Using Attack Graphs to Analyze Social Engineering Threats

The acquisition of information about computer systems by mostly non-technical means is called social engineering. Most critical systems are vulnerable to social threats, even when their technical security is high. Social engineering is a technique that (i) does not require any advanced technical tools, (ii) can be used by anyone, (iii) is cheap, and (iv) is almost impossible to eliminate completely. So far, attack models have not integrated social engineering attackers with other attackers, such as software or network attackers; existing research focuses on classifying and analyzing social engineering attacks in isolation. The authors' contribution is to consider social engineering exploits together with technical vulnerabilities. They introduce a method for integrating social engineering exploits into attack graphs and propose a simple quantitative analysis of the resulting graphs that helps to develop a comprehensive defensive strategy covering both kinds of threat.
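To make the idea of a combined attack graph concrete, the following is an added example, not code or data from the paper. It builds a small attack graph in which social engineering steps and technical exploit steps are edges of the same graph, runs a toy quantitative analysis (lowest total attacker effort to reach a goal state, via Dijkstra's algorithm), and then re-runs the analysis with candidate defenses applied so a defender can see which mitigation actually raises the cheapest path. The node names, edge labels, effort scores and the choice of "minimum cost" as the metric are all constructed assumptions for illustration; the paper's own model and numbers are not reproduced here.

```python
"""Added example: a mixed social/technical attack graph with a toy cost analysis.
Graph, labels, costs and the metric are constructed assumptions, not the paper's."""
import heapq
from typing import Dict, List, Optional, Set, Tuple

# An edge is (source state, target state, exploit label, kind, effort cost).
# kind is "social" or "technical"; cost is a constructed relative effort score.
Edge = Tuple[str, str, str, str, float]

# Constructed sample graph: two routes to the goal, one starting with social steps.
EDGES: List[Edge] = [
    ("start", "has_employee_contact", "collect public contact info", "social", 1.0),
    ("has_employee_contact", "has_credentials", "obtain credentials by pretext", "social", 3.0),
    ("has_credentials", "network_foothold", "log in with obtained credentials", "technical", 1.0),
    ("start", "network_foothold", "exploit exposed unpatched service", "technical", 8.0),
    ("network_foothold", "goal_db_access", "escalate and reach database", "technical", 5.0),
]


def build_graph(edges: List[Edge]) -> Dict[str, List[Tuple[str, str, str, float]]]:
    """Adjacency list: state -> [(next state, label, kind, cost)]."""
    g: Dict[str, List[Tuple[str, str, str, float]]] = {}
    for src, dst, label, kind, cost in edges:
        g.setdefault(src, []).append((dst, label, kind, cost))
        g.setdefault(dst, [])
    return g


def cheapest_attack_path(edges: List[Edge], start: str, goal: str
                         ) -> Optional[Tuple[float, List[Tuple[str, str]]]]:
    """Dijkstra over effort cost. Returns (total cost, [(label, kind), ...])
    for the lowest-effort path, or None if the goal is unreachable."""
    g = build_graph(edges)
    dist: Dict[str, float] = {start: 0.0}
    prev: Dict[str, Tuple[str, str, str]] = {}
    pq: List[Tuple[float, str]] = [(0.0, start)]
    while pq:
        d, node = heapq.heappop(pq)
        if d > dist.get(node, float("inf")):
            continue  # stale queue entry
        if node == goal:
            break
        for dst, label, kind, cost in g.get(node, []):
            nd = d + cost
            if nd < dist.get(dst, float("inf")):
                dist[dst] = nd
                prev[dst] = (node, label, kind)
                heapq.heappush(pq, (nd, dst))
    if goal not in dist:
        return None
    # Walk predecessors back from the goal to recover the exploit sequence.
    path: List[Tuple[str, str]] = []
    node = goal
    while node != start:
        parent, label, kind = prev[node]
        path.append((label, kind))
        node = parent
    path.reverse()
    return dist[goal], path


def remove_edges(edges: List[Edge], mitigated: Set[str]) -> List[Edge]:
    """Model a defense as removing the exploits (by label) it mitigates."""
    return [e for e in edges if e[2] not in mitigated]


def compare_defenses(edges: List[Edge], start: str, goal: str,
                     defenses: Dict[str, Set[str]]) -> Tuple[float, Dict[str, Optional[float]]]:
    """Baseline cheapest cost plus, per candidate defense, the new cheapest cost
    (None means the goal becomes unreachable in this model)."""
    base = cheapest_attack_path(edges, start, goal)
    assert base is not None, "goal must be reachable in the baseline graph"
    results: Dict[str, Optional[float]] = {}
    for name, labels in defenses.items():
        r = cheapest_attack_path(remove_edges(edges, labels), start, goal)
        results[name] = None if r is None else r[0]
    return base[0], results


# Constructed candidate defenses, each expressed as the exploits it removes.
DEFENSES: Dict[str, Set[str]] = {
    "awareness_training": {"obtain credentials by pretext"},
    "patch_service": {"exploit exposed unpatched service"},
    "both": {"obtain credentials by pretext", "exploit exposed unpatched service"},
}

if __name__ == "__main__":
    cost, path = cheapest_attack_path(EDGES, "start", "goal_db_access")
    print(f"cheapest path (cost {cost}):")
    for label, kind in path:
        print(f"  [{kind:9}] {label}")
    base, per_defense = compare_defenses(EDGES, "start", "goal_db_access", DEFENSES)
    for name, new_cost in per_defense.items():
        print(f"{name:20} -> {'unreachable' if new_cost is None else new_cost}")
```

In this constructed graph the purely technical route costs 13 while the route that opens with two social steps costs 10, so the cheapest path is social; patching the exposed service alone leaves the cheapest path untouched, awareness training raises it to 13, and only both measures together cut every path. That is the point the abstract makes: a defensive strategy evaluated on technical exploits alone can miss the route an attacker would actually prefer.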
