Abstract
At the highest abstraction level, an attempt by a social engineer to exploit a victim organization either aims at a specific target (denial of service, stealing an asset, tapping some particular piece of information) or seeks to maximize an outcome, such as disabling the organization through a terrorist attack or establishing a permanent parasitic relationship (long-term espionage). Seen as dynamic processes, the first kind of exploit is a controlling (“balancing”) feedback loop, while the second kind is a reinforcing feedback loop. Each type of exploit meets a first line of defense either in control processes or in escalating (“reinforcing”) processes of resistance. The possible combinations of the two modes of attack and the two modes of defense yield four archetypes of exploit and natural defense. Predictably, the social engineer will seek to outsmart the first line of defense; it is shown that each archetype implies a particular strategy for doing so. Anticipating these modes of attack must be the starting point for an effective multi-layered defense against social engineering attacks.
© 2006 Springer-Verlag Berlin Heidelberg
Gonzalez, J.J., Sarriegi, J.M., Gurrutxaga, A. (2006). A Framework for Conceptualizing Social Engineering Attacks. In: Lopez, J. (eds) Critical Information Infrastructures Security. CRITIS 2006. Lecture Notes in Computer Science, vol 4347. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11962977_7
DOI: https://doi.org/10.1007/11962977_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-69083-2
Online ISBN: 978-3-540-69084-9