
A Risk Assessment Scheme of Social Engineering Attacks for Enterprise Organizations  

Park, Younghoo (Department of Convergence Security, Graduate School, Chung-Ang University)
Shin, Dongcheon (Department of Industrial Security, Chung-Ang University)
Abstract
Recently, security attacks have occurred in very diverse ways, targeting the people who operate a system rather than the system itself, instead of exploiting vulnerabilities of the system. However, to the best of our knowledge, there have been very few works that analyze the risks of social engineering attacks targeting people and deal with them strategically. In this paper, in order to assess the risks of social engineering attacks, we analyze those attacks in terms of attack routes, attack means, attack steps, attack tools, and attack goals. Then, with the purpose of assessing organizational risks, we consider the characteristics and environments of the organizations, because the impact of an attack on an organization obviously depends on that organization's characteristics and environment. In addition, we analyze general attack risk assessment methods such as CVSS, CWSS, and the OWASP Risk Rating Methodology. Finally, we propose a risk assessment scheme of social engineering attacks for organizations. The proposed scheme allows each organization to take its own proper actions to address social engineering attacks according to changes in its environment.
Keywords
Social engineering attack; Attack risk assessment; Organization risk assessment; Human-centric security; Security strategy
References
1 C. Hadnagy, "Social Engineering: The Art of Human Hacking", John Wiley & Sons, 2010.
2 A. Nyirak, "The Attack Cycle", http://www.social-engineer.org/framework/attack-vectors/attack-cycle
3 CVSS-SIG, "Common Vulnerability Scoring System", https://www.first.org/cvss
4 P. Mell, K. Scarfone, and S. Romanosky, "Common Vulnerability Scoring System", IEEE Security & Privacy, Vol. 4, Issue 6, pp. 85-89, 2006.
5 CWE, "Common Weakness Scoring System", https://cwe.mitre.org/cwss/cwss_v1.0.1.html
6 OWASP Foundation, "The OWASP Risk Rating Methodology", https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
7 Microsoft, "How to Protect Insiders from Social Engineering Threats", 2014. https://msdn.microsoft.com/en-us/library/cc875841.aspx
8 UK National Computer Emergency Response Team, "An introduction to social engineering", https://www.ncsc.gov.uk/guidance/introduction-social-engineering
9 M. N. Sadiku, A. E. Shadare, and S. M. Musa, "Social Engineering: An Introduction", Journal of Scientific and Engineering Research, Vol. 3, Issue 3, pp. 64-66, 2016.
10 K. Mitnick, "How to hack people", http://news.bbc.co.uk/2/hi/technology/2320121.stm
11 J. Long, "No Tech Hacking: A Guide to Social Engineering, Dumpster Diving and Shoulder Surfing", Syngress, 2011.
12 K. Krombholz, H. Hobel, M. Huber, and E. Weippl, "Advanced social engineering attacks", Journal of Information Security and Applications, Vol. 22, pp. 113-122, 2015.
13 D. Bisson, "5 Social Engineering Attacks to Watch Out For", http://www.tripwire.com/state-of-security/security-awareness/5-social-engineering-attacks-to-watch-out-for/
14 P. Chen, L. Desmet, and C. Huygens, "A Study on Advanced Persistent Threats", IFIP International Conference on Communications and Multimedia Security, pp. 63-72, 2014.
15 D. C. Shin and Y. H. Park, "Development of Risk Assessment Indices for Social Engineering Attacks", Journal of Security Engineering, Vol. 14, No. 2, pp. 143-156, 2017.