this paper. The knowledge acquired through a well-developed training framework will aid trainees in understanding social engineering attack strategies, as well as in countering and limiting any potential harm.

Social engineers' attack strategies

Social engineers employ a variety of tactics to trap their targets into performing actions of the attacker's choosing. It could be something as simple as gaining someone's trust over the phone to obtain confidential information, or the setup of bait to lure someone onto a compromised website via phishing methods. Social engineers are the modern equivalent of con artists, the only difference being that the latter use non-technical methods to cheat people out of their hard-earned money.

Out of the many taxonomies and models available, Kevin Mitnick's social engineering attack cycle, as described in his book The Art of Deception: Controlling the Human Element of Security, is the most commonly recognised social engineering attack model. As illustrated in Fig. 1, the model depicts the four phases which occur before and during a social engineering attack.

Fig. 1 Kevin Mitnick's social engineering attack cycle

During the Research stage, information is gathered about the target, its weaknesses, and anything that can aid the attacker during the later phases of the attack. Develop Rapport and Trust is the second stage, during which the attacker aims to acquire the trust of the target. That trust is exploited during the third stage, Exploit Trust, to elicit information from the target, to manipulate the target, or merely to instruct the target to carry out actions in order to gain the desired knowledge or outcome. The fourth and last stage in the model, Utilise Information, is the final act of the attack, during which the information and resources acquired during the first three stages are put into action to get the desired result.

The next subsections will further examine which particular human traits are generally exploited by social engineers to force compliance from the subjects.


Psychological manipulation

In many cases, the usual target of a social engineering attack is someone who is in a position of authority, or at minimum in possession of privileged information which is useful to social engineers. For an employee to reach that level, they naturally have to go through certain steps within their company to prove their competence. Therefore, the majority of the people being exploited by social engineers do have expertise or reasonable proficiency in their line of work. Yet we see how easily social engineers fool people into handing over sensitive information.

Social engineers use various psychological manipulation techniques to acquire the confidence of their attack subjects. The methods they use vary from the usage of emotions, play on words, charm and impersonation to get the target to feel at ease with them.


Obedience to authority

Humans are wired to respect authority. From a young age, we are taught by our elders to give respect to and listen to people in authority. This means obeying parents, teachers and the law, and when one enters professional life, it extends to managers, bosses and superiors who demand that level of adherence. This is precisely another psychological vulnerability in humans which social engineers so eagerly exploit.

Being respectful and courteous is important, but becoming exceptionally compliant when orders are issued from superiors is an unhealthy attitude with detrimental consequences and is indeed a psychological flaw in some people, which is actively exploited by social engineers.


Exploiting naivety

Social engineers thrive on people's naivety. Once we take into account the fact that some people can be non-analytical, technology-ignorant or lacking in Internet usage experience, and couple this with natural gullibility, we realise that those members of our society are publicly holding an "open to exploitation" placard in their hands.

Once a window of opportunity presents itself, social engineers act without any undue delay. Natural disasters, celebrity gossip and trending topics are popular ways for scammers to grab the attention of potential victims and tempt them to click on click-bait links. These links are then shared and spread across the Internet through compromised accounts. The idea is usually to get people to click on the links, which lead them to a malicious website that infects their computers with malware which obtains their login credentials, while at the same time using the profile of the newly acquired victim to spread the scam further.

The trend in the enterprise to invest more in technology, but not in people, usually turns into regret once a breach occurs. A company can install ten different types of firewalls and intrusion detection systems to protect data, but these measures are ineffective in stopping someone from handing over their credentials to an attacker in a well-organised social engineering attack. However, training and awareness can play a crucial part in helping people realise how to react when they are being attacked.

The next section explains the proposed social engineering defence framework, which can be adopted by enterprises and businesses to reshape the workforce into competent guardians against social engineering threats.