CS 2550 - Foundations of Cybersecurity
Project 3: Social Engineering
Description and Deliverables
In this assignment, you will take on the role of a cybersecurity consultant who has been hired by a company. Your task is to develop a strategy document to help the company avoid devastating financial fraud attacks that are perpetrated using social engineering. A successful strategy document will clearly explain the problem at hand, discuss the attacker's motivations, goals, and capabilities (i.e. present a threat model), and develop clear recommendations for mitigating these attacks. In other words, this is a writing assignment.
To receive full credit for this project, you will turn in a single document:
- A file named strategy.pdf.asc that includes your strategy document in PDF format. This file must be signed using your private GPG key, and encrypted using the class GPG public key.
Problem Statement
In recent years, cybercriminals have begun to launch sophisticated social engineering attacks against companies that attempt to directly extort money from their bank accounts. One common type of attack in this style is known as CEO fraud: an attacker sends a falsified (possibly spoofed) email to a company employee claiming to be from the CEO that demands that the employee wire money to a specific bank account. Of course, this account is controlled by the attacker. These attacks often succeed because the spoofed emails are carefully crafted:
- The attacker researches the victim company, its CEO, and employees, before launching the attack;
- The falsified email uses company-specific terminology and jargon, and references the names of real employees;
- In some cases, the attacker will compromise employee email accounts (including the CEO's) and use them to send the emails. In other cases, the attacker will spoof the email source, or register a domain name that looks just like the victim company's true domain name.
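As an added illustration of one technical mitigation for the look-alike domain tactic listed above (example code, not part of the assignment or of any HFPC system): a screen that flags From: addresses whose domain imitates the company's real one, so those messages can be routed to out-of-band verification before any payment is made. The company domain hfpc.com, the confusable-character map and the sample sender addresses are all constructed assumptions.

```python
"""Screen From: addresses for look-alike imitations of a company's real domain."""
import unicodedata

# Character sequences commonly swapped in to imitate a real domain (constructed map).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
               "rn": "m", "vv": "w", "cl": "d"}

def normalize(label: str) -> str:
    """Lower-case, strip accents, and fold confusable sequences to the letters they imitate."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(c for c in s if not unicodedata.combining(c))
    for fake, real in CONFUSABLES.items():
        s = s.replace(fake, real)
    return s

def levenshtein(a: str, b: str) -> int:
    """Edit distance computed with the rolling-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(sender: str, real_domain: str) -> str:
    """Return 'internal', 'lookalike' or 'external' for the domain in a From: address."""
    domain = sender.rsplit("@", 1)[-1].rstrip(">").strip().lower()
    if domain == real_domain:
        return "internal"
    # Compare only the first label so hfpc.co, hfpc.com.cc and hfpc.c0m all trip the check.
    base, cand = normalize(real_domain.split(".")[0]), normalize(domain.split(".")[0])
    budget = max(1, len(base) // 4)  # tolerated edits scale with label length
    if base in cand or levenshtein(base, cand) <= budget:
        return "lookalike"
    return "external"

# Constructed sample headers; hfpc.com is an assumed domain, not the company's real one.
SAMPLE_SENDERS = ["CEO <ceo@hfpc.com>", "ceo@hfpc.co", "ar@hfpc-payments.com",
                  "ceo@hfqc.com", "ceo@hfpc.c0m", "orders@acmeplastics.com"]

def screen(senders, real_domain="hfpc.com"):
    """Map each sender to its verdict; anything not 'internal' needs out-of-band verification."""
    return {s: classify_sender(s, real_domain) for s in senders}

if __name__ == "__main__":
    for sender, verdict in screen(SAMPLE_SENDERS).items():
        print(f"{verdict:9} {sender}")
```

Note that a screen like this catches imitation domains only; a message sent from a genuinely compromised internal account passes as 'internal', which is why the policy-side mitigations (call-back verification of bank details) still matter.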
The FBI reports that CEO fraud and similar scams have increased 270% since 2015, and were responsible for between $360 million and $2.4 billion in losses in 2016. More details about several actual cases of CEO fraud can be found here.
Your Goal
You are a cybersecurity consultant who has recently been hired by Happy Funtime Plastic Co., Inc. (HFPC), a well-known maker of beloved children's toys. The executive team at the company is extremely concerned about social engineering attacks like those described above, but HFPC does not have an internal cybersecurity staff or existing policies to address this threat. Your goal is to draft a strategy document that addresses two high-level needs:
- Educate the executive team at HFPC about social engineering attacks, especially CEO fraud.
- Propose concrete steps (technical and social) that HFPC can adopt to minimize the likelihood that the company will fall prey to one of these social engineering attacks.
About Happy Funtime Plastic Co., Inc.
To write your strategy document, you must take into account some of the details about how HFPC operates its business. HFPC maintains relationships with suppliers, from whom it buys raw materials, as well as distributors, who purchase completed toys and sell them to the public. HFPC has dozens of people on staff who manage relationships with suppliers and distributors. It is very common for suppliers to use email or telephone to deliver bank account numbers to HFPC staff, who then wire payments for raw materials to the given account. Similarly, HFPC staff often use email or telephone to deliver bank account numbers to distributors, so that the distributors can pay HFPC for merchandise.
Critically, email and telephone are not strongly authenticated means of communication. Attackers can potentially forge or spoof emails to and from distributors, suppliers, and HFPC itself. Similarly, telephone numbers can be hijacked, and caller ID information can be forged.
In terms of security posture, HFPC already uses basic spam filtering software to eliminate obvious, unsolicited bulk messages sent to employees. All HFPC employee machines are equipped with basic anti-virus software that is kept up-to-date. HFPC system administrators regularly apply software patches to all employee machines and internal servers. HFPC requires that all employees present valid, unforgeable ID badges to enter the company headquarters. This requirement is enforced by heavily armed guards that are empowered to shoot intruders on sight. In other words, physical security is not currently a concern, and is considered out-of-scope for your strategy document.
HFPC executives are primarily concerned about an attacker's ability to use social engineering to steal money from HFPC corporate accounts. However, they are also concerned that if an attacker were to steal from a distributor by forging communications from HFPC, this might irreparably harm HFPC's business relationship with that distributor.
Developing the Strategy Document
Your strategy document must cover several specific areas in detail.
- Describe a complete and comprehensive threat model. What are the goals and capabilities of the attacker? Are there specific vulnerabilities (technical or otherwise) that the attacker is leveraging to implement their attacks? Are there specific threat vectors that your threat model explicitly does not cover (e.g. intruders who physically break in to HFPC headquarters)? Note that your goal is to address a specific class of social engineering attacks; you do not need to address all potential cybersecurity attacks that could target HFPC.
- Present a variety of potential mitigations to address the social engineering attacks outlined in your threat model. We expect your strategy document to include a mix of technical, policy-based, and social mitigations. Multiple mitigations of each type are welcome, as are other classes of mitigations. Note that any one mitigation does not necessarily need to address all potential attacks; for example, you may present one mitigation for email threats, and a second mitigation for telephone threats. Make sure to explain how the mitigations complement one another to address the total threat.
- Compare the tradeoffs between different mitigations and their associated costs. What is the potential damage (monetary or otherwise) that HFPC may incur if they were to fall victim to one of the social engineering attacks outlined in your threat model? How does this compare to the costs (in terms of money, employee productivity, etc.) of different mitigations?
- Attacks via email and telephone.
- Attacks against HFPC itself (i.e. the attacker pretends to be a supplier or compromises a supplier) and attacks against distributors (i.e. the attacker pretends to be from HFPC or compromises HFPC).
Note that the above outline is not meant to be strict. You may organize your strategy document as you see fit. You may embellish your document as you see fit with citations, images, diagrams, etc. In the past, the best submissions came from students who really got into the assignment, and fully adopted the persona of a cybersecurity professional. Feel free to be creative!
Submitting Your Project
Before turning in the project, you must register yourself for our grading system using the following command:
$ /course/cs2550sp19/bin/register-student [NUID]
NUID is your Northeastern ID number, including any leading zeroes. This command is available on all of the Khoury College lab machines.
To turn in your project, you must submit exactly one file:
$ /course/cs2550sp19/bin/turnin project3 <project directory>
where <project directory> is the name of the directory with your submission. The script will print out every file that you are submitting, so make sure that it prints out all of the files you wish to submit! The turn-in script will not accept submissions that are missing a strategy.pdf file. You may submit as many times as you wish; only the last submission will be graded, and the time of the last submission will determine whether your assignment is late.
At any time, you can run the following command to see all of your current grades for projects, essays, quizzes, and tests.
Grading
This project is worth 10% of your final grade, broken down as follows (out of 100):
- 20 points - Threat model that covers all avenues of attack, and clearly explains all capabilities of the attacker.
- 50 points - Proposed mitigations should address all avenues of attack. Each mitigation should be clearly explained, including how it works, what threat(s) it addresses, and any shortcomings.
- 20 points - Concise discussion of costs and tradeoffs between different mitigations, especially in relation to the costs associated with successful attacks.
- 10 points - Quality of writing, including spelling, grammar, and appropriate use of citations.