Assessing and augmenting SCADA cyber security: a survey of techniques

SCADA systems monitor and control critical infrastructures of national importance such as power generation and distribution, water supply, transportation networks, and manufacturing facilities. The pervasiveness, miniaturisations and declining costs of internet connectivity have transformed these systems from strictly isolated to highly interconnected networks. The connectivity provides immense benefits such as reliability, scalability and remote connectivity, but at the same time exposes an otherwise isolated and secure system, to global cyber security threats. This inevitable transformation to highly connected systems thus necessitates effective security safeguards to be in place as any compromise or downtime of SCADA systems can have severe economic, safety and security ramifications. One way to ensure vital asset protection is to adopt a viewpoint similar to an attacker to determine weaknesses and loopholes in defences. Such mind sets help to identify and fix potential breaches before their exploitation. This paper surveys tools and techniques to uncover SCADA system vulnerabilities. A comprehensive review of the selected approaches is provided along with their applicability

Social engineering attack examples, templates and scenarios

The field of information security is a fast-growing discipline. Even though the effectiveness of security measures to protect sensitive information is increasing, people remain susceptible to manipulation and thus the human element remains a weak link. A social engineering attack targets this weakness by using various manipulation techniques to elicit sensitive information. The field of social engineering is still in its early stages with regard to formal definitions, attack frameworks and templates of attacks. This paper proposes detailed social engineering attack templates that are derived from real-world social engineering examples. Current documented examples of social engineering attacks do not include all the attack steps and phases. The proposed social engineering attack templates attempt to alleviate the problem of limited documented literature on social engineering attacks by mapping the real-world examples to the social engineering attack framework. Mapping several similar real-world examples to the social engineering attack framework allows one to establish a detailed flow of the attack whilst abstracting subjects and objects. This mapping is then utilised to propose the generalised social engineering attack templates that are representative of real-world examples, whilst still being general enough to encompass several different real-world examples. The proposed social engineering attack templates cover all three types of communication, namely bidirectional communication, unidirectional communication and indirect communication. In order to perform comparative studies of different social engineering models, processes and frameworks, it is necessary to have a formalised set of social engineering attack scenarios that are fully detailed in every phase and step of the process.The social engineering attack templates are converted to social engineering attack scenarios by populating the template with both subjects and objects from real-world examples whilst still maintaining the detailed flow of the attack as provided in the template. Furthermore, this paper illustrates how the social engineering attack scenarios are applied to verify a social engineering attack detection model. These templates and scenarios can be used by other researchers to either expand on, use for comparative measures, create additional examples or evaluate models for completeness. Additionally, the proposed social engineering attack templates can also be used to develop social engineering awareness material.http://www.elsevier.com/locate/cose2017-06-30hb2016Computer Scienc

“Security begins at home”: Determinants of home computer and mobile device security behavior

© 2017 Elsevier Ltd Personal computing users are vulnerable to information security threats, as they must independently make decisions about how to protect themselves, often with little understanding of technology or its implications. However, personal computing users are under-represented in security research studies, especially for mobile device use. The study described in this paper addresses this research gap by evaluating data from 629 home computer and mobile device users to improve understanding of security behavior in both contexts. The research model extends protection motivation theory by including the roles of social influences and psychological ownership, and by including actual behavior. The model was separately tested with home computer users and mobile device users and data reveals that some of the determinants of security behavior differ between home computer and mobile device use. The results show that perceived vulnerability, self-efficacy, response cost, descriptive norm and psychological ownership all influenced personal computing security intentions and behavior for both home computer users and mobile device users. However, perceived severity was only found to play a role in mobile device security behavior and neither response efficacy nor subjective norm influenced security intentions for either type of user. These findings are discussed in terms of their practical and research implications as well as generating new research opportunities into personal computing sec urity