Friday, April 25, 2008

ICIW2008: Establishing the Human Firewall: Improving Resistance to Social Engineering Attacks

Jamison Scheeres, Air Force Institute of Technology
  • what is social engineering
    • techniques to manipulate people
    • also shoulder surfing
    • also dumpster diving
    • trick someone into doing something
  • huge threat in today's environment
  • red teams say SE is 100% effective
  • current defensive techniques are not effective
  • research challenges
    • successful SEs are not caught
    • classification issues
    • ethical issues in deceiving subjects
  • psychological triggers
    • authority
    • reciprocation
    • strong affect (phishing)
    • overloading (buffer overflow for humans)
    • deceptive relationships
    • integrity/consistency
  • principles of persuasion
    • authority
    • consistency
    • liking
    • reciprocity
    • scarcity
    • social proof
  • resistance to persuasion
    • inoculation theory
    • self-efficacy
    • forewarning
  • "Dispelling the illusion of invulnerability" (Sagarin et al., 2002)
  • methodology
    • compared psych triggers to principles of persuasion
    • determine relationship between illegitimate persuasion & social engineering
  • military vulnerable to authority due to strict hierarchy of authority
  • conclusions
    • strong relationship between principles and triggers
    • illegitimate persuasion = social engineering
    • been trying to instill resistance in the wrong way
    • solution is to demo to the individual they are personally vulnerable
    • security people must social engineer their people
  • future research
    • develop measurement
    • compare/validate various means of resistance training
