sign in sign up
<<
Home , Anonymous (hacker group), HBGary

Analysis of Human Factors in Cyber Security: A Case Study of Attack on Hbgary

Benjamin Aruwa Gyunka Directorate of Information and Communication Technology National Open University of Nigeria (NOUN) Abuja, Nigeria [email protected] Abikoye Oluwakemi Christiana Department of Computer Science University of Ilorin Ilorin, Nigeria [email protected]

ABSTRACT awareness programmes for workforces and the Purpose: This paper critically analyses the implementations and maintenance of basic human factors or behaviours as major threats to security culture and policies as a panacea for cyber security. Focus is placed on the usual roles social engineering cyber attacks against played by both the attackers and defenders (the individuals and organizations. targets of the attacker) in cyber threats’ Originality: Lots of work has been done and pervasiveness and the potential impacts of such many still on-going in the field of social actions on critical security infrastructures. engineering attacks and human factors, but this Design/Methodology/Approach: To enable an study is the first to adopt an approach of a effective and practical analysis, the Anonymous practical case study to critically analyze the attack against HBGary Federal (A security firm effects of human factors on cyber security. in the United State of America) was taken as a Keywords: The Anonymous; HBGary Federal; case study to reveal the huge damaging impacts Uniform Resource Location (URL); Content of human errors and attitudes against the security Management System (CMS); SQL Injection; of organizations and individuals. Cross-site Scripting (XXS); Social Engineering; Findings: The findings revealed that the Cyber Security; Information Security powerful security firm was compromised and Paper Type: Research Paper overtaken through simple SQL injection techniques and a very crafty social engineering attack which succeeded because of sheer 1 Introduction personnel negligence and unwitting utterances. The damage caused by the attack was enormous Humans have been found to be truly the weakest and it includes the exposure of very sensitive link of security (Mitnick, Simon, & L., 2011) and and personal data, complete shutdown of the (GBC-DELL Survey, 2015). The psychology of website, loss of backup data and personnel human workforce is being viewed as a critical character deformations. The research also found factor that poses serious cyber-attacks risks to all that damaging human factors results from users (Ranjeev & Lawless, 2015). Human cyber ignorance or illiteracy to basic security practices, security behaviours has created serious carelessness and sometimes sabotage by vulnerabilities which attackers exploits using disgruntled employees from within and these social engineering attack techniques and findings vulnerabilities have become prime target for revealed that human factors are responsible for exploitation by attackers through social 95% of all security incidences (IBM, 2015). engineering attacks. Social engineering was also Human threats to critical infrastructures and discovered to be the leading attack technique services come mostly from careless work adopted by attackers within the cyber space in behaviours and ignorance of basic cyber security recent years. practices which include irregular software Practical Implications: The paper concludes by patching to get rid of bugs, installations of advocating assiduous training and cyber security malicious software, careless communication of

10 sensitive information and connection to insecure the attackers’ tricks and techniques, and finally, networks or Wi-Fi (Aziz, 2013) and the analysis of the resulting damages. The paper (James, 2015). They also include poor attitudes to concludes with suggestive techniques for web applications usage and database preventing against such exploitations. management which opens door to cross-site scripting (XXS) and SQL Injection 2 Social Engineering vulnerabilities (Stuttard & Marcus, 2011). Social engineering is a non-technical method of Attackers these days find it interestingly easier cyber-attacks which absolutely depends on to begin their attacks by the exploitation of human psychology and mostly involves human ignorance, weakness and selfish interests deceiving people into breaching standard to gain an open entrance for a mega attack. security practices (Nate, 2016). Researches have People are now inadvertently deceived to either shown that social engineering attacks are the top initiate or even carry out the attacks by most threats against information security themselves without the attacker necessarily (Warwick, 2016) and (Nate, 2016). The whole introducing an external event or involving very technique of social engineering attacks is expensive technical exploit kits. Human factor is completely anchored on the principle and art of an insider threat against security either through deception, making people do things that they disgruntled employees seeking to cause pains or would ordinarily not want to do for a complete through social engineering which appeals to stranger (Mitnick et al, 2011). Thus, victims of personnel’s instincts and attackers would rather this attack techniques are usually persuaded to take advantage of these vulnerabilities, where willingly open wide their security door ways to available, than engaging other exploits against unknown persons (Ranjeev & Lawless, 2015) or technical security devices (James, 2015), are tricked to do things like giving out sensitive (Warwick, 2016) and (CeBIT Australia, 2017). information or documents, disabling critical Research has shown that it is not good security systems, transferring money to enough to have all the state-of-the-art security unknown persons’ accounts and many other software and hardware properly installed and devastating things (Warwick, 2016). Sometimes running in an organization if the human factor to they are tricked to believe that the order they are cyber security is neglected (Nate L. , 2016), and obeying is coming from a superior, colleague, or (James, 2015). Firewalls, Intrusion Detection partner sitting somewhere (Mitnick, Simon, & L., Systems, Antimalware and many authentication mechanisms such as time-based tokens or 2011). Often times, what they are persuaded to biometric smart devices, are usually installed to do are highly regrettable, causing irreversible protect against external threats but cannot damages. protect against threats from within, caused by Common approaches or attack vectors ignorant and careless personnel (Mitnick, Simon, adopted in social engineering attacks include & L., 2011) or by disgruntled employees aiding engaging people through fake emails, social external attacker (Blythe, 2013). Cyber attackers media, voice calls, mobile apps, or through would rather now want to exploit the vulnerable direct physical contact with the defendant (target human factors through simple tricks than to of the attacker). Social engineering attacks, or spend much time and resources trying to gain attacks against human psychology and instincts, access by breaking through the different strong may come in the forms of , technical security systems. This paper seeks to attacks, pretexting, baiting, quid pro quo and practically analyze the impacts of human factors tailgating (David, 2015). Phishing scams and to critical security infrastructures. The attack of malware infections have be found to be the most the Anonymous Hacktivist group against adopted forms of social engineering attacks HBGary Federal, a US based security firm, was (GBC-DELL Survey, 2015) as indicated in Figure taken as a case study to analyze the different 1. Anyone that falls victim of social engineering phases of cyber attacks against human cyber attack would normally become the enabler of the security behaviours. The different phases include bigger attack or might even unknowingly be the analysis of defender(s) vulnerabilities (target of attack – the human factors), the analysis of used to directly complete the full-scale attack.

