International Journal of Advanced Computer Research, Vol 6(23)
ISSN (Print): 2249-7277 ISSN (Online): 2277-7970
http://dx.doi.org/10.19101/IJACR.2016.623006

Cybersecurity: risks, vulnerabilities and countermeasures to prevent social engineering attacks

Nabie Y. Conteh1* and Paul J. Schmick2
1 Assistant Professor of Computer Information Systems, Department of Computer Information Systems, College of Business & Public Administration, Southern University at New Orleans, Louisiana, USA
2 Department of Cyber Security and Information Assurance, Graduate School of MGT and Technology, University of Maryland University College, Adelphi, Maryland, USA
Received: 21-December-2015; Revised: 07-February-2016; Accepted: 10-February-2016
©2016 ACCENTS
Review Article

Abstract
The broad objective of this study is to evaluate the vulnerabilities of an organization's information technology infrastructure, which includes hardware and software systems, transmission media, local area networks, wide area networks, enterprise networks, intranets, and its use of the internet, to cyber intrusions. To achieve this objective, the paper attempts to explain the importance and the role of social engineering in network intrusions and cyber-theft. It also discusses in vivid detail the reasons for the rapid expansion of cybercrime. The paper also includes a complete description and definition of social engineering, the role it plays in network intrusion and cyber identity theft, and a discussion of the reasons for the rise in cybercrime and their impact on organizations. In closing, the authors recommend some preventive measures and possible solutions to the threats and vulnerabilities of social engineering. The paper concludes that while technology has a role to play in reducing the impact of social engineering attacks, the vulnerability resides with human behaviour, human impulses and psychological predispositions. While the literature supports the dangers of psychological susceptibilities in social engineering attacks, investment in organizational education campaigns offers optimism that social engineering attacks can be reduced.

Keywords
Cyber security, Cyber theft, Social Engineering, Cybercrime, Phishing, Network Intrusions.

*Author for correspondence

1. Introduction
Social engineering, also known as human hacking, is the art of tricking employees and consumers into disclosing their credentials and then using them to gain access to networks or accounts. It is a hacker's tricky use of deception or manipulation of people's tendency to trust, be cooperative, or simply follow their desire to explore and be curious. Sophisticated IT security systems cannot protect systems from hackers or defend against what seems to be authorized access. People are easily hacked, making them and their social media posts high-risk attack targets. It is often easy to get computer users to infect their corporate network or mobiles by luring them to spoofed websites, tricking them into clicking on harmful links, or having them download and install malicious applications or backdoors.

In a 2013 study conducted by TNS Global for Halon, an email security service, 30 percent of the surveyed populace, comprised of 1,000 adults in the U.S., disclosed that they would open an e-mail even if they were aware it contained a virus or was suspicious [1]. Even with robust campaigns conveying the dangers of opening suspicious e-mails, a large majority of email users remain vulnerable to social engineering attacks [2]. To confront the challenges posed by social engineering attacks, recommendations deriving from research offer options to reduce the probability of success of a social engineering attack.

With cyber security incidents growing exponentially in terms of frequency and damage to an organization's reputation in its respective marketplace, users and organizations have not adequately deployed defenses to discourage would-be attackers' intent to strike. The terms information and network security continue to dominate U.S. headlines, with a large-scale cyber-attack surpassing the probability of a physical terrorist attack on U.S. soil. In fact, in a 2013 interview of FBI Director James Comey, the Director testified before a Senate Homeland Security Committee that cyber-attacks have surpassed terrorism as a major domestic threat, with the threat continuing to rise [3].
In this paper social engineering is defined along with the types of social engineering attacks. In addition, this research identifies why cyber theft continues to advance at an alarming rate. Furthermore, the psychological variables that contribute to vulnerabilities are discussed. Finally, studies are presented that identify key considerations regarding social engineering testing and training, and point to how users can be coached to prevent attacks, which offers a promising methodology to reduce system and user risk.
2. What is social engineering?
Engebretson (2011) [4] defines social engineering as "one of the simplest methods to gather information about a target through the process of exploiting human weakness that is inherent to every organization." The foundation of an attack is to persuade the forfeiture of confidential information and then exploit an individual or an organization. In essence, an attacker engages social engineering as a tactic to use human insiders and information to circumvent computer security solutions through deceit.

Regarding the human vulnerability of social engineering, Luo et al. (2011) [5] note that while social engineering is identified as a low-tech attack, the attack aims at manipulating victims to divulge confidential information and succeeds by exploiting personality vulnerabilities. Social engineering as a tactic deploys techniques to gain access to private and confidential information by exploiting flaws in human logic known as cognitive biases [5]. While security technology measures aim at improving information system security, human factors represent a weak link which is exploited during a social engineering attack. Bisson (2015) [6] notes that social engineering is "a term that encompasses a broad spectrum of malicious activity" and identifies five of the most common types of social engineering attacks used to target victims, which include:
Phishing: Phishing scams attempt to obtain personal information such as names, addresses and other personally identifiable information (PII) such as social security numbers. Phishing scams may embed links to redirect users to suspicious websites that appear legitimate. These types of scams create a sense of urgency to manipulate users into acting in a manner that challenges good judgment.

Pretexting: This type of social engineering attack is driven by a fabricated scenario attempting to confirm and steal personal information from a target. Advanced attacks attempt to exploit a weakness of an organization or company. This method requires the attacker to build a credible story that leaves the target little room for doubt. The strategy is to use fear and urgency while building a sense of trust with a victim to confirm or obtain the sought information.

Baiting: Baiting is similar to a phishing attack, but lures a victim through enticement strategies. Hackers use the lure of promised goods if a user surrenders log-in credentials to a specific site. Baiting schemes are not limited to digital on-line schemes and can also be launched through the use of physical media.

Quid pro quo: Similar to baiting, but this type of threat is presented as a technical service in exchange for information. A common threat is for an attacker to impersonate an information technology representative and offer assistance to a victim who may be experiencing technical challenges. The attacker aims to launch malware on a user's system.

Tailgating: This type of attack uses tailgating and piggybacking to gain access to restricted areas. This attack exposes those who have the ability to grant or gain access to a restricted area to an attacker who may impersonate delivery personnel or others who may require temporary access.
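As an added illustration from the defender's side (example code written for this page, not from the paper or the authors it cites), the Python function below scores a raw e-mail for the phishing indicators the list above describes: urgency language, a request for credentials or PII, a display name that does not match the sender's domain, and a link whose visible text names a different host than its actual target. The two sample messages, the phrase lists and the `.test` domains are constructed for the example; a real deployment would tune the phrase lists and add further signals.

```python
import email
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phrase lists for the example; a real deployment would tune them.
URGENCY_PHRASES = ("immediately", "within 24 hours", "account will be suspended",
                   "urgent", "verify now", "final notice")
CREDENTIAL_PHRASES = ("password", "social security number", "log-in credentials",
                      "confirm your account", "enter your username")

# Constructed sample messages (example data, not from the paper); .test domains are reserved.
PHISH_SAMPLE = """From: "Example Bank" <security@login-alerts.test>
To: user@corp.test
Subject: Final notice
Content-Type: text/html

<p>Your account will be suspended within 24 hours. Enter your username and
password at <a href="http://login-alerts.test/verify">www.examplebank.test/secure</a>.</p>
"""

BENIGN_SAMPLE = """From: "Example Bank" <statements@examplebank.test>
To: user@corp.test
Subject: Your monthly statement is ready
Content-Type: text/html

<p>Your statement is available in online banking at
<a href="https://www.examplebank.test/statements">www.examplebank.test/statements</a>.</p>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url_or_text):
    """Lower-case host of a URL, or of a bare 'www.host/path' string as shown in link text."""
    text = url_or_text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def _body_text(msg):
    """Concatenate the decoded text/plain and text/html parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in parts if p.get_content_type() in ("text/plain", "text/html"))


def phishing_indicators(raw_message):
    """Return human-readable indicator strings found in a raw RFC 822 message."""
    msg = email.message_from_string(raw_message)
    body = _body_text(msg)
    lowered = (msg.get("Subject", "") + "\n" + body).lower()
    indicators = []

    # 1. Urgency language meant to push the reader past good judgment.
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        indicators.append("urgency language: " + ", ".join(hits))

    # 2. A direct request for credentials or PII.
    hits = [p for p in CREDENTIAL_PHRASES if p in lowered]
    if hits:
        indicators.append("credential/PII request: " + ", ".join(hits))

    # 3. Display name claims a brand whose first word is absent from the sender domain.
    m = re.match(r'\s*"?([^"<]*)"?\s*<([^>]+)>', msg.get("From", ""))
    if m:
        display, addr = m.group(1).strip().lower(), m.group(2).lower()
        sender_domain = addr.rsplit("@", 1)[-1]
        brand = display.split()[0] if display else ""
        if brand and brand not in sender_domain:
            indicators.append(f"display name '{display}' vs sender domain '{sender_domain}'")

    # 4. Visible link text names one host while the href points somewhere else.
    collector = AnchorCollector()
    collector.feed(body)
    for href, text in collector.anchors:
        if "." in text and _host(text) and _host(text) != _host(href):
            indicators.append(f"link text '{text}' but href host '{_host(href)}'")
    return indicators


def is_suspicious(raw_message, threshold=2):
    """Treat a message as suspicious when at least `threshold` indicators fire."""
    return len(phishing_indicators(raw_message)) >= threshold


if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, phishing_indicators(sample))
```

The constructed phishing sample trips all four indicators while the legitimate statement notice trips none; the threshold in `is_suspicious` exists because any single heuristic (a bank really can send an urgent notice) produces false positives on its own.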
3. Social engineering and its role in cyber-theft
Information security is defined as "protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction" according to U.S. law [7]. And while so much attention in terms of resources and training to overcome information security breaches has been deployed, Nakashima and Peterson (2014) [8] note that the Center for Strategic and International Studies estimates the annual cost of cybercrime and economic espionage to the global economy at more than $445 billion, or almost one percent of total global income [9].
Hackers are getting increasingly sophisticated and adept at their social engineering attacks. They are able to piece together disparate data from various sources, namely social media, corporate blogs and other data, and to painstakingly pull crucial and key data from well-meaning employees, which these cyber-criminals use to attack networks, steal invaluable data, and even hold corporations hostage and in some cases damage the object of their targets.

Regarding the rise of cybercrime and theft, Grimes (2014) [10] identifies key indicators as to the rise and cause of cybercrime, which financially impacts both individuals and organizations. One reason for the appeal of cyber theft is the benefit of theft by ambiguity. Internet crimes are committed by thousands of cyber criminals world-wide, but few are prosecuted and jailed. In addition, cyber criminals do not have to be intelligent to be successful in digital theft, but are willing to take risks because of the benefit of distance from a victim while taking little risk and little exposure.

Many cyber thefts take place globally, and law enforcement agencies are limited by jurisdictional boundaries in pursuing cyber criminals. The pursuit also includes working with other law enforcement agencies outside of domestic jurisdictions. While this is less complex domestically, getting international support to pursue international theft remains a challenge for U.S. law enforcement. In essence, most international governments do not cooperate with each other [11].

Evidence is another factor, and a lack of successful convictions is due to a lack of evidence that can be delivered in court to prosecute cyber criminals. Two primary variables relate to evidence: first, obtaining evidence that is credible enough to hold individuals accountable; second, few organizations have the legal expertise to prepare legal evidence in cybercrime cases, which takes planning, commitment and resources. These challenges lower the probability that a criminal, even if caught, will be prosecuted and jailed.

To overcome crime in the cyber domain, a lack of resources is perhaps the leading contributor to its exponential growth. Few organizations have the dedicated resources to pursue internet crimes and criminals. Pursuing cyber theft is costly, and without a potential return-on-investment (ROI), dedicated resources are difficult to justify. While the cost of cyber victimization is nearly half a trillion dollars, it has not hurt global economies and may even appear to be a cost of doing business. For meaningful change to occur, cybercrime would have to hurt individuals and organizations to an unbearable point; instead, the reality of managing risk and loss has been built into the fabric of organizations, and individual victimization from small-scale occurrences has become noise that is expected.
4. Psychological variables and contribution to cybercrimes
Social engineering attacks challenge information security professionals because no technical countermeasures to date can eliminate the human vulnerability [5]. Identifying the cause of human error and successful social engineering attacks, Luo et al. (2011) [5] argue that the social psychology influences of "alternative routes to persuasion, attitudes and beliefs that affect human interactions, and techniques for persuasion influence" expose the psychological vulnerabilities that enable a successful social engineering attack.

To seek the foundations of the interest in opening potentially damaging e-mails, Ragan (2013) [1] notes that the intent to engage in such behaviour differs between genders, with women enticed to open malicious e-mails appearing to come from social networks, while men fall prey to e-mails communicating power, money and sex. Because social engineering attacks tap into human psychological impulses, reducing engagement remains a challenge, since occurrences aim at human psychological vulnerabilities [12].

Further evaluating the social psychological influences: alternate routes to persuasion contribute to successful social engineering attacks by influencing a victim's emotions towards fear or excitement, which may alter a responsible action. Attitudes and beliefs refer to the differences between the beliefs of the victim and those of his/her social engineering attackers. And lastly, influencing techniques rely on peripheral paths to persuasion that influence behaviour and action [5].

Because social engineering attacks provoke emotional exposure and a triggered response, denying an attacker's ploy is a challenge without awareness of the vulnerabilities revealed by this artful exploitation of human susceptibility. However, studies demonstrate that awareness through corporate education campaigns may provide a virtual barrier to reduce the success rate of social engineering attacks. In totality, the chief strategy may reside in awareness of the manipulation tactics used to obtain valuable and confidential information, to prevent social engineering attackers from acquiring information to exploit a user or organization.
5. Social engineering techniques: human and technical
Luo et al. (2011) [5] identify several human or technical means that social engineering attackers can deploy, from phishing to dumpster diving, as tactics to gain visibility or obtain confidential information. For aggressive and successful attackers, a synergy of human and technical strategy may be deployed to obtain ample information on an individual or to gain access to an organization. Regarding the steps of gathering information through execution of a social engineering attack, Luo et al. (2011) [5] identify the steps in the attack process.

Figure 1 Four steps of social engineering [5]

Figure 1 above graphically explains the stepwise approach in the execution of social engineering attacks. The process begins with the first phase of studying and gathering information; then a relationship is established. In the exploitation phase, access into the system is gained, and in the final phase the attack is implemented.

Social engineering attacks can be categorized as either human or technology deployments. Direct human engagement stems from an attacker who has obtained personal information about a victim and develops a relationship with the user. Because the attacker poses as a known or trusted party, the victim becomes susceptible and exploited, and relinquishes sensitive or personal company information, thereby contributing to the pieces of the puzzle the attacker can use to his/her advantage. Technical attacks are more unambiguous and are deployed through a host of options such as software programs, email attachments, pop-up windows and websites [5]. Perhaps the most successful technical ploy is to draw a user into divulging account usernames and passwords by prompting victims to input user and password information in pop-up windows. Websites and pop-up windows can appear as a site frequently visited by a user; however, the script-embedded pop-up window manipulates the user into entering a username and password, which delivers the information to the attacker.
6. Preventive measures against social engineering
It is evident that regardless of how technologically secure a network seems, the human element will always be a vulnerability. The success rate and the number of cybercrimes are steadily on the rise due to the level of anonymity social engineering offers malicious actors. Businesses have to remain cognizant of the various threat actors and their plethora of attacks so they are able to respond accordingly. There are technical and non-technical safeguards that can be implemented to lower the risk associated with social engineering to a tolerable level. Companies are adding multiple layers to their security schemes so that if the mechanism in the outer layer fails, a mechanism in at least one inner layer can help prevent a threat from turning into a disaster (risk mitigation). This concept is known as multi-layer defense or defense in depth. A good defense in depth structure includes a mixture of the following precautionary measures:

Security Policy: A well written policy should include technical and nontechnical approaches that are driven downward by executive management. Every organization should integrate security into its operational objectives.

Education and Training: Employees ought to be required to attend initial training during orientation and recurring refresher trainings. This builds awareness by exposing users to commonly employed tactics and the behaviors targeted by a social engineer.

Network Guidance: The organization has to safeguard the network by whitelisting authorized websites, using network address translation (NAT), and disabling unused applications and ports. Network users have to maintain complex passwords that are changed every 60 days.

Audits and Compliance: Organizations have to actively verify that their security policy is being adhered to. Some detective controls include reviewing network logs, re-validating employees' permissions, and checking desktop configurations at least bi-monthly.

Technical Procedures: The network should have multiple layers of defence to protect data and core infrastructure. Software like Intrusion Prevention Systems (IPS), Intrusion Detection Systems (IDS) and firewalls should be installed on every device. Demilitarized Zones (DMZ), web filters and Virtual Private Networks (VPN) should be deployed for all external-facing services.

Physical Guidance: There is a range of options that can be implemented to protect physical assets. Using a combination of security guards, mantraps and security cameras to deter intruders from entering the premises is beneficial. In places where physical hardware is located, businesses should employ multifactor authentication, biometrics or access control lists before access is granted.
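To show what the Network Guidance and Audits and Compliance items look like as a concrete detective control, here is an added Python example (written for this page, not the paper's own material) that reviews a constructed proxy log against a website whitelist, flags accounts whose password is older than the 60-day rotation window, and lists privileged accounts due for permission re-validation. The log format, host names, account records, group names and dates are all constructed for the example.

```python
from datetime import date
from urllib.parse import urlparse

# Policy values mirroring the paper's guidance: a website whitelist and 60-day rotation.
# The host names are constructed for the example (.test is a reserved TLD).
ALLOWED_HOSTS = {"intranet.corp.test", "mail.corp.test", "vendor-portal.test"}
MAX_PASSWORD_AGE_DAYS = 60
PRIVILEGED_GROUPS = {"finance-admin", "domain-admin"}

# Constructed proxy log in a simple space-separated format assumed for this example:
# <timestamp> <user> <method> <url> <status>
PROXY_LOG = """\
2016-02-01T09:14:02 alice GET https://intranet.corp.test/home 200
2016-02-01T09:15:40 bob GET http://free-gift-cards.test/claim 200
2016-02-01T09:16:05 alice POST https://mail.corp.test/send 200
2016-02-01T09:20:11 carol GET http://vendor-portal.test.evil.test/login 200
2016-02-01T09:22:30 bob GET https://vendor-portal.test/orders 200
"""

# Constructed account records: user, ISO date of last password change, group membership.
ACCOUNTS = [
    {"user": "alice", "password_changed": "2015-11-20", "groups": ["staff"]},
    {"user": "bob", "password_changed": "2016-01-15", "groups": ["staff", "finance-admin"]},
    {"user": "carol", "password_changed": "2015-12-30", "groups": ["contractor", "domain-admin"]},
]


def parse_proxy_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped, not guessed."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        ts, user, method, url, status = fields
        records.append({"ts": ts, "user": user, "method": method,
                        "host": (urlparse(url).hostname or "").lower(), "status": status})
    return records


def non_whitelisted_requests(records, allowed=ALLOWED_HOSTS):
    """Exact host match only: a look-alike such as 'vendor-portal.test.evil.test'
    must not pass because it merely starts with a whitelisted name."""
    return [r for r in records if r["host"] not in allowed]


def stale_passwords(accounts, today, max_age=MAX_PASSWORD_AGE_DAYS):
    """Accounts whose password is older than the rotation window on the audit date."""
    stale = []
    for acct in accounts:
        age = (today - date.fromisoformat(acct["password_changed"])).days
        if age > max_age:
            stale.append((acct["user"], age))
    return stale


def privileged_accounts(accounts, privileged=PRIVILEGED_GROUPS):
    """Accounts holding privileged group membership that the audit should re-validate."""
    return [a["user"] for a in accounts if privileged & set(a["groups"])]


def run_audit(log_text=PROXY_LOG, accounts=ACCOUNTS, today=date(2016, 2, 1)):
    """Combine the three detective checks into one findings report."""
    records = parse_proxy_log(log_text)
    return {
        "non_whitelisted": sorted({(r["user"], r["host"]) for r in non_whitelisted_requests(records)}),
        "stale_passwords": stale_passwords(accounts, today),
        "privileged_to_revalidate": privileged_accounts(accounts),
    }


if __name__ == "__main__":
    for finding, items in run_audit().items():
        print(finding, items)
```

Matching hosts exactly rather than by prefix is the one design point worth noting: a whitelist check that accepts any host beginning with an approved name is itself a social engineering hole, since a look-alike domain then reads as approved.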
To overcome the challenges of social engineering attacks, Luo et al. (2011) [5] identify the necessity of a multidimensional approach to overcoming threats through a holistic approach addressing organizational policies, procedures, standards, employee training and awareness programs, and incident response. While all areas to combat this threat are critical, without employee training, expensive infrastructure and network security investment means little, considering only seven percent of U.S. organizations deploy training programs and materials in phishing education [13].

Evaluating variables of cause and identifying those who are susceptible in an organization, Chitrey, Singh, Bag, & Singh (2012) [14] identify the drivers, targets and motivation behind social engineering attacks. The 2012 study attempted to demonstrate an analytical approach towards social engineering attacks and identify attacker trends. The study, which surveyed an undisclosed number of IT professionals, sheds light on potential training measures for organizations that are eager to deploy information security awareness programs to reduce the risk of employee proneness to a social engineering attack.

Figure 2 Questionnaire results regarding the motivation behind social engineering attacks

According to the study conducted by Chitrey, Singh, Bag, & Singh (2012) [14] introduced in the preceding paragraph, figure 2 depicts the motivating factors behind social engineering attacks. It is evident that access motivated by the need to gain proprietary information ranks highest, at 30% of responses. Financial gain ranks second, followed by the need for competitive advantage, then by "just for fun", revenge, and last and least by unnamed others. Figure 3 depicts the results from the same study on the entities that are vulnerable to social engineering attacks. The most vulnerable group is new employees (41%), followed by clients and customers (23%), then IT professionals (17%), partners and contractors (12%), and lastly others.
[Figure 2: pie chart "Motivation Behind Social Engineering Attacks" with slices: access to proprietary information 30%, financial gain 23%, competitive advantage 21%, just for fun 11%, revenge 10%, other 5%.]
Figure 3 Questionnaire results regarding entities which present risk of falling prey to a social engineering attack

In another study, Bowen, Devarajan & Stolfo (2011) [15] of Columbia University measured enterprise susceptibility to phishing attacks, which is a technical path and deployment mechanism to instigate a social engineering attack. The 2011 study's primary focus was on reinforced training and its impact on preventing social engineering attacks. As the results shown in tables 1 and 2 below indicate, the study tested user vulnerabilities using decoy e-mails to lure users into supplying information or accessing phony e-mails, so that data could be gathered and utilized for training purposes to prevent future attacks.
Table 1 The number of responses for each round for the first experiment to measure the user response to phony phish

Decoy Type                  | 1st Round | 3rd Round | 4th Round
Email with internal URLs    | 52        | 0         | NA
Email with external URLs    | 177       | 1         | 0
Forms to obtain credentials | 39/20     | 0         | NA
Beacon Documents            | 45        | NA        | NA

Table 2 The number of responses for each round of the second experiment to measure the user response to phony phish

Decoy Type                  | 1st Round | 2nd Round | 3rd Round | 4th Round
Email with internal URLs    | 69        | 7         | 1         | 0
Email with external URLs    | 176       | 10        | 3         | 0
Forms to obtain credentials | 69/50     | 10/9      | 0         | NA
Beacon Documents            | 71        | 2         | 0         | NA
The Bowen et al. (2011) [15] study was conducted by deploying two rounds of experiments. Users were probed repeatedly, then educated each time to understand how the luring techniques occurred, until victims stopped falling prey to attacks. The data ultimately support that repetitious probes followed by education offer value and a return on investment (ROI) in limiting successful probes of users regardless of psychological predispositions or gender. Evaluating the data from both rounds of the Columbia University experiment confirms that users can be coached to exercise caution before opening suspicious e-mail messages.
[Figure 3: pie chart "Entities which fall prey to social engineering attacks" with slices: new employees 41%, clients & customers 23%, IT professionals 17%, partners & contractors 12%, top level management 7%, others 0%.]
As the data support, by reaffirming threats through repetitive communication, users were still able to be coached to disengage from the luring process of social engineering attacks, although slower learners had the highest probability of falling prey to such attacks.
7. Limitations of the Study
Luo et al. (2011) [5] recognize key considerations that can be learned from social engineering penetration testing and education. Most importantly, the 2011 Columbia University study noted in this research paper identifies that education followed by additional social engineering testing leads to a dramatic reduction in social engineering attack success, therefore reducing information system and network vulnerability. However, the 2011 Columbia University study offers no consideration of how frequently testing and training may be required to maintain the same results. In essence, the limitations of the Columbia University study prevent drawing an absolute conclusion that the same results should be expected if further testing were conducted. This leaves open the deployment of recurrent training models after periods of time, to determine whether users produce similar results after one phase of testing and whether training efforts are lasting.
8. Conclusions
To overcome cyber security incidents involving social engineering attacks, research supports that the most effective defence is an educated computer user. Also to consider are those most vulnerable, identified in this research as new employees within an organization, as specifically shown in figure 3 above, with the attacker seeking personally identifiable information (PII) from those engaged. Further supported in this research are the psychological variables that contribute to user vulnerability. This paper concludes that while technology has a role to play in reducing the impact of social engineering attacks, the vulnerability resides with human behaviour, human impulses and psychological predispositions that can be influenced through education. Ultimately, investment in organizational education campaigns offers optimism that social engineering attacks can be reduced, but an absolute solution to overcome such cyber security threats has yet to be put forward.

Acknowledgment
None.

Conflicts of interest
The authors have no conflicts of interest to declare.
References
[1] Ragan S, W Staff. Social engineering: study finds Americans willingly open malicious emails. http://www.csoonline.com/article/2133877/social-engineering/social-engineering--study-finds-americans-willingly-open-malicious-emails.html. Accessed 28 August 2013.
[2] Maan PS, Sharma M. Social engineering: a partial technical attack. International Journal of Computer Science Issues. 2012; 9(2):557-9.
[3] Anonymous. FBI: Cyber-attacks surpassing terrorism as major domestic threat. https://www.rt.com/usa/fbi-cyber-attack-threat-739/. Accessed 25 November 2013.
[4] Engebretson P. The basics of hacking and penetration testing: ethical hacking and penetration testing made easy. Elsevier; 2011.
[5] Luo X, Brody R, Seazzu A, Burd S. Social engineering: the neglected human factor for information security management. Information Resources Management Journal. 2011; 24(3):1-8.
[6] Bisson D. 5 Social engineering attacks to watch out for. The State of Security. http://www.tripwire.com/state-of-security/security-awareness/5-social-engineering-attacks-to-watch-out-for/. Accessed 23 March 2015.
[7] Andress J. The basics of information security: understanding the fundamentals of InfoSec in theory and practice. Elsevier; 2011.
[8] Nakashima E, Peterson A. Report: cybercrime and espionage costs $445 billion annually. The Washington Post. https://www.washingtonpost.com/world/national-security/report-cybercrime-and-espionage-costs-445-billion-annually/2014/06/08/8995291c-ecce-11e3-9f5c-9075d5508f0a_story.html. Accessed 9 June 2014.
[9] Strohm C. Cyber theft, already a $445 billion business, to grow bigger. http://www.insurancejournal.com/news/national/2014/06/09/331333.htm. Accessed 9 June 2014.
[10] Grimes RA. 5 reasons internet crime is worse than ever. InfoWorld. http://www.infoworld.com/article/2608631/security/5-reasons-internet-crime-is-worse-than-ever.html?page=2. Accessed 23 March 2015.
[11] Taylor RW, Fritsch EJ, Liederbach J. Digital crime and digital terrorism. Prentice Hall Press; 2014.
[12] Vacca JR. Computer and information security handbook. Newnes; 2012.
[13] Diana A. Social engineering targets weakest security link: employees. http://www.enterprisetech.com/2015/05/19/social-engineering-targets-weakest-security-link-employees/. Accessed 19 May 2015.
[14] Chitrey A, Singh D, Singh V. A comprehensive study of social engineering based attacks in India to develop a conceptual model. International Journal of Information and Network Security. 2012; 1(2):45-53.
[15] Bowen BM, Devarajan R, Stolfo S. Measuring the human factor of cyber security. In: IEEE International Conference on Technologies for Homeland Security (HST) 2011 (pp. 230-235). IEEE.
Dr. Nabie Y. Conteh is a Computer Information Systems Professor at Southern University at New Orleans (SUNO). He holds a BS in information systems from the Institute for Information and Communication Technology, in the Netherlands; an MBA in information systems management from Ferris State University; and an MS and Ph.D. in information systems from the University of Maryland, Baltimore County. His areas of teaching and research interest include decision support systems, systems modeling and simulation; artificial intelligence/expert systems; systems analysis and design; and knowledge management and organizational learning. Dr. Conteh possesses many technical skills and the ability to speak English, Dutch, Russian and German. Dr. Conteh has made many presentations at national and international conferences and has been published in refereed journals and proceedings. He has worked as Assistant Professor at Shenandoah University and is currently an Adjunct Associate Professor of Cyberspace and Cyber Security at the Graduate School of the University of Maryland University College and Professor of Database Management Systems and Global Information Technology at Florida Tech. During the tenure of his Ph.D. program, he worked as Research Assistant at the University of Maryland Baltimore County. He did consulting for Datastream at College Park in Maryland, a company whose primary activity is data conversion. He has also worked for Getronics Transaction Services and EuroShell International, ABN AMRO Bank at Amsterdam, in the Netherlands.
Email: nconteh@suno.edu

Paul J. Schmick is a Speaker, Professor and Vice President of Security Technology for Alliance Security Services headquartered in New York. Paul is a seasoned professional in the disciplines of security convergence and information technology, cybersecurity, physical security, risk-based security and security technologies. Paul previously held the position of Director of Corporate Security Programs at FJC Security Services where he directed the company's corporate security programs, managed FJC's Office of Information Technology (OIT), and was the Managing Director of FJC Technology Solutions where he directed the organization's security technology service division. Paul also served eight years with the U.S. Department of Homeland Security (DHS) - Transportation Security Administration (TSA) and in his last role with the department was responsible for the implementation of aviation security policy, managed security technology equipment deployments, and supervised training programs and personnel to enhance the agency's formidable defense against improvised explosive device (IED) threats targeting U.S. aviation assets and infrastructure. Paul earned his M.S. in Homeland Security Management from the Homeland Security and Terrorism Institute at LIU Post, and holds a B.A. in Homeland Security & Emergency Management from Ashford University. As an active member in the academic, security and emergency management communities, Paul serves as the Advisory Board Chair and Executive Director of the Homeland Security and Security Management program at the Long Island Business Institute in New York. He also serves as an Adjunct Professor under the U.S. Department of Homeland Security - Transportation Security Administration Partnership Program at Erie Community College.
... This lack of clarity hinders the understanding of what drives implementation or how it is managed [1]. Thus, investment in cybersecurity and effective management can be viewed as preventive and proactive measures to protect reputation, ensure business continuity, and facilitate participation in business networks [18,19]. ...
... Digitalization brings forth unprecedented efficiency and connectivity, but it also exposes systems, networks, and sensitive data to new and sophisticated cybersecurity risks [32][33][34]. Cybersecurity plays a pivotal role in this landscape, serving as the safeguard against unauthorised access, data breaches, and other malicious activities that could compromise the integrity, confidentiality, and availability of digital assets [19]. ...
... Organizations face an escalating and diversifying landscape of cybersecurity threats, continually growing in sophistication [7,9,19,35]. Various types of cybersecurity attacks, employing techniques such as phishing, malware, web attacks, and the exploitation of IT system vulnerabilities, are identified in the literature. ...
... In a recent report directed by TNS Global for Halon, an email security administration, 30% of the overviewed people included 1,000 grown-ups in the US, unveiled that they would open an email regardless of whether they knew it contained an infection or was dubious [8]. According to research done by Sophos Email, it was seen that overall, 41% of organizations had been a daily phishing attack target while 77% faced monthly attacks [9]. ...
... Further assessing the social-mental impacts, backup ways add influence to effective social designing assaults by affecting a casualty's feelings towards dread or hunger, which might adjust a capable activity. Also, in conclusion, impacting methods depend on fringe ways to influence that impact conduct and activity [8]. ...
Article
With the advancement of technology, the Internet is becoming ubiquitous and available to everybody. There is a plethora of websites that provide various advantages. Despite their large quantity, not all these websites are genuine. Phishing sites are websites that trick people into serving their objectives. Phishing assaults, which have been around for ages and are still a huge issue today, pose a severe threat to the cyber world. Attackers are using a variety of innovative and inventive tactics to carry out phishing assaults, which are on the rise. Web browsing’s pervasiveness in our everyday lives, however, is not without security hazards. This standard web browsing habit, along with web users’ poor situational awareness of cyber dangers, exposes them to Phishing, malware, and profiling, among other hazards. Furthermore, phishing assaults are frequently used as an attack vector or the first stage in a more complex attack in today’s security climate. The usual method of comparing websites by using a blacklist and a whitelist is ineffective. As attackers have gotten more sophisticated in concealing and redirecting URLs, they may now fool users into phishing attacks without being caught. These Phishing attacks are used to commit all sorts of criminal activities like identity theft, whether in the form of Document theft, financial fraud, or medical fraud. As a result, new methodologies on machine learning algorithms (ML) are required to detect these phishing websites.
... A malevolent hacker initially investigates the intended victim in order to gather background data for the assault. The thief then makes an effort to win over the victim's trust and convince them to do other acts, including providing access to a personal profile or disclosing critical personal information, that will ultimately lead to breaching security (Conteh and Schmick, 2016). ...
Chapter
This chapter explores the crucial influence that human behavior and decision-making have on information system security. Human factors continue to be a major source of weaknesses in cybersecurity plans, even while technology measures constitute its core. This study looks into the several ways that human factors, such as social engineering, cognitive biases, and insufficient training, affect cybersecurity risks. The chapter illustrates how human errors, such as weak password practices and phishing vulnerability, can undermine even the strongest technology defenses by looking at case studies. It emphasizes the significance of strategy for cybersecurity. To lower the risks associated with people, it suggests extensive training plans, approachable system designs, and organizational guidelines. In an effort to reduce human error, the chapter also examines new developments in the field, such as behavioural biometrics and AI-driven monitoring systems. In the end, this chapter highlights how important it is to address human elements in order to improve overall cybersecurity resilience.
... 16,29 By investing in cybersecurity measures like encryption, access controls, and employee training, organizations can mitigate risks, reduce vulnerability, and uphold the integrity and confidentiality of their data and systems, thereby safeguarding their overall viability and success in the digital age. 3,16,30,31 This study explores two primary aspects of cybersecurity implementation in companies. Firstly, we investigate the adoption of recognized cybersecurity standards, which provide structured frameworks for enhancing an organization's security posture. ...
... Compared to physician systems, patient portal security risk is emerging as a new challenge for HIS due to the growing cyber threats. [6][7][8][9][10][11][12][13][14] Cyber threat is the collection of criminal activities that use computers to issue cyberattacks through the Internet. Hacking 8,14-17 is one of the common forms of cyberattacks, aiming to crack information systems so as to gain unauthorized identity to steal data or encrypt user files to extort money. ...
Article
Background: Growing cyberattacks have made it more challenging to maintain healthcare information system (HIS) security in medical institutes, especially for hospitals that provide patient portals to access patient information, such as electronic health records (EHR). Objective: This work aims to evaluate the patient portal security risk of Taiwan's EEC (EMR Exchange Center) member hospitals and analyze the association between patient portal security, hospital location, contract category and hospital type. Methods: We first collected the basic information of EEC member hospitals, including hospital location, contract category and hospital type. Then, the patient portal security of individual hospitals was evaluated by a well-known vulnerability scanner, UPGUARD, to assess whether the website was vulnerable to high-level attacks such as denial of service attacks or ransomware attacks. Based on their UPSCAN scores, hospitals were classified into four security ratings: absolute low risk, low to medium risk, medium to high risk and high risk. Finally, the associations between security rating, contract category and hospital type were analyzed using chi-square tests. Results: We surveyed a total of 373 EEC member hospitals. Among them, 20 hospital patient portals were rated as "absolute low risk", 104 hospital patient portals as "low to medium risk", 99 hospital patient portals as "medium to high risk" and 150 hospital patient portals as "high risk". Further investigation revealed that the patient portal security of EEC member hospitals was significantly associated with the contract category and hospital type (P<0.001). Conclusion: The analysis results showed that large-scale hospitals generally had higher security levels, implying that the security of low-tier and small-scale hospitals may warrant reinforcement or strengthening. We suggest that hospitals should pay attention to the security risk assessment of their patient portals to preserve patient information privacy.
Article
The threat of social engineering attacks is highly evident in Indonesia. This is reflected in the IDADX report, which shows a significant increase in phishing attack complaints in Indonesia during the first quarter of 2023, with 26,675 reports, up from 6,106 reports in the fourth quarter of 2022. The highest number of attacks occurred in February with 15,050 cases. This also resulted in Indonesia being the 8th country with the highest number of data breach cases globally, with 820,000 cases in the second quarter of 2022, according to Surfshark. The purpose of this research is to analyze the utilization of digital forensic technology in collecting digital evidence to reveal the identities of social engineering crime perpetrators. The writing of this article uses a qualitative analysis method supported by digital forensic theory. The results of the discussion indicate that forensics focuses on the identification, collection, analysis, and preservation of digital evidence that can be used in legal proceedings. Digital forensics leverages computer technology and digital devices to uncover and secure information relevant to a crime. In social engineering crimes, which involve psychological manipulation to obtain information or certain access from victims, digital forensics plays a crucial role in identifying, collecting, analyzing, and preserving digital evidence that can reveal the identities of the perpetrators and their methods. Digital forensic technology is used to analyze emails, text messages, activity logs, and other digital traces left by the perpetrators.
Thesis
In the rapidly evolving landscape of cybersecurity, the role of Cyber Threat Intelligence (CTI) has become increasingly critical in identifying, mitigating, and responding to complex cyber threats. This paper explores the concept of CTI, emphasizing its significance in modern cybersecurity frameworks and its impact on enhancing an organization's defensive posture. By delving into various types of CTI (strategic, tactical, operational, and technical), the paper highlights the necessity of a proactive approach to threat management. The study also examines the diverse sources of CTI, ranging from open-source intelligence to human intelligence and technical intelligence, and discusses best practices for integrating CTI into cybersecurity operations. Furthermore, the challenges associated with CTI implementation, such as data quality, privacy concerns, and the shortage of skilled professionals, are thoroughly analyzed. Finally, the paper addresses emerging trends in CTI, including predictive threat intelligence and the increasing importance of CTI in protecting critical infrastructure. Through this comprehensive analysis, the paper aims to provide a deeper understanding of CTI's role in fortifying cybersecurity defenses and its potential to transform security practices in the face of evolving cyber threats.
Chapter
Social Engineering (SE) encompasses various tactics that exploit human vulnerabilities to execute security attacks. This paper provides a thorough review and synthesis of recent literature on social engineering by employing a multidimensional approach which examines the nature of SE, its lifecycle, methods, impact, and strategies for defense. Review papers that review recent literature while taking into consideration these dimensions of SE are still limited and do not consider 2023 literature. To achieve our aim, materials covering the timeframe from 2016 to 2023 were sourced and reviewed from databases such as IEEE Xplore, Emerald, ProQuest, ACM, Google Scholar, ScienceDirect, and other relevant sources and online statistics. The research findings underscore the ongoing challenge of preventing social engineering attacks, with no organization in the twenty-first century being entirely immune. Among the identified attack methods, phishing emerges as the most prevalent and researched form of social engineering. From the literature review, practical implications for businesses emerge, categorized into three areas: the organization, its employees, and the technology they employ. These insights can help organizations enhance their security measures against social engineering attacks.
Article
Emerging sociocultural challenges such as malicious cybersecurity attacks and the cyber-unsafe utilization of the internet across industries highlight ways analysis of consumer perspectives pertaining to products of behavioral systems (e.g., government, universities, and business) may inform interventions relating to secure cyberbehaviors. In this study, we conducted a systematic analysis of viewpoints for two groups of college students (computer science and psychology majors) on cybersecurity using a Q methodology approach. The analysis revealed three shared viewpoints. The first one highlighted the importance of facing the security of internet utilization at the level of the entire society, thus suggesting the supply of appropriate cyber training for any type of internet users. The second viewpoint communicated a shared concern for the inability of businesses and the U.S. government to protect the privacy of their users effectively. The third viewpoint, which was only communicated by the psychology major students, emphasized the risks of cyberspace but also expressed difficulties in meeting the requirements associated with users’ safe access to the internet. These types of findings offer guidance for community leaders in making decisions about educational interventions, while accounting for the perspectives of potential recipients of educational services as part of addressing social validity concerns (see Baer et al. Journal of Applied Behavior Analysis, 1(1), 91–97, 1968).
Article
The objective of this research is to present and demonstrate an analytical approach towards Social Engineering. A questionnaire was created and a survey was conducted accordingly to determine the understanding of IT practitioners and social networking users based in India. Based on the responses, an advanced model of Social Engineering based attacks was developed. This model can be used in the development of an organization-wide Information Security policy and Information Security Awareness Program.
Conference Paper
This paper investigates new methods to measure, quantify and evaluate the security posture of human organizations, especially within large corporations and government agencies. Computer security is not just about technology and systems. It is also about the people that use those systems and how their vulnerable behaviors can lead to exploitation. We focus on measuring enterprise-level susceptibility to phishing attacks. Results of experiments conducted at Columbia University and the system used to conduct the experiments are presented that show how the system can also be effective for training users. We include a description of follow-on work that has been proposed to DHS that aims to measure and improve the security posture of government departments and agencies, as well as for comparing security postures of individual agencies against one another.
Article
Effective information systems security management combines technological measures and managerial efforts. Although various technical means have been employed to cope with security threats, human factors have been comparatively neglected. This article examines human factors that can lead to social engineering intrusions. Social engineering is a technique used by malicious attackers to gain access to desired information by exploiting the flaws in human logic known as cognitive biases. Social engineering is a potential threat to information security and should be considered equally important to its technological counterparts. This article unveils various social engineering attacks and their leading human factors, and discusses several ways to defend against social engineering: education, training, procedure, and policy. The authors further introduce possible countermeasures for social engineering attacks. Future analysis is also presented.
Book
This book presents information on how to analyze risks to your networks and the steps needed to select and deploy the appropriate countermeasures to reduce your exposure to physical and network threats. It also imparts the skills and knowledge needed to identify and counter some fundamental security risks and requirements, including Internet security threats and measures (audit trails, IP sniffing/spoofing, etc.) and how to implement security policies and procedures. In addition, this book also covers security and network design with respect to particular vulnerabilities and threats. It also covers risk assessment and mitigation and auditing and testing of security systems. From this book, the reader will also learn about applying the standards and technologies required to build secure VPNs, configure client software and server operating systems, IPsec-enabled routers, firewalls and SSL clients. Chapter coverage includes identifying vulnerabilities and implementing appropriate countermeasures to prevent and mitigate threats to mission-critical processes. Techniques are explored for creating a business continuity plan (BCP) and the methodology for building an infrastructure that supports its effective implementation. A public key infrastructure (PKI) is an increasingly critical component for ensuring confidentiality, integrity and authentication in an enterprise. This comprehensive book will provide essential knowledge and skills needed to select, design and deploy a PKI to secure existing and future applications. This book will include discussion of vulnerability scanners to detect security weaknesses and prevention techniques, as well as allowing access to key services while maintaining systems security. Chapters contributed by leaders in the field cover theory and practice of computer security technology, allowing the reader to develop a new level of technical expertise.
This book's comprehensive and up-to-date coverage of security issues facilitates learning and allows the reader to remain current and fully informed from multiple viewpoints. It presents methods of analysis and problem-solving techniques, enhancing the reader's grasp of the material and ability to implement practical solutions.
Book
The second edition of this comprehensive handbook of computer and information security serves as a professional reference and practitioner's guide providing the most complete view of computer security and privacy available. It offers in-depth coverage of security theory, technology, and practice as they relate to established technologies as well as recent advancements. It explores practical solutions to a wide range of security issues. Individual chapters are authored by leading experts in the field and address the immediate and long-term challenges in the authors' respective areas of expertise. The book is organized into nine parts composed of 61 contributed chapters by leading experts in the areas of networking and systems security; information management; cyber warfare and security; encryption technology; privacy; data storage; physical security; and a host of advanced security topics. New to this edition are chapters on intrusion detection, securing the cloud, securing web apps, ethical hacking, cyber forensics, physical security, disaster recovery, cyber attack deterrence, and more. Chapters contributed by leaders in the field cover theory and practice of computer security technology, allowing the reader to develop a new level of technical expertise. This book's comprehensive and up-to-date coverage of security issues facilitates learning and allows the reader to remain current and fully informed from multiple viewpoints. It presents methods of analysis and problem-solving techniques, enhancing the reader's grasp of the material and ability to implement practical solutions.
Article
As part of the Syngress Basics series, The Basics of Information Security provides you with fundamental knowledge of information security in both theoretical and practical aspects. Author Jason Andress gives you the basic knowledge needed to understand the key concepts of confidentiality, integrity, and availability, and then dives into practical applications of these ideas in the areas of operational, physical, network, application, and operating system security. The Basics of Information Security gives you clear, non-technical explanations of how infosec works and how to apply these principles whether you're in the IT field or want to understand how it affects your career and business. The new Second Edition has been updated for the latest trends and threats, including new material on many infosec subjects.
  • Learn about information security without wading through a huge textbook
  • Covers both theoretical and practical aspects of information security
  • Provides a broad view of the information security field in a concise manner
  • All-new Second Edition updated for the latest information security trends and threats, including material on incident response, social engineering, security awareness, risk management, and legal/regulatory issues.