Researchers from Ben-Gurion University (BGU) in Israel have developed a framework for continuously evaluating how resilient end users are to phishing and similar social engineering attacks.
Unlike other security awareness evaluation techniques, which rely heavily on questionnaires and users' self-reported behavior, this approach is based on actual data gathered from end-user smartphones and PCs, network traffic to and from those devices, and attack simulations.
During a presentation at a virtual event, a researcher from BGU's cybersecurity research center said the framework addresses some of the shortcomings of current approaches to evaluating user security awareness.
Those approaches are usually static and do not distinguish between attack types or platforms. He added that questionnaires and surveys based on users' self-reported behavior tend to be subjective and biased.
Similarly, a simulated attack designed to gauge and record a user's probable response to a social engineering scam is affected by environmental factors, and when users are forced to participate in such programs, engagement is low.
In developing the framework, the researchers first tried to understand all of the criteria a user must meet to be truly security-aware, and then evaluated how important each criterion is in mitigating different types of attacks.
To identify the criteria, they analyzed various social engineering case studies, identified the human vulnerabilities and technologies that adversaries tend to exploit in social engineering attacks, and catalogued the countermeasures that can protect users against such exploitation.
This exercise produced a list of 30 criteria for a security-aware user. Examples of security-aware behavior include only downloading apps from trusted sources, not installing apps that request dangerous permissions, using only HTTPS sites, avoiding sites the browser flags as dangerous, updating passwords regularly, and not connecting unknown media, such as USB drives, to a computer.
Evaluation and Ranking
Once the criteria were identified, the researchers developed a procedure for ranking how effective each user behavior is in mitigating four types of attacks: password attacks, application-based attacks, phishing, and man-in-the-middle (MITM) attacks.
For instance, against phishing, a user could avoid sending sensitive information over HTTP and refrain from entering private information on unvalidated websites, while for MITM attacks, not approving unknown digital certificates and deleting unknown certificates from the device made the biggest difference.
Once they had determined which criteria to measure and how to evaluate them, the BGU researchers developed two sensors for profiling user behavior. An endpoint agent collected multiple kinds of data from the device, including installed apps, app permissions, app source and ranking, mail activity, security settings, and social network activity.
A less intrusive, network-based monitor inspected traffic to and from the end-user device using various methods, including deep-packet inspection and analysis of application-level protocols. With the help of these sensors, detailed profiles of individual users' security awareness were built.
The researchers also developed a simulated attack framework that implemented 20 different types of attacks, including permissions abuse and attacks involving malicious Word macros, PDF documents, phishing emails, and SMS messages.
The framework was tested on 162 users over a seven- to eight-week period, during which individual users were asked to complete a self-evaluation questionnaire to establish a baseline. Each user's security awareness was categorized as low, medium, or high based on the score derived from the framework.
Users with low scores were less likely to mitigate risks than users with high scores. However, the researchers also said that user classifications based on the security questionnaire had little correlation with how likely a user was to mitigate attacks.
In other words, a subject's actual behavior may differ from their self-reported behavior. In contrast, security-awareness scores derived from objective measures, such as data collected from the endpoint and network-based sensors, are highly correlated with a user's success in mitigating social engineering attacks, according to the researchers.
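The scoring structure described above (observed criteria, per-attack-type relevance ranking, low/medium/high banding, and the gap between observed and self-reported behavior), as an added illustration that is not the BGU study's own code: the criteria subset, relevance weights, thresholds and the sample user profile are all constructed here, and the study's actual 30-criterion ranking is not on this page.

```python
"""Hypothetical model of a criteria-based security-awareness score."""
from typing import Dict

ATTACKS = ("password", "application", "phishing", "mitm")

# Constructed relevance matrix: how much each observed behaviour
# (1.0 = user complies, 0.0 = does not) matters against each attack type.
RELEVANCE: Dict[str, Dict[str, float]] = {
    "trusted_app_sources_only":     {"application": 1.0, "phishing": 0.3},
    "no_dangerous_permissions":     {"application": 1.0},
    "https_only":                   {"phishing": 0.8, "mitm": 0.7},
    "no_data_on_unvalidated_sites": {"phishing": 1.0},
    "rejects_unknown_certs":        {"mitm": 1.0},
    "regular_password_updates":     {"password": 1.0},
    "no_unknown_usb_media":         {"application": 0.5},
}


def attack_scores(observed: Dict[str, float]) -> Dict[str, float]:
    """Per-attack score in [0, 1]: relevance-weighted mean of compliance.

    A criterion the sensors never observed counts as non-compliant (0.0),
    which is the conservative choice for an awareness estimate."""
    scores: Dict[str, float] = {}
    for attack in ATTACKS:
        num = den = 0.0
        for criterion, relevance in RELEVANCE.items():
            weight = relevance.get(attack, 0.0)
            num += weight * observed.get(criterion, 0.0)
            den += weight
        scores[attack] = num / den if den else 0.0
    return scores


def awareness_band(observed: Dict[str, float],
                   low: float = 0.4, high: float = 0.75) -> str:
    """Collapse the per-attack scores into the study's low/medium/high bands
    (thresholds constructed)."""
    scores = attack_scores(observed)
    mean = sum(scores.values()) / len(scores)
    return "high" if mean >= high else "medium" if mean >= low else "low"


# Constructed sample: what endpoint/network telemetry observed for one user
# versus what the same user claimed on the self-evaluation questionnaire.
OBSERVED = {"trusted_app_sources_only": 1.0, "no_dangerous_permissions": 0.0,
            "https_only": 0.5, "no_data_on_unvalidated_sites": 0.0,
            "rejects_unknown_certs": 1.0, "regular_password_updates": 0.0,
            "no_unknown_usb_media": 1.0}
SELF_REPORTED = {criterion: 1.0 for criterion in RELEVANCE}
```

Running `awareness_band` on both profiles shows the divergence the study reports: the questionnaire profile lands in the high band while the telemetry-derived profile does not.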
To read more, please check eScan Blog