World of Computer Science and Information Technology Journal (WCSIT)
ISSN: 2221-0741
Vol. 1, No. 9, 409-413, 2011

Awareness of Social Engineering Among IIUM Students

Mutasim Elsadig Adam, Omer Yousif
College of Information and Communication Technology, IIUM
KL, Malaysia

Yusra al-Amodi, Jamaludin Ibrahim
College of Information and Communication Technology, IIUM
KL, Malaysia

Abstract — Although most organizations around the world now pay more attention to securing their information systems with sophisticated security tools, those systems remain breachable. One explanation is that attackers resort to social engineering rather than technical skill to acquire information. Social engineering is essentially the manipulation of a system's users, who are considered the weakest link in the chain, in order to obtain that information. The objective of this study is to show that the users of an information system are themselves a real threat to it. We assume that a lack of social engineering awareness among users leaves information systems susceptible to many kinds of breach. The study also examines whether IT students are more aware of social engineering than students from other faculties. To address these questions, data was collected from 245 students of the International Islamic University Malaysia (IIUM) through a questionnaire and an online survey, and a phone phishing experiment was conducted with a small number of students. The results show that 114 students had been exposed to social engineering attacks during the preceding six months, and that almost 38% of these attacks came through e-mail.

Keywords: Social Engineering; Phishing; Fraud; Awareness; IIUM.

I. INTRODUCTION

We live in the era of the internet, and it can safely be said that the internet plays an important role in our lives; its benefits in education, business and healthcare cannot realistically be denied. With growing dependence on the internet, however, security has become an ever more important issue for organizations. Students at IIUM, for instance, depend on the internet both for their education and to manage their bank accounts. This high dependency exposes students to many kinds of cyber-crime, especially when dealing with banks. These crimes do not happen because of weaknesses in the University's or the banks' security systems, but rather because of a dangerous lack of social engineering awareness among the students themselves. Fundamentally, social engineering uses psychological tricks to extract information from people and then uses that information to breach a system. Granger defines it as an attempt "to gain unauthorized access to systems or information in order to commit fraud, network intrusion, industrial espionage, identity theft, or simply to disrupt the system or network" [7]. Social engineering differs from technical attacks in that a social engineering attack always has a specific aim, such as stealing money, whereas most other threats to security, such as "script kiddies", viruses, Trojans and other broad attacks, are executed without a particular target. "In fact, these wannabe hackers with downloaded software are mostly just a nuisance" [3].

Many forms of social engineering attack exist; the most common are impersonation, phishing and dumpster diving. Today it is commonplace to hear from individuals that they have been exposed to fraud through e-mail, phone or other channels used by attackers. This research aims to measure awareness of social engineering among students of the International Islamic University Malaysia (IIUM). A survey was conducted among a sample of IIUM students drawn from the faculty of ICT and from other faculties. The goal is to examine how students behave when exposed to this kind of fraud.

According to the Security Intelligence Report for Malaysia released by Microsoft Corporation on 12 May 2011: "There are cyber-criminals using more accessible attack methods including social engineering tactics and leveraging exploits created by the most skilled criminals to take a small amount of money from a large number of people." [11]. In addition, within the previous four months an international student at IIUM had been the target of a social engineering attack and lost RM 3000 from her CIMB account. This incident, alongside Microsoft's report, clearly illustrates the spread of social engineering attacks, most obviously due to a lack of social engineering awareness, which ultimately exposes people to numerous risks. This research therefore measures awareness of social engineering among IIUM students and attempts to answer an important question in this context: "How do students behave when exposed to any kind of social engineering fraud?". In addition, the research aims to achieve the following goals:

• To measure the awareness of social engineering among IIUM students.
• To identify the main factors that make students susceptible to social engineering fraud.
• To identify the most common frauds that students are constantly exposed to.

II. RESEARCH BACKGROUND

A number of studies have measured awareness of social engineering among different groups of computer users. For example, [5] used a physical approach: posing as a member of an organization's computer support department, the researchers asked employees for a wide range of information, including user names and passwords. The findings were alarming: around 80% of participants provided their user name and almost 60% provided their password. Two similar studies were conducted by [4] and [9]. In both surveys the researchers prepared a mix of legitimate and illegitimate e-mails and asked participants to distinguish between them. [9] found that 43% of participants identified the legitimate e-mails correctly. [4] reported a lower figure: only 36% of 179 respondents identified the legitimate e-mails correctly, and [4] noted that in some cases participants who chose correctly could not give convincing reasons for their choice. Overall, these findings reflect a lack of social engineering awareness among users.

[8] surveyed 152 staff members of the University of Plymouth (UK) to investigate their susceptibility to social engineering. In the experiment, participants were sent a message asking them to follow a link and install a purported software update; 23% of recipients were successfully snared by the attack.

A more recent study was conducted by [2] in 2010 at the American University of Sharjah (AUS), with the objective of measuring awareness of social engineering among AUS staff and students. The researchers ran several experiments. First, they used a phishing approach, sending fake e-mails to all staff and students; the victims numbered 485 male and 469 female out of 5166 students and 351 staff. In the second experiment the targets received a fake e-mail asking them to send their personal information in order to take part in a research survey supposedly conducted by AUS, with the promise that every participant would receive a USB flash drive. The number of victims was much lower this time: there were only 220 responses to the fake e-mail. Interestingly, the analysis revealed a higher number of victims among senior students than among freshman and junior students. This study differs from [4] and [9] in classifying victims by gender.

Last but not least, [1] surveyed 40 staff of the Federal Polytechnic, Ilaro, Ogun State, Nigeria, to measure awareness of safeguards against social engineering. Unfortunately, the findings showed that the implementation of safeguards against social engineering at the institution was still at the awareness stage. The researchers therefore suggested increasing efforts to raise awareness among staff, together with a commitment from senior staff.

Despite the variation in the figures reported by these studies, the fact remains that a large number of individuals are susceptible to this form of attack. A lack of social engineering awareness among people is the main reason behind this problem.

III. RESEARCH METHODOLOGY

Correlational and experimental methods were used to measure social engineering awareness. A questionnaire and an online survey targeting IIUM students were distributed to 245 participants: 68 from the faculty of ICT and 177 from other faculties.

The questionnaire and online survey consist of 20 questions grouped into three sections. The first section covers the demographics of the participants, including basic information such as gender and whether the respondent is an IT student; the level of study of IT participants is also recorded here. The second section covers computer usage and the operating systems used by participants, and classifies each respondent's type of computer use as novice, power user, expert or hacker. The last section, which forms the majority of the questionnaire, consists of questions that examine how students behave when exposed to any kind of fraud.

In addition, we conducted a phone phishing experiment with 12 IIUM students.

IV. TYPES OF SOCIAL ENGINEERING

Impersonation: Social engineering usually requires some form of impersonation in order to win the trust of the target. A frequently used tactic is to impersonate an IT support person who happens to be "checking the network" and asks for a password, or asks for a piece of software to be installed [7].

Phishing: An act of fraud that can be legally prosecuted. Phishing is a process used to acquire an individual's private information or details by posing as a trusted entity in an exchange of information [5].

Dumpster Diving: This occurs when people are unaware of the value of the information they possess and are careless about safeguarding it, for example by carelessly throwing away vital documents such as company policy manuals or a company's phone book [4].

V. FINDINGS AND ANALYSIS

A total of 245 students participated in this study. 70% of the data was collected through the direct questionnaire and the rest through the online survey. The participants fall into two groups: 177 non-IT students and 68 IT students.

Overall, the findings showed that a high number of students had been exposed to fraud. Of the participants, 114 had been exposed to social engineering attacks during the past six months. The most common channel of attack was e-mail: 95 students had been attacked via e-mail (Figures 1 and 2).

When asked whether they knew the term "social engineering", only 84 students said they did. The percentage of IT students who were aware of the term was higher: 50%, compared with only 28% of non-IT students. Moreover, 37 students who answered that they knew the meaning of social engineering did not give the right answer when asked what it means (Figure 3).

Interestingly, when postgraduate IT students were compared with undergraduate IT students in terms of knowledge of social engineering, the percentages were 61% and 45.5% respectively (Figure 4).

Exploiting people in order to obtain their bank account details and related information is one of the most common social engineering attacks. In this study the results showed a higher level of awareness among students when exposed to this kind of fraud. It should be noted, however, that 16 students were classified as victims because they answered that they would provide the information if they received an e-mail from a bank requesting it. The percentage of victims was lower among IT students than among non-IT students: 4.4% and 7.3% respectively.

Respondents also exhibited a certain level of awareness when receiving an e-mail from "friends". Nonetheless, some students showed a lack of awareness here, estimated at approximately 23% of non-IT students and 16% of IT students.

To examine how students deal with sensitive information, such as the information on bills and ATM receipts, respondents were asked whether they bin, keep or shred documents containing sensitive information. Irrespective of the awareness they showed elsewhere, a considerable number of students were indifferent to the handling of sensitive information: 69 students answered that they would throw away a letter containing sensitive information rather than keep or shred it. Surprisingly, 15 of them had answered that they knew of social engineering and had also selected the right meaning of the term. This carelessness leaves these students exposed to numerous forms of attack (Figure 5).

In the phone phishing experiment we claimed to be calling from the Information Technology Department (ITD). We first asked the student whether he had installed a program the previous day. If the answer was yes, we told him that the program he had installed had caused a problem in the University's system and asked him to give us his password so that we could fix it. Only one student out of the 12 revealed his password.

Finally, the results of this study showed a remarkable level of awareness among students, especially IT students. On the other hand, the findings also revealed a significant number of students who are susceptible to attack, whether through spontaneous behaviour in some cases or carelessness in others (Figure 6).

VI. CONCLUSION

In summary, this paper has measured awareness of social engineering among IIUM students and examined whether IT students are more aware than students from other faculties. Overall, the findings showed that social engineering has become a preferred method for attackers to acquire information, judging by the high number of students who had been exposed to fraud during the past six months. Many organizations and institutions have begun to realize that social engineering is the largest threat to their information systems, as it exploits the very users of the system. For example, IIUM, through its CyberSAFE web site, regularly sends warning messages to staff and students advising them not to respond to unknown e-mails or messages. Nevertheless, this study found that a number of students still respond to unknown e-mails without authenticating the identity of the sender. Furthermore, although IT students are more aware of social engineering than students from other faculties, the results show that a number of them are still susceptible to exploitation. To reduce the number of students susceptible to fraud and to increase awareness of social engineering among students, we recommend the following: IIUM should conduct security awareness campaigns in collaboration with the banks that have branches on campus. Social engineering should be taught as part of the information security syllabus, especially to undergraduate students. Students should be given methods for validating or authenticating the e-mails they receive and the people who make claims to them. With regard to banks, the bins located next to ATMs are a security flaw and a potentially rich source of information for intruders; we therefore recommend that they be designed in a manner that prevents intruders from collecting the receipts.
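The recommendation above, that students be given methods for validating the e-mails they receive, and the definition of phishing in Section IV (a message posing as a trusted entity) both call for a concrete check. The following is an added example, not code from the paper or from IIUM: it takes a raw e-mail and returns the indicators that mark it as a likely phishing message, namely a sender domain that is not the claimed organisation's, a Reply-To pointing elsewhere, SPF/DKIM/DMARC verdicts other than "pass" in the receiving server's Authentication-Results header, links whose visible text names one host while the href points to another, and a request for credentials. Everything here is an assumption for illustration: the trusted domain is supplied by the caller, the two sample messages and every domain in them are constructed, and the function names are the editor's own.

```python
# Added example (not from the paper): heuristic phishing checks for a received
# e-mail. Assumes the caller supplies the domain the claimed organisation really
# uses; sample messages and all domains are constructed; function names are mine.
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: claims to come from a bank, but the sender domain,
# Reply-To, authentication results and link target all disagree with that.
SAMPLE_PHISH = """\
From: "Example Bank Security" <alerts@bank-secure.example.net>
Reply-To: verify@mail-verify-center.example.org
To: student@example.edu
Subject: Urgent: confirm your account within 24 hours
Authentication-Results: mx.example.edu; spf=fail smtp.mailfrom=bank-secure.example.net; dkim=none
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear customer, unusual activity was detected. Please visit
<a href="http://login.bank-secure.example.net/verify">https://bank.example.com/login</a>
and enter your user name, password and TAC.</p></body></html>
"""

# Constructed sample of a legitimate message that passes every check below.
SAMPLE_LEGIT = """\
From: "Example Bank" <alerts@bank.example.com>
To: student@example.edu
Subject: Your monthly statement is ready
Authentication-Results: mx.example.edu; spf=pass smtp.mailfrom=bank.example.com; dkim=pass header.d=bank.example.com; dmarc=pass
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is available at
<a href="https://bank.example.com/statements">https://bank.example.com/statements</a>.</p></body></html>
"""

CREDENTIAL_WORDS = re.compile(r"\b(password|pin|tac|otp|one[- ]time)\b", re.I)
# A host name written in the visible link text, with or without a scheme.
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(header_value):
    """Lower-cased domain of the address in a From/Reply-To header, or ''."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def _same_org(host, trusted):
    """True if host is the trusted domain or a subdomain of it."""
    return host == trusted or host.endswith("." + trusted)


def _auth_results(msg):
    """spf/dkim/dmarc verdicts recorded by the receiving mail server."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            verdicts[method.lower()] = result.lower()
    return verdicts


def analyse(raw_message, trusted_domain):
    """Return the list of phishing indicators found; an empty list means none."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    from_domain = _domain(str(msg.get("From", "")))
    if not _same_org(from_domain, trusted_domain):
        findings.append(f"sender domain '{from_domain}' is not under '{trusted_domain}'")
    reply_domain = _domain(str(msg.get("Reply-To", "")))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain '{reply_domain}' differs from sender domain")
    auth = _auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        verdict = auth.get(method, "none")
        if verdict != "pass":
            findings.append(f"{method} result is '{verdict}', not 'pass'")
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        target = (urlparse(href).hostname or "").lower()
        shown = HOST_IN_TEXT.search(text)
        shown_host = shown.group(1).lower() if shown else ""
        # The classic trick: the text displays one host, the href goes elsewhere.
        if shown_host and shown_host != target:
            findings.append(f"link text shows '{shown_host}' but points to '{target}'")
        if not _same_org(target, trusted_domain):
            findings.append(f"link target '{target}' is not under '{trusted_domain}'")
    if CREDENTIAL_WORDS.search(body):
        findings.append("message asks for credentials (password/PIN/TAC/OTP)")
    return findings
```

Calling `analyse(SAMPLE_PHISH, "bank.example.com")` yields eight indicators, while the legitimate sample yields none. The checks are heuristics, not proof: a message with no indicators can still be fraudulent, and the Authentication-Results header is only meaningful when it was written by the recipient's own mail server, which is why the trusted domain is something the reader supplies rather than something read from the message.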


Figure 1: Number of students exposed to social engineering attacks during the last six months.

Figure 2: Methods of fraud used by attackers.

Figure 3: Number of students who know the meaning of social engineering.

Figure 4: Knowledge of social engineering, postgraduate compared with undergraduate IT students.

Figure 5: The correlation between knowing social engineering

Figure 6: Students at risk of hacking.

REFERENCES

[1] I. S. Fagoyinbo, R. Y. Akinbo, I. A. Ajibode and A. O. P. Dosunmu, "Statistical analysis on the awareness and safeguarding against social engineering", Journal of Educational and Social Research, Vol. 1, No. 2, September 2011, pp. 115-120.

[2] J. Mohebzada, A. El Zarka and A. Bhojani, "An Awareness Study on Account Phishing, Spam Emails & Social Engineering Attacks", COE444 Spring 2010 Research Project Report, 2010. Available: http://www.mohebzada.com/projects/s10_coe444.pdf, accessed 10/11.

[3] K. D. Mitnick and W. L. Simon, "The Art of Deception: Controlling the Human Element of Security", New York: Wiley, 2002, p. 15. Available: http://fr.thehackademy.net/madchat/esprit/textes/The_Art_of_Deception.pdf, accessed 10/11.

[4] A. Karakasiliotis, S. M. Furnell and M. Papadaki, "Assessing end-user awareness of social engineering and phishing", Proceedings of the 7th Australian Information Warfare and Security Conference, 2006, pp. 60-72.

[5] G. Orgill, G. Romney, M. Bailey and P. Orgill, "The Urgency for Effective User Privacy-education to Counter Social Engineering Attacks on Secure Computer Systems", Proceedings of SIGITE'04, Salt Lake City, UT, 2004.

[6] S. Heikkinen, "Social engineering in the world of emerging communication technologies", Proceedings of the Wireless World Research Forum meeting #17, Nov 2006.

[7] S. Granger, "Social Engineering Fundamentals, Part I: Hacker Tactics", SecurityFocus, 2001.

[8] T. Bakhshi, M. Papadaki and S. M. Furnell, "A Practical Assessment of Social Engineering Vulnerability", Proceedings of the Second International Symposium on Human Aspects of Information Security & Assurance (HAISA), 2008.

[9] U. S. Odaro and B. G. Sanders, "Social Engineering: Phishing for a Solution". Available: http://www.kaspersky.com/images/odaro,_ugiomo_susan_sanders,_benjamin__social_engineering_phishing_for_a_solution-10-98480.pdf, accessed 10/11.

[10] http://whitepapers.hackerjournals.com/?p=23074.

[11] http://www.cybersecurity.my/en/knowledge_bank/news/2011/main/detail/2032/index.html.