You are on page 1of 6

Role of Social Engineering in Compromising

Network Security
Oladotun Joseph Ojebode
Department of Computing
Edge Hill University
United Kingdom
Student ID: 22758267
Email: joseph.ojebode@go.edgehill.ac.uk

Abstract This academic paper critically evaluates the role


social engineering plays in aiding network attacks, and why it
should be an area of concentration when conducting penetration
testing for organizations. This document explains what social
engineering means in context of information and network
security, why it is dangerous, how it aids as a method in
compromising network security and steps that can be taken to
mitigate it. In order to make a point on why social engineering
should be given attention when evaluating the security of a
network, this paper presents a recent real world case scenario of
an attack incident that was made possible through the use of
social engineering technique. Based on the presented analysis, the
paper concludes on how addressing the issue of social engineering
can improve network security and prevent attacks that uses
social engineering techniques.
Keywords Network security; Penetration testing; Security
awareness; Social engineering attacks

I.

INTRODUCTION

Due to the rate at which internet crimes has been occurring


in recent years, organisations are taking proactive approach in
ensuring their information and network system are kept secured
from intruders. Most organisations portray this high level of
security by implementing information security standards like
ISO27001. Although a system cannot be hundred percent
secured, the certification standards allows organisations to
show a near maximum level of security based on thorough risk
assessment and implementing security controls where
necessary. However, despite all the security controls
implemented by organisations, many of these organisations still
suffer from data breaches because technical measures to protect
information are useless against manipulative non-technical
social engineering attacks. These attacks take advantage of the
weakness of natural human tendency. The use of social
engineering techniques to breach organisations security is
increasing daily with reports of big companies suffering from
large financial loss as a result.
The remaining sections of this paper looks into what social
engineering means, whether it should be included in the
penetration testing process or not, the various forms in which it
can be used in performing attacks, and controls that can be put

in place to reduce the likelihood of organisations been


penetrated through the use of social engineering techniques.
II.

UNDERSTANDING SOCIAL ENGINEERING

Social Engineering is the use of nontechnical means to


infiltrate a system or network [1]. Rather than exploiting
vulnerabilities in technical network systems, social
engineering focuses on exploiting human vulnerabilities by art
of manipulating people to give up sensitive information or by
gaining their trust to exploit them. However, it is important to
know that manipulating people to give out information is only
a process in the attack and not the actual attack itself. The
actual attack takes place only after the information given out
or discovered by hackers is used to compromise a target. Very
trivial information found or disclosed through social
engineering can turn out to be an effective input to subsequent
attacks; therefore, every information, no matter how trivial it
may be, should be handled properly by organisations to
prevent been attacked by that information that seems less
significant. This statement was reinforced according to [2]
where it was stated that social engineering could be difficult to
perform if there is not enough information gathered on the
target. This is because performing social engineering requires
getting every single bit of information about a target to
prevent suspicion or being caught in the process.
What makes social engineering attacks dangerous is that
no amount of money spent on deploying sophisticated
perimeter security systems can avert it [3]; as a result, the role
of social engineering in compromising network security
cannot be overemphasized.
A recent survey [4] showed that 76 percent of IT
professionals suggested that defending against recent attacks
requires organisations to protect their network perimeter by
increasing their endpoint security. Another studies [5] showed
that 87 percent of IT decision makers are optimistic that their
organisation perimeter security defence will be effective in
preventing against unauthorised users and attacks.
However, despite the deployment of various sophisticated
endpoint security devices by organisations, a more recent
studies [6] showed that the number of organisations that was
breached in the year 2015 as a result of phishing attack which

is a form of social engineering attack was 85 percent. The


studies also revealed that 67 percent of the surveyed
participants reported spear phishing attacks, 55 percent
reported vishing (phone calls) and smishing attacks (SMS) and
six percent reported been attacked through USB phishing. This
study concluded that organisations staff members are the
greatest vulnerable point of entry into a system.

recognise it and take necessary actions as stated by the


security personnel. With the proper settings in place, a social
engineering penetration test will do more good than harm to a
company.

