CY 2550 - Foundations of Cybersecurity

Project: Social Engineering

This project is due at 11:59pm on Friday, March 19, 2021.

Description and Deliverables

In this assignment, you will take on the role of a cybersecurity consultant who has been hired by a company. Your task is to develop a strategy document to help the company avoid devastating financial fraud attacks that are perpetrated using social engineering. A successful strategy document will clearly explain the problem at hand, discuss the attacker's motivations, goals, and capabilities (i.e., present a threat model), and develop clear recommendations for mitigating these attacks. In other words, this is a writing assignment.

To receive full credit for this project, you will turn in a single document:

  1. A file named strategy.pdf.asc that includes your strategy document in PDF format. This file must be signed using your private GPG key, and encrypted using the class GPG public key.

Problem Statement

In recent years, cybercriminals have begun to launch sophisticated social engineering attacks against companies in order to steal money directly from their bank accounts. One common type of attack in this style is known as CEO fraud: an attacker sends a falsified (possibly spoofed) email to a company employee, claiming to be from the CEO, that demands that the employee wire money to a specific bank account. Of course, this account is controlled by the attacker. These attacks often succeed because the spoofed emails are carefully crafted:
  1. The attacker researches the victim company, its CEO, and employees, before launching the attack;
  2. The falsified email uses company-specific terminology and jargon, and references the names of real employees;
  3. In some cases, the attacker will compromise employee email accounts (including the CEO's) and use them to send the emails. In other cases, the attacker will spoof the email source, or register a domain name that looks just like the victim company's true domain name.
Additionally, these fraud scams sometimes involve phone calls that further social engineer the victimized employee.

The FBI reports that CEO fraud and similar scams have increased 270% since 2015, and were responsible for between $360 million and $2.4 billion in losses in 2016. More details about several actual cases of CEO fraud can be found here.

Your Goal

You are a cybersecurity consultant who has recently been hired by Happy Funtime Plastic Co., Inc. (HFPC), a well-known maker of beloved children's toys. The executive team at the company is extremely concerned about social engineering attacks like those described above, but HFPC does not have an internal cybersecurity staff or existing policies to address this threat. Your goal is to draft a strategy document that addresses two high-level needs:
  1. Educate the executive team at HFPC about social engineering attacks, especially CEO fraud.
  2. Propose concrete steps (technical and social) that HFPC can adopt to minimize the likelihood that the company will fall prey to one of these social engineering attacks.
Your strategy document should be targeted towards a sophisticated lay audience, i.e., people who are technically savvy, but not necessarily computer scientists. The document should be at most 1,800 words, which is roughly 3 pages of single-spaced, size 10 font text. Shorter documents are acceptable, so long as they are complete and thorough. You are encouraged to cite evidence to support your claims, although there is no minimum or maximum number of required citations. Citations do not count towards the word count. Citations to sources of questionable quality, like Wikipedia, are considered unprofessional.

About Happy Funtime Plastic Co., Inc.

To write your strategy document, you must take into account some of the details about how HFPC operates their business. HFPC maintains relationships with suppliers, from whom they buy raw materials, as well as distributors, who purchase completed toys and sell them to the public. HFPC has dozens of people on staff who manage relationships with suppliers and distributors. It is very common for suppliers to use email or telephone to deliver bank account numbers to HFPC staff, who then wire payments for raw materials to the given account. Similarly, HFPC staff often use email or telephone to deliver bank account numbers to distributors, so that the distributors can pay HFPC for merchandise.

Critically, email and telephone are not strongly authenticated means of communication. Attackers can potentially forge or spoof emails to and from distributors, suppliers, and HFPC itself, i.e., a breach at HFPC could be used as a stepping-stone to attack HFPC's distributors and suppliers. Similarly, telephone numbers can be hijacked, and caller ID information can be forged.

In terms of security posture, HFPC already uses basic spam filtering software to eliminate obvious, unsolicited bulk messages sent to employees. All HFPC employee machines are equipped with basic anti-virus software that is kept up-to-date. HFPC system administrators regularly apply software patches to all employee machines and internal servers. HFPC requires that all employees present valid, unforgeable ID badges to enter the company headquarters. This requirement is enforced by heavily armed guards that are empowered to shoot intruders on sight. In other words, physical security is not currently a concern, and is considered out-of-scope for your strategy document.

HFPC executives are primarily concerned about an attacker's ability to use social engineering to steal money from HFPC corporate accounts. However, they are also concerned that if an attacker were to steal from a distributor by forging communications from HFPC, this might irreparably harm HFPC's business relationship with that distributor.

Developing the Strategy Document

Your strategy document must cover several specific areas in detail. When developing your strategy document, keep in mind that it must cover different threat vectors and styles of attack, including:

There are additional topics you may want to cover as well to strengthen your strategy document. For example, including brief case studies of social engineering-based breaches at other companies and publicly available statistics may help convince the HFPC executives to adopt your recommendations. It may also be beneficial to define key terms and technical jargon.

Note that the above outline is not meant to be strict. You may organize your strategy document as you see fit. You may embellish your document as you see fit with citations, images, diagrams, etc. In the past, the best submissions came from students who really got into the assignment, and fully adopted the persona of a cybersecurity professional. Feel free to be creative!

Submitting Your Project

Before turning in the project, you must register yourself for our grading system using the following command:
$ /course/cy2550sp21/bin/register-student [NUID]
NUID is your Northeastern ID number, including any leading zeroes. This command is available on all of the Khoury College lab machines.

To turn in your project, you must submit exactly one file:

  1. strategy.pdf.asc

which is your PDF-formatted strategy document, signed and then encrypted with GPG. To produce this file, use GPG to sign and encrypt your document (named strategy.pdf) with ASCII-armored output (the --armor flag). Note that armoring is what gives the file its .asc extension; GPG's default output is binary and would be named strategy.pdf.gpg, which is not what the turn-in script expects. Make sure to sign the document using your private key, and encrypt it using the class GPG public key (which you must import into your keyring first). Place the resulting file in a directory. You submit your project by running the turn-in script as follows:
$ /course/cy2550sp21/bin/turnin project5 <project directory>
where <project directory> is the name of the directory with your submission. The script will print out every file that you are submitting, so make sure that it prints out all of the files you wish to submit! The turn-in script will not accept submissions that are missing a strategy.pdf.asc file. You may submit as many times as you wish; only the last submission will be graded, and the time of the last submission will determine whether your assignment is late.
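The following script is an added example (not part of the original assignment handout) of the sign-and-encrypt step and of the check you can run on the output before submitting. It assumes that the class public key has already been imported and that the user IDs student@example.edu and cy2550@example.edu are placeholders for your own key and the class key; the self-test generates throwaway keys in a temporary keyring so that it runs offline and also shows what the grader sees when decrypting and verifying your file.

```shell
#!/bin/sh
# Added example for the CY 2550 turn-in procedure; not course-provided code.
# All key user IDs, file names and sample content below are placeholders.

# sign_and_encrypt SIGNER RECIPIENT INPUT OUTPUT
# Signs INPUT with SIGNER's private key, encrypts it to RECIPIENT's public
# key, and writes ASCII-armored output. --armor is what yields a .asc file;
# without it gpg writes binary output, conventionally named *.gpg.
sign_and_encrypt() {
    signer="$1"; recipient="$2"; input="$3"; output="$4"
    gpg --batch --yes --armor \
        --local-user "$signer" \
        --recipient "$recipient" \
        --sign --encrypt \
        --output "$output" "$input"
}

# check_output OUTPUT
# Sanity check a student can run without the class private key: the file
# must be an armored PGP message and must contain a public-key-encrypted
# session key packet (i.e. it is actually encrypted, not merely signed).
check_output() {
    head -n1 "$1" | grep -q '^-----BEGIN PGP MESSAGE-----$' || return 1
    gpg --batch --list-packets "$1" 2>/dev/null | grep -q 'pubkey enc packet'
}

# round_trip
# Full demonstration in a throwaway GNUPGHOME: generate a student key and a
# stand-in "class" key (both constructed here, no passphrase), sign+encrypt
# a sample file, then do what the grader does: decrypt with the class key
# and confirm the student's signature is GOODSIG. Returns 0 on success.
round_trip() {
    tmp=$(mktemp -d) || return 1
    chmod 700 "$tmp"
    export GNUPGHOME="$tmp"   # keeps the test keys out of the real keyring
    for uid in 'Student <student@example.edu>' 'CY2550 Class Key <cy2550@example.edu>'; do
        gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --quick-generate-key "$uid" default default never >/dev/null 2>&1 || return 1
    done
    printf 'constructed sample strategy document\n' > "$tmp/strategy.pdf"
    sign_and_encrypt student@example.edu cy2550@example.edu \
        "$tmp/strategy.pdf" "$tmp/strategy.pdf.asc" || return 1
    check_output "$tmp/strategy.pdf.asc" || return 1
    # Grader side: --status-fd gives machine-readable results; GOODSIG means
    # the signature verified against a key in the keyring.
    gpg --batch --quiet --status-fd 3 --output "$tmp/recovered.pdf" \
        --decrypt "$tmp/strategy.pdf.asc" 3>"$tmp/status" 2>/dev/null || return 1
    grep -q '^\[GNUPG:\] GOODSIG ' "$tmp/status" || return 1
    cmp -s "$tmp/strategy.pdf" "$tmp/recovered.pdf"
}

# Run the self-test only when invoked as: sh this_script.sh --selftest
if [ "${1:-}" = "--selftest" ]; then
    round_trip && echo "round trip OK"
fi
```

For the real submission, replace the placeholder user IDs with your own key and the class key, and before encrypting compare the class key's fingerprint (gpg --fingerprint) against the one published by the course; if gpg in batch mode refuses an imported key you have not marked as trusted, verify the fingerprint first and then certify it locally with gpg --quick-lsign-key <fingerprint> rather than bypassing the check with --trust-model always.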

At any time, you can run the following command to see all of your current grades for projects, essays, quizzes, and tests.

$ /course/cy2550sp21/bin/gradesheet

Grading

This project is worth 15% of your final grade, broken down as follows (out of 100):

Points can be lost for turning in files in incorrect formats (e.g., not PDF), failing to follow specified formatting or length conventions, or encrypting/signing your file using the wrong keys.