Published on March 11, 2014
Social Engineering Training Jan-Willem Bullee
Cyber-crime Science

Slide 2: Background
Effectiveness of authority on compliance.
We can get some of the answers from:
» Literature (meta-analysis)
» Attacker stories/interviews
But the answers are inconclusive:
» Different context
» Hard to measure human nature
» Difficult to standardize behaviour
Slide 3: Persuasion Principles
» Authority
» Conformity
» Commitment
» Liking
» Reciprocity
» Scarcity
Slide 4: Authority
» Titles: professionals vs lay people
» Clothing: formal vs casual
» Trappings: status vs insignificance
[Cia01] R. B. Cialdini. The science of persuasion. Scientific American Mind, 284:76-81, Feb 2001. http://dx.doi.org/10.1038/scientificamerican0201-76
Slide 5: Literature on Authority
» Classical Milgram shock experiment: 66% full compliance
» Nurse-physician relationship: 95% compliance
» Login credentials: 47% compliance
[Mil63] S. Milgram. Behavioral study of obedience. The Journal of Abnormal and Social Psychology, 67(4):371-378, 1963.
Slide 6: Success factors of Authority
» Sense of duty
» Obedience to authority
Slide 7: Attacker Stories
Books about social engineering, coded against the six principles of persuasion.
Provisional results:
» 4 books
» 100 cases
[Mit02] K. Mitnick, W. L. Simon, and S. Wozniak. The Art of Deception: Controlling the Human Element of Security. Wiley, Oct 2002. http://eu.wiley.com/WileyCDA/WileyTitle/productCd-0471237124.html
Slide 8: Mitnick Analysis
(figure only)
Slide 9: Nurse Study: Design
» Attacker: doctor
» Target: nurse
» Goal: violating policy (maximum dose of medicine)
» Interface: phone
» Persuasion principle: authority
[Hof66] C. Hofling, E. Brotzman, S. Dalrymple, N. Graves, and C. Pierce. An experimental study in Nurse-Physician relationships. J. of Nervous & Mental Disease, 143(2):171-180, Aug 1966.
Slide 10: Stealing a key
What is the influence on compliance with a request of:
» Social engineering (e.g. authority)
You are the researchers!
Slide 11: Our Design
» Attacker: you (student)
» Target: employee
» Goal: violating policy (sharing the office key with a third party)
» Interface: face to face
» Persuasion principle: authority
Slide 12: Method: Our design
Dependent and independent variables.
4 experimental conditions:
» Intervention / No intervention
» Authority / No authority
Dependent variable:
» Compliance / No compliance with the request
[Figure: Request -> Comply]
[Fie09] A. Field. Discovering statistics using SPSS. Sage, London, 3rd edition, Jan 2009. http://www.uk.sagepub.com/field3e/main.htm
Slide 13: Method: Our procedure
Subjects from the Carré building:
» 14 research groups
» 4 conditions: intervention vs no intervention; authority: suit vs casual
» Randomized sample
» Attack in 1 day
Slide 14: Method: Our procedure
Attack targets:
» Impersonate the facility manager and ask for the employee's key
» Short questionnaire
» Note date, time, location, condition, compliance, difficulty, etc.
More details on the course site.
Slide 15: What to do on Wed 11 Sep
» Attacker training in the morning, CR2022
» Execute the experiment individually (or in duos)
» One or two attackers per area
» Condition and area allocation by Jan-Willem Bullee, on the course site soon
» Debrief directly after the attack
Slide 16: What to do on Wed 11 Sep
We have permission to do this only at:
» UT: Carré
Enter your data in SPSS:
» Directly after the attack
» Come to me (ZI4047)
Earn 0.5 (out of 10) bonus points.
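The analysis step for the 2x2 design above (Intervention x Authority, with compliance as the dependent variable), as an added illustration that is not part of the lecture: it tabulates per-subject records the way the questionnaire sheet produces them and runs a Pearson chi-square test of independence for each factor, the test one would otherwise run in SPSS. The condition counts are constructed for illustration only.

```python
# Added illustration (not from the lecture): tabulate the 2x2 design
# Intervention x Authority -> Compliance and test each factor with a Pearson
# chi-square test of independence, the analysis one would run in SPSS.
# Constructed counts, invented for illustration:
# (intervention, authority) -> (complied, did not comply)
CONDITION_COUNTS = {
    (False, False): (6, 14),
    (False, True): (12, 8),
    (True, False): (4, 16),
    (True, True): (8, 12),
}
CHI2_CRIT_DF1_ALPHA05 = 3.841  # chi-square critical value, df=1, alpha=0.05

def expand(counts):
    """One (intervention, authority, complied) record per subject."""
    records = []
    for (intervention, authority), (yes, no) in counts.items():
        records += [(intervention, authority, True)] * yes
        records += [(intervention, authority, False)] * no
    return records

def crosstab(records, factor_index):
    """2x2 table {level: [complied, not]} for factor 0=intervention, 1=authority."""
    table = {False: [0, 0], True: [0, 0]}
    for rec in records:
        table[rec[factor_index]][0 if rec[2] else 1] += 1
    return table

def chi_square(table):
    """Pearson chi-square for a 2x2 table, no continuity correction."""
    rows = [table[False], table[True]]
    row_tot = [sum(r) for r in rows]
    col_tot = [sum(c) for c in zip(*rows)]
    n = sum(row_tot)
    stat = 0.0
    for i, row in enumerate(rows):
        for j, obs in enumerate(row):
            expected = row_tot[i] * col_tot[j] / n
            stat += (obs - expected) ** 2 / expected
    return stat

def analyse(records):
    """Compliance rate without/with each factor and 5%-level significance."""
    out = {}
    for name, idx in (("intervention", 0), ("authority", 1)):
        t = crosstab(records, idx)
        stat = chi_square(t)
        out[name] = {"rate_without": t[False][0] / sum(t[False]),
                     "rate_with": t[True][0] / sum(t[True]),
                     "chi2": round(stat, 3),
                     "significant": stat > CHI2_CRIT_DF1_ALPHA05}
    return out
```

Call `analyse(expand(CONDITION_COUNTS))` to get, per factor, the compliance rate with and without it and whether the chi-square statistic exceeds the critical value; with the constructed counts, authority is significant and the intervention is not.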
Slide 17: Ethical issues
» Informed consent not possible
» Zero risk for the subjects
» Approved by facility management
» Consistent with data protection (PII form)
» Approved by the ethical committee, see http://www.utwente.nl/ewi/en/research/ethics_protocol/
Slide 18: Conclusion
Designing research involves:
» Decide what data are needed
» Decide how to collect the data
» Use validated techniques where possible
» Experimental design, pilot, evaluate and improve
» Training, data gathering
» Start again...
Slide 19: Further Reading
[Cia09] R. B. Cialdini. Influence: The Psychology of Persuasion. Harper Collins, 2009. http://www.harpercollins.com/browseinside/index.aspx?isbn13=9780061241895
[Gre96a] T. Greening. Ask and ye shall receive: a study in 'social engineering'. SIGSAC Rev., 14(2):8-14, Apr 1996. http://doi.acm.org/10.1145/228292.228295