The reason why many organisations are still being


breached despite the level of advanced security measures in
place is because they fail to realise that the majority of the
recent point of entries into compromising systems security
takes advantage of the weaknesses in staff members rather
than directly exploiting vulnerabilities in technical hardware
and software.

Social engineering attacks can be classified into two main


categories which are human based and computer based [1],
[11].
1. Human Based: This type of social engineering attack
depends on human interaction to retrieve required
information. The following are forms in which human
based social engineering attacks could be used [12].
a) Masquerading- Masquerading is a technique
used by hackers to pretend as a legitimate user of
a system. This type of attack technique is often
successful where there is no adequate
authentication system in place and in large
organisations where there are large number of
employees.
b) Pretending as an important person- In this
technique, an attacker pretends to be in a role of
authority, and tries to retrieve information by
leveraging the fear imposed on a lower level
employee to question the authority of a higher
level position.
c) Shoulder surfing- Shoulder surfing is a technique
of spying on other users in order to get personal
information about them.
d) Third person authorisation- Using this approach,
an attacker is able to gain access to a system by
pretending to have been given access by an
authorised user of the system. This attack
requires a hacker to have done enough findings
about the user to be impersonated in order to
know what time and duration the authorised user
will be absent.
e) Technical support callCalling technical support
is a common form of human based social
engineering attacks. Attackers take advantage of
the willingness of tech support staff to help out
users of their services.
f) Dumpster diving This approach involves
checking of trash cans for confidential
information that might have been disposed
without been destroyed.
2. Computer Based: This type of social engineering attack
depends on the use of tools that helps design attack baits
that looks convincing. The following are categories of
computer based social engineering attacks [12].
a) Phishing Phishing is the most popular form of
computer based social engineering attacks. It
accounts for the highest used method for

.
III.

SOCIAL ENGINEERING PENETRATION TESTING: GOOD


OR BAD?

As stated earlier in the previous section that the role of social


engineering in compromising network security cannot be
overemphasized, yet [7] argued that some professional
security personnel are against the inclusion of the use of social
engineering techniques as part of the penetration testing
process. The reason stated was that organisation staff members
need to be able to trust the security personnel in their
organisations because without the trust, staff members may
disregard security advice from people who have deceived
them in the past as part of the social engineering penetration
testing process. Furthermore, [8] also stated that due to pen
testers eagerness to discover vulnerabilities in an
organisations network, they might take unethical means
which might lead to negative reactions from the employees.
Nevertheless, [9] argued that the best defense against attacks
is a good offense. Considering all the points from [7], [8], [9],
they are all reasonable points that has been extracted from past
experience of both good and bad penetration tests. However,
issues arising from points stated by [7], [8] can be argued that
they are as a result of poor planning, and vague or unstated
boundaries. Regardless of how detailed a security plan and
procedure are, if they are not tested, there is no assurance of
its effectiveness. Conducting a successful penetration test
without having any negative effect on the organisation
requires a clear level of agreement between the organisation
and the pen testers. The pen testers cannot go beyond what
boundaries were agreed within the contract. Organisations
should also avoid making security awareness training confined
to compliance, instead, it should be used to protect
organisation from social engineering attacks by showing the
employees how a breach will affect both the company and the
staff members. This allows employees to take the matter as a
serious one rather than seeing the awareness program as a
boring lecture. Social engineering test is also meant to find
flaws before a real threat does; therefore, both management
and pen testers should handle the social engineering testing
process in such a way that it engages employees rather than
blaming them [10]. This allows employees to learn and be at
alert so that when a real attack occurs, they will be able to

IV.

