The Unprecedented Rise in Cybercrime and the Role of the Human Vulnerability Factor

Nabie Y. Conteh, Malcolm D. Royer
DOI: 10.4018/978-1-7998-6504-9.ch003

This chapter is primarily intended to firstly define and review the literature in cybersecurity and vividly shed light on the mechanisms involved in the social engineering phenomenon. It will discuss the various attempts at network intrusion and the steps typically taken in the implementation of cyber-thefts. The chapter will provide the rationale behind the justification of why humans are considered to be the weakest link in these attacks. The study will also explain the reasons for the rise in cybercrimes and their impact on organizations. In closing, the chapter will put forward some recommendations to serve as preventative measures and solutions to the threats and vulnerabilities posed by cyber-attacks. Finally, measures, such as conducting regular, thorough, and relevant awareness training, frequent drills, and realistic tests, will be addressed with a view to maintaining a steady focus on the overall discipline of the organization, thereby hardening the component of the network that is the softest by nature—the human vulnerability factor.

2. Social Engineering

2.1 Definition

The term “social engineering” as it pertains to computer and network security is not new—it has been around since at least 1995 when Al Berg used it in his article “Cracking a Social Engineer” in LAN Times—but it has not yet made its way into all standard dictionaries. The 2015 editions of the Merriam-Webster, Random House, and Cambridge Free English dictionaries only define social engineering in terms of the social or political sciences, not security. Among the information security community, however, social engineering refers to “the practice of fooling someone into giving up something they wouldn’t otherwise surrender through the use of psychological tricks” (Vacca & Curry, 2013). Curry goes on to state that social engineers “rely on the normal behavior of people presented with data or a social situation to respond in a predictable, human way” and explains that this kind of attack relies on “presenting trusted logos and a context that seems normal but is in fact designed to create a vulnerability that the social engineer can exploit” (Vacca & Curry, 2013).

In his book Ghost in the Wires about his exploits as a hacker, Kevin Mitnick defines social engineering as “the casual or calculated manipulation of people to influence them to do things they would not ordinarily do” (Mitnick & Simon, 2011). He gives a clear example of a typical method of obtaining unauthorized information as a part of his breaking into U.S. Leasing’s computer network:

I would call the company I’d targeted, ask for their computer room, make sure I was talking to a system administrator, and tell him, “This is [whatever fictitious name popped into my head at that moment], from DEC support. We’ve discovered a catastrophic bug in your version of RSTS/E. You could lose data.” This is a very powerful social-engineering technique, because the fear of losing data is so great that most people won’t hesitate to cooperate. (Mitnick & Simon, 2011)

Accurate as this example is, it only depicts one aspect of social engineering: pretexting—setting the conditions (a story, subtle or explicit clues, name-dropping, internal buzz-words and terminology, etc.) for a victim to believe that the attacker comes from a legitimate background. The other forms of attack that fall under the classification of social engineering, including the definitions put forward in this article, are:

  • Baiting—leaving Trojan horse style equipment or software lying in the open with an enticing title or appearance as bait.

  • Phishing—using a scam email to deceive a victim.

  • Piggybacking (or tailgating)—following someone into a secure environment, with or without their noticing.

  • Quid Pro Quo—giving someone something in return; exploiting a person’s goodwill.

  • Shoulder Surfing—watching someone enter knowledge-based credentials and remembering them for future unauthorized use.

  • Vishing—using an interactive voice response system to trick a victim into inputting personal information over the phone.

According to Granger (2010), regardless of the specific attack method, the basic methods of persuasion used are “impersonation, ingratiation, conformity, diffusion of responsibility, and plain old friendliness… the main objective is to convince the person disclosing the information that the social engineer is in fact a person that they can trust” (Granger, 2010). An additional supplement to the information-gathering process and to the development of a plausible background prior to pretexting is dumpster diving—sifting through discarded files for sensitive information.
