Social Engineering As An Approach For Probing Organizations To Improve IT Security: A Case Study At A Large International Firm In The Transport Industry

Daniël van Liempd, Arthur Sjouw, Matthijs Smakman, Koen Smit

Research output: Contribution to Conference › Paper › Academic

Abstract

This paper describes the external IT security analysis of an international corporate organization, covering both a technical and a social perspective, resulting in a proposed repeatable approach and lessons learned from applying this approach. Part of the security analysis was the utilization of a social engineering experiment, as this could be used to discover employee-related risks. This approach was based on multiple signals that indicated a low IT security awareness level among employees, as well as the results of a preliminary technical analysis. To carry out the social engineering experiment, two techniques were used. The first technique was to send phishing emails to both the system administrators and other employees of the company. The second technique comprised the infiltration of the office itself to test its physical security, after which two probes were left behind. The social engineering experiment proved that general IT security awareness among employees was very low. The results allowed the research team to infiltrate the network, with the possibility of disabling or hampering crucial processes. Social engineering experiments can play an important role in conducting security analyses by showing security vulnerabilities and raising awareness within a company. Therefore, further research should focus on the standardization of social engineering experiments for use in security analyses and on further development of the approach itself. This paper provides a detailed description of the methods used and the reasoning behind them as a stepping stone for future research on this subject.
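
The first technique in the abstract, phishing both the system administrators and the other employees, only yields a usable result if every click can be attributed to a recipient group without the tracking link exposing the recipients themselves. The block below is an added example of how the results of such a campaign can be tabulated; it is not code from the paper, and the recipient list, the campaign key and the landing-page log lines are constructed for illustration. Each recipient gets a tracking token derived as an HMAC of their address, so the link carries no address and a token cannot be guessed or forged by someone who only sees another person's link; repeated clicks by one person count once, and tokens that match no recipient are reported separately rather than silently dropped.

```python
"""Tabulate phishing-probe clicks per employee group.

Added example, not code from the paper. The recipient list, the campaign
key and the log lines below are constructed for illustration.
"""
import hashlib
import hmac
import re
from collections import defaultdict

# Constructed campaign key. A real campaign would generate one with
# secrets.token_bytes(32) and keep it with the campaign records only.
CAMPAIGN_KEY = b"constructed-campaign-key-do-not-reuse"

# Constructed recipient list: (address, group). The two groups mirror the
# populations the abstract mentions: system administrators and other staff.
RECIPIENTS = [
    ("alice@example.org", "sysadmin"),
    ("bob@example.org", "sysadmin"),
    ("carol@example.org", "employee"),
    ("dave@example.org", "employee"),
    ("erin@example.org", "employee"),
    ("frank@example.org", "employee"),
]

TOKEN_LEN = 20  # hex characters kept from the HMAC; 80 bits is plenty for one campaign


def make_token(address: str, key: bytes) -> str:
    """Per-recipient tracking token: HMAC-SHA256 of the normalised address.

    The landing-page URL carries this token instead of the address, and a
    token cannot be derived from another recipient's link without the key.
    """
    digest = hmac.new(key, address.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:TOKEN_LEN]


# Landing-page access log, one "<timestamp> <method> <path> <client>" per line.
# Constructed sample; the token travels in the ?t= query parameter.
LOG_RE = re.compile(r"[?&]t=(?P<token>[0-9a-f]{%d})(?:[&\s]|$)" % TOKEN_LEN)

SAMPLE_LOG = [
    f"2019-03-12T09:14:02Z GET /login?t={make_token('alice@example.org', CAMPAIGN_KEY)} 10.0.4.17",
    f"2019-03-12T09:14:40Z GET /login?t={make_token('alice@example.org', CAMPAIGN_KEY)} 10.0.4.17",  # same person again
    f"2019-03-12T09:21:11Z GET /login?t={make_token('carol@example.org', CAMPAIGN_KEY)} 10.0.7.3",
    f"2019-03-12T09:33:57Z GET /login?t={make_token('dave@example.org', CAMPAIGN_KEY)} 10.0.7.9",
    "2019-03-12T09:35:00Z GET /favicon.ico 10.0.7.9",  # no token: ignored
    f"2019-03-12T10:02:19Z GET /login?t={make_token('erin@example.org', CAMPAIGN_KEY)} 10.0.7.21",
    "2019-03-12T10:40:03Z GET /login?t=0000000000000000dead 198.51.100.5",  # matches nobody
]


def parse_click(line: str):
    """Return the tracking token in a log line, or None if it carries none."""
    m = LOG_RE.search(line)
    return m.group("token") if m else None


def tabulate(recipients, log_lines, key):
    """Return ({group: (clicked, total, rate)}, [unknown tokens])."""
    token_to_recipient = {make_token(addr, key): (addr, grp) for addr, grp in recipients}
    clicked = {}   # address -> group; a person counts once however often they click
    unknown = []   # tokens matching no recipient: mistyped, forged or guessed links
    for line in log_lines:
        token = parse_click(line)
        if token is None:
            continue
        if token not in token_to_recipient:
            unknown.append(token)
            continue
        addr, grp = token_to_recipient[token]
        clicked[addr] = grp
    totals = defaultdict(int)
    hits = defaultdict(int)
    for _, grp in recipients:
        totals[grp] += 1
    for grp in clicked.values():
        hits[grp] += 1
    rates = {grp: (hits[grp], totals[grp], hits[grp] / totals[grp]) for grp in totals}
    return rates, unknown


if __name__ == "__main__":
    rates, unknown = tabulate(RECIPIENTS, SAMPLE_LOG, CAMPAIGN_KEY)
    for grp, (hit, total, rate) in sorted(rates.items()):
        print(f"{grp:9s} {hit}/{total} clicked ({rate:.0%})")
    print(f"{len(unknown)} click(s) with a token matching no recipient")
```

On the constructed log this reports 1 of 2 system administrators and 3 of 4 other employees clicking, plus one click whose token matches nobody; that last bucket is worth watching in a real campaign, because it is where a forwarded or tampered link shows up.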
Original language: English
Pages: 119-126
Number of pages: 8
DOI: 10.33965/es2019_201904l015
Publication status: Published - 11 Apr 2019

Keywords

  • Social Engineering
  • Security awareness
  • Security analysis
  • Phishing

Cite this

@conference{00aa5c30644d402badeff20a61931946,
title = "Social Engineering As An Approach For Probing Organizations To Improve IT Security: A Case Study At A Large International Firm In The Transport Industry",
abstract = "This paper describes the external IT security analysis of an international corporate organization, covering both a technical and a social perspective, resulting in a proposed repeatable approach and lessons learned from applying this approach. Part of the security analysis was the utilization of a social engineering experiment, as this could be used to discover employee-related risks. This approach was based on multiple signals that indicated a low IT security awareness level among employees, as well as the results of a preliminary technical analysis. To carry out the social engineering experiment, two techniques were used. The first technique was to send phishing emails to both the system administrators and other employees of the company. The second technique comprised the infiltration of the office itself to test its physical security, after which two probes were left behind. The social engineering experiment proved that general IT security awareness among employees was very low. The results allowed the research team to infiltrate the network, with the possibility of disabling or hampering crucial processes. Social engineering experiments can play an important role in conducting security analyses by showing security vulnerabilities and raising awareness within a company. Therefore, further research should focus on the standardization of social engineering experiments for use in security analyses and on further development of the approach itself. This paper provides a detailed description of the methods used and the reasoning behind them as a stepping stone for future research on this subject.",
keywords = "Social Engineering, Security awareness, Security analysis, Phishing",
author = "{van Liempd}, Dani{\"e}l and Arthur Sjouw and Matthijs Smakman and Koen Smit",
year = "2019",
month = "4",
day = "11",
doi = "10.33965/es2019_201904l015",
language = "English",
pages = "119--126",
}

van Liempd, Daniël; Sjouw, Arthur; Smakman, Matthijs; Smit, Koen. Social Engineering As An Approach For Probing Organizations To Improve IT Security: A Case Study At A Large International Firm In The Transport Industry. 2019. pp. 119-126. DOI: 10.33965/es2019_201904l015

TY - CONF
T1 - Social Engineering As An Approach For Probing Organizations To Improve IT Security
T2 - A Case Study At A Large International Firm In The Transport Industry
AU - van Liempd, Daniël
AU - Sjouw, Arthur
AU - Smakman, Matthijs
AU - Smit, Koen
PY - 2019/4/11
Y1 - 2019/4/11
N2 - This paper describes the external IT security analysis of an international corporate organization, covering both a technical and a social perspective, resulting in a proposed repeatable approach and lessons learned from applying this approach. Part of the security analysis was the utilization of a social engineering experiment, as this could be used to discover employee-related risks. This approach was based on multiple signals that indicated a low IT security awareness level among employees, as well as the results of a preliminary technical analysis. To carry out the social engineering experiment, two techniques were used. The first technique was to send phishing emails to both the system administrators and other employees of the company. The second technique comprised the infiltration of the office itself to test its physical security, after which two probes were left behind. The social engineering experiment proved that general IT security awareness among employees was very low. The results allowed the research team to infiltrate the network, with the possibility of disabling or hampering crucial processes. Social engineering experiments can play an important role in conducting security analyses by showing security vulnerabilities and raising awareness within a company. Therefore, further research should focus on the standardization of social engineering experiments for use in security analyses and on further development of the approach itself. This paper provides a detailed description of the methods used and the reasoning behind them as a stepping stone for future research on this subject.
AB - This paper describes the external IT security analysis of an international corporate organization, covering both a technical and a social perspective, resulting in a proposed repeatable approach and lessons learned from applying this approach. Part of the security analysis was the utilization of a social engineering experiment, as this could be used to discover employee-related risks. This approach was based on multiple signals that indicated a low IT security awareness level among employees, as well as the results of a preliminary technical analysis. To carry out the social engineering experiment, two techniques were used. The first technique was to send phishing emails to both the system administrators and other employees of the company. The second technique comprised the infiltration of the office itself to test its physical security, after which two probes were left behind. The social engineering experiment proved that general IT security awareness among employees was very low. The results allowed the research team to infiltrate the network, with the possibility of disabling or hampering crucial processes. Social engineering experiments can play an important role in conducting security analyses by showing security vulnerabilities and raising awareness within a company. Therefore, further research should focus on the standardization of social engineering experiments for use in security analyses and on further development of the approach itself. This paper provides a detailed description of the methods used and the reasoning behind them as a stepping stone for future research on this subject.
KW - Social Engineering
KW - Security awareness
KW - Security analysis
KW - Phishing
UR - http://www.mendeley.com/research/social-engineering-approach-probing-organizations-improve-it-security-case-study-large-international
U2 - 10.33965/es2019_201904l015
DO - 10.33965/es2019_201904l015
M3 - Paper
SP - 119
EP - 126
ER -