Towards a Social Engineering Test Framework

David Kelm, Melanie Volkamer

Abstract

A growing number of hacking attacks use social engineering techniques to exploit the human factor of computer systems. They include versatile, sophisticated approaches such as reciprocity, authority or manipulation techniques that capitalize on generally positive human traits such as helpfulness. These attack techniques are used in the private as well as in the business context; in the latter they form a main tool for industrial espionage. While evaluation standards exist for security-critical software and hardware as well as their operational environment, to our knowledge there is no evaluation standard available for evaluating the vulnerability of organizations with respect to social engineering. This paper presents a framework to evaluate this kind of vulnerability. The framework includes whitebox as well as blackbox tests. It enables organizations to determine their level of resistance as well as to identify concrete vulnerabilities. These can be used to implement concrete measures to improve the situation, i.e. the level of resistance.

Paper Citation


in Harvard Style

Kelm D. and Volkamer M. (2014). Towards a Social Engineering Test Framework. In Proceedings of the 11th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2014) ISBN 978-989-758-031-4, pages 38-48. DOI: 10.5220/0004980000380048


in Bibtex Style

@conference{wosis14,
author={David Kelm and Melanie Volkamer},
title={Towards a Social Engineering Test Framework},
booktitle={Proceedings of the 11th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2014)},
year={2014},
pages={38-48},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0004980000380048},
isbn={978-989-758-031-4},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 11th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2014)
TI - Towards a Social Engineering Test Framework
SN - 978-989-758-031-4
AU - Kelm D.
AU - Volkamer M.
PY - 2014
SP - 38
EP - 48
DO - 10.5220/0004980000380048