11

Figure 1: Significant Cyber Threats (GBC-DELL Survey, 2015)

This study takes a deep delve into some with McAfee which is a well known security practical applications of social engineering firm too (Peter, 2011). attacks and its requisite consequences and HBGary Federal, being an information prevention. The attack of the Anonymous security firm, specializes in design and Hacking group against HBGary Federal security distributions, through sales, of the state-of-the- firm was adopted as a case study for a critical art tools for computer forensics and malware analysis of this attack technique. The study analysis to the United State and begins by critically looking into the different other private Institutions (Peter, 2011) and (Krebs, services offered by HBGary and where they 2011). Their services also included technical failed. A brief about the Anonymous group was consultancy and supports. The support covers also discussed; the different attack techniques areas such as the implementation and deployed, the resulting damage, ways of deployment of intrusion detection systems, preventing similar attacks on businesses, and the designing secure networks, performing lessons learned form the core of this study. vulnerability assessment and penetration testing of systems and software. The United State 3 The Defender – Hbgary Federal Government and some Strong Private Organizations were some of the strong HBGary was a well-known technology security patronisers and customers of the services of company with offices in Washington D. C., HBGary Federal. California, Sacramento, and Bethesda, Maryland. The Security Firm was founded by 4 The Attacker – Anonymous in the year 2003. The company entered into a Security Innovation Alliance with The Anonymous is a group of hacktivists which McAfee in the year 2008. The Establishment comprises of people from different backgrounds, was an affiliation between HBGary Federal and diverse professional experiences and different HBGary Inc, both being very distinct entities. age groups. This involves professional office HBGary Federal had one mega web server employees, software developers, IT technicians, which could be accessed through a Web link, and even students. The membership of the group www.hbgaryfederal.com, and they also had one are found scattered in different countries of the major Support Linux Machine which could be world, a few amongst them includes the United accessed through the link, support..com. State, The United Kingdom, Germany, The Linux Machine contained most of the Netherlands, Italy, and Australia. The hacktivist employees shell accounts, which they could group mostly adopt cyber attack as their main access using SSH. Greg Hoglund also operated campaign medium to show their displeasures another website called .com which was and grievances against any government policies hosted by another Linux machine. All the email or any Organization that might have crossed services of HBGary Federal were being their ways. The group was allegedly founded in managed by Google Apps. The National the year 2003. Security Agency (NSA) and Interpol had maintained a frequent contact with HBGary companies and HBGary also had been working

12 security vulnerabilities of the software, but they failed to do any of this. HBGary was completely blind to this dangerous flaw, allowing the CMS to become highly vulnerable to SQL injection attacks. The Security Firm, HBGary Federal, was also guilty of poor management. The senior executives of the Firm, CEO Aaron Barr and COO Ted Vera, became too busy about their work that they forgot and neglected simple and standard information security practices especially in the areas of password policies and

