You’ve heard about social engineering. You know your weakest links. You have the task of defending your network against intruders. You know how to do this with your web applications, networks, clients and servers. All these things have neat classifications of attacks, best practice lists and lots of other resources.
What about social engineering? How do you keep the wrong people out and your critical information in? How do you classify the attacks?
Toby Foster of the University of York, student of Computer Science and intern at First Defence Information Security, tries to address this problem by talking about modelling, categorising and countering the attacks: „There are many definitions of social engineering; almost every book or website on the subject has a different definition. Probably the only consistent point is that it relies upon taking advantage of a human user, usually through some form of manipulation, and ideally, with the user not realising that they have been manipulated. … Up to this point very little research has been done into social engineering (compared with other types of attack, e.g. hacking), and the majority of the research that has been done is into how the attacks work and how social engineering has changed through the ages.“ True, you usually recognise social engineering exploits when you hear about them. However, in order to design suitable defences, you need some kind of classification or guideline as to what to expect, and then a way to derive counter-measures from it. „The main motivation behind this project is to improve the way in which businesses safeguard against social engineering attacks. The current approach is to train staff to be vigilant and aware of the types of attacks that could be used against them. The main problem with this approach is that it is time consuming and imperfect.“ Improving things is never a bad idea.
„At the moment attacks are not divided up at all, unlike other types of attacks. For example Web Application attacks have numerous categories, like SQL injection, cross-site scripting, etc. The only universally accepted categorisation for social engineering attacks is the division between physical and psychological attacks. Physical attacks include things like gaining unauthorised entry to a building, lock picking, etc. Psychological attacks are those that are based on the manipulation of a user.“ Toby Foster’s project is work in progress, so the focus is currently on psychological attacks, but if it succeeds it could revolutionise how we defend against social engineering attacks.