Nowadays, information is a resource of vital importance. To protect that asset, companies implement mechanisms aimed at ensuring the integrity, confidentiality and availability of information. Because the technological security barriers are difficult to overcome, attacks have been redirected towards the human element. By applying attack techniques and exploiting human vulnerabilities, among them naivety, curiosity and trust, attackers achieve their objectives. Given the relevance of the problem, this work aims to: identify the level of knowledge of users and IT managers concerning the problem of social engineering in Portugal, as well as the security measures in place, the most commonly used techniques, the main aim of the attacks and the concern with training; and, finally, to present a new classification of social engineering attacks. The research involved 393 users of social networks and 41 information system managers. To achieve this objective, the answers to the questionnaires were analysed. Data analysis revealed that the level of knowledge about the problem of social engineering is low; regarding security measures, antivirus installation and the use of a firewall are the most widely applied; regarding attack techniques, phishing and spam e-mail are the most used, and the main motive of the attacks is the theft of information; and employee training is not a priority among the companies surveyed, with only 23% promoting training workshops. To support security managers in the development of security policies, we propose a new way of approaching social engineering attacks: classifying them according to the type of approach between victim and attacker, direct or indirect. In the direct approach no means of communication is needed; the contact is in person. The indirect approach is accomplished through the use of communication media.
In this study, the attack techniques were analysed based on the interdependence between the various techniques, and on the identification of the relationship between techniques and threats.
| Date of Award | 29 May 2013 |
|---|---|
| Original language | Portuguese |
| Awarding Institution | Universidade Católica Portuguesa |
| Supervisor | Tito Lívio dos Santos Silva (Supervisor) |
- Social engineering
- Classification of social engineering attacks
- Security policies
- Information security
- Mestrado em Segurança em Sistemas de Informação
Taxonomic classification of Social Engineering attacks: characterisation of the information security problem in Portugal with regard to Social Engineering (original title: Classificação taxonómica dos ataques de Engenharia Social : caracterização da problemática da segurança de informação em Portugal relativamente à Engenharia Social)
Silva, F. J. A. F. C. E. (Student). 29 May 2013
Student thesis: Master's Thesis