Non-Technical Cyber-Attacks and International Cybersecurity: The Case of Social Engineering

Abstract

This paper aims to provide an overview of social engineering attacks, and their impacts on cybersecurity, including national and international security, and figures out detection techniques, and major methods for countermeasure. How do social engineering attacks affect national and international security? And why is it so hard to cope with them? Seeking for answers to these questions, this paper applies qualitative research methods particularly literature review and case analysis. While qualitative research methods are predominantly employed, quantitative methods will also be utilized when deemed essential. Social engineering attacks, also referred to as online fraud, are a type of attack that typically necessitates minimal or no technical knowledge. Social engineering attacks, instead benefit from the weaknesses and mistakes of individuals, since the user is accepted as the weakest link in cybersecurity. Many studies have shown that the vast majority of successful cyber-attacks in the digital world are social engineering (SE) because countering them is more difficult than countering technical cyber-attacks. Based on the analysis of some major cyber-attacks such as the intervention in the 2016 US Presidential elections, the hacking of CIA director, John Brennan in 2015, and Stuxnet in 2010, the paper figures out that social engineering attacks have a tremendous impact on cybersecurity on the individual, institutional, societal, national, and international levels. Penetration tests and training for raising awareness are the prolific ways to mitigate social engineering attacks.

Keywords

• Social Engineering
• Cybersecurity
• Human Error
• International Security
• Phishing

Non-Technical Cyber-Attacks and International Cybersecurity: The Case of Social Engineering

Abstract

Bu makale, sosyal mühendislik saldırılarına ve bunların ulusal ve uluslararası güvenlik de dahil olmak üzere siber güvenlik üzerindeki etkilerine genel bir bakış sunmayı amaçlamakta, tespit tekniklerini ve karşı önlem için başlıca yöntemleri ortaya koymaktadır. Sosyal mühendislik saldırıları ulusal ve uluslararası güvenliği nasıl etkiler? Peki onlarla baş etmek neden bu kadar zor? Bu soruların yanıtlarını arayan bu makalede, özellikle literatür taraması ve vaka analizi olmak üzere nitel araştırma yöntemleri kullanılmaktadır. Araştırmada ağırlıklı olarak nitel araştırma yöntemleri kullanılmakla birlikte, gerekli görüldüğünde nicel araştırma yöntemlerinden de yararlanılacaktır. Online dolandırıcılık olarak da bilinen sosyal mühendislik saldırıları çoğu zaman az teknik bilgi ya da teknik bilgi gerektirmeyen nitelikte saldırılardır. Kullanıcı siber güvenlikte en zayıf halka olarak kabul edildiğinden, sosyal mühendislik saldırıları bireylerin zaaflarından ve hatalarından faydalanır. Birçok çalışma, dijital dünyadaki başarılı siber saldırıların büyük çoğunluğunun sosyal mühendislik (SE) saldırıları olduğunu, çünkü bunlara karşı koymanın teknik siber saldırılara karşı koymaktan daha zor olduğunu göstermiştir. 2016 ABD Başkanlık seçimlerine müdahale, 2015'te CIA direktörü John Brennan'in hacklenmesi ve 2010'da Stuxnet gibi bazı büyük siber saldırıların analizine dayanan makale, sosyal mühendislik saldırılarının bireysel, kurumsal, toplumsal, ulusal ve uluslararası düzeyde siber güvenlik üzerinde çok büyük etkiye sahip olduğunu ortaya koymaktadır. Sızma testleri ve farkındalığı artırmaya yönelik eğitimler, sosyal mühendislik saldırılarını azaltmanın etkili yöntemlerindendir.

Keywords

• Sosyal mühendislik
• Siber Güvenlik
• İnsan hatası
• Uluslararası güvenlik
• Oltalama.

References

1. Akyeşilmen, N. (2018). Siber politika ve siber güvenlik, Ankara: Orion Kitapevi.
2. Aldawood, H. And Skinner, D. (2019). Contemporary cyber security social engineering solutions, measures, policies, tools and applications: A critical appraisal, International Journal of Security (IJS), 10(1), 1-15. https://f.hubspotusercontent30.net/hubfs/8156085/WhitePaper%20-%20IJS%20-%20Contemporary%20Cyber%20Security%20Social%20Engineering%20Solutions%5B1%5D.pdf Access date: October 30, 2022.
3. Allen, J. (2022). Social engineering penetration testing: Attacks, methods, & steps. https://purplesec.us/social-engineering-penetration-testing/ Access date: November 13, 2022.
4. Baezner, M and Robin, P. (2017). Hotspot analysis: Stuxnet, Zürich:Center for Security Studies (CSS). https://css.ethz.ch/content/dam/ethz/special-interest/gess/cis/center-for-securities-studies/pdfs/Cyber-Reports-2017-04.pdf Access date: November 10, 2022.
5. Breda, F., Barbosa, H. and Morais, T. (2017). Social engineering and cybersecurity, conference: International technology, education and development conference. https://www.researchgate.net/publication/315351300_SOCIAL_ENGINEERING_AND_CYBER_SECURITY Access date: October 30, 2022.
6. Brown, R. (2012). South Carolina offers details of data theft and warns it could happen elsewhere. https://www.nytimes.com/2012/11/21/us/more-details-of-south-carolina-hacking-episode.html Access date: November 10, 2022.
7. CERT-UK. (2015). An introduction to social engineering, Cert-UK publicaiton, https://info.publicintelligence.net/UK-CERT-SocialEngineering.pdf Access date: October 29, 2022.
8. Chinta, M., Alaparthi, J. And Kodali, E. (2016). A study on social engineering attacks and defense mechanisms. International Journal of Computer Science and Information Security (IJCSIS), 14 Special issues,225-231. https://archive.org/stream/IJCSISVol14SpecialIssueICETCSE2016Final/IJCSIS%20Vol%2014%20Special%20Issue%20ICETCSE%202016%20Final_djvu.txt Access date: October 30, 2022.