TYPES OF SOCIAL ENGINEERING ATTACKS.

breaching organisations. Phishing attempts to


gain confidential information by sending fake
email that appears to be from a legitimate
organisation. The email carries information that
requires urgent action to be taken by telling users
to click on a link and redirecting them to a fake
website in an attempt to capture their
confidential information such as usernames and
passwords.
b) Baiting Baiting aims to lure users to click on
images or information that looks fascinating to
them in an attempt to download malicious
payload associated with the bait to their system.
c) Online scams This involves the use of social
websites to establish trust with a potential target.
After trust has been established and the attention
of the target has been gotten, malicious files are
exchanged with the target in an attempt to
compromise the target system.
An example of computer based tool that is used to design
social engineering attacks is the Social Engineering Toolkit
(SET). The images below are screen shots from Kali Linux
social engineering toolkit that shows different attack vectors
that can be used to compromise a target.

Fig.2 SET spear phishing attack menu


Fig.2 shows the spear phishing attack module. One of the two
options available within the spear phishing menu allows the
SET tool to create the attack payload. Even though the use of
the auto feature of SET may seem very obvious and easy to
detect to someone with security knowledge, it can still be used
to successfully attack users who are ignorant of such methods
of attack. Pulling off a spear phishing attack vector can be
difficult because most exploits are applications version
dependent [2]; nevertheless, a properly crafted spear phishing
attack that only requires ignorant users to click or download
attached files is all it takes to compromise the information
security of an organisation.

Fig.1 Social engineering toolkit menu


Fig.3 SET website attack vectors
Fig.3 shows the website attack vectors. These attack vectors
have high rate of success and takes advantage of people
believability. The Java applet attack is unique in the sense that
it does not take advantage of the latest exploit but instead
leverages the design of Java. The attack is as simple as giving
SET the address of the website page to be cloned and SET
rewrites the page with an injected malicious Java applet with

several payloads. After a website has been cloned, the next


step is to make the attack believable to the target by sending
an email that creates a sense of urgency and directing the
target to go to the registered malicious website. What makes
this attack mostly successful is that ignorant users without any
security awareness knowledge will fall for the bait, and once
they have been redirected to a malicious website, the java
applet pops up [2]. The user has two options: either to accept
and run the java applet or cancel. If the user clicks accept, the
user will be redirected to the legitimate website without
noticing any attack occurring. What makes users more
susceptible to this attack is that when a user attempts to
cancel, the pop up reappears again, this gives users the
impression that unless they run the applet they cannot visit the
website to see what they have been directed to do in the
crafted email. A similar attack that also clones website like the
Java applet in Fig.3 is the credential harvester. The credential
harvester allows to clone a website that requires credentials to
log in [2]. The attacker registers a domain name that is nearly
similar to the target website. After cloning the website, the
attacker sends a believable email to the target. An ignorant
user who is not aware of the various phishing techniques will
visit the page and enter the log in credentials.
This attack vectors and open source tools available to perform
them shows how easy a social engineering attack could be
carried out without adequate or no knowledge of coding.
Although system users might be given security awareness
training such as not entering credentials on websites that does
not start with https://, attackers who are desperate will go to
the extent of placing a genuine SSL certificate to make the
cloned website believable. This shows that security awareness
alone without a penetration test to simulate real life attacks
can prove futile. Organisations staff members can only learn
and recognise manipulative attack techniques when they have
been trained and tested to recognise various forms in which
those attacks can occur.
V. HOW SOCIAL ENGINEERING AIDS IN PERFORMING NETWORK
ATTACKS
This section presents a real world case scenario of a social
engineering attack and explains how it was successfully used to
compromise the network security of the attacked organisation.
This scenario [13] was about a manufacturing industry that
became suspicious of a main competitor after it released an
equipment that has many similar attributes to one of its own.
The company was worried that the equipment blueprint must
have been stolen from their system and that other projects
might have been compromised. This prompt the company to
call the investigation team to carry out forensic analysis on the
company. After interrogating majority of the staff involved in
the project design, it was discovered that the chief design
engineer was the entry point into the system. The chief design
engineer felled victim of a social engineering attack on
LinkedIn because he was looking for a new job prior to the
design process of the stolen equipment blueprint. During the

