Information Security Model And Cyber Terrorism Capstone Project

… goals of this study are to reveal some of the common and prevailing cyber security threats. Here we plan to explore the risk that is most difficult to defend against: social engineering. We seek to identify the human elements and characteristics that contribute to these frauds, and how people unwittingly give out information that eventually leads to difficult situations. There are many ways in which attackers 'phish' their targets. We will look into the origin of such techniques and proceed to develop a methodology to avert such attacks. In the highly computerized environment in which we live, a new method of multitenant services has evolved to meet the demands on memory space and time: the Cloud. These vast and complex systems have raised newer kinds of concerns, which will be assessed, and a strategy to safeguard the interests of the user against the resulting threats will be attempted. The main aim is to create a data and internet environment that is safe and secure from the social perspective.

Table of Contents

Chapter 1

Introduction

Background of the Study

Problem Statement

Purpose of the Study

Significance of this study

Social Engineering

Travel Threats

WEB Threats

The Cloudy Threat

Chapter 2: Literature Review

Prevalent Security Methods

Digital Signature

Firewalls

Redundancy

Freshness

Configuring a Viable Security Structure

ISO at work

CFO at work

Get only Certified persons

Building up Security Model

Access Control

Personal authentication

LDAP: Lightweight Directory Access Protocol

Conclusion

Chapter 3: Methodology

Research Philosophy

Research Approach

Research type and Time line

Data Collection Methods

Quantitative Validity

Sampling Strategy

Data Analysis

Conclusion

Chapter 4: Results

Chapter 5: Discussion and Conclusion

Introduction

Statement of the Problem

Review of Methodology

Summary of Results

Relationship of Research Questions to the Field study

Discussions of Results

Conclusion

Chapter 1

Introduction

It is said that an engineer should have a secured computer at his disposal. Consequently, many non-engineers assume that they can use a computer without security. Even if you do not work with critical information, you have an identity and information that you should protect; hence you should be an informed computer user. Your information is almost always at risk if you are on a computer network. Statistically speaking, in a survey of more than 7000 businesses, the majority dealing with critical infrastructure, 67% reported at least one cyber attack (Rantala, 2008). Nearly 60% reported a cyber attack on their computer system; 11% reported cyber theft, which includes embezzlement, fraud, and intellectual property theft; and 24% reported other cyber incidents such as port scanning, spyware, spoofing, or some type of breach that resulted in damage or a loss. On average, in the year 2011 around 26,000 complaints were registered at the Internet Crime Complaint Center (IC3), a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C). The situation suggests that one should be properly secured, as sooner or later our computer systems will be attacked. The most intriguing aspect of this is that you do not have to be a PhD or an experienced user to attack a computer system. Most of the time, it is just the work of an expert in his teens.

Background of the Study

In a report written by Mandiant (2013), a spear phishing attack was described targeting the company's CEO, Kevin Mandia. The goal was to attack the organization with an advanced persistent threat (APT). The spear phishing e-mail was sent to all Mandiant employees. The e-mail was spoofed to appear as if it came from the company's CEO, Mr. Mandia. In such cases, what likely happens is that personnel give out information about the company that helps the social engineer obtain further information by impersonation. Here we find the two causes that contribute to the attack on the system: first, the gullibility of the employees, of which the attacker has taken advantage, and second, the initial breach into the system by breaking through the security net. As further evidence of the person-centered phenomenon that we are trying to address in this proposal, consider the observation of Kevin Mitnick. Mitnick, who popularized social engineering, acknowledged the use of a technique he termed "spear phishing." In this technique, an e-mail that appears to come from a trusted source targets a specific person or organization. The person is targeted using information found on a social networking site like LinkedIn. For example, the social engineer goes to LinkedIn...

Then, he or she sends those network engineers an e-mail (since he or she knows where they work) or calls them to obtain the needed information. Even a company specializing in cyber attack recovery is a spear phishing target.

The social engineering attack is implicit in its nature. It is again human nature that comes into play here, which is why such attacks are termed non-tech hacks. High-tech hacking involves explicit penetration of the user's system by adding external programs such as malware. These are some of the tricks or methods that hackers use to gain unauthorized access. Non-tech hackers, on the other hand, prefer to initiate a telephone dialogue with a general user in the organization. It is a simple two-call mechanism in which the first call is made to a general user to gather general technological information. Once this is gathered, the social engineer uses it in a second call to get the critical information. In essence, social engineers take advantage of our human nature of kindness, which makes it easy for the social engineer to pretend to be someone else. Thus, once he or she is armed with a few pieces of information, more information needed to break into secure networks can easily be acquired.

The other kind of vulnerability is the exposure travellers subject themselves to when they use 'open' and unsafe network access for activities like updating software, operating system updates and the like.

These officials experience some or all of the following attacks while they are on foreign unofficial tours.

Exploitation of electronic media and devices

Secretly entering hotel rooms to search

Aggressive surveillance

Attempts to set up romantic entanglements

The exploitation could simply occur through software updates while using a hotel Internet connection ("New E-Scams & Warnings," n.d.). A pop-up window will appear to update software while the user is establishing an Internet connection in the hotel room. If the pop-up is clicked, the malicious software is installed on the laptop. The FBI recommends either performing the upgrade prior to traveling or going directly to the software vendor's website to download the upgrade. All of these threats can be mitigated by training. It is intended in this proposal to suggest some of the procedures to avoid these eventualities.

One example of technical hacking is the damage caused by altering IP addresses.

Domain name fraud converts the domain name (e.g., www.danamkaroti.org) to an incorrect IP address, thus sending the user to a website where fraudulent activity will probably occur. Internet protocol hijacking is where the Internet traffic is redirected through untrustworthy networks. In such cases use of proper technological security systems and practices will be of help to a great extent. Mitigation tactics to these threats will be discussed later in this proposal.

The Cloud is exploited by hackers in several ways. First, the complex nature of the Cloud can create unexpected scenarios for an uninitiated user. This is a trick widely adopted by social engineers to gather critical information. Secondly, Cloud data is separated logically, not physically. This shared multitenant environment creates another opportunity for someone to gain unauthorized access. A good example is a security breach that occurred with Google Docs that allowed users to see files that were not "owned" or "shared" by them (Kaplan, 2008). Finally, somebody else takes over the management rights of the data that you put on the Cloud. That raises questions such as: Has your security team audited the practices of your Cloud managers? Are the practices consistent with yours? Are you really confident in their execution?

Apart from other issues regarding data security, sometimes your own employees engage in real theft. Keeping a proper watch on a suspected employee or an untimely retiring employee can control this problem. In the Hewlett-Packard 2012 "Cyber Risk Report," researchers determined the risk trends for cyber security. For example, the number of newly disclosed vulnerabilities had increased 19% from 2011. These come from every angle, such as web applications, legacy technology, and mobile devices. For example, the skyrocketing mobile device sales in 2012 brought with them a similar number of mobile application vulnerabilities. Mobile device applications alone have seen a 787% increase in vulnerability disclosures. Understanding a company's technical security risk begins with knowing how and where the vulnerabilities occur within the organization ("White paper | HP 2012 Cyber Risk Report," 2013).

Problem Statement

Why is it that the helpful side of human nature is responsible for passing critical information to a stranger? How is it that, in spite of users being highly educated and adequately warned, the social engineer succeeds in obtaining information from the computer user? What tricks are adopted by these hackers to get the critical information without…
