Social Engineering Techniques and Security Countermeasures

Introduction

In modern times, one of the most common ways of compromising the information security of an organization or individual is social engineering. The successful application of its techniques has enabled attackers and hackers to access sensitive and crucial information from computer and network systems.

Social engineering is a method of accessing data, systems, or buildings by exploiting human psychology instead of using complicated methods for hacking or breaking in. The attackers manipulate individuals into providing or revealing the information that they need to gain access to secured systems. In most cases, the victims never realize that they have been tricked or manipulated, or that their systems have been hacked (Hadnagy, 2010).

The common reasons for social engineering are getting access to information or network systems without authorization, committing fraud, theft of identity, industrial espionage, and disruption of a network or system.

Attackers use different methods in social engineering. One of the methods is exploitation of familiarity: the attackers gain the trust of the individuals they want to exploit by becoming familiar to them. An attacker may impersonate someone in authority and request sensitive information through emails and phone calls. Pretending to be someone well known to other employees, the attacker may send emails directly to the employees' email accounts with the intention of obtaining sensitive information. An attacker may also retrieve important documents from the organization's dumpster. An attacker may come up with pop-ups, hack into an individual's web search, and direct the search to their own page (Williams and Sawyer, 2012). The hacker may also send an online form to targets, claiming that there is a sweepstake competition and requesting the individuals' details. Once this information is provided, the attacker uses it for the intended purpose. Another, more complicated method is reverse social engineering: the hacker impersonates someone in authority, and the employees find themselves asking him questions. This last method needs adequate planning, research and execution to be successful (Tolman, 2008).

The attackers use tactics that convince their targets to trust them and eventually provide crucial and private information. The attackers also ensure that they never ask for too much information from one individual but ask for little information from several people.

Impact of social engineering and prevention

Social engineering in most cases impacts negatively on an organization, especially with regard to information security. It may lead to hacking of employees' email accounts and retrieval of vital information that the attacker could use to gain access to an organization's financial information. Gaining access to such information may result in loss of revenue, reduced productivity and loss of reputation for the organization.

Fighting or preventing social engineering should be an organization's priority. One of the strategies would be deploying strict security rules at all levels and securing the organization's network. Employees with high positions and authority in an organization should have access to the minimum number of sensitive accounts. Only those who must access the accounts and specific resources of importance require the accounts. These powerful accounts would need regular audits and strong authentication. It would be important to do regular audits on both successful and unsuccessful attempts to access company information (Mann, 2012).

An organization should also have in place systems for detecting and investigating potential attacks. It should also deploy virtual teams able to counter the attacks by detecting the targeted areas and the resources compromised. The team would also counter any attack that is in progress without interfering with company operations, and establish ways of preventing such attacks in future. There should be a determination of whether the company's policies and technology have loopholes that may make it vulnerable to such attacks. The company should make it a priority to alter or minimize the use of such processes or technologies.

Putting in place courteous policies that ensure secure actions among the employees and the organization's partners, without anyone feeling offended, would be of great help. Access to information or locations considered sensitive would require approval from the concerned authorities. Program awareness is critical, especially in the policies, processes, and technology. Any guidance established should be realistic, durable, memorable, proven to be effective, consistent and concise (Mann, 2012).

Social engineering can also occur through the opening of malicious files. The organization should therefore train its employees on how to handle untrustworthy emails sent to their email addresses, so that the organization is not too vulnerable to the attacks.

It is very important for an organization to ensure the security of its information. To do this, the organization would need to train its employees on security awareness and use creative ways to ensure there is an understanding of the threats posed by social engineering to the organization. Employees should also be educated on the skills and methods that the attackers use and the roles they have to play in the protection of the organization, and be given advice on how to ensure they do not become victims of the attacks. There ought to be regular updating and refreshing of the available information on how to uphold security. The meaning and importance of the message need continuous refreshing so that people do not lose sight of it (Mann, 2012).

There should be emphasis on enforcement of good behaviors where necessary. The attackers in most cases take advantage of the positive social norms and qualities that people possess in carrying out their attacks. Behaviors such as asking individuals to clarify their reasons for wanting to access specific locations or information from an organization or individuals need to be encouraged. At times, organizations or individuals need to emphasize that saying no to some requests may not be an offense or a way of denying one any right. This would restrict access to the specific locations and information. Policies that ensure practice of safe behaviors by users or individuals in realistic ways also need enforcement when the necessity arises. The users or individuals should be aware that such measures help in protecting them and the organization from the consequences of attacks through social engineering.

References

Hadnagy, Christopher. (2010). Social Engineering: The Art of Human Hacking. New York: John Wiley & Sons

Mann, Ian. (2012). Hacking the Human: Social Engineering Techniques and Security Countermeasures. Aldershot: Gower Publishing

Tolman, William H. (2008). Social Engineering. South Carolina: BiblioBazaar

Williams, Brian & Sawyer, Stacey. (2012). Using Information Technology 10e Complete edition, 10th edition McGraw-Hill higher education. A. Kindle Edition.

Social Engineering Attack and Response Methods

In the era of rapid data digitalization, the notion of cybersecurity has become an extremely important matter in terms of enterprises' data storage, privacy, and confidentiality. In order to make themselves feel more protected, companies make great financial contributions to cyber engineering and IT data protection. However, in order for the investment to be efficient, it is mandatory to anticipate all kinds of information leak probability, along with the appropriate attack response rate. Considering these peculiarities, one might reach the conclusion that the most crucial factors in terms of modern cybersecurity include individual awareness and the development of a proper neural cybersecurity network.

To dwell upon the necessity of these attributes, an example of a social engineering attack, along with the process of responding to the issue, will be presented. Several years ago, a medium-sized enterprise was exposed to a cyber-attack, which was aimed at stealing all the crucial data about access to the company's bank accounts. Since the overall financial situation within the enterprise did not allow the management to develop an extensive cybersecurity department, by the time they discovered an intrusion, the attackers had already managed to access the confidential information.

The company's CEO issued a lawsuit on cybercrime, and the first thing assigned by the law enforcement facilities was an immediate initiation of an internal investigation. The detectives interrogated each of the employees in order to eliminate the risk of information leaks inside the company. Although no employee was found guilty of a crime, a thorough investigation showed that one of the financial department workers shared some confidential information during a private social media conversation with an acquaintance. Prior to filing a criminal charge, the detectives found out that nobody in the company was responsible for cybersecurity education for the employees. At present, the attackers have not been found, and the charges against the employee have been put on hold.

This example demonstrates the primary importance of educating individuals on the subject of basic cyber protection patterns. Researchers claim that currently, the vast majority of people believe cybersecurity to be the IT department's responsibility exclusively, feeling no need to be educated on how to manage confidential data (Ghafir et al.). That is, people do not understand how sharing sensitive information on the Web might influence their employers and safety in general. For this reason, it is of crucial importance to develop a full-scale agenda of HR management education on basic labor rights, obligations, and cyber protection.

The issue described in the example touched on another problem relevant for modern enterprises: lack of finance allocation to cybersecurity and the IT department in general. However, with today's rapidly advancing technology, supporting cyber safety departments will not necessarily benefit the level of the company's protection. The only way to ensure such security is the implementation of a recurrent neural network, which enables the cyber protection mechanism to store the ways of attack attempts in order to anticipate and deal with future threats (Berman, 2019). Adherence to this advice, although costly for the company's overall budget, significantly decreases the risks of social engineering attacks by limiting one's possibilities of information leak and studying the patterns of cyber-attacks. Hence, the underestimation of cyber-attacks is a major mistake made by the enterprise's management, as it leads to irrevocable damage.

Works Cited

Berman, Daniel S., et al. A Survey of Deep Learning Methods for Cyber Security. Information, vol. 10, no. 4, 2019, pp. 122.

Ghafir, Ibrahim, et al. Social Engineering Attack Strategies and Defence Approaches. 2016 IEEE 4th International Conference on Future Internet of Things and Cloud (FiCloud).

Social Engineering Techniques for Bills Meat Packing Plant

Social engineering techniques are various methods used by hackers to get access to people's personal information. In most situations, such techniques are considered unethical because they allow social engineers to deceive computer users and take advantage of their trust, low awareness, and lack of suspiciousness. Overall, to collect information from the identified organization, it is essential to focus on its weaknesses, including health violations, an enormous turnover, and an extended area occupied by the company. Thus, the following methods can be used: bribery, impersonation, and conformity.

To begin with, it is necessary to explore how bribery can be effective when attacking the selected company. Overall, as noticed by Basta et al. (2014), when using this technique, the hacker pits an employee's greed against his or her loyalty to the organization (p. 22). Bribery is more likely to work when a worker is unsatisfied with the firm. Since the identified organization has a massive turnover, it is possible to suggest that the level of employee satisfaction is quite low. Further, conformity can be effective for the same reason: the hacker can use this sense of conformity to convince victims that they have a lot in common and that they share the same values (Basta et al., 2014, p. 22). Consequently, since not many employees seem loyal, they can share secure information with the attacker.

Further, impersonation can also be rather efficient for getting access to private information. For instance, since the company has health violations, it is possible for a hacker to pretend to be a health inspector and request access to relevant data. Once this access is granted, the hacker can use the organization's computers to get the secured information they need. What is more, since the company has many employees who often change, and the area it occupies is quite large, it is unlikely that all workers know each other. Consequently, it should be easy for the hacker to pretend to be an expert or an IT professional and intrude on the firm.

Reference

Basta, A., Basta, N., & Brown, W. (2014). Computer security and penetration testing (2nd ed.). Cengage Learning.

Role of Social Engineering in Penetration Testing

Penetration testing is an attempt to evaluate the degree of security of IT or any functioning infrastructure by attacking it from various aspects. There could be many vulnerabilities in an IT system which could be exploited to perform unauthorized actions on the system. That is why penetration testing is done on the system beforehand, to harden it against those attacks. Even then, there is the issue of ensuring that the human element of the infrastructure does not compromise security by leaking confidential information to ill-intentioned people such as hackers or rival organizations. This weak point of any infrastructure is exploited by means of social engineering.

Since social engineering is the act of manipulating or tricking people into taking actions, knowingly or unknowingly and against their will, that make them give up confidential information, hackers can easily get the information. Social engineering can be done using many methods such as emails, telephone, SMS, fake websites or links, and even face to face. There are various social engineering techniques that use the aforementioned methods to attack and exploit. Attackers can use several human or technical means, from phishing to dumpster diving, as tactics to get their hands on confidential data. In successful attacks these techniques and methods work in synergy to obtain ample information on individuals or organizations.

There are 4 steps in any social engineering attack:

  1. Information gathering, that is, studying and gaining information about the target.
  2. Developing a relationship with the target to gain their trust.
  3. Exploiting and gaining access to the systems.
  4. Execution, the final step where the attack is implemented.

There are many real-world examples of attacks that use social engineering against their targets. One of them is Cross-Site Request Forgery (CSRF), an attack that forces a web application user to execute unwanted actions on a web application in which they are currently authenticated. CSRF attacks specifically target state-changing requests. Social engineering comes into play when the attacker sends the victim a malicious link via email or chat, tricking the user of the web application into executing actions of the attacker's intent. For a normal victim, this attack can force the user to perform state-changing requests such as transferring funds or changing their email address or password. If the victim is an administrative account, CSRF can compromise the entire web application. Other attacks that use social engineering or penetration testing techniques include SQL Injection, Cache Poisoning, and Man-in-the-Browser attacks.

In conclusion, we can say that because of the different personality traits that different individuals possess, it is almost impossible to fully protect organizations against social engineering attacks. Because people are the most vulnerable link at the forefront of the security infrastructure, social engineering intrusions that are triggered by the human component cannot simply be mitigated through a general solution of the kind that works against software or hardware flaws.
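The server-side checks that stop the forged request described above, as an added example that is not part of the original essay. The origin `https://bank.example`, the paths, the cookie and field names, and all sample requests are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed values: a real deployment loads the key from a secret store.
SERVER_KEY = secrets.token_bytes(32)
TRUSTED_ORIGIN = "https://bank.example"            # hypothetical application origin
STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
STATE_CHANGING_PATHS = {"/transfer", "/change-email"}  # hypothetical routes


def _mac(session_id, nonce):
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id):
    """Token bound to one session; the application embeds it in its own forms."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def token_is_valid(session_id, token):
    if not token or token.count(".") != 1:
        return False
    nonce, mac = token.split(".")
    # Constant-time comparison on bytes (also avoids errors on non-ASCII input).
    return hmac.compare_digest(mac.encode(), _mac(session_id, nonce).encode())


def origin_is_trusted(headers):
    """Compare the browser-supplied Origin (or Referer) with the application origin."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == TRUSTED_ORIGIN


def check_request(request):
    """Return (allowed, reason) for a request given as a plain dict."""
    method = request["method"].upper()
    if method not in STATE_CHANGING_METHODS:
        # A clicked link is a GET, so state changes must never be reachable via GET.
        if request["path"] in STATE_CHANGING_PATHS:
            return False, "state change via safe method refused"
        return True, "read-only request"
    session_id = request.get("cookies", {}).get("session")
    if not session_id:
        return False, "not authenticated"
    if not origin_is_trusted(request.get("headers", {})):
        return False, "cross-site origin"
    if not token_is_valid(session_id, request.get("form", {}).get("csrf_token")):
        return False, "missing or invalid CSRF token"
    return True, "accepted"


# Constructed sample traffic. The browser attaches the session cookie to every
# request for the site, which is why the cookie alone proves nothing.
SESSION = "victim-session-id"
LEGIT = {"method": "POST", "path": "/transfer", "cookies": {"session": SESSION},
         "headers": {"Origin": "https://bank.example"},
         "form": {"amount": "10", "csrf_token": issue_csrf_token(SESSION)}}
FORGED_POST = {"method": "POST", "path": "/transfer", "cookies": {"session": SESSION},
               "headers": {"Origin": "https://attacker.example"},
               "form": {"amount": "5000"}}
FORGED_LINK = {"method": "GET", "path": "/transfer", "cookies": {"session": SESSION},
               "headers": {"Referer": "https://mail.example/inbox"}, "form": {}}
WRONG_SESSION_TOKEN = {"method": "POST", "path": "/change-email",
                       "cookies": {"session": SESSION},
                       "headers": {"Referer": "https://bank.example/settings"},
                       "form": {"csrf_token": issue_csrf_token("other-session-id")}}

if __name__ == "__main__":
    for name in ("LEGIT", "FORGED_POST", "FORGED_LINK", "WRONG_SESSION_TOKEN"):
        print(name, check_request(globals()[name]))
```

Setting the session cookie with `SameSite=Lax` or `Strict` adds a browser-side layer on top of these checks.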

Reflections on the Effectiveness of Social Engineering

After reflecting on the quote from Dr. Thomas Plante about social engineering and learning about behavior intervention, I believe that both approaches can lead to effective behavior change depending on what the behavior is. I agree with Dr. Plante’s quote to an extent because it can be very hard for people to make significant, lasting behavior changes in their lives using just willpower alone, even if they know what they’re doing is bad for their health. However, even with social engineering, individuals could still find ways to stick to their unhealthy behaviors.

One example is using social engineering to add an extra tax on sugary drinks. This approach would only be effective in somewhat reducing the consumption of them, not eliminating it completely. In this example, social engineering alone wouldn’t be enough to significantly change people’s behavior of consuming sugary drinks because the individual would still have to display enough self-motivation to not just pay the extra tax to get the drink that they want. I think that some better venues for health-habit modification in that situation would be the family of the individual or their physician. If the person’s family is also willing to eliminate the consumption of sugary drinks, they would all be able to motivate each other and stick to it since everyone is participating in the health behavior change. A physician could also help by suggesting alternatives to sugary drinks to the patient such as sparkling or infused water in order to help them transition off of soda and sugary juices.

However, in some situations, social engineering would be more effective than other behavior interventions that primarily rely on motivating people to change a behavior on their own. An example of this would be lowering the speed limit to reduce the amount of accidents leading to death and injury. Social engineering works better for this situation because people wouldn’t be motivated to slow down unless they are reinforced by the law to drive slower. Most people abide by the speed limit laws in order to avoid getting a speeding ticket or a fine. Safe driving campaigns and interventions might have a very slight impact on the amount of accidents due to speeding, but the impact of social engineering in this example is far greater and more effective.

In conclusion, I partially agree with Dr. Plante’s quote about the effectiveness of social engineering; however, I also agree that there is value in people learning to self-monitor their own health behaviors and practice self-reinforcement. Self-monitoring and self-reinforcement are both part of cognitive-behavior therapy which emphasizes self-control. It is important for individuals to feel like they have control over their decisions and are properly educated on the outcomes of unhealthy behaviors instead of everything being legally mandated and decided for them by the government.

Argumentative Essay on Real Work of Social Engineering

Does Social Engineering Really Work?

Does social engineering really work? Yes, I believe it does. The main two reasons that I believe social engineering in the context of cybercrime works, is because firstly, it targets what I think is the weakest link in any digital security system, the human. The second reason why I believe social engineering works is because it has been around since humans have existed. It is still used to this day. Why? Because it works. The reason for this is because social engineering doesn’t just involve digital threats like phishing or ransomware, it also sometimes involves manipulating humans, more specifically, manipulating them by taking advantage of their qualities or emotions.[1] Social engineering is used and works all the time, by everyone. Whenever we try to get someone to give us something or do something for our benefit, we are social engineering.[2]

[1] Jovi Umawing and Jovi Umawing, ‘Social Engineering Attacks: What Makes You Susceptible? – Malwarebytes Labs’ (Malwarebytes Labs, 2019) accessed 13 October 2019.
[2] Christopher Hadnagy, Social Engineering (Wiley Pub 2011) Ch. 1.

One of the most common forms of social engineering, phishing, tries to take advantage of human rashness and recklessness.[3] Phishing scams may try to trick users by getting them to click on links and attachments that seem legitimate but are actually not. These types of scams are so successful due to the sense of urgency created in an individual.[4] This technique is especially effective due to the fast-paced world that we currently live in. We consume information at an unprecedented speed and due to this, phishing is highly effective.

[3] Ibid (n 1).
[4] Nabie Y. Conteh and Paul J. Schmick, ‘Cybersecurity: Risks, Vulnerabilities And Countermeasures To Prevent Social Engineering Attacks’ (2016) 6 International Journal of Advanced Computer Research 32.

There is irrefutable evidence to suggest that social engineering works. The cost of cybercrime and economic espionage to the global economy is more than $445 billion annually, or almost one percent of total global income.[5] If even one percent of this is through the use of social engineering, it would account for tens of billions of dollars in annual losses. Therefore, it cannot simply be overlooked. Furthermore, it cannot simply be said that social engineering doesn’t work. It can easily be inferred from the above data that social engineering is not just working, it is working very well.

[5] Ibid.

Social engineering also takes advantage of some innate human characteristics and emotions, such as fear and desire. Ransomware tries to scare people into paying sums of money and, if the sums go unpaid, it locks individuals out of their own digital devices and, consequently, their data. The advance-fee scam still works to this day because it appeals to the human desire for money and it also takes advantage of people’s greed. Catfishing scams are also very powerful because they involve a cybercriminal pretending to be someone they are not in order to develop a fake, online, romantic relationship with an individual, with the aim usually being either to waste someone’s time or to extract money from an individual. These types of scams will always continue to work because humans will always be born with and will naturally develop innate characteristics and emotions which make them vulnerable to these types of attacks. No technical countermeasures can eliminate the human vulnerability.[6] These scams still exist, because they still work. If they didn’t work anymore, they wouldn’t exist.

[6] Ibid 33.

Another form of social engineering is tailgating. This attack targets those who have the ability to grant or gain access to a restricted area; the attacker may impersonate delivery personnel or others who may require temporary access.[7] This type of attack takes advantage of general human decency and common courtesy. It gives criminals access to restricted areas from where a large amount of data can be stolen and from where viruses and malware can be installed onto an organization’s machines. This allows for further spying by the cybercriminal. What may start off as a social engineering attack can soon balloon into a threat that is much bigger and much more dangerous. Again, this type of attack also takes advantage of the fast-paced environment that we live in. We often don’t question and stop people who look like they know what they are doing and who look like they belong in a certain place.

[7] Ibid 32.

There are preventative measures that may be used to stop social engineering attacks from working. However, these measures have their own problems and therefore social engineering still works. For example, companies could provide all their employees with security training and teach them how to identify social engineering attacks and how to prevent them. This would condition employees to be cautious, keep a close eye on everything, and allow them to easily identify social engineering attacks. However, a lack of resources is perhaps the leading contributor to the exponential growth of social engineering and cybercrime. Not a lot of organizations have the resources to implement thorough security training and invest in anti-cybercrime solutions. “While the cost of cyber victimization is nearly a half trillion dollars, it has not hurt global economies enough and may even be in the realm of appearing as a cost of doing business.”[8] Unless social engineering and cybercrime become unbearable and heavily eat into the profits of companies, they probably won’t take action.

[8] Ibid 33.

Despite all of this, the best way to combat social engineering is to simply develop the knowledge that people have about socially engineered attacks.[9] Unfortunately, no matter what sort of measures are put into place to prevent social engineering, once cybercriminals are aware of the countermeasures taken by an organization, they can develop new methods of social engineering that most people would be unfamiliar with.[10] Furthermore, as I have mentioned already, humans are the weakest link in any countermeasures taken against social engineering. Hackers can engineer their attacks towards specific people based on data that they have already collected.[11] For example, employees that are anxious, angry, vulnerable, and/or depressed have a higher chance of responding to phishing emails.[12] Additionally, extroverted people are more likely to give out information easily; these types of people leave behind personal information and digital footprints which can be used by hackers to gain access into the target organization.[13] Employees also develop complacency in that they trust their company’s IT infrastructure too much and are therefore more susceptible to attacks.[14] Another factor that causes organizational vulnerability is the fact that some employees just don’t care enough and simply lack the motivation to protect their organizations from socially engineered attacks.[15] Even if organizations were able to successfully implement measures against social engineering and were able to get their employees to perfectly adhere to these measures, it would still not make them invulnerable.[16] Criminals are always developing new methods of social engineering which individuals will be unaware of no matter how much training they receive.[17]

[9] Hussain Aldawood and Geoffrey Skinner, ‘Reviewing Cyber Security Social Engineering Training And Awareness Programs—Pitfalls And Ongoing Issues’ (2019) 11 Future Internet.
[10] Ibid 3.1.4.
[11] Ibid 3.1.6.
[12] Ibid.
[13] Ibid.
[14] Ibid.
[15] Ibid.
[16] Ibid.
[17] Ibid.

In conclusion, the answer to the question as to whether social engineering really works is a resounding yes. Through my research, I have learned that social engineering in the context of cybercrime is highly effective. It is simply the use of a system that has worked on humans for the past hundreds of thousands of years, only this time it is applied to successfully carry out cybercrime. The essence of social engineering, I believe, is the manipulation and exploitation of innate human characteristics and emotions. For as long as humans exist, social engineering will work on them. Humans are the weakest link in any security system in the world. There are many ways that individuals and organizations have tried and continue to try to prevent social engineering. Despite this, social engineering is as prevalent as ever and the same scams that have worked for ages continue to work to this day. I don’t believe that social engineering will ever be eliminated, and that is because humans will always be humans, and humans will always have emotions and weaknesses. Humans will always make mistakes. Therefore, they are much easier to “hack” than any computer system. That is why they are socially engineerable.

Role of Social Engineering and Online Influence on Users in Cyber Security: Analytical Essay

Chapter 1: Literature Review

What is Social Engineering?

Social Engineering is simply the process of manipulating the user into disclosing either his sensitive information or his personally identifiable information (PII) to the social engineer. According to (Conteh and Schmick, 2016), social engineering is also known as human hacking. Additionally, it is regarded as the hacker’s strategy to trick people and manipulate their tendency to trust and to engage in a specific behavior online for malicious and financial gain (Conteh and Schmick, 2016). Social engineering is arguably the single greatest security risk a company can experience, since even the most sophisticated protective security measures are ineffective and powerless when users are being manipulated by social engineers. Furthermore, (Krombholz et al., 2015) argue that it repeatedly proves simple for social engineers to get users to infect their computers or mobile phones by tempting them to click on harmful links, visit fake websites that seem legitimate to them, or download and install malicious applications. Ultimately, the victims of such attacks are widely known as a company’s insider threats regardless of whether their error was intentional or not.

Primary operations of Social Engineering

As previously mentioned, protective security measures such as firewalls or antivirus software will be insignificant if users are easily tricked into clicking on malevolent links or revealing their credentials online. (Williams, Beardmore, and Joinson, 2017) discuss that social engineering has proven to be a relatively successful method of getting inside the organization, by pressuring or persuading users to perform irrational actions such as disclosing their credentials and sensitive information. (Williams, Beardmore, and Joinson, 2017) also discuss that, in order for social engineers to succeed in their attempts, several psychological procedures are executed that exploit social norms and obligations in the process. These include reciprocity, conformity, and authority.

The term reciprocity, according to (Happ, Melzer, and Steffgen, 2016), is a psychological principle that exists in cultures all around the world. It is the feeling of being obligated to return a favor regardless of the original favor. Reciprocity is a fundamental factor of social interactions amongst individuals in society, and in terms of online communication, it increases the inclination to reveal personal information.

Secondly, the term conformity can be referred to, according to (Bullée et al., 2017), as social proof, which is the process of convincing a user that his coworkers have already performed the requested tasks or have already provided their personal information. Social engineers usually adopt a friendly stance in an attempt to obtain information. Furthermore, (Bullée et al., 2017) explain that the hacker tries to convince certain users that their coworkers have been giving him the same information, so that they will eventually feel pressure to conform. In some cases, male users in particular respond kindly to women who may use flattering techniques or flirtation to tempt their target to confidently carry the interaction further.

Finally, the most effective social strategy that most users fall victim to is authority. (Bullée et al., 2017) define the term as the principle that describes the tendency of users to comply with the requests of authority figures. It is typically the case that the social engineer creates a sense of trust with the user by impersonating an authoritative figure in an attempt to gain access to their account credentials. (Bullée et al., 2017) also argue that hackers tend to instill a sense of urgency in their target victims, luring them to make decisions quickly instead of considering other potential options.

The attack vectors of Social Engineering

Although the strongest security measures are increasingly advanced, promoted, and implemented, the number of data breaches within organizations is still increasing, and for good reason. Cyber-criminals regularly target the weakest line of defense in a company, which is the user, because human error, whether or not it is intentional, is still the simplest way for the hacker to get access to the system. Conteh and Schmick (2016) argue that social engineers apply alternate routes to persuasion that exploit the psychological vulnerabilities of users by influencing their emotions towards Fear, Obedience, Greed, and Helpfulness. These are the four human emotions and behaviors hackers most commonly use to take advantage of users in order to carry out their attacks.

(Hadnagy, 2011) defined the term Fear in his book as an unpleasant emotion that is triggered by the notion that someone is dangerous. Fear is arguably one of the most manipulated emotions when it comes to social engineering. A user may receive an email message informing them that their account has been compromised and requires a new password for example. These kinds of malevolent email messages strike fear in the mind of the user and manipulate him to react abruptly in order to avoid serious consequences.

The second emotion is Obedience, which is defined by (Hadnagy, 2011) as complying with an order, request, or submission to an authoritative figure. Generally, individuals are taught throughout their childhood to always obey and trust the authorities without questioning the validity of their correspondence and to comply with their instructions and guidance. Some scamming attempts are frequently disguised as an email message, instant message, or a phone call from an individual or a group in authority. Falling for those attempts can have some serious consequences.

Thirdly, the term Greed is typically the desire to acquire more money or anything else for that matter. Scammers are widely known for their attempt to persuade their victims to perform a certain action and reward them afterward. The reward can typically be an amount of money provided that the victims share their banking information beforehand.

Finally, Helpfulness is typically about the willingness to provide any sort of help to others. The social engineer will generally disguise himself as someone who needs assistance. The attacker can pose as a new employee and may start asking questions concerning account passwords or the location of the server room or security offices, etc.
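The four levers above, together with the urgency and authority impersonation described earlier, can be turned into a defender-side triage check for inbound mail. The sketch below is an added example and not part of the essay; the cue phrases, the header checks, the verdict thresholds, and the sample messages and domains are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed cue phrases for the four levers the essay names, plus urgency.
# Illustrative assumptions, not a vetted ruleset.
CUES = {
    "fear": [r"account (has been|was) (compromised|suspended|locked)",
             r"unauthori[sz]ed (access|login)"],
    "obedience": [r"you are required to", r"per company policy",
                  r"management has (asked|instructed)"],
    "greed": [r"\b(prize|reward|refund|gift card|bonus)\b",
              r"you have (won|been selected)"],
    "helpfulness": [r"\bi am new\b", r"could you (please )?help",
                    r"do me a (quick )?favou?r"],
    "urgency": [r"within \d+ (hours?|minutes?)", r"\bimmediately\b",
                r"\b(today|asap)\b"],
}
# What the sender asks for: credentials or personal/banking data.
ASKS = [r"\bpassword\b",
        r"(verify|confirm) your (account|identity|credentials)",
        r"bank(ing)? (details|information)"]
# Display names that claim authority (assumed list).
AUTHORITY_NAME = re.compile(r"\b(ceo|director|it security|help ?desk)\b", re.I)


def body_text(msg):
    """Return the first text/plain part, decoded to str."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def name_and_domain(header_value):
    """Split an address header into (display name, lower-cased domain)."""
    name, addr = parseaddr(header_value or "")
    return name, addr.rpartition("@")[2].lower()


def header_flags(msg, org_domain):
    """Sender anomalies that suggest impersonation of an authority figure."""
    flags = []
    name, from_dom = name_and_domain(msg.get("From"))
    _, reply_dom = name_and_domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to domain differs from sender domain")
    if from_dom != org_domain and AUTHORITY_NAME.search(name):
        flags.append("authority display name on external domain")
    return flags


def triage(raw, org_domain):
    """Tag a raw RFC 822 message with levers, asks, flags and a verdict."""
    msg = message_from_string(raw)
    text = msg.get("Subject", "") + " " + body_text(msg)
    text = re.sub(r"\s+", " ", text).lower()   # wrapped lines become one line
    levers = sorted(lever for lever, pats in CUES.items()
                    if any(re.search(p, text) for p in pats))
    asks = [m.group(0) for p in ASKS for m in re.finditer(p, text)]
    flags = header_flags(msg, org_domain)
    # A lever alone is common in ordinary mail, so escalate only when it is
    # combined with a request for credentials/PII or a sender anomaly.
    if levers and asks and flags:
        verdict = "quarantine"
    elif levers and (asks or flags):
        verdict = "review"
    else:
        verdict = "deliver"
    return {"levers": levers, "asks": asks, "flags": flags, "verdict": verdict}


# Constructed sample messages (not real mail).
PHISH = """\
From: "IT Security" <it-security@corp-helpdesk.example>
Reply-To: reset@mailbox.example
To: alice@corp.example
Subject: Your account has been compromised

Your account has been compromised. You are required to confirm your
credentials and choose a new password within 24 hours.
"""
PRIZE = """\
From: Prize Desk <winner@lottery.example>
To: alice@corp.example
Subject: You have won

You have been selected for a reward. Send your banking information to claim it.
"""
BENIGN = """\
From: "Bob Builder" <bob@corp.example>
To: alice@corp.example
Subject: Lunch today?

Could you help me pick a place for lunch today?
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("prize", PRIZE), ("benign", BENIGN)):
        print(label, triage(raw, "corp.example"))
```

The benign message trips two levers (helpfulness and urgency) and is still delivered, which is the point of requiring a credential request or a sender anomaly before escalating.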

The motivation behind social engineering attacks

(Kumar and Carley, 2016) argue that to effectively prevent social engineering attacks, it is essential to consider the reasons and the motivation of hackers. Furthermore, many researchers have analyzed the effective security measures used to prevent social engineering attacks in addition to trying to investigate the motivation behind these attacks. Moreover, sometimes the real purpose for deploying the attack remains unknown, and the situation might get more complicated if the attacker were in a different country.

The motives behind social engineering attacks vary massively. They can attack the users for a number of reasons. According to (Halaseh and Alqatawna, 2016), some of the potential reasons for the attacks are:

  • Financial. The motivation of a social engineer when deploying an attack on the users is to lure them into disclosing their sensitive information and credentials so that hackers can have full access to their bank accounts. Alternatively, the hacker may as well sell that information to others on the dark web.
  • Access to proprietary information. The social engineer typically intends to gain access to the system and gain as much information about the company as possible. The system in that case will inevitably be compromised; however, the intent of the hacker is not to inflict damage upon the system but to understand the procedures, the policies, and the sensitive information. That kind of attack can also be done by launching Advanced Persistent Threat (APT) attacks, whereby the hacker infiltrates the network through a phishing email and remains undetected for a long period of time.
  • Revenge. According to (Conteh and Schmick, 2016), it is one of the ways to cause problems to someone indirectly. That kind of motive is now very common and can also be utilized for scamming and fraudulent purposes, and even for inappropriate content online.
  • Fun. There are social engineers whose intent is to create chaos among the general public, like for instance the spread of email messages about a fictitious computer virus.

Types of social engineering attacks

With regard to the human vulnerabilities of social engineering, (Conteh and Schmick, 2016) argue that, as far as cyber security specialists are concerned, social engineering attacks are regarded as totally ineffective against advanced security measures while they aim primarily to exploit humans’ vulnerabilities and lure them into divulging sensitive data. Social engineering attacks have many different aspects and features, such as the physical, social, reverse social engineering, and socio-technical aspects.

  • Physical approach. In that kind of approach, the hacker performs some sort of physical action in an attempt to gather sensitive data, ranging from personal information about the users, such as names and dates of birth, to valid credentials for computer systems. (Krombholz et al., 2015) note that the method often used in that attack is dumpster diving, in which the hacker searches for valuable information in the organization’s dumpster, which can be a significant source of information for hackers.
  • Social approach. According to (Krombholz et al., 2015) it is comparatively the most important approach that leads to successful social engineering attacks. The process involves the attacker relying on persuasion methods to manipulate their targets. The attacker first tries to develop a relationship with their victims to the extent that he will be viewed positively by the recipient and therefore will be highly likely to be trusted.
  • Reverse Social Engineering. In that kind of attack, (Krombholz et al., 2015) discuss that the attacker attempts to convince the user that they are having a problem on their computer and that the attacker is a trustworthy entity. The social engineer’s main objective is to get the user to make the first move by asking him for a plausible solution. The process the hacker goes through consists of three main steps: sabotaging, advertising, and assisting. Basically, the hacker first attempts to sabotage the user’s computer by infecting it with malicious software. Afterward, the attacker advertises that they possess the solution to fix the problem. Finally, when the user asks for help, the hacker will resolve the problem he created by asking the user for their password beforehand.
  • Socio-Technical Approach. In that kind of attack, (Krombholz et al., 2015) discuss that the hackers use a method called the Baiting attack. The hacker leaves storage devices infected with malevolent software in places where it could be easily picked up by individuals. Additionally, in order for their hacking attempt to be successful, hackers exploit the curiosity of users by adding tempting labels on the devices such as “private contents” or “confidential”. Another common socio-technical method is phishing which is usually done by sending fake email messages that look legit containing malicious downloadable attachments to a large group of people instructing them to follow the instructions which eventually lure them into revealing their credentials.

Preventive measures against Social Engineering

Regardless of how effectively secured the network might seem to cyber security specialists, the human aspect will always remain a vulnerability. Users are inevitably the last line of defense against social engineering attacks. Conteh and Schmick (2016) discuss the important countermeasures that companies ought to deploy in order to prevent their users from falling victim to social engineering attacks:

  • Training and Education. Training the staff to identify and take action against social engineering attacks is an essential step toward keeping their system from being compromised. Conteh and Schmick (2016) also argue for exposing users to previously used social engineering techniques so that they familiarize themselves with the attacks and build awareness amongst themselves.
  • Security Policy. The company ought to have a well-written policy that includes technical and non-technical elements that are driven by executive management.
  • Technical Procedures. The network should have multiple layers of defense to protect sensitive data and the networking infrastructure. Conteh and Schmick (2016) argue that software such as Intrusion Detection Systems (IDS) and sophisticated firewalls have to be implemented on all computers.

  • Audits and Compliance. It is important for companies to verify that their security policy is being adhered to on a regular basis. Furthermore, executing some of the important detective controls including reviewing networking logs, re-validating employees’ permissions, and checking desktop configurations should at least be done every week.

Aims and Research Questions:

1) Aims

The goal of this research is to attain a better comprehension of social engineering attacks that basically exploit human psychological weaknesses, luring online users to engage in particular behaviors online for financial gain and other malevolent gains.

Another purpose of this research is to learn who is more susceptible to falling victim to fake email messages in terms of their gender, age, and their educational background, and to what extent do users know about social engineering threats, which can lead to identity theft and security breaches, and finally to learn whether users possess the notion that they are always safe online and cannot be reached or targeted by hackers.

2) Research Questions:

This research explores the questions:

  • What are the psychological factors that play a role in luring employees to follow the instructions within illegitimate email messages?
  • Who is more susceptible to being deceived by phishing attacks?
  • To what degree do online users have insufficient knowledge of social engineering techniques and lack strategies to identify vulnerabilities and scams?
  • Do users believe they are immune to social engineering?

Research Methods:

1) Introduction

There are two different research methods that are applied in all kinds of studies to extract and gather empirical information. Additionally, Chu and Ke (2017) state that research methods are traditionally labeled as qualitative and quantitative methods that have comparatively far more attention in the scholarly community. Those two methods are aimed at identifying educational problems using different approaches.

Yilmaz (2013) defines quantitative research as research that explains events according to numerical data which are analyzed by means of mathematically based methods, specifically statistics. Furthermore, it can be referred to as a type of empirical research in which the process of testing a theory consists of variables that are measured with numbers and analyzed with statistics in order to determine if the theory explains or predicts phenomena of interest. Yilmaz (2013) also defined qualitative research as an emergent, interpretive and naturalistic approach to the study of people, cases, social situations, and processes in their natural settings to reveal the meanings that people attach to their experiences of the world.

2) Research Approach:

This research makes use of a quantitative research strategy in the sense that there will be empirical numeric data produced at the end of the study. It is defined as a scientific method for the collection of empirical data, modeling and analysis of data, and evaluation of results. Kumar (2019) stated in his book that quantitative methods are relatively specific, well-structured, have been frequently tested for their validity and reliability, and can be explicitly defined and recognized. The reason for choosing this research method is mainly that the data that will be collected through online questionnaires can be expressed in numerical form and analyzed statistically. Furthermore, the numerical data can be organized and thoroughly analyzed statistically to produce the empirical results of the study. Additionally, the quantitative research ought to help in learning how many users are getting socially engineered by having their psychological weaknesses exploited by social engineers, who are characterized by (Happ, Melzer, and Steffgen, 2016) as psychology experts that exploit typical human vulnerabilities such as fear and greed using specific classes of attacks. It ought also to help in learning the proportion of individuals who lack knowledge of phishing and scams, and whether they think that security measures and awareness ought to be sufficient to keep them safe online.

3) Research Method:

The methods of data gathering can be used across studies that are classified as quantitative, qualitative, or mixed methods. The way a particular method is implemented to collect data determines the classification of the study to a larger extent. Kumar (2019) argues that there are several quantitative methods that can be used to collect the data.

The choice of method depends on the purpose of the study, which is learning how susceptible online users are to following instructions within phishing emails, the proportion of online users who are prone to be victimized by social engineering attacks, the proportion of users who lack the strategies to detect malicious emails, and finally the percentage of users who are under the impression that they are always safe from social engineering attacks.

Consequently, an online questionnaire will be used throughout this research to collect the information that is required to answer my research questions.

Kumar (2019) discussed in his book that online questionnaires have become quite common nowadays due to the advancement in communication technology. The main reasons why the online questionnaire has been selected as the quantitative research method in this research are that:

  • It is less expensive in the sense that interviewing participants is not required, and it is relatively convenient when it is administered collectively to a study population (Kumar, 2019).
  • It offers considerable anonymity and all participants will be exempt from live interaction with the interviewer. Furthermore, all sensitive questions will be answered with accurate information.

4) Data Collection:

Rowley (2014) discusses that questionnaires are one of the quantitative methods used to collect data, and therefore many researchers in business and other areas of social sciences link research with questionnaires. According to (Rowley, 2014), a lot of effort ought to be allocated into producing a good questionnaire that collects accurate data that answers the research questions.

Throughout this research, a questionnaire that includes open and closed questions will be conducted as a means of collecting accurate and relevant data in order to answer the research questions. Rowley (2014) argues that closed questions are quick for respondents and are always composed of a number of options from which the user will have to select, whereas open questions simply invite respondents to provide data or offer short comments of one or two sentences, and allow respondents to use their own language and express their own views.

In terms of distributing the questionnaire, it is mandatory early in the process to explain the purpose of my research in addition to giving a brief introduction to myself and the reason for seeking their answers and opinions as clearly as possible; and assure them that it is completely confidential. Moreover, it is crucial to be clear about the amount of time that the questionnaire survey will take, because (Rowley, 2014) argues that if the questionnaire survey takes too long to complete then it will be highly likely that the participants will skip through the questions and will inevitably leave sections of the questionnaire incomplete or totally abort the whole process.

Finally, there are several ways of delivering the questionnaire, but the one that will be used throughout this research is an email-based survey tool, Qualtrics, to conduct data collection and analyze the responses. The survey will be sent to all the contacts and friends I know on social media, who will be asked to complete it and to pass the questionnaire completion request on to their contacts.

References:

  1. Conteh, N. and Schmick, P. (2016). Cybersecurity: risks, vulnerabilities, and countermeasures to prevent social engineering attacks. International Journal of Advanced Computer Research, 6(23), pp.31-38.
  2. Krombholz, K., Hobel, H., Huber, M. and Weippl, E. (2015). Advanced social engineering attacks. Journal of Information Security and Applications, 22, pp.113-122.
  3. Williams, E., Beardmore, A. and Joinson, A. (2017). Individual differences in susceptibility to online influence: A theoretical review. Computers in Human Behavior, 72, pp.412-421.
  4. Happ, C., Melzer, A. and Steffgen, G. (2016). The trick with a treat – Reciprocity increases the willingness to communicate personal data. Computers in Human Behavior, 61, pp.372-377.
  5. Bullée, J., Montoya, L., Pieters, W., Junger, M. and Hartel, P. (2017). On the anatomy of social engineering attacks-A literature-based dissection of successful attacks. Journal of Investigative Psychology and Offender Profiling, 15(1), pp.20-45.
  6. Hadnagy, C. (2011). Social engineering. Indianapolis: Wiley Publishing, Inc.
  7. Kumar, S. and Carley, K. (2016). Approaches to understanding the motivations behind cyber attacks. 2016 IEEE Conference on Intelligence and Security Informatics (ISI), pp.307-309.
  8. Halaseh, R. and Alqatawna, J. (2016). Analyzing CyberCrimes Strategies: The Case of Phishing Attack. 2016 Cybersecurity and Cyberforensics Conference (CCC), pp.82-88.
  9. Chu, H. and Ke, Q. (2017). Research methods: What’s in the name? Library & Information Science Research, 39(4), pp.284-294.
  10. Yilmaz, K. (2013). Comparison of Quantitative and Qualitative Research Traditions: epistemological, theoretical, and methodological differences. European Journal of Education, 48(2), pp.311-325.
  11. Rowley, J. (2014). Designing and using research questionnaires. Management Research Review, 37(3), pp.308-330.

The Role of Cyber Warrior in Cyberspace on Social Engineering Attacks

Abstract

In the Cyberspace domain, the rate of cyber-attacks is rising every day. This creates the need to encourage individuals to become Cyber Warriors. To have a better understanding of a Cyber Warrior, we need to know the training, requirements, skills, and knowledge to obtain, and also how a Cyber Warrior differs from a traditional warrior. Social engineering attacks have now become very successful, given that most technical devices are unreliable in preventing such attacks. The best way is for Cyber Warriors to give training to individuals and organizations to prevent such psychological attacks. We illustrate several categories of social engineering attacks in relation to Cyber Warrior training to prevent them.

Keywords—Cyber warrior, Cyberspace, Social engineering attacks

I. Introduction

In the world today, the Cyber warrior has become an important concern that requires great attention and consideration because of the increase in cyberattacks we face at present. Cyber warriors are in high demand to fill the gap in the cyberspace workforce and to create new methodologies and algorithms to solve these problems. This includes looking at the challenges a cyber warrior faces and the possible countermeasures to use. Even though the era of cyberwarfare is still a new paradigm, many countries, world organizations, and interested individuals are seeking the skills, knowledge, and awareness required in the field. A Cyber warrior can be defined as a professional who takes part in cyberwarfare activities by applying his/her knowledge and skills in defensive and offensive cyberattacks [1]. Cyber warfare refers to the use of cyberattacks between two parties (for example, two countries) that can affect and damage the other party’s infrastructure, such as attacks on network services and computer system resources, including theft of confidential information and power and electricity disruptions [2]. Because of the recent rise in attacks on many organizations, network facilities, and services, there is a need to study awareness of social engineering methods and the defensive mechanisms that can help counter the attacks and their effects on vulnerable infrastructure. Social engineering is an extremely critical psychological attack that can have a great effect when conducted successfully.

In this paper, we explore the roles of a Cyber warrior by first understanding who a Cyber warrior is, the requirements and training needed to become one, the skills involved, and the differences between the kinetic and cyber warrior domains. We also look at different social engineering attack methods with their defensive mechanisms, and at how a cyber warrior can control such methods. Accordingly, Section II presents the literature review on the two concepts “cyber-warrior” and “social engineering method”, Section III covers the cyber-warrior in cyberspace, Section IV covers social engineering methods, and Section V describes the relationship between a cyber-warrior and social engineering methods. Finally, Section VI presents the conclusion and the recommendations of the study.

II. Literature review

In this section, we review the two concepts of the cyber warrior and social engineering and summarize what other researchers have done. The paper in [3] presents the important leadership techniques required of a cyber-warrior, compared from a military perspective. It explains the differences between a kinetic and a cyber warrior in the cyber domain, and the leadership principles a cyber-warrior should adopt from a military perspective: understanding one’s strengths and weaknesses in order to improve, being technically proficient, creating groups for training, and other leadership behaviors.

The paper of T. Vinnakota [4], which takes an academic perspective, introduces a new program for teaching individuals in a virtual computing manner, using virtual devices to prepare them to become cyber warriors. It explains how a Virtual Education Laboratory can be used in the teaching process and what its functions are; in this way, individuals receive the training required to become cyber warriors. M. S. Bargh, S. Choenni, I. Mulder, and R. Pastoor [5] point out the reasons why we need individuals to become cyber warriors and the roles they play, because this will help reduce the incidence of many cybercrimes. The paper shows the importance of the warrior paradigm and how this issue has been neglected. Lastly, it presents some incidents of cybercrime and solutions that enhance the warrior paradigm.

T. Moore, A. Friedman, and A. D. Procaccia [6] introduce two different game-theoretic models, with an attacker and a defender, for vulnerability discovery and exploitation. The paper explains how a nation chooses between protecting itself by exposing vulnerability information and seeking an offensive advantage while remaining at risk. A limitation of the paper is that it applies to only two players, without considering a third. An interesting paper by C. Herr and D. Allen [7] presents the idea of using video games as training tools for the next generation of cyber warriors. Traditional training would be replaced with game-based methods in which individuals can participate fully and realistically in attacking and defending. It also explains the need for cyber warriors due to the shortage in the workforce.

The paper in [8] explains different factors that affect social engineering attacks on social networking sites. It considers the human as a factor, and the importance of motivating individuals to understand social engineering attacks and their characteristics. The paper in [9] selects one social engineering attack and explores it fully: it presents a literature survey on phishing attacks in social engineering, covering several types of phishing attacks, methods to prevent them, and analysis.

The work of P. P. Parthy [10] is based on enterprise concerns and gives a clear description of enterprise infrastructure. It identifies the different social engineering threats and attacks that affect enterprises, and different measures to prevent such attacks. The paper in [11] explains in detail the classification of social engineering attacks, their methods, a description of each attack, and the advantages and limitations of countermeasures.

III. Cyber-warrior

To better understand the domain of cyber warriors, we need to point out four factors and examine questions such as: Who is a cyber warrior? Where does the cyber warrior originate from? How can a cyber warrior operate? What are they going to execute?

  • Who: can be an individual or a group of individuals that cooperate in the cyber warrior domain.
  • Where: its origin (the Department of Defense strategies for operating in cyberspace).
  • How: the methods and procedures used to conduct the operations.
  • What: the types of attacks and defenses a cyber warrior should accomplish.

All these factors lead us to believe that a cyber warrior has an important role to play in the cyberspace domain. The cyber warrior domain needs to be analyzed given the recent rise in cyber-attacks and cyber weapons. The Cyber Warrior originates mainly from the five DoD strategies in cyberspace, which indicate the demand for it. According to [12], the first DoD principle is that the DoD should manage and control all cyberspace activities so that cyberspace can be useful now and in the future. The second principle is that the DoD should develop new mechanisms to secure networks and systems so as to improve its cyber security. The third calls for the US government and others to work collectively to move forward, promoting themselves and overcoming challenges together. The fourth is to create strong connections and cooperation with US partners and international partners to improve cybersecurity. The fifth is to train more people in the field of cyber security so as to enhance knowledge and create awareness to solve problems now and in the future. Considering this strategy, we need to know the training and requirements for becoming a cyber warrior.

A. Training of a Cyber Warrior

Training individuals to become cyber warriors is not an easy task: it is very complicated and challenging, and cost is a concern. Several kinds of training exist, such as central/joint training, for example the Joint Cyber Analysis Course (JCAC), which was a Navy course that extends to the training of cyber warriors; service-specific training; colleges and centres of excellence; competitions/outreach; and industry [13]. The training of cyber warriors should be standardized, with both practical and theoretical aspects, which will improve the future of cyberspace. The training must cover attack and defensive operations in cyberspace extensively.

B. Requirements and Skills of a Cyber Warrior

A Cyber Warrior should have special skills and knowledge in computing, programming, networking, and security. According to [12], these skills include information-gathering skills and attacking/defensive skills, that is, computer network operations, which include Computer Network Attack (CNA), Computer Network Defense (CND), and Computer Network Exploitation (CNE). Knowledge of ethics and legal issues is also very important for performing operations in the right manner. Leadership skills comparable to those of traditional warriors are needed as well: being responsible and competent in conducting cyberwarfare operations, creating groups, and assigning tasks to each member of the group. Other requirements can include certifications and working experience.

C. Difference between Cyber Warrior and Traditional Warrior

According to [12], the first difference between a Cyber Warrior and a Traditional Warrior is that age is not important for a Cyber Warrior, provided that the knowledge and skills of information security, programming, and other related subjects have been acquired, whereas a Traditional Warrior needs to be young enough to fight. Secondly, attitude will not be an issue for a Cyber Warrior, while for a Traditional Warrior the age limit may affect attitude; cyber warfare also offers conducive physical working conditions, which is not the case for a Traditional Warrior. Lastly, credentials are not necessary for a Cyber Warrior, while for a Traditional Warrior they are compulsory.

IV. Social engineering methods

Social engineering is the process of accessing information by creating, in advance, a relationship that will lead to an attack. It can be considered one of the most dangerous attacks because of its strong effect of controlling and deceiving targets. According to [12], there are five steps in conducting social engineering: observation, conversation, interview, interrogation, and torture. In the observation step the attacker tries to find out information about the target and then creates a way to communicate and have a conversation; the interview and interrogation steps are where the information is captured and used by the attacker. According to [11], social engineering attacks can be categorized in different ways:

  1. Human-based and Computer-based: Human-based attacks are usually face-to-face when the attacker uses his/her approach to access the target.
  2. Physical, Social, and Technical attacks: Social Engineering attacks can also be categorized based on how the attack is carried out.
  3. Direct, and Indirect attacks.

Some attacks combine the above. We now briefly present them:

  1. Phishing Attacks: Phishing attacks are intended to deceive the target and obtain information by technical means such as email, webpages, and messages. There are many types of phishing attacks, including spear phishing, whaling, vishing, business email compromise, and interactive voice response [11].
  2. Pretexting Attacks: In a pretexting attack, the attacker claims to be official and requests information from the target. It can be conducted physically or electronically [10].
  3. Baiting Attacks: Baiting attacks are tricks that betray the target. The bait appears like a Trojan horse: the target believes it is safe and accepts it, and only later realizes its malicious intent. It is usually technical [11].
  4. Tailgating Attacks: These are physical access attacks, or piggybacking attacks, in which the attacker secretly gets access to a secured and controlled place, bypassing the security point [11].
  5. Ransomware Attacks: A ransomware attack is also a social engineering attack, in which the attacker uses encryption to prevent the target from accessing information and documents on the system until they pay some amount of money [11].
  6. Fake Software Attacks: This is software that appears genuine to its targets but is fake; targets are required to enter their personal information before downloading or accessing the fake software [11].
  7. Reverse Social Engineering Attacks: Here the attacker pretends to fix a computer network fault but ends up attacking the network or accessing related information [11].
  8. Pop-Up Windows: This attack occurs when a message, advert, or other information that demands attention suddenly appears on the target’s computer; responding to it triggers the attack [11].
  9. Phone/Email Scams Attacks: These attacks are conducted directly against the targets through phone calls, email, and messages so as to get even the slightest information from the target [11].
  10. Robocalls Attacks: A robocall attack generates a large number of unknown calls from a computer to its targets; as soon as the target picks up the call, the robocall program automatically saves the number and other information [11].
  11. Shoulder surfing: A shoulder surfing attack is the act of secretly recording the password and other information of the target [11].
  12. Dumpster diving: A dumpster diving attack is the act of collecting discarded information from outdated storage devices and using it as a weapon to gain information [11].
  13. Impersonation on help desk calls: This is also an attack, where the attacker, impersonating someone else, asks the help desk for information [11].

V. Role of cyber warriors on social engineering attacks

Social engineering attacks can be classified among the major threats in cyberspace. Preventing them and reducing their occurrence requires extensive training of individuals or groups, considering that technical defensive measures are not reliable or sufficient enough to overcome their consequences. Cyber Warriors are therefore needed to assist in training individuals and organizations to combat these problems.

| Social engineering category | Training of cyber warrior | Technical devices |
|---|---|---|
| Human-based | It can prevent | It cannot prevent |
| Computer-based | It can prevent | It can prevent but not all |
| Social attacks | It can prevent | It cannot prevent |
| Technical attacks | It can prevent | It can prevent but not all |
| Physical attacks | It can prevent | It can prevent but not all |
| Direct attacks | It can prevent | It cannot prevent |
| Indirect attacks | It can prevent | It can prevent but not all |

Table 1.

| Social engineering category | Training of cyber warrior | Technical devices |
|---|---|---|
| Phishing Attacks | It can prevent | It cannot prevent |
| Pretexting Attacks | It can prevent | It can prevent but not all |
| Baiting Attacks | It can prevent | It can prevent |
| Tailgating Attacks | It can prevent | It cannot prevent |
| Ransomware Attacks | It can prevent | It can prevent but not all |
| Fake Software Attacks | It can prevent | It can prevent but not all |
| Reverse Social Engineering Attacks | It can prevent | It can prevent |
| Pop-Up Windows | It can prevent | It can prevent |
| Phone/Email Scams Attacks | It can prevent | It can prevent but not all |
| Robocalls Attacks | It can prevent | It cannot prevent |
| Shoulder surfing | It can prevent | It cannot prevent |
| Dumpster Diving | It can prevent | It cannot prevent |
| Impersonation of help desk Attacks | It cannot prevent | It cannot prevent |

Table 2.

VI. Conclusion and future work

In this paper, we presented the role of a Cyber Warrior in preventing social engineering attacks. A Cyber Warrior has the capability and the requirements to tackle social engineering attacks, considering that a social engineering attack is psychological and needs intelligence to solve. Technical tools are not always reliable in detecting and preventing social engineering attacks; therefore, a qualified and trained individual is required to help other individuals and organizations by creating awareness so that they can protect themselves against social engineering attacks. Now that we have understood the need for a Cyber Warrior, in the future we may look at the measures and skills a Cyber Warrior will apply in real life to help prevent social engineering attacks.

References

  1. Techopedia, ‘What is a CyberWarrior,’ [Online]. Available: https://www.techopedia.com/definition/28615/cyber-warrior. [Accessed 11 11 2019].
  2. K. J. a. H. J. M.Robinson, ‘Cyber warfare: Issues and Challenges,’ Computer Security, no. 49, pp. 70-94, 2015.
  3. G. Conti and D. Raymond, ‘Leadership of Cyber Warriors: Enduring Principles and New Directions,’ Small Wars J, 2011.
  4. T. Vinnakota, ‘Understanding of cyberspace using cybernetics: An imperative need for cybersecurity of enterprises,’ in Proceeding – IEEE Cybern. 2013 IEEE Int. Conf. Comput. Intell. Cybern, 2013.
  5. S. C. I. M. a. R. P. M. S. Bargh, ‘Exploring a warrior paradigm to design out cybercrime,’ in Proc. – 2012 Eur. Intell. Secur. Informatics Conf. EISIC 2012, 2012.
  6. A. F. T. Moore and A. D. Procaccia, ‘Would a ‘cyber warrior’ protect us? Exploring trade-offs between attack and defense of information systems,’ Proc. New Secur. Paradig. Work., pp. 85–94, 2010.
  7. C. Herr and D. Allen, ‘Video games as a training tool to prepare the next generation of cyber warriors,’ Proc. 2015 ACM SIGMIS Conf. Comput. People Res, pp. 23-29, 2015.
  8. A. Model, ‘Social Engineering in Social Networking Sites,’ Inf. Sci. Technol. (ICIST), pp. 508-515, 2013.
  9. S. Gupta, A. Singhal, and A. Kapoor, ‘A literature survey on social engineering attacks: Phishing attack,’ in IEEE Int. Conf. Comput. Commun. Autom. ICCCA 2016, pp. 537–540, 2017.
  10. P. P. Parthy, ‘Identification and prevention of social engineering attacks on an enterprise,’ IEEE, 2016.
  11. F. Salahdine and N. Kaabouch, ‘Social Engineering Attacks: A Survey,’ Futur. Internet, vol. 11, no. 4, p. 89, 2019.
  12. J. Andress and S. Winterfeld, CYBER WARFARE Techniques, Tactics and Tools for Security Practitioners second edition, Elsevier.com, 2014.
  13. L. D. Jennifer J. Li, Training Cyber Warriors, Santa Monica, California: Published by the RAND Corporation, 2015.
  14. J. A. a. W. Steve, Cyber Warfare and Techniques, Tactics and Tools for Security Practitioners, Elsevier.com, 2014.