Methods of counteracting social engineering

Authors

DOI:

https://doi.org/10.20535/2411-1031.2019.7.2.190563

Keywords:

Social engineering, social engineering counteracting, protection method, instrumentation, testing for penetration, staff recognition.

Abstract

Methods of counteracting the use of social engineering are analyzed. Relevant tools, for example, Social-Engineer Toolkit, Social Engineering Defensive Framework, Social Engineering Optimizer, Kali Linux, have been considered as examples of their practical implementation. Among the methods analyzed, penetration testing is highlighted. This method of counteraction is focused on identifying and preventing the exploitation of human (employee, client) vulnerabilities. Human vulnerability testing for penetration testing is done using the Social-Engineer Toolkit and Kali Linux, Cogni-Sense. Each of these tools is focused on the implementation of threats to social engineering. In this case, the Social-Engineer Toolkit can be used individually or as part of Kali Linux. At the same time the method of raising awareness of employees and customers is considered. To do this, he is trained on the likely scenarios of social engineering attacks. As a result of such training, technologies and policies for counteracting socio-engineering influence are being improved. In practice, the method is implemented as the Social Engineering Defensive Framework. At the same time, there are two aspects of counteracting the use of social engineering: the subject (the attacker), the object (the protector) of socio-engineering influence. This method can counteract the use of social engineering by considering likely actions by the attacker. It is considered that the sequence of its actions is determined solely in view of the attack scenarios of  social engineering. This method allows each action to counteract and, consequently, prevent the realization of threats to the use of social engineering. This method is practically implemented by the tool Social Engineering Optimizer. In addition, the method of identifying and reporting to employees (clients) about the use of social engineering is considered. Its practical application of Cogni-Sense is focused on the interpretation of humans as a sensor that responds to socio-engineering impact. Thus, the analysis of counteracting methods for the use of social engineering will allow, first, to consider their advantages and disadvantages to prevent the realization of threats of socio-engineering influence; second, to develop appropriate models, methods and tools to overcome the shortcomings of known solutions.

Author Biographies

Oksana Tsurkan, Pukhov institute for modeling in energy engineering of National academy of sciences of Ukraine, Kyiv,

senior engineer

Rostyslav Herasymov, Pukhov institute for modeling in energy engineering of National academy of sciences of Ukraine, Kyiv,

researcher

Olha Kruk, Pukhov institute for modeling in energy engineering of National academy of sciences of Ukraine, Kyiv,

junior researcher

References

V. Mokhor, O. Bohdanov, О. Kylovyi, Guidelines for cybersecurity (ISO/IEC 27032:2012). Kyiv, Ukraine: OOO “Try-K”, 2013.

V.V. Mokhor, O.V. Tsurkan, R.P. Herasymov, and V.V. Tsurkan, “Information Security Assessment of Computer Systems by Socio-engineering Approach”, Selected Papers of the XVII International Scientific and Practical Conference “Information Technologies and Security”. Kyiv, 2017. P. 92-98. [Online]. Available: http://ceur-ws.org/Vol-2067/paper13.pdf. Accessed on: June 11, 2019.

Analysis of the Cyber Attack on the Ukrainian Power Grid. [Online]. Available: https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf. Accessed on: June 11, 2019.

M. Edwards, R. Larson, B. Green, A. Rashid, and A. Baron, “Panning for gold: Automatically analyzing online social engineering attack surfaces”, Computers & Security, vol. 69, pp. 18-34, 2017, doi: /10.1016/j.cose.2016.12.013.

Fathollahi-Fard Mohammad Amir, Hajiaghaei-Keshteli Mostafa, and Tavakkoli-Moghaddam Reza, ”The Social Engineering Optimizer (SEO)”, Engineering Applications of Artificial Intelligence, vol. 72, pp. 267-293, 2018, doi: 10.1016/j.engappai.2018.04.009.

F. Mouton, L. Leenen, and H. Vente, “Social engineering attack examples, templates and scenarios”, Computers & Security, vol. 59, pp. 186-209, 2016, doi: 10.1016/j.cose.2016.03.004.

P. Engebretson, The Basics of Hacking and Penetration Testing. thical Hacking and Penetration Testing Made Easy, 2013, doi: 10.1016/C2013-0-00019-9.

R. Heartfield, and G. Loukas, “Detecting semantic social engineering attacks with the weakest link: Implementation and empirical evaluation of a human-as-a-security-sensor framework”. Computers & Security, vol. 76, pp. 101–127, 2018,doi:10.1016/j.cose.2018.02.020.

V. Thomas, Building an Information Security Awareness Program, 2014, doi:10.1016/b978-0-12-419967-5.00007-7

I. Ghafir, V. Prenosil, A. Alhejailan, and M. Hammoudeh, “Social Engineering Attack Strategies and Defence Approaches”, in Proc. IEEE 4th International Conference on Future Internet of Things and Cloud, Vienna, 2016, pp. 145-149, doi: 10.1109/FiCloud.2016.28.

K. Krombholz, H. Hobel, M. Huber, and E. Weippl, “Advanced social engineering attacks”, Journal of information security and applications, pp. 1-10, 2014, doi: 10.1016/j.jisa.2014. 09.005.

How to Cite

Tsurkan, O., Herasymov, R., & Kruk, O. (2019). Methods of counteracting social engineering. Information Technology and Security, 7(2), 161–170. https://doi.org/10.20535/2411-1031.2019.7.2.190563

Issue

Section

INFORMATION WARFARE