course of the investigation, it was discovered that an attacker


on LinkedIn had been exchanging messages with the engineer
on available job opportunities. During the course of the
information exchange, the attacker sent a malicious job
position listing file. After the file was opened by the engineer,
the command and control phase was initiated, and a backdoor
Trojan was installed on the engineer system. As initially
suspected, blueprints of equipment were stolen and given to
Chinese industries.
Profiling the attack.
It is obvious from the scenario that the attack was made
possible by using social engineering tactics. The attack was
directed specifically at the manufacturing industry and a
suitable target (chief design engineer) was selected through the
social media. The attacker appeared as a legitimate recruiter on
LinkedIn in order to deceive the chief design engineer by
establishing trust with a false recruitment profile. The attacker
also knew that the chief design engineer would have the
privilege to access restricted area of the network. Therefore, by
compromising the chief design engineer system, other
restricted area of the network could be accessed through
pivoting. This attack was made possible because it exploited
one of the factors that was listed among the tactics being used
in making human vulnerable to social engineering attacks:
attitude to trust [14]. It is certain that a well conducted
awareness training on phishing attacks, which is the most used
method of computer based social engineering, could have
prevented the attack from happening. If the engineer was
enlightened about the threats posed by various bogus recruiters
on social media, he might have thought twice before accepting
any file on the company network system that had access to
valuable assets of the company. This attack showed how
dangerous social engineering could be through enough
information gathering about the target, and by exploiting the
need of the chief design engineer for a job which is at that time
a weakness also to the engineer. It also showed how it saves
hackers the stress of finding technical vulnerabilities to exploit.
Hackers are aware that humans are the weakest link in the
security chain [15] [16]; therefore, they are likely to attack the
human weakness first before attempting to look for
vulnerabilities in technical hardware and software.
VI.

MITIGATING AGAINST SOCIAL ENGINEERING ATTACKS

It can be argued that prevention against social engineering


attacks can be nearly impossible but can be mitigated against.
This is because attackers are not always strangers to the victim
and attackers are also coming up with sophisticated techniques
that looks too convincing to the target to be ignored. An
attacker can be someone who already has a close relationship
with a potential victim that works with or for the target, and
can leverage the relationship trust to convince the potential
victim to perform certain activities that might lead to assisting
the attacker to achieve his aim. Nevertheless, a well-designed
and adequate security awareness and training program about
various possible methods known to be used by social

engineers in manipulating people can reduce the chances of a


social engineering attack been successful.
The following measures below can be taken to minimize
social engineering attacks on organisations.
The first step in a social engineering attack is an open source
information gathering. An attacker needs to gather information
on a target by searching social sites for useful information that
can be used in manipulating the target. When performing
penetration testing, the pen tester should also gather all
possible information from open sources [17]. This allows the
pen tester to analyse public information about the target that is
available on the internet and how the information can be used
against an organisation. Once information that should not be
publicly available about the company is found, corrective
steps should be taken to remove or minimize such
information. Organisation staff members should also be
cautious of what information they post about their
organisation on their social pages as this might be the first
motive for an attacker. Staff members should also control the
privacy settings of who are allowed to see what on their
profiles. Although this is not always possible in case of social
website like LinkedIn whose main purpose is to allow
individuals share information about their career status for
more opportunities. Nevertheless, privacy settings of social
sites like Facebook can be adjusted in such a way that only
known contacts on friend list can see profile information.
Another known method of information gathering by attackers
is through dumpster diving. Dumpster diving is the most
preventable form of information gathering [11]. Organisations
should ensure that every file that contains confidential
information is passed through a shredding machine first before
been dumped.
As stated by [18] that untested plans and procedures are one
of the main reasons why social engineering attacks are
facilitated, organisations should ensure that penetration test
that uses social engineering techniques are carried out. This
allows to determine the adequacy of the security programs and
how susceptible employees are to social engineering attacks.
Employees who fall victims of the social engineering
penetration test are to be given extra lectures and training.
Studies [19] showed that employees will be at alert by
learning from falling victims of social engineering pen testing.
Also, the chances of an employee falling for a social
engineering scam reduces with each pen test failure by
employees and repetition attempt.
In the case whereby an attacker was able to manipulate his or
her way in to an organisation either physically or through the
systems, an effective prevention and alert mechanism should
be in place as a second level of defense. In the case of USB
drops, organisations can create group policy that obstruct
identification of USB drives and can afterwards manage the
settings as appropriate [20]. Organisations systems should also
be equipped with antivirus and antimalware detection
programs to fight off attacks from technical standpoint [21].

