The urgency for effective user privacy-education to counter social engineering attacks on secure computer systems

  • Authors:
  • Gregory L. Orgill; Gordon W. Romney; Michael G. Bailey; Paul M. Orgill

  • Affiliations:
  • Brigham Young University, Provo, UT (all authors)

  • Venue:
  • CITC5 '04: Proceedings of the 5th Conference on Information Technology Education
  • Year:
  • 2004


Abstract

Trusted people can fail to be trustworthy when it comes to protecting their aperture of access to secure computer systems, due to inadequate education, negligence, and various social pressures. People are often the weakest link in an otherwise secure computer system and, consequently, are targeted for social engineering attacks. Social engineering is a technique used by hackers or other attackers to gain access to information technology systems by obtaining the needed information (for example, a username and password) from a person rather than breaking into the system through electronic or algorithmic hacking methods. Such attacks can occur on both a physical and a psychological level. The physical setting for these attacks is where a victim feels secure: often the workplace, the phone, the trash, and even on-line. Psychology is often used to create a rushed or officious ambiance that helps the social engineer cajole information about accessing the system from an employee. Data privacy legislation in the United States and other countries that imposes privacy standards and fines for negligent or willful non-compliance increases the urgency of measuring the trustworthiness of people and systems. One metric for determining compliance is to simulate, by audit, a social engineering attack upon an organization required to follow data privacy standards. Such an organization commits to protect the confidentiality of the personal data with which it is entrusted. This paper presents the results of an approved social engineering audit conducted without notice within an organization where data security is a concern. Areas emphasized include the interactions between the social engineer and the audited users, the techniques used by the social engineer, and other findings from the audit. Possible steps to mitigate exposure to the dangers of social engineering through improved user education are reviewed.