Figure 2: The Faceless Group – Anonymous (Peter, 2011). management. They became an extreme bad example to be emulated in this regard. Both top A few amongst many other exploits Officers had extremely weak with perpetrated by the Hacktivist Group includes the each comprising of only six lower case letters bringing down of PayPalblog.com, and two numbers. As though that was not bad MasterCard.com and Visa.com (Nate & Technica, enough, they also maintained the same 2011). The attacks against these Companies were passwords across platforms and applications. done to punish the financial companies for their That is, the same password was used to login involvement in shutting down WikiLeaks from into their accounts, email accounts, the internet. Anonymous attacked these websites using Distributed Denial of Service Linkedln, and SSH. This practice subjected them (DDoS) attacks through a modified version of to a security single point of failure (failure at one the (LOIC) load-testing point implies failure at all points). The most tool. disturbing part of it was that Aaron had the administrative right over the Google App that 5 Human Factors Vulnerabilities Analysis hosted the entire company's emails and while Ted had a user privilege in the Linux SSH HBGary was operating a content driven website account. Password misuse and negligence alone whose data was stored in an SQL database. As it had exposed the Company to serious security is with every thriving business, there was always threats. a constant need for updating the contents of the In managing the SSH access to the Firms website by correcting, adding or removing some Server, the authority also carelessly ignored the information from the database. To make the principles and policies governing safe SSH administration of the website easier, HBGary connections. It did not come into their to Federal deployed a Content Management System remember that password authentication was not (CMS) in the organization. Although this the best security verification practice for any approach was a good idea, but best practice SSH connection, so they continued to use only would have been for them to implement an off- passwords to gain access via SSH to the Support the-shelf Content Management System which Linux Machine. They could have included the would have enabled them the ability to directly hard-to-crack cryptographic encryption methods monitor and control the system, but they rather in the system which would provide each user chose a custom CMS from a third-party with a secret key which must be kept private and developer. Third party’s applications do not with a public key that is associated with the user always have good reputations as they mostly account. If these were put in place, the SSH have issues with malware and wrong coding would have then made use of both keys to (Rahul, Venkiteswaran, Anoop, & Soumya, 2014), so authenticate the different users. The Firm the CMS deployed by HBGary had serious adopted MD5 for their password encryption in a coding flaws which made it highly vulnerable to very weak way. Another serious security cyber attacks. Although the CMS had bugs, loophole entertained by HBGary Federal was HBGary was negligent and careless about the inadequate software patching. Little or no CMS. They could have exercised their own attention was given to regularly patching the expertise as security experts in finding and Linux Support Machine. This also exposed the fixing (debugging) the bugs and also setting up Machine’s Operating System and its system and configuring bug tracking devices to track

13 libraries to privilege escalation exploitation required results. A typical CMS would usually attack vulnerabilities. have a web 'front-end' which allows the editing Finally, there was serious lack of proper of database records through the web by the information dissemination within and outside the respective users. The SQL query injected by the Company. They were very careless at releasing Anonymous made use of the URL, very sensitive information without minding who http://www.hbgaryfederal.com/pages.php?pa is listening. This attitude exposed the geNav=2&page=27. Two parameters included Corporation to the subtle danger of social in the query to manipulate the CMS are engineering attacks. The Anonymous shows up pageNav=2 and page=27. Given that the CMS mostly through cyber attacks, so they have been had bugs already in its code, it became easily associated with majority of in the tricked to misinterpret the query with these world. Because of their activities, this Group parameters, thus providing the with open became a prime suspect to the United State Government and this has set them on the list of access to the database of the web server that the FBI for continuous investigation to uncover hosted the Firm’s very sensitive data. They the identities of its members (Nate & Technica, completely took over the database from the 2011). The CEO, Aaron Barr, was too outright CMS. Some details retrieved from the database and straight, without caution, when he publicly include usernames, email addresses, and announced the Firm’s collaboration with the FBI password hashes of privileged users who had the (Federal Bureau of Investigation) against the administrative right to make any required Anonymous group. He revealed that the Firm changes to the CMS. The vita data found on this had gotten some essential information about the server provided the attackers with more identities and activities of some cardinal information that aided their invasion further. members of the Anonymous group, expressing One good property of the CMS was its ability his readiness to sell this information out to the to store only the hashed password of the users in FBI for further actions against the group. The the database which could be very difficult to method he claimed to have used in getting these break into plain text. Fortunately for the essential details was emails monitoring, and attackers, the hash was only a single one-way using of fake names for and IRC chat. hashing that was done using MD5 hashing His action presented him as having a boast on function without applying salting and iterative the strength of the Firm and their victory over hashing methods. Taking advantage of the weak the Anonymous group (Nate & Technica, 2011). hashing procedure, the attackers deployed This pronouncement was regrettably a dangerous move that invited the wrath of the hacktivist rainbow table cracking technique to crack the group, Anonymous, against HBGary Federal. downloaded hashed passwords. Iterative hashing Without hesitation, the Anonymous reacted involve the process of having the output of a immediately against Aaron's moves by attacking hash function re-hashed again repeatedly for HBGary Federal between the 5th and 6th of several times (Sjoerd, 2016) and (Dunkelman & Eli, February 2011. The attack lasted for a period of 2006), while salting technique involve adding a 24 hours only. small amount of random data to the password before it is hashed (Sjoerd, 2016) and (Patel, Patel, 6. Analysis of Attackers’ Techniques And & Virparia, 2013). If these hashing techniques Tricks were adopted, it would have become either very difficult or nearly impossible for the passwords Anonymous started by exploiting the to be cracked by the attackers. It suffices to say vulnerability found in the Content Management hbgaryfederal.com would have survived the System (CMS). They injected some SQL queries rainbow attacks despite the into the Firm’s web server database. The coding loophole found with the MD5 hashing functions of CMS are meant to enable it identify what if they probably had adopted the best password details it should allow to be retrieved from a protection policy (Daniel, 2015) and (SANS, database system based on the receipt of a 2014). particular query or URL (Uniform Resource Rainbow table attacks commonly succeed Location). The CMS is required to match the against two kinds of password patterns; this received query against the records in the include password of eight character length which database, render the collected content which may compromises a mixture of lower case letters and include an HTML, and then countless web pages numbers only, and a those of one to twelve can be created within seconds to display the character length which are made up of upper