VII. CONCLUSION
Social engineering attack is a dangerous attack that can be
carried out without any knowledge of coding. Successful
attacks often result in disastrous outcomes on organisations.
Due to exploits of human nature, social engineering attacks
cannot be prevented with end point security devices. This
makes the attack more threatening because no amount of
technical network security in place is guaranteed to thwart
these forms of attacks. Many organisations still focus their
security tactics only on technical measures. However, until
organisations begin to view the staff members as a potential
point of entry into the system, many breaches are still going to
occur as a result of social engineering attacks. Hackers are
aware of the sophisticated security measures being deployed
by organisations which makes it harder for them to infiltrate
the network or system. Therefore, they go after vulnerable
nontechnical means to breach the network security. Even
though most organisations have plans and procedures in place
against social engineering attacks, majority of them still get
breached. This is either because the plans and procedures are
not sufficient or because the plans and procedures were not
tested for its effectiveness against attacks. Regular social
engineering penetration tests can greatly prepare organisations
for upcoming real life attacks. Conducting the tests allows
organisations to determine which staffs are vulnerable to
which types of social engineering attacks in order to tailor
staff training around those attack vectors. Security awareness
training through real life simulated attacks can keep
employees at alert about the various forms through which
social engineering attacks may occur; nevertheless, staff
members should use initiatives, and think of what the
consequences of taking a particular action will be.
REFERENCES
[1] K. Graves, "Gathering Target Information: Reconnaissance, Footprinting,
and Social Engineering.," in CEH: Certified Ethical Hacker Study Guide., 1st
ed. Indianapolis: Wiley Publishing, 2010, pp. p4863.
[2] P. Engebretson, "The Basics of Hacking and Penetration Testing,"
in Social Engineering, D. Kennedy, Ed., 2nd ed. USA: Syngress Publishing,
2013, pp. p127141.
[3] H. Packard, "Hacking People: Your Greatest Security Risks Are Inside the
Enterprise," in enterprise forward, 2016. [Online]. Available: http://hpeenterpriseforward.com/hacking-people-your-greatest-security-risks-are-insidethe-enterprise/. Accessed: Apr. 09, 2016.
[4] D. Kloba, "Combining Network and Perimeter Security to Mitigate Attack
Risks,"in Security,2014.[Online].Available:http://www.securitymagazine.com
/articles/85924-combining-network-and-perimeter-security-to-mitigate-attackrisks. Accessed: Apr. 09, 2016.
[5] AMSTERDAM, "New Research Reveals Wide Gap between Perception
and Reality of Perimeter Security Effectiveness," in SafeNet, 2015. [Online].
Available:http://www.safenet-inc.com/news/2015/new-research-reveals-widegap-between-perception-and-reality-of-perimeter-security-effectiveness/.
Accessed: Apr. 09, 2016.
[6] ThreatSim, "2016 State of the Phish Report," in Wombat Security
Technologies,2016.[Online].Available:https://info.wombatsecurity.com/hubfs/
WombatThreatSimStateofPhish2016_final_web.pdf?submissionGuid=076876
df-f075-4200-87ca-06f868660ccc. Accessed: Apr. 11, 2016.
[7] E. Skoudis, "Should social engineering tests be included in penetration
testing?"inSearchSecurity.[Online].Available:http://searchsecurity.techtarget.c
om/answer/Should-social-engineering-tests-be-included-in-penetrationtesting. Accessed: Apr. 18, 2016.

