Security threats to critical infrastructure: the human factor

In the twenty-first century, globalisation made corporate boundaries invisible and difficult to manage. This macroeconomic transformation introduced new challenges for critical infrastructure management. Having replaced manual tasks with automated decision making and sophisticated technology, no doubt we feel much more secure than half a century ago. But as technological advancement takes root, security threats mature with it. Today's critical infrastructures are commonly operated by people who are not computer experts, e.g. nurses in health care, soldiers in the military or firefighters in emergency services. In such challenging applications, protecting against insider attacks is often neither feasible nor economically possible, but these threats can be managed using suitable risk management strategies. Security technologies, e.g. firewalls, help protect data assets and computer systems against unauthorised entry. However, one area that is often largely ignored is the human factor of system security. Through social engineering techniques, malicious attackers are able to breach organisational security via interactions with people. This paper presents a security awareness training framework that can be used to train operators of critical infrastructure on various social engineering security threats such as spear phishing, baiting and pretexting, among others.
