Version 3: 24th November 2015
This scenario is based on a real attack described by Ian Mann (2013, pp. 73-86) and is used by agreement. I strongly recommend his (very readable) books; they provide an excellent insight into social engineering in a commercial setting.
You are the understaffed security team for EdgeCoin PLC, a web-based financial organisation located in North West England.
EdgeCoin PLC offers an "EdgeWallet" account denominated in its own proprietary cryptocurrency.
Services include UK-based account transfers, exchange with other cryptocurrencies and acceptance of international wires from the established banking industry.
The board of directors of EdgeCoin PLC has stated that it aims to offer maximum security for its customers and to minimise and disrupt the facilitation of fraudulent payments or currency trading through its systems.
EdgeCoin provides a system to enable their customers to manage financial investments online.
There is a telephone help desk.
The board of EdgeCoin have become increasingly aware of social engineering attacks, including phishing and attempts to gain customer information via the helpdesk. The board has contracted you to help them.
On completion of the scenario, students will be able to:
1. Define the term Social Engineering.
2. Explain current Social Engineering threat vectors, how they exploit human vulnerabilities, and their extent and impact.
3. Explain and justify appropriate controls.
The Board has contracted you to provide a concise report which identifies the scale and current landscape of social engineering threats, particularly in the area of financial services. You should also provide information about how social engineers plan their attacks.
You need to explore the current state of social engineering attacks, identifying the threats, the human vulnerabilities they exploit and their relative frequency. Given that this report is for the board of directors, how would you structure it? You will also need to deliver it to the board as a PowerPoint presentation.
The Board has also asked you to test its resilience to social engineering by conducting a social engineering penetration test to evaluate the effectiveness of its current controls.
The brief for the Social Engineer is to obtain a password reset for a sample of users. The users are the executives of selected customers of EdgeCoin. The only information provided is the names of the customer organisations and of the senior executives to be impersonated.
There are primarily two strategies: either target the customers or target the helpdesk.
a) How might you target the customers?
b) How might you target the helpdesk?
This is where you have to be creative. Think about where each piece of information is kept, how confidential it would be regarded as being, and then how to go about obtaining it. What other locations might provide some of this information? How could you use status to attempt to get the helpdesk to release information?
a) Date of birth (remember the customers are executives of UK companies)
b) Account number
c) Mother's maiden name
Finally, after the successful attack, you need to identify actions that the company should take to address the vulnerabilities that have been identified.
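The control that a successful helpdesk attack of this kind usually exposes is the identity check performed before a password is reissued. The following is an added illustration written for this scenario, not EdgeCoin's process or anything from Mann's case study: it places a weak knowledge-based-answer (KBA) check, of the sort the brief is designed to defeat, beside a hardened policy in which KBA answers only gate a callback to the telephone number already on file and claimed seniority never changes the outcome. The policy rules, field names, phone number and sample records are all constructed for the example.

```python
"""Helpdesk password-reset verification: a weak knowledge-based check beside a
hardened out-of-band one.  Added illustration for this scenario, not EdgeCoin's
real process; the policy rules, field names and sample records are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CustomerRecord:
    name: str
    date_of_birth: str        # for UK directors, month/year is on the public register
    mothers_maiden_name: str  # genealogy sites, social media
    account_number: str       # printed on invoices and statements
    registered_phone: str     # held on file; never taken from the caller


@dataclass(frozen=True)
class ResetRequest:
    claimed_name: str
    answers: dict             # verifier -> value the caller offers
    claims_seniority: bool    # status pressure: "I'm the CEO, just reset it"


def weak_reset_allowed(req: ResetRequest, rec: CustomerRecord) -> bool:
    """Weak policy: two matching KBA answers unlock a reset on the inbound call,
    and a senior-sounding caller only needs one.  Every answer it checks can be
    harvested before the call, so this is what the pentest brief is aimed at."""
    matches = sum(1 for k, v in req.answers.items() if getattr(rec, k, None) == v)
    return matches >= (1 if req.claims_seniority else 2)


def hardened_reset(req: ResetRequest, rec: CustomerRecord,
                   callback_answered_by_customer: bool) -> tuple:
    """Hardened policy: KBA answers only decide whether a callback is attempted.
    The reset is issued solely on a callback to the number already on file, and
    claimed seniority never changes the outcome.  Returns (decision, audit_trail)."""
    audit = []
    wrong = sorted(k for k, v in req.answers.items() if getattr(rec, k, None) != v)
    if wrong:
        audit.append(f"KBA mismatch on {wrong}: denied and flagged for review")
        return "deny", audit
    if req.claims_seniority:
        audit.append("caller claimed seniority; not a verification factor, ignored")
    if not callback_answered_by_customer:
        audit.append(f"callback to registered number {rec.registered_phone} required")
        return "callback_required", audit
    audit.append("callback confirmed; one-time reset token issued out of band")
    return "allow", audit


def run_scenario() -> dict:
    """Constructed sample: an attacker calls as a customer's director, offering a
    harvested date of birth and maiden name and pressing seniority; a genuine
    customer calls with routine answers and picks up the callback."""
    rec = CustomerRecord(name="A. Director", date_of_birth="1970-04",
                         mothers_maiden_name="Smith", account_number="EW-00123456",
                         registered_phone="+44 161 496 0000")  # constructed number
    attacker = ResetRequest(claimed_name=rec.name,
                            answers={"date_of_birth": "1970-04",
                                     "mothers_maiden_name": "Smith"},
                            claims_seniority=True)
    genuine = ResetRequest(claimed_name=rec.name,
                           answers={"account_number": "EW-00123456",
                                    "date_of_birth": "1970-04"},
                           claims_seniority=False)
    return {
        "weak_attacker": weak_reset_allowed(attacker, rec),
        "hard_attacker": hardened_reset(attacker, rec, callback_answered_by_customer=False),
        "hard_genuine": hardened_reset(genuine, rec, callback_answered_by_customer=True),
    }


if __name__ == "__main__":
    for label, outcome in run_scenario().items():
        print(label, outcome)
```

The point of the hardened version is not that it asks harder questions, but that nothing the caller can say on the inbound call completes the reset: the only path to a new credential runs through a channel the attacker does not control, and the audit trail records the seniority claim so that repeated pressure attempts are visible to whoever reviews the helpdesk logs.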
At the end of the scenario you should also reflect on your learning and team working, identifying what worked well, what did not, and actions for future improvement.
One of the benefits of Problem-based Learning is that you learn professional skills as well as technical knowledge. The process we ask you to follow to explore and provide solutions to the problem also mirrors the one used in consultancy.
In order to assist you with the process, the following table shows the activities we would expect you to complete in your PBL team. You should read this carefully and make sure you are familiar with both the generic activities (in column 2) and the specific ones in column 3.
Steps 1 & 2 will be conducted in the first PBL tutorial.
Step 3 a) and b) comprises your individual research, and summarizing your learning.
Step 3 c) takes place as a sharing and teaching session at the next tutorial. This process of sharing and teaching others is extremely beneficial to your own learning.
Steps 4, 5 and 6 consist of team work and, whilst they are logically distinct, they may take place at the same meeting as step 3c) depending on the schedule of meetings.
Step 7: in this scenario you will not be implementing a solution, so step 7 is not undertaken.
Step 8 should be completed at the end of the scenario, both individually and as a team, to identify what you’ve learned and how you can improve your learning and team performance in future.
Your tutor/ facilitator will discuss it with you.
Problem-solving model (column 1: step; column 2: what PBL normally includes; column 3: what you will be doing at each stage)

Step 1: Understanding organizational history and context
  What PBL normally includes: Scenario analysis. Socio-technical organizational analysis. Clarification of ambiguities.
  What you will be doing: a) Individual and team review of scenario text and video resources. b) Team discussion. c) Clarification of ambiguities with tutor/facilitator.

Step 2: Determining the problem to be resolved
  What PBL normally includes: Requirements analysis: identify key issues. Simulated consultation with stakeholders (e.g. through role-play and/or online interaction). Reviewing technology/processes in use.
  What you will be doing: a) Team review of scenario: identifying key issues. b) Identifying learning goals. c) Team publishes action list and summary in forum.

Step 3: Identifying/learning necessary knowledge
  What PBL normally includes: Identifying learning goals. Facilitator guidance. Individual research and learning to resolve knowledge gaps. Summarising and reflection. Teams share learning.
  What you will be doing: a) Individual research and learning to resolve knowledge gaps. b) Individually creating a summary of learning and how it applies to the scenario. c) Team sharing learning / teaching each other.

Step 4: Identifying alternative solutions
  What PBL normally includes: Determining and agreeing evaluation criteria and process. Identifying technical possibilities, considering acceptance issues and organizational fit. Facilitator guidance.
  What you will be doing: a) Determining evaluation criteria through team discussion. b) Team identification of options for the pentest. c) Facilitator guidance.

Step 5: Choosing optimal solution
  What PBL normally includes: Deciding on best technical, organizational and social outcomes. Proposing solution with justification.
  What you will be doing: a) Team decision and justification of the pentest techniques.

Step 6: Planning the implementation
  What PBL normally includes: Applying planning and scheduling techniques. Proposing plan and deadlines.
  What you will be doing: a) Review scenario text and resources. b) Produce report. c) Presentation to tutor in the role of main stakeholders.

Step 7: Implementation
  What PBL normally includes: Building the solution (if appropriate). Deploying the solution (if appropriate).
  What you will be doing: Not undertaken in this scenario.

Step 8: Final evaluation
  What PBL normally includes: Formal evaluation methods re project success. Personal reflection and evaluation.
  What you will be doing: a) Team evaluation of performance and project success. b) Individual reflection on personal learning and development.
There are a number of resources available to you:
CERT-UK. 2015. An Introduction to Social Engineering. Available online at: https://www.cert.gov.uk/resources/best-practices/an-introduction-to-social-engineering/ [Accessed 24-Nov-15]
This brief (10-page) paper provides readers with an "overview of the techniques used and the steps that can be taken to help you protect your organisation's information". A good starting point.
Dimensional Research. 2011. The Risk of Social Engineering on Information Security. Available online at: http://www.greycastlesecurity.com/resources/documents/The_Risk_of_Social_Engineering_on_Information_Security_09-11.pdf [Accessed 24-Nov-15]
This report provides some useful background. It is based on a survey of 853 IT professionals in the United States, United Kingdom, Canada, Australia, New Zealand and Germany, conducted during July and August 2011. The goal of the survey was to gather data about perceptions of social engineering attacks and their impact on businesses.
MANN, I., 2008. Hacking the Human: Social Engineering Techniques and Countermeasures. Farnham: Gower.
An excellent, readable book. It discusses the risks, the approaches taken in successful attacks, and has a section on countermeasures. It is not academic and does not provide academic references to justify its statements, but it is written by a very successful practitioner.
MANN, I., 2013. Hacking the Human II: Adventures of a Social Engineer. London: ECSC.
Ian Mann's second book, a collection of case studies.
PROOFPOINT. 2015. The Human Factor 2015. Available online at: https://www.proofpoint.com/sites/default/files/documents/bnt_download/pp-human-factor-2015_0.pdf [Accessed 24-Nov-15]
A research report that explores phishing and what types of links users click.
SAMANI, R. & MCFARLAND, C. 2015. Hacking the Human Operating System: The Role of Social Engineering within Cybersecurity. McAfee. Available online at: http://www.mcafee.com/us/resources/reports/rp-hacking-human-os.pdf [Accessed 24-Nov-15]
A report from McAfee which defines social engineering and covers attacks, the attack lifecycle, channels of attack, who the attackers are and how to defend against them.
SCHNEIER, B. 2015. The Doxing Trend. Available online at: https://www.schneier.com/cryptogram/archives/2015/1115.html [Accessed 24-Nov-2015]
A bit of a sideline, but an interesting short essay by Bruce Schneier about what he sees as a key weakness in ISP email management, and their susceptibility to social engineering techniques.
LUO, X., BRODY, R., SEAZZU, A. & BURD, S. 2011. Social Engineering: The Neglected Human Factor for Information Security Management. Information Resources Management Journal, 24(3), 1-8. Available online at: http://www.unm.edu/~xinluo/papers/IRMJ2011.pdf
This article surveys various social engineering attacks and the human factors behind them, and discusses several ways to defend against social engineering: education, training, procedure and policy. The authors further introduce possible countermeasures for social engineering attacks.
Assessment criteria (learning outcome; evidence graded on; Pass 40-49%; Sound Pass 50-59%; Very Good Pass 60-69%; Excellent 70-100%; weight)

Learning outcomes:
LO1. Define the term Social Engineering.
LO2. Explain current Social Engineering threat vectors, how they exploit human vulnerabilities and their extent and impact.
LO3. Explain and justify appropriate controls.
Working With Others: Participate constructively in the team by taking responsibility, showing sensitivity and providing supportive feedback to others, and meeting deadlines.

Evidence: Team Report (LO1, LO2, LO3). Weight 70%.
  Pass (40-49%): Appropriate definition of Social Engineering provided. Major trends and threat methods are explained, with reference to the vulnerabilities that are exploited. Some appropriate controls are explained. Report is structured with appropriate headings. Acceptable spelling and grammar. Mostly relevant content. Some good quality references provided.
  Sound Pass (50-59%): Comprehensive definition of Social Engineering provided. All major trends and threat methods are explained, with a clear link made to the vulnerabilities that are exploited. Some risks particularly relevant to the scenario identified. Appropriate controls are explained for all stated risks. Alternatives are discussed, but may be briefly. Report structured with appropriate headings. Generally appropriate level of detail, but inconsistent. Good quality references provided with correct syntax; range may be limited.
  Very Good Pass (60-69%): Comprehensive definition of Social Engineering provided with discussion of how it is relevant to the scenario. Systematic and thorough evaluation of relevant current threats, clearly explaining the vulnerabilities that are exploited. Appropriate controls are explained for all stated risks. Alternatives are discussed, highlighting key issues. Written in a clear, consistent and appropriate (business) style of English. Technical detail explained appropriately. An appropriate range of good quality references provided with correct syntax.
  Excellent (70-100%): As 'very good pass' and: systematic and thorough analysis of social engineering trends. Critical evaluation of alternative solutions provided. Shows good ingenuity in devising attacks. Alternatives are discussed critically, highlighting key issues. Complete and consistent solution. Clear, concise and complete, with an appropriate level of detail throughout almost all of the report.

Evidence: Presentation. Weight 20%.
  Pass (40-49%): Presentation is consistent with, and relates to, the report.
  Sound Pass (50-59%): As pass, and presentation emphasises key points and has balanced content.
  Very Good Pass (60-69%): As sound pass, and presentation clearly links features/benefits of the solution with client needs and problems.
  Excellent (70-100%): Presentation is persuasive, balanced, thorough and clearly links features/benefits of the solution to client needs/problems.

Evidence: Working With Others, graded on timekeeping, oral contributions, VLE postings and timeliness of work produced. Weight 10%.
  Pass (40-49%): Usually communicates quickly with others if there are problems attending or meeting commitments. On time for most meetings. Completes most work allocated. NB: students can be excluded from teams for not meeting these requirements.
  Sound Pass (50-59%): Considered reliable by team mates. Almost always communicates quickly with others and renegotiates if there are problems attending or meeting commitments. Shares work with others in a timely way.
  Very Good Pass (60-69%): As sound pass, and on time for almost all meetings. Completes all work as agreed.
  Excellent (70-100%): As very good pass, and shows initiative/leadership in some areas of work.
Reference documents which underpin the knowledge/tasks for this scenario are summarised below:
This scenario relates principally to control categories A.7.2 and A.9.2.4 (ISO/IEC 27001:2013 Annex A, with implementation guidance in the corresponding clauses of ISO/IEC 27002:2013).
A.7 Human resource security
A.7.2 During employment
Objective: To ensure that employees and contractors are aware of and fulfil their information security responsibilities.
A.7.2.1 Management responsibilities
Control
Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization.
A.7.2.2 Information security awareness, education and training
Control
All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.
A.7.2.3 Disciplinary process
Control
There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.
A.9.2.4 Management of secret authentication information of users
Control
The allocation of secret authentication information shall be controlled through a formal management process.
For this scenario the relevant part of that process is the step the helpdesk pentest probes: the ISO/IEC 27002 guidance for this control expects a user's identity to be verified before new, replacement or temporary secret authentication information is issued, so a password-reset procedure that accepts knowledge a caller could have researched in advance does not satisfy it.