“Social engineering is the most effective way to penetrate the network. And of course the best defense against social engineering is education, but it’s important that not only users are educated about social engineering, but companies and government agencies educate their employees about this threat.” © John McAfee, a computer programmer, businessman, and founder of the McAfee company
Experts in information security generally agree that today attacking a person takes precedence over attacking a system or infrastructure: attacks on systems are costly and complex, while attacking a person is easy. The term social engineering is broadly understood to mean forcing or tricking a person into doing what the manipulator wants, and under this definition social engineering attacks happen to almost everyone every day. Not only sophisticated cybercriminals but also most low-level scammers use elements of social engineering to convince the victim to perform the actions they want.
For more than 15 years, the founder and scientific director of the Information Security Institute, academician Oleg Maltsev, has been conducting full-scale applied studies of the system of automatisms of the human body (SAHB) and human behavioral modeling. Thanks to the scientific developments and discoveries of Dr. Maltsev, dozens of applications for human behavioral analysis have been put into operation. The algorithmic function of the system of automatisms discovered by Maltsev allows a researcher to explain and predict human actions, logic, and ways of making decisions, and the consequences of the choices made.
In developing the methodology for protection against social engineering, the Information Security Institute’s experts also relied on international research in the social and behavioral sciences, the results of international scientific symposia of experts of the European Academy of Sciences of Ukraine, research by the International Schicksalsanalyse Community Research Institute on the system of automatisms of the human body, and the findings of the Criminalistic Research Institute, which conducted a comparative analysis of Western approaches to crime and crime prevention and their counterparts in the post-Soviet space. The methodology incorporates the findings of research and practice in a range of disciplines such as history, criminology, psychology, philosophy, social psychology, and sociology.
As a result of the Institute’s research, a complete classification of the types of social engineering attacks, methods and techniques of hacking people has been developed. This classification formed the basis of the methodology used in practice, which contains an exhaustive list of methods and techniques of psychological influence.
The purpose of the methodology is to improve the competency of enterprise employees. By increasing their knowledge of attack vectors, we significantly reduce the likelihood of a successful social engineering attack. Sudden events are no longer unexpected, and the lack of the expected response leads the social engineer to choose another tactic or a new victim. The methodology also allows an employer to run a series of practical tests to see how vulnerable their employees are to test hacks.
The methodology contains no algorithms. Instead of algorithms, more than 16 applicators are used to classify threat levels, tamper levels, and manipulation tools, which together allow a user to minimize the likelihood of successful hacking.
The classification and methodology in assembled form were first shown to the public at the meeting “Insider Threats2: Social Engineering” in Kyiv on June 10, 2021.