[8] J. Goodchild, "Social engineering in penetration tests: 6 tips for ethical


(andlegal)use,"in CSO,2013.[Online].Available:http://www.csoonline.com/arti
cle/2133330/social-engineering/social-engineering-in-penetration-tests--6tips-for-ethical--and-legal--use.html. Accessed: Apr. 18, 2016.
[9] M. Heusser, "Hackers, Security Pros Talk Penetration Testing, Social
Engineering,"in CIO,2012.[Online].Available:http://www.cio.com/article/239
0956/cybercrime/hackers--security-pros-talk-penetration-testing--socialengineering.html. Accessed: Apr. 18, 2016.
[10] D. Winder, "Phish Your Own Staff: Arming Employees to Beat Modern
Attacks," in INFOSECURITY MAGAZINE, 2014. [Online]. Available:
http://www.cio.com/article/2390956/cybercrime/hackers--security-pros-talkpenetration-testing--social-engineering.html. Accessed: Apr. 18, 2016.
[11] H. Dalziel, "Categories of Social Engineering Attacks," in Concise, 2015.
[Online]. Available: https://www.concise-courses.com/security/categories-ofsocial-engineering/. Accessed: Apr. 11, 2016.
[12]"Social Engineering: A Hacking Story," in INFOSEC INSTITUTE, 2013.
[Online]. Available: http://resources.infosecinstitute.com/social-engineeringa-hacking-story/. Accessed: Apr. 16, 2016
[13] L. Morgan, "Targeted social engineering attack sees blueprints stolen and
used,"in ITGovernanceBlog,2016.[Online].Available:http://www.itgovernance
.co.uk/blog/targeted-social-engineering-attack-sees-blueprints-stolen-andused/?utm_source=Email&utm_medium=Macro&utm_campaign=S01&utm_
content=2016-03-17&kmi=ojebode%40gmail.com. Accessed: Apr. 11, 2016.
[14] A. Thapar, Social Engineering: An attack vector most intricate to tackle.
[Online].Available:http://www.infosecwriters.com/text_resources/pdf/Social_
Engineering_AThapar.pdf. Accessed: Apr. 11, 2016.
[15] K. Lintovois, "The Human Factor: the weakest link in the chain,"
in MWRInfoSecurity,2013.[Online].Available:https://www.mwrinfosecurity.co

m/our-thinking/the-human-factor-the-weakest-link-in-the-chain/. Accessed:
Apr. 11, 2016.
[16] S. Deschatres, "Social Engineering: Attacking the Weakest Link in the
Security Chain," in Symantec Official Blog, 2014. [Online]. Available:
http://www.symantec.com/connect/blogs/social-engineering-attackingweakest-link-security-chain. Accessed: Apr. 11, 2016.
[17] "Social Engineering Scope," in Redspin. [Online]. Available:
https://www.redspin.com/it-security/penetration-testing/social-engineering/.
Accessed: Apr. 13, 2016.
[18] S. Winkler, Social Engineering and Reverse Social Engineering.
[Online].Available:http://www.ittoday.info/AIMS/DSM/82-10-43.pdf.
Accessed: Apr. 08, 2016.
[19] J. Goodchild, "3 tips for using the Social Engineering Toolkit," in CSO,
2012.[Online].Available:http://www.csoonline.com/article/2131549/malwarecybercrime/3-tips-for-using-the-social-engineering-toolkit.html.
Accessed:
Apr. 15, 2016.
[20]"Security Through Education," in The Social Engineering Framework.
[Online].Available:http://www.social-engineer.org/framework/attackvectors/how-can-you-protect-yourself-against-common-attacks/.Accessed:
Apr. 15, 2016.
[21] W. Zamora, "Hacking your head: How cyber criminals use social
engineering," in OFFICIAL SECURITY BLOG, 2016. [Online]. Available:
https://www.malwarebytes.org/articles/hacking-your-head-how-cybercriminals-use-social-engineering/. Accessed: Apr. 15, 2016.