Saturday, December 7, 2019
Cyber security
Question: Discuss Cyber Security.

Answer:

Introduction

In the field of information security, social engineering refers to the psychological manipulation of people into divulging their confidential information or performing actions for the attacker. It is considered the art of manipulating people so that they give away their confidential information. In today's era many people become victims of internet attacks in which the attacker steals the victim's useful data. This assignment consists of an overview of social engineering with a description of the social engineering strategies used to engage the targeted victim. It contains a detailed analysis of the environment in which the attack on the victim is carried out. The strategies that can be implemented to prevent those attacks are also mentioned. First, a brief description of social engineering is provided, followed by the methods of attack and of defence.

Social Engineering

The attack is based entirely on human interaction, and it induces humans to break down the security measures. The act of social engineering can also be described as a con game. The techniques involved are appeal to vanity, appeal to greed and appeal to authority. Social engineering attacks succeed only when the victim is willingly helpful to the attacker. The attacker pretends to be a co-worker or a friend of the victim and performs the theft (Krombholz et al. 2015).

Social engineering strategies

There are many strategies which the attacker adopts in order to manipulate people into giving away any type of confidential information. The information which people give willingly to the attacker is used for various illegal purposes. The data which the criminals carrying out these attacks are looking for may differ in each and every case. Whenever a particular person is targeted by social engineering criminals, these criminals usually try to manipulate them into giving up passwords or bank account details. The attackers even try to gain access to the victim's computer so that they can install software which will then run on the victim's computer, store passwords and bank account details, and give the attacker control over the victim's computer (Bulle et al. 2015). There are various processes for carrying out social engineering attacks; some of them are mentioned below.

Phishing

This is the most common attack process. In this attack, the attacker copies the whole look of your website and sends you a request to log in, or even a password reset form which asks for the old password and the new password, so that the attacker obtains your original password, which is what they were looking for (Heartfield and Loukas 2016).

Vishing

In this process an attacker calls a victim with a pre-recorded clip, pretending to be calling from the victim's company or from the company's bank. They then tell the victim to call a number, and when the victim calls, the attacker asks for all the details of the debit or credit card, the registered number, the PIN, the first four or last four or even all the digits of the victim's social security number, and all other important details (Greitzer et al. 2014). After asking about these things the attacker tells the victim about some transactions, which are fake but which the victim believes to be real, and promises to cancel all the transactions so that the victim has full faith in the attacker; thereafter the attacker uses the debit or credit card.

Botnet

It is a group of compromised computers, which are designated as zombies. They are infected by malware which gives the attacker access to and control over people's data (Heartfield and Loukas 2016). The botnet is mainly used to send fake mails, which are generally spam, or to distribute malicious software or viruses, and it is also used in many types of cybercrime.

Tailgating

It is also known as piggybacking. In this type of attack, the attacker dresses up like a delivery person and waits outside the company's building. When an employee passes through security, the attacker follows the employee to bypass the security check, or when the employee opens a security door, the attacker asks the employee to hold the door so that they can carry the delivery boxes through (Mouton et al. 2014).

Rootkit

It is fraudulent computer software or a simple program. It is created to give continuous privileged access to a particular computer while hiding its own presence on that computer (Tetri and Vuorinen 2013).

Social networks

Social networks are in trend these days. Almost everybody uses websites like LinkedIn, Twitter and Facebook today, and their user numbers are increasing day by day. They offer a great way for users to remain in touch with each other. The dark side of social media is that attackers or spammers use it to get close to the victim. Social networks help the scammer send fraudulent mails to the victim. The attacker may ask the victim to click on a video or image which contains malicious software (Krombholz et al. 2013).

Analysis of the environment

The first step taken by attackers in the process of social engineering is creating an environment suitable for the theft. Social engineers use a wide variety of ways to get passwords and data. First of all, the attacker starts looking for information which can be used to penetrate the organization. The attacker approaches the employee who is supposed to have all the information related to the company. The attacker takes the form of a technician or a co-worker who can easily be trusted by the victim employee. There are certain other environments created by attackers in order to get in touch with the victim. One way is trawling the parking lot for goodies, as vehicles may contain security badges, smartphones and confidential paperwork (Watson, Mason and Ackroyd 2014). Another method is spending time with the victim in order to build a friendly relationship and then carrying out the theft. Sometimes it takes a large amount of time to get familiar with the victim and obtain the information. If the attacker is impatient, he/she gets acquainted with the bar or public place which the victim visits most frequently. There, the attacker gets in touch with the victim and becomes familiar to him/her. Another technique is visiting the company building often, thus becoming a familiar face who can be trusted by the employees, and then carrying out the theft (Kearney and Kruger 2014). The attacker can also create a hostile environment and thus take advantage of the employee's trust.

Hypotheses/approaches for addressing security threats

There are many ways by which social engineering attacks can be recognized and prevented. Hackers use clever methods to fool employees and individuals (Beckers, Krautsevich and Yautsiukhin 2015). These attacks mainly involve some type of psychological manipulation to fool the employees. The tips to prevent attacks are:

- The confidential information of the employee must never be provided to anyone. Employees must never give out personal credentials such as phone number or email address; in particular, these must not be provided to unknown persons or suspicious sources.
- If an employee receives an email containing a link to an unknown site, the employee must avoid the mail. The person must look at the Uniform Resource Locator (URL) and check whether it is suspicious.
- At times the mail may seem to come from a known contact, but the employee must still check the link for any phishing attempt. Before clicking on a link in the mail, it must be checked for misspellings, @ signs and suspicious sub-domains (Algarni et al. 2013).
- While clicking on links, the person must watch out for uninitiated automated downloads, as these can be malware piggybacking onto the individual's system (Algarni and Xu 2013). Such activities must be reported immediately to the security manager of the organization.
- USB devices must be blocked in order to reduce the risk of baiting. Baiting is the digital equivalent of a real-world Trojan horse, where the attacker attempts to tempt the user with found or free physical media. The attacker relies on the curiosity or the greed of the victim (Applegate 2013). If the victim plugs the USB device into the system, the victim is hacked at that moment.
- The organization must run an ATE (Awareness, Training and Education) security programme for all employees. The C-level employees of the organization are the most prone to becoming victims, so they must be made aware of all the situations and the methods to deal with them.
- Two-factor authentication must be used by the organization in order to ensure the safety of its data. Full care must be taken to protect the data, as data theft can pose great harm to the organization.

Conclusion

From the above discussion, it can be concluded that social engineering attacks are increasing day by day in today's era. The attack is based entirely on human interaction, and it induces humans to break down the security measures. The act of social engineering can also be described as a con game. The techniques involved are appeal to vanity, appeal to greed and appeal to authority.
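The URL checks recommended in the prevention tips (looking for @ signs, misspellings and suspicious sub-domains before clicking a link) can be automated so that a mail gateway or a user-side tool flags the warning signs consistently. The Python script below is an added example and is not part of the original post; the TRUSTED_DOMAINS list, the display-text comparison and the sample links are constructed assumptions for illustration, and an empty result means only that none of these heuristics fired, not that a link is safe.

```python
"""Heuristic link checks for the phishing warning signs listed above (added example).

Assumptions (not from the original post): TRUSTED_DOMAINS is a hypothetical list
of domains the organisation legitimately uses, and the sample links at the
bottom are constructed for illustration.
"""
from urllib.parse import urlsplit

# Hypothetical domains the organisation and its bank really use (assumption).
TRUSTED_DOMAINS = {"examplebank.com", "example.com"}


def registered_domain(host):
    """Last two labels of a host name, e.g. 'login.examplebank.com' -> 'examplebank.com'.
    Naive on purpose: it ignores public-suffix rules such as 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike spellings such as 'examp1ebank'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(href, display_text=""):
    """Return a list of human-readable warnings for one link; an empty list means
    none of the heuristics fired (which is not proof that the link is safe)."""
    findings = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    reg = registered_domain(host)

    # 1. '@' in the authority: the browser ignores everything before it,
    #    so 'examplebank.com@evil.example' really goes to evil.example.
    if "@" in parts.netloc:
        findings.append("'@' in URL authority; real host is " + host)

    # 2. A bare IP address instead of a host name.
    if host and host.replace(".", "").isdigit():
        findings.append("raw IP address instead of a host name")

    if reg not in TRUSTED_DOMAINS:
        subdomain_labels = host.split(".")[:-2]
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            # 3. Trusted brand used as a sub-domain of an unrelated registered domain.
            if brand in subdomain_labels:
                findings.append(f"trusted name '{brand}' used as a sub-domain of '{reg}'")
            # 4. Misspelled look-alike of a trusted domain.
            if edit_distance(reg, trusted) <= 2:
                findings.append(f"'{reg}' looks like a misspelling of '{trusted}'")

    # 5. Link text that shows one domain while the target is another.
    shown = display_text.strip()
    if "." in shown and " " not in shown:
        shown_host = urlsplit(shown if "://" in shown else "http://" + shown).hostname or ""
        if shown_host and registered_domain(shown_host) != reg:
            findings.append(f"link text shows '{shown_host}' but target is '{host}'")
    return findings


# Constructed sample links, as they might appear in a phishing mail (not real sites).
SAMPLE_LINKS = [
    ("https://www.examplebank.com/login", "examplebank.com"),
    ("http://examplebank.com@evil.example/login", "Click here"),
    ("http://examplebank.com.login-secure.net/reset", ""),
    ("https://examp1ebank.com/reset", "examplebank.com"),
]


def scan(links=SAMPLE_LINKS):
    """Map each href to its warnings; only links with at least one warning are kept."""
    return {href: check_link(href, text) for href, text in links if check_link(href, text)}


if __name__ == "__main__":
    for href, warnings in scan().items():
        print(href)
        for w in warnings:
            print("   -", w)
```

The registered-domain helper deliberately ignores public-suffix rules, so a production version would use a public-suffix list; the point of the example is that each of the warning signs named in the tips (the @ sign, a brand name hidden in a sub-domain, a one-character misspelling, and link text that does not match the target) is a mechanical check a defender can run before a user ever sees the link.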
There are many strategies which the attacker adopts in order to manipulate people into giving away any type of confidential information. The information which people give willingly to the attacker is used for various illegal purposes. The data which the criminals carrying out these attacks are looking for may differ in each and every case. Whenever a particular person is targeted by social engineering criminals, these criminals usually try to manipulate them into giving up passwords or bank account details. The first step taken by attackers in the process of social engineering is creating an environment suitable for the theft. A wide variety of ways are used by social engineers to get passwords and data. First of all, the attacker starts looking for information which can be used to penetrate the organization. The attacker approaches the employee who is supposed to have all the information related to the company. Proper care must be taken by the organization in order to protect its data and remain secure from attacks.

References

Algarni, A. and Xu, Y., 2013. Social engineering in social networking sites: Phase-based and source-based models. International Journal of e-Education, e-Business, e-Management and e-Learning, 3(6), p.456.
Algarni, A., Xu, Y., Chan, T. and Tian, Y.C., 2013, December. Social engineering in social networking sites: Affect-based model. In Internet Technology and Secured Transactions (ICITST), 2013 8th International Conference for (pp. 508-515). IEEE.
Applegate, S.D., 2013. Social engineering: hacking the wetware! Information Security Journal: A Global Perspective, 18(1), pp.40-46.
Beckers, K., Krautsevich, L. and Yautsiukhin, A., 2015. Analysis of social engineering threats with attack graphs. In Data privacy management, autonomous spontaneous security, and security assurance (pp. 216-232). Springer International Publishing.
Bierschenk, T., 2014. From the anthropology of development to the anthropology of global social engineering. Zeitschrift für Ethnologie, pp.73-97.
Bulle, J.W.H., Montoya, L., Pieters, W., Junger, M. and Hartel, P.H., 2015. The persuasion and security awareness experiment: reducing the success of social engineering attacks. Journal of Experimental Criminology, 11(1), pp.97-115.
Greitzer, F.L., Strozer, J.R., Cohen, S., Moore, A.P., Mundie, D. and Cowley, J., 2014, May. Analysis of unintentional insider threats deriving from social engineering exploits. In Security and Privacy Workshops (SPW), 2014 IEEE (pp. 236-250). IEEE.
Heartfield, R. and Loukas, G., 2016. A taxonomy of attacks and a survey of defence mechanisms for semantic social engineering attacks. ACM Computing Surveys (CSUR), 48(3), p.37.
Kearney, W.D. and Kruger, H.A., 2014, August. Considering the influence of human trust in practical social engineering exercises. In Information Security for South Africa (ISSA), 2014 (pp. 1-6). IEEE.
Krombholz, K., Hobel, H., Huber, M. and Weippl, E., 2013, November. Social engineering attacks on the knowledge worker. In Proceedings of the 6th International Conference on Security of Information and Networks (pp. 28-35). ACM.
Krombholz, K., Hobel, H., Huber, M. and Weippl, E., 2015. Advanced social engineering attacks. Journal of Information Security and Applications, 22, pp.113-122.
Mouton, F., Malan, M.M., Leenen, L. and Venter, H.S., 2014, August. Social engineering attack framework. In Information Security for South Africa (ISSA), 2014 (pp. 1-9). IEEE.
Tetri, P. and Vuorinen, J., 2013. Dissecting social engineering. Behaviour & Information Technology, 32(10), pp.1014-1023.
Watson, G., Mason, A. and Ackroyd, R., 2014. Social engineering penetration testing: executing social engineering pen tests, assessments and defense. Syngress.