
World of Computer Science and Information Technology Journal (WCSIT), ISSN: 2221-0741, Vol. 1, No. 9, 409-413, 2011

Awareness of Social Engineering Among IIUM Students


Mutasim Elsadig Adam, Omer Yousif, Yusra al-Amodi, Jamaludin Ibrahim
College of Information and Communication Technology, IIUM, KL, Malaysia

Abstract: Although most organizations now pay considerable attention to securing their information systems with sophisticated security tools, those systems remain breachable. One interpretation of this is that attackers resort to social engineering rather than technical skill to acquire information. Social engineering essentially means manipulating the users of a system, who are regarded as the weakest link in the chain, in order to obtain that information. The objective of this study is to show that the users of information systems are themselves the real threat. We assume that a lack of awareness of social engineering among users leaves information systems open to numerous kinds of breach. The study also examines whether IT students are more aware of social engineering than students from other faculties. To address these questions, data was collected from 245 students of the International Islamic University Malaysia (IIUM) via a questionnaire and an online survey, and a phone-phishing experiment was conducted with a small number of students. The results show that 114 students had been exposed to social engineering attacks during the preceding six months, and that almost 38% of these attacks arrived by e-mail.

Keywords: Social Engineering; Phishing; Fraud; Awareness; IIUM.

I. INTRODUCTION

We are living in the era of the internet, and it can hardly be disputed that the internet plays an important role in our lives; its benefits in education, business and healthcare cannot realistically be denied. With growing dependence on the internet, however, security has become an ever more important issue for organizations. Students at IIUM, for instance, depend on the internet both for their studies and for managing their bank accounts. This dependency exposes them to many kinds of cyber-crime, especially when dealing with banks. Such crimes do not happen because of weaknesses in the university's or the bank's security systems, but because of a dangerous lack of social engineering awareness among the students themselves. Fundamentally, social engineering uses psychological tricks to extract information from people and then uses that information to breach a system. Granger describes its purpose as gaining unauthorized access to systems or information in order to commit fraud, network intrusion, industrial espionage or identity theft, or simply to disrupt a system or network [7]. Social engineering differs from technical attacks in that a social engineering attack always has a specific aim, such as stealing money, whereas most other threats, in the shape of script kiddies, viruses, Trojans and other broad attacks, are executed without a particular target; in fact these would-be hackers with downloaded tools are mostly just a nuisance [3]. Social engineering takes a number of forms, the most common being impersonation, phishing and dumpster diving. It has become commonplace to hear from individuals that they were defrauded by e-mail, by phone or by other means used by attackers.

This research measures the awareness of social engineering among students of the International Islamic University Malaysia (IIUM). A survey was conducted among a sample of IIUM students drawn both from the faculty of ICT and from other faculties, with the goal of examining how students behave when exposed to this kind of fraud. According to the security intelligence report on Malaysia released by Microsoft Corporation on 12 May 2011, cyber-criminals are using more accessible attack methods, including social engineering tactics, and are leveraging exploits created by the most skilled criminals to take a small amount of money from a large number of people [11]. In addition, during the four months preceding this study an international IIUM student fell victim to a social engineering attack and lost RM 3000 from her CIMB account. This incident, alongside Microsoft's report, illustrates the spread of social engineering attacks, which is most obviously due to a lack of awareness of social engineering and which ultimately exposes people to numerous risks.

As such, this research measures the awareness of social engineering among IIUM students while also attempting to answer an important question in this context: how do students behave when they are exposed to any kind of social engineering fraud? In addition, the research aims to achieve the following goals:
- to measure the awareness of social engineering among IIUM students;
- to identify the main factors that make students susceptible to social engineering fraud;
- to identify the most common frauds to which students are exposed.

II. RESEARCH BACKGROUND

A number of studies have measured social engineering awareness among different groups of computer users. For example, [5] used a physical approach: posing as members of an organization's computer support department, the researchers asked employees for a wide range of information, including user names and passwords. The findings were alarming: around 80% of participants provided their user name and almost 60% provided their password. Two similar studies were conducted by [4] and [9]. In both, the researchers prepared a mix of legitimate and illegitimate e-mails and asked participants to distinguish between them. In [9], 43% of participants correctly identified the legitimate e-mails; in [4] the proportion was lower, with only 36% of the 179 respondents succeeding. Moreover, [4] noted that some participants who identified the legitimate e-mails correctly could not give convincing reasons for their choice. Taken together, these findings reflect a lack of social engineering awareness among users.

[8] surveyed 152 staff members of the University of Plymouth (UK) to investigate their susceptibility to social engineering. In the experiment, participants were sent a message asking them to follow a link and install a purported software update; 23% of recipients were successfully snared. A more recent study was conducted by [2] in 2010 at the American University of Sharjah (AUS) to measure social engineering awareness among AUS staff and students. The researchers ran a number of experiments. First, they used phishing, sending fake e-mails to all staff and students; the victims numbered 485 males and 469 females out of 5166 students and 351 staff. In the second experiment, the targets were sent a fake e-mail asking them to submit their personal information in order to take part in a research survey conducted by AUS, with the promise that every participant would receive a USB flash drive. The number of victims in this experiment was much lower: there were only 220 responses to the fake e-mail. Interestingly, the analysis revealed a higher number of victims among senior students than among freshman and junior students. This study differs from [4] and [9] in classifying victims by gender. Last but not least, [1] surveyed 40 staff of the Federal Polytechnic, Ilaro, Ogun State, Nigeria, to measure their awareness of safeguards against social engineering. Unfortunately, the findings showed that safeguarding against social engineering at the polytechnic was still at the awareness stage, and the researchers recommended greater efforts to raise awareness among staff, together with commitment from senior staff. Despite the varying figures reported by these studies, the fact remains that a large number of individuals are susceptible to this form of attack, and the lack of social engineering awareness is the main reason behind the problem.

III. RESEARCH METHODOLOGY

Correlational and experimental research methods were used to measure social engineering awareness. A questionnaire and an online survey were distributed to 245 IIUM students: 68 from the faculty of ICT and 177 from other faculties. Both instruments consist of 20 questions grouped into three sections. The first, demographic, section collects basic information about the respondent, such as gender, whether the respondent is an IT student and, for IT students, their level of study. The second section covers computer usage and the operating systems used, and asks respondents to classify themselves as novice, power user, expert or hacker. The last section, which makes up the bulk of the questionnaire, consists of questions that examine how students behave when exposed to various kinds of fraud. In addition, we conducted a phone-phishing experiment with 12 IIUM students.

IV. TYPES OF SOCIAL ENGINEERING

Impersonation: Social engineering usually requires some form of impersonation in order to win the trust of the target. A commonly used tactic is to impersonate an IT support person who happens to be checking the network and asks for a password, or asks the target to install a piece of software [7].

Phishing: An act of fraud that can be legally prosecuted. Phishing is the process of acquiring an individual's private information or details by posing as a trusted entity in an exchange of information [5].

Dumpster Diving: This occurs when people are unaware of the value of the information they possess and are careless about safeguarding it, for example by throwing away vital documents such as company policy manuals or the company phone book [4].

V. FINDINGS AND ANALYSIS

A total of 245 students participated in the study; 70% of the data was collected by direct questionnaire and the rest through the online survey. Participants are classified into two groups: 177 non-IT students and 68 IT students. Overall, the findings show that a high number of students had been exposed to fraud: 114 had been exposed to social engineering attacks during the past six months, and the most common channel was e-mail, through which 95 students were attacked (Figures 1 and 2). When asked whether they knew the term "social engineering", only 84 students said they did. The proportion of IT students who were aware of the term was higher, at 50%, compared with only 28% of non-IT students. Moreover, 37 students who said they knew the meaning of social engineering did not choose the right meaning when asked (Figure 3). Interestingly, when postgraduate IT students were compared with undergraduate IT students, 61% and 45.5% respectively knew the meaning of social engineering (Figure 4).

Exploiting people to obtain their bank account details and related information is one of the most common social engineering attacks. The results showed higher awareness among students of this kind of fraud; nevertheless, 16 students are classified as victims because they answered that they would provide the requested information if they received an e-mail from a bank asking for it. The proportion of such victims was lower among IT students than among non-IT students: 4.4% and 7.3% respectively. Respondents also showed a certain level of awareness when receiving an e-mail from friends, although a lack of awareness remained among some of them, estimated at roughly 23% of non-IT students and 16% of IT students.

To examine how students handle sensitive information, such as the information on bills and ATM receipts, respondents were asked whether they bin, keep or shred documents containing sensitive information. Irrespective of their awareness level, a considerable number of students showed indifference towards handling sensitive information: 69 answered that they would throw away a letter containing sensitive information rather than keep or shred it. Surprisingly, 15 of these had said that they knew of social engineering and had also selected the right meaning of the term. This carelessness leaves students exposed to numerous forms of attack (Figure 5).

In the phone-phishing experiment we claimed to be calling from the information technology department (ITD). Each student was first asked whether he had installed a program the previous day; if he said yes, he was told that the program had caused a problem in the university's system and was asked to give his password so that the problem could be fixed. Only one student out of 12 revealed his password.

Finally, the results show remarkable awareness among students, and especially among IT students. On the other hand, they also reveal a significant number of students who are susceptible to attack, due to spontaneous behaviour in some cases and carelessness in others (Figure 6).

VI. CONCLUSION

In summary, this paper has measured the awareness of social engineering among IIUM students and examined whether IT students are more aware than students from other faculties. Overall, the findings show that social engineering has become attackers' preferred method of acquiring information, judging by the high number of students who were exposed to fraud during the past six months. Many organizations and institutions have begun to realize that social engineering is the largest threat to their information systems, since it exploits the very users of those systems. IIUM, for example, regularly sends warning messages to staff and students through its CyberSAFE website, warning them not to respond to unknown e-mails or messages. Yet, according to this study, a number of students still respond to unknown e-mails without verifying the identity of the sender. Furthermore, although IT students are more aware of social engineering than students from other faculties, the results show that a number of them remain susceptible to exploitation. To reduce the number of students susceptible to fraud and raise awareness of social engineering among students, we recommend the following:
- IIUM should conduct security awareness campaigns in collaboration with the banks that have branches on campus.
- Social engineering should be taught as part of the information security syllabus, especially to undergraduate students.
- Students should be given methods for validating or authenticating the e-mails they receive and the claims of people who contact them.
- As for the banks, the bins placed beside ATMs are a security flaw and a potentially rich source of information for intruders; they should be designed so that intruders cannot collect the receipts.
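The third recommendation above asks for concrete methods of validating a received e-mail. As an added example, not part of the original paper, the following Python script applies the checks a practitioner would teach for the bank-themed phish this survey asked about: does the display name invoke the bank while the sender address belongs to another domain, does Reply-To steer replies elsewhere, did the receiving mail server record an SPF or DKIM result other than "pass", and does the visible link text name a different host than the link actually points to. Both messages are constructed for illustration; the domains, the Authentication-Results lines and the list of trusted bank domains are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for the example: the reader treats these as the bank's genuine domains.
BRAND_KEYWORD = "cimb"
TRUSTED_BRAND_DOMAINS = {"cimb.com.my", "cimbclicks.com.my"}

# Constructed sample 1: a bank-themed phish of the kind the survey asked about.
SAMPLE_PHISH = """\
From: "CIMB Clicks Support" <alerts@cimb-secure-login.example>
Reply-To: verify@mail-verify.example
To: student@iium.edu.my
Subject: Urgent: confirm your account within 24 hours
Authentication-Results: mx.example; spf=fail smtp.mailfrom=cimb-secure-login.example; dkim=none
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear customer, your account will be suspended. Please visit
<a href="http://203.0.113.7/login">www.cimbclicks.com.my</a> to verify your details.</p></body></html>
"""

# Constructed sample 2: a message that passes every check.
SAMPLE_LEGIT = """\
From: "CIMB Clicks" <noreply@cimbclicks.com.my>
To: student@iium.edu.my
Subject: Your monthly statement is ready
Authentication-Results: mx.example; spf=pass smtp.mailfrom=cimbclicks.com.my; dkim=pass header.d=cimbclicks.com.my
Content-Type: text/html; charset="utf-8"

<html><body><p>Log in at <a href="https://www.cimbclicks.com.my/">www.cimbclicks.com.my</a>.</p></body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def normalize_host(host):
    """Lower-case a host name and drop a leading 'www.' so look-alikes compare cleanly."""
    host = (host or "").lower().strip(".")
    return host[4:] if host.startswith("www.") else host


def domain_of(address):
    """Domain part of an e-mail address, lower-cased; empty string if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage(raw_message):
    """Return a list of warnings for a raw RFC 822 message; empty means nothing looked wrong."""
    msg = message_from_string(raw_message)
    warnings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. The display name invokes the bank, but the sending domain is not one of the bank's.
    if BRAND_KEYWORD in from_name.lower() and from_domain not in TRUSTED_BRAND_DOMAINS:
        warnings.append(f"display name {from_name!r} but sender domain is {from_domain!r}")

    # 2. Replies are steered to a domain other than the visible sender's.
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        warnings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")

    # 3. The receiving mail server already recorded an SPF or DKIM result other than 'pass'.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            warnings.append(f"{mech} result is {m.group(1)!r}, not 'pass'")

    # 4. The visible link text names one host while the href leads to another.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        target = normalize_host(urlparse(href).hostname)
        shown_host = re.sub(r"^https?://", "", text).split("/")[0]
        if "." in shown_host:  # only compare when the anchor text itself looks like a host name
            shown = normalize_host(shown_host)
            if shown != target:
                warnings.append(f"link text shows {shown!r} but points to {target!r}")
    return warnings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        found = triage(sample)
        print(f"{label}: {len(found)} warning(s)")
        for w in found:
            print("  -", w)
```

Run as a script it prints five warnings for the constructed phish and none for the legitimate message. The Authentication-Results check is only meaningful when the header was written by the receiver's own mail server (a sender can forge one too), which is why the script treats it as one signal among several rather than a verdict on its own.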


Figure 1: Number of students who were exposed to social engineering attacks during the last six months.

Figure 2: The different methods of fraud used by hackers.

Figure 3: Number of students who know the meaning of social engineering.

Figure 4: Knowledge of social engineering, postgraduate compared with undergraduate IT students.

Figure 5: The correlation between knowing social engineering (categories: bin it / keep it / shred it).

Figure 6: Students at risk of hacking.

REFERENCES

[1] Fagoyinbo, I. S., Akinbo, R. Y., Ajibode, I. A. and Dosunmu, A. O. P., "Statistical analysis on the awareness and safeguarding against social engineering," Journal of Educational and Social Research, Vol. 1, No. 2, September 2011, pp. 115-120.
[2] Mohebzada, J., El Zarka, A. and Bhojani, A., "An Awareness Study on Account Phishing, Spam Emails & Social Engineering Attacks," COE444 Spring 2010, research project report, 2010. Available: http://www.mohebzada.com/projects/s10_coe444.pdf (accessed 10/11).
[3] Mitnick, K. D. and Simon, W. L., The Art of Deception: Controlling the Human Element of Security. New York: Wiley, 2002, p. 15. Available: http://fr.thehackademy.net/madchat/esprit/textes/The_Art_of_Deception.pdf (accessed 10/11).
[4] Karakasiliotis, A., Furnell, S. M. and Papadaki, M., "Assessing end-user awareness of social engineering and phishing," Proceedings of the 7th Australian Information Warfare and Security Conference, 2006, pp. 60-72.
[5] Orgill, G., Romney, G., Bailey, M. and Orgill, P., "The Urgency for Effective User Privacy-education to Counter Social Engineering Attacks on Secure Computer Systems," Proceedings of SIGITE '04, Salt Lake City, UT, 2004.
[6] Heikkinen, S., "Social engineering in the world of emerging communication technologies," Proceedings of the Wireless World Research Forum meeting #17, Nov. 2006.
[7] Granger, S., "Social Engineering Fundamentals, Part I: Hacker Tactics," SecurityFocus, 2001.
[8] Bakhshi, T., Papadaki, M. and Furnell, S. M., "A Practical Assessment of Social Engineering Vulnerability," Proceedings of the Second International Symposium on Human Aspects of Information Security & Assurance (HAISA), 2008.
[9] Odaro, U. S. and Sanders, B. G., "Social Engineering: Phishing for a Solution." Available: http://www.kaspersky.com/images/odaro,_ugiomo_susan_sanders,_benjamin__social_engineering_phishing_for_a_solution-10-98480.pdf (accessed 10/11).
[10] http://whitepapers.hackerjournals.com/?p=23074
[11] http://www.cybersecurity.my/en/knowledge_bank/news/2011/main/detail/2032/index.html