9. Dolly, J. (2017). The cyber cold war: The silent, but persistent threat to nation-states. https://www.itproportal.com/features/the-cyber-cold-war-the-silent-but-persistent-threat-to-nation-states/ Access date: November 08, 2022.
10. Duarte, N., Coelho, N., Guarda, T. (2021). Social engineering: The art of attacks, In Guarda, T., Portela, F., Santos, M.F. (eds) Advanced Research in Technologies, Information, Innovation, and Sustainability. ARTIIS 2021. Communications in Computer and Information Science, vol.1485. Springer, Cham. https://doi.org/10.1007/978-3-030-90241-4_36 Access date: November 04, 2022.
11. ESET. (2021). Social engineering handbook: How to take the right action. https://www.eset.com/fileadmin/ESET/INT/Landing/2021/Project_progress/ESET-Social_engineering_handbook.pdf Access date: November 04, 2022.
12. Fleming, R. (2010). Bits before bombs: How Stuxnet crippled Iran’s nuclear dreams. https://www.digitaltrends.com/computing/bits-before-bombs-how-stuxnet-crippled-irans-nuclear-dreams/ Access date: November 10, 2022.
13. Fruhlinger, J. (2017). What is Stuxnet, who created it and how does it work? https://www.csoonline.com/article/3218104/malware/what-is-stuxnet-who-created-it-and-how-does-it-work.html Access date: November 12, 2022.
14. Gatefy. (2021). 10 real and famous cases of social engineering attacks. https://gatefy.com/blog/real-and-famous-cases-social-engineering-attacks/ Access date: November 08, 2022.
15. Ghauri, F. A. (2021). Social engineering and its importance. https://www.researchgate.net/publication/354849736 Access date: November 04, 2022.
16. Greenwald, G. (2013). NSA collects phone records of millions of Verizon customers Daily. https://www.theguardian.com/world/2013/jun/06/nsa-phone-records-verizon-court-order Access date: November 10, 2022.
17. Hadnagy, C. (2018). Social engineering: The science of human hacking, Indianapolis: John Wiley & Sons, Inc.
18. Hiik.(2017). Conflict Barometer-2017. https://hiik.de/conflict-barometer/current-version/?lang=en Access date: November 08, 2022.
19. Hill, G. (2018). Lessons learned from Snowden. https://www.scmagazine.com/lessons-learned-from-snowden/article/541919/ Access date: November 08, 2022.
20. Ignatius, D. (2017). Russia’s assault on America’s elections is just one example of a global threat https://www.washingtonpost.com/opinions/global-opinions/russias-assault-on-americas-elections-is-just-one-example-of-a-global-threat/2017/02/23/3a3dca7e-fa16-11e6-9845-576c69081518_story.html? noredirect=on&utm_term=.179c499b359b Access date: November 12, 2022.
21. Indzhov, O. et. al. (2022). Social Engineering Threats Towards Non-IT Students: A Case Study on Mitigation Strategies. https://www.diva-portal.org/smash/get/diva2:1671049/FULLTEXT01.pdf Access date: November 04, 2022.
22. Israel, R. (2018). Lessons Being Learned From Edward Snowden. http://www.theglobalcitizensinitiative.org/lessons-being-learned-from-edward-snowden/ Accessed date: July 28, 2018.
23. Internetlivestats. (2022). Internet live stats. https://www.internetlivestats.com/ Access date: November 12, 2022.
24. Jimoh, A. (2022). Social Engineering Attacks. https://www.researchgate.net/publication/358647625_Social_Engineering_Attacks Access date: October 30, 2022.
25. Kontio, M. (2016). Social Engineering 101, Bachelor’s Thesis, Turku University of Applied Sciences, Business Information Technology | Business Data Communications and Information Security. https://core.ac.uk/download/pdf/38134896.pdf Access date: November 08, 2022.
26. Krombholz, K, et. al. (2014). Advanced Social Engineering Attacks, Journal of Information Security and Applications. https://www.researchgate.net/publication/267340031_Advanced_social_engineering_attacks Access date: October 30, 2022.
27. McLellan, C. (2016). How hackers attacked Ukraine's power grid: Implications for Industrial IoT security. https://www.zdnet.com/article/how-hackers-attacked-ukraines-power-grid-implications-for-industrial-iot-security/ Access date: November 10, 2022.
