MASTER'S THESIS - DiVA 1016104/  · MASTER'S THESIS Social Engineering ... version of

  • View
    221

  • Download
    3

Embed Size (px)

Text of MASTER'S THESIS - DiVA 1016104/  · MASTER'S THESIS Social Engineering ... version of

  • MASTER'S THESIS

    Social Engineering and InfluenceA Study that Examines Kevin Mitnicks Attacks through Robert Cialdinis

    Influence Principles

    Dimitrios Stergiou2013

    Master (120 credits)Master of Science in Information Security

    Lule University of TechnologyDepartment of Computer science, Electrical and Space engineering

  • i

    Abstract

    As technology matures, new threats rise and take the place of the traditional

    issues (insecure infrastructure, insecurely developed software, etc.), threats that

    revolve around exploiting human vulnerabilities instead of technical vulnerabilities.

    One of the most famous threats that have risen in the area of Information Security is

    Social Engineering.

    The goal of this study is to take an interpretive approach on Social Engineering, by

    using Cialdinis principles of influence. In order to be able to interpret the attacks,

    the study examines documented attacks (by Kevin Mitnick), abstracts them,

    categorizes them into four main categories (Gain Physical Access, Install Malware,

    Information Extraction, Perform an Action), models them by graphically depicting

    the execution path of the attack and finally interprets how the victims were

    influenced (or manipulated) to assist the attacker(s).

    This study is executed using the Literature Review methodology, following the eight

    steps proposed by Okoli. During the execution of the study the author examines the

    principles of Influence, Social Engineering models and additional psychological

    principles used in Social Engineering. The author, based on the findings in the

    literature, creates Social Engineering attack models and interprets the findings.

    The importance of the study is that it explains how the well-known principles of

    Influence are used in Social Engineering attacks. The psychological findings and the

    models created lead the author to believe that there is a possibility for them to be

    used as a framework for solving Social Engineering attacks.

    Keywords: Social Engineering, Influence, Persuasion, Reciprocation, Liking, Social

    Proof, Authority, Scarcity, Commitment and Consistency

  • ii

    Acknowledgments

    First of all I would like to thank my supervisor, Prof. Helena Karasti, for all the help,

    support and guidance that she gave me during the thesis writing period. In addition,

    I would like to thank Prof. Tero Pivrinta for his advice and comments, and Prof.

    Devinder Thapa for providing an exceptional introductory course in thesis writing.

    Secondly, I would to thank Mr. Ross Tsagalidis and the Swedish Armed Forces

    (SWAF). Although the nature of this study did not allow for close cooperation, Mr.

    Tsagalidis provided valuable input, guided me when needed and was an excellent

    non-academic supervisor.

    Last but not least, I would like to thank my family, especially my wife who has been

    extremely understanding during the study period and my son for allowing me to

    spend time reading papers instead of playing football with him. Since he now claims

    that he wants to be a Security Manager when he grows up I can only hope that

    someday he will reference this paper in his studies.

    Credits also go to:

    Mrs. Vasia Kalavri, and Mrs. Konstantinia Charitoudi, for providing me with

    information on how to do academic work when I was confused.

    Mr. Lars Andersson, for assisting me in the digitization of my books.

    Mr. Thobias Sjkvist, for giving me his valuable time in reviewing the final

    version of the thesis and finding a number of grammatical / spelling errors.

  • iii

    Table of Contents

    Abstract ........................................................................................................................... i

    Acknowledgments.......................................................................................................... ii

    Table of Contents .......................................................................................................... iii

    Table of Figures ........................................................................................................... viii

    Abbreviations ................................................................................................................. x

    1. Introduction ........................................................................................................... 1

    1.1. Background .................................................................................................... 1

    1.2. Research problem definition ......................................................................... 2

    1.3. Research objective ......................................................................................... 2

    1.4. Research question .......................................................................................... 3

    1.5. Assumptions ................................................................................................... 5

    1.6. Limitations...................................................................................................... 5

    1.7. Thesis structure .............................................................................................. 5

    2. Literature Review ................................................................................................... 7

    2.1. Social Engineering definitions ........................................................................ 7

    2.2. Social Engineering attack lifecycle ................................................................. 9

    Information Gathering (Reconnaissance) ............................................ 11 2.2.1.

    Google Hacking ................................................................................................ 11

    Information Gathering Tools ........................................................................... 12

    Social Media ..................................................................................................... 15

    Dumpster diving ............................................................................................... 16

  • iv

    Development of relationship (Rapport)............................................... 16 2.2.2.

    Pretexting ......................................................................................................... 16

    Micro expressions ............................................................................................ 17

    Body language .................................................................................................. 18

    Neuro-Linguistic Programming (NLP) .............................................................. 19

    Exploitation and Execution (Attack methods) ..................................... 21 2.2.3.

    Technical Social Engineering attacks ............................................................... 21

    Non-Technical (Psychological) Social Engineering attacks .............................. 24

    2.3. Social Engineering models ........................................................................... 28

    Social Engineering Attack models ........................................................ 28 2.3.1.

    Social Engineering Taxonomy models ................................................. 31 2.3.2.

    Social Engineering Detection models .................................................. 33 2.3.3.

    3. Theoretical Framework ........................................................................................ 37

    3.1. Influence, Persuasion and Compliance ........................................................ 37

    3.2. Principles of Influence .................................................................................. 38

    Reciprocation ....................................................................................... 39 3.2.1.

    Human interaction ........................................................................................... 39

    Electronic interaction ....................................................................................... 39

    Commitment and Consistency ............................................................. 40 3.2.2.

    Human interaction ........................................................................................... 40

    Electronic interaction ....................................................................................... 41

    Social Proof .......................................................................................... 42 3.2.3.

  • v

    Human interaction ........................................................................................... 42

    Electronic interaction ....................................................................................... 43

    Liking .................................................................................................... 44 3.2.4.

    Human interaction ........................................................................................... 44

    Electronic interaction ....................................................................................... 46

    Authority .............................................................................................. 47 3.2.5.

    Human interaction ........................................................................................... 47

    Electronic interaction .........................................................