28. Michael, T. And Cambridge, E. (2018). 'Cyber Terrorist' Caged Brit teen hacker Kane Gamble posed as CIA boss to access secret military files locked up for two years. https://www.thesun.co.uk/news/6105694/british-teen-hacker-kane-gamble-cia-boss-jailed-two-years/ Access date: November 08, 2022.
29. Mitnicksecurity. (2020). The Top 5 Most Famous Social Engineering Attacks of the Last Decade. https://www.mitnicksecurity.com/blog/the-top-5-most-famous-social-engineering-attacks-of-the-last-decade Access date: November 08, 2022.
30. Mitnicksecurity. (2022). The History of Social Engineering (And How To Stay Safe Today). https://f.hubspotusercontent20.net/hubfs/3875471/Ebooks/Social-Engineering-History-MitnickSecurity.pdf?hsCtaTracking=b5736792-f5c6-4635-9ab4-072f9edae08f%7C803e6a65-4e3a-46b4-a63c-e799856aa820 Access date: November4, 2022.
31. Oosterloo, B. (2008). Managing Social Engineering Risk: Making Social Engineering Transparent, Master Thesis submitted to University of Twente. https://essay.utwente.nl/59233/1/scriptie_B_Oosterloo.pdf Access date: November 1, 2022.
32. Pagliery, J. (2017). The emergence of the 'cyber cold war'. https://money.cnn.com/2017/01/19/technology/cyber-cold-war/index.html Access date: November 09, 2022.
33. Reed, C. (2022).21 Social Engineering Statistics – 2022, Firewall Times, May 16, 2022. https://firewalltimes.com/social-engineering-statistics/#:~:text=The%20Average%20Organization%20Is%20Targeted,against%20about%202.7%20per%20day Access date: November 12, 2022.
34. Salahdine, F., and Kaabouch, N. (2019). Social Engineering Attacks: A Survey, Futur Internet, 11(89). https://www.researchgate.net/publication/332151597_Social_Engineering _Attacks _A_Survey Access date: November 04, 2022.
35. Scanlan, Q. (2018). Russians still trying to interfere in US elections every 'way they can': Republican senatör. https://abcnews.go.com/Politics/russians-interfere-us-elections-republican-senator/story?id=56889554 Access date: November 12, 2022.
36. Singer, P.W. (2017). How America Can Beat Russia in Cyberwar Despite Trump. https://www.wired.com/2017/01/america-can-beat-russia-cyber-war-despite-trump/ Access date: November 09, 2022.
37. Sjouwerman, S. (2022). Crelan Bank Loses 75.8 Million Dollars In CEO Fraud. https://blog.knowbe4.com/crelan-bank-loses-75.8-million-dollars-in-ceo-fraud Access date: November 10, 2022.
38. Sjouwerman, S. (2022). Edward Snowden Used Social Engineering To Hack NSA. https://blog.knowbe4.com/bid/351948/edward-snowden-used-social-engineering-to-hack-nsa Access date: November 10, 2022.
39. Sysgroup. (2022). Statistics You Need to Know About Social Engineering. https://www.sysgroup.com/resources/blog/statistics-need-to-know-social-engineering Access date: November 12, 2022.
40. Şöhret, M. (2022). Methods of cyber intelligence gathering, Yılmaz, C. İ. (Ed.). İstihbarat araştırmaları, Konya: Necmettin Erbakan Üniversitesi Yayınları.
41. Tabbaa, B. (2020). Zer0 Days: How Stuxnet Disrupted the Iran Nuclear Program and Transformed Computer Security. https://medium.com/dataseries/zer0-days-how-stuxnet-disrupted-the-iran-nuclear-program-and-transformed-computer-security-9b9587199f06 Access date: November 10, 2022.
42. Trendmicro. (2016). Austrian Aeronautics Company Loses Over €42 Million to BEC Scam. https://www.trendmicro.com/vinfo/pl/security/news/cybercrime-and-digital-threats/austrian-aeronautics-company-loses-42m-to-bec-scam Access date: November 10, 2022.
43. Wang, Z. (2018). Sun, L. And Zhu, H., Defining Social Engineering in Cybersecurity, Vol.8. https://www.semanticscholar.org/paper/Defining-Social-Engineering-in-Cybersecurity-Wang-Sun/4f460417fc13a59326c525a9eefc77798947885a Access date: October 30, 2022.
44. Zorz, Z. (2016). Belgian bank Crelan loses €70 million to BEC scammers. https://www.helpnetsecurity.com/2016/01/26/belgian-bank-crelan-loses-e70-million-to-bec-scammers/ Access date: November 10, 2022.