14 case letters only and anything outside these From: Greg lengths, it becomes extremely difficult for the To: Jussi rainbow tables to generate (Avi, 2016) and Subject: need to ssh into rootkit (Coding Horror, 2007). Although CEO Aaron Barr im in europe and need to ssh into the server. can and COO Ted Vera were expected to know you drop open up better, given that they administrative firewall and allow ssh through port 59022 or rights to different systems, they both were still something vague? very careless to use password combinations of and is our root password still 88j4bb3rw0cky88 only six lower case letters and two numbers. or did we change to Another huge mistake made by these executives 88Scr3am3r88 ? was the reuse of same password on different thanks platforms and applications including even the Support Linux Machine, support.hbgary.com. ------The attackers took advantage of this weakness and were able to easily attack the Linux Machine From: Jussi using Ted Vera’s password. Unfortunately, the To: Greg Linux Machine had some software Subject: Re: need to ssh into rootkit vulnerabilities due to inadequate patching, so the hi, do you have public ip? or should i just drop attackers deployed privilege escalation exploits fw? to gain root privilege and had total control over and it is w0cky - tho no remote root access the machine from where they extracted allowed gigabytes of backups and research data. The password for Aaron Barr was used by ------the attackers to gain administrative access into the Google App that controls the entire From: Greg Company's emails. Greg Hoglund, the founder To: Jussi and owner of rootkit.com, had his e-mail account also listed there, so the attackers accessed his Subject: Re: need to ssh into rootkit email and were able to retrieve two additional no i dont have the public ip with me at the passwords from there which were moment because im ready '88j4bb3rw0cky88' and '88Scr3am3r88' which for a small meeting and im in a rush. could give them the root access to the server if anything just reset my password to hosting rootkit.com, but they also found out that changeme123 and give me public Jussi Jaakonaho (Chief Security Specialist) of ip and ill ssh in and reset my pw. Nokia had a root access to the machine too. Despite the details retrieved, it was still ------impossible for them to break into Greg's machine by direct SSH using root account From: Jussi (username & password), they would need to first To: Greg login with a non-root privilege user account. The Subject: Re: need to ssh into rootkit root account details could not be used to access ok, the server from outside of the firewall and so it should now accept from anywhere to 47152 as they sought for ways to retrieve Greg’s common ssh. i am doing user account details (username and password) testing so that it works for sure. (Keir, 2011). They resorted to social engineering your password is changeme123 attack using email (Peter, 2011) against Jussi Jaakonaho from whom they were able to get all i am online so just shoot me if you need the details they needed to complete their task. To something. implement the social engineering attack, the attackers disguised as Greg Hoglund by using in europe, but not in finland? :-) his email account to send mails to Jussi Jaakonaho. The email conversations between _jussi the attackers and Jussi are as follows (Peter, 2011): ------

15 From: Greg 6.1 The Impact of Human Factor on Critical To: Jussi Infrastructure Subject: Re: need to ssh into rootkit if i can squeeze out time maybe we can catch The HBGary website was completely up.. ill be in germany compromised, over sixty thousand (60,000) for a little bit. Company emails were downloaded and exposed on site (Chester, 2011). The anyway I can't ssh into rootkit. you sure the ips Company’s backup files were completely still deleted by the Anonymous. The Group also 65.74.181.141? retrieved and publicly displayed the documents HBGary Federal boasted about earlier to sell to FBI for everyone to see. They also retrieved and thanks exposed users’ database from Rootkit.com and ------all the email addresses and passwords hashes for everyone who had ever registered on the From: Jussi website. Aaron Barr’s private and confidential To: Greg credentials which include his private mails, home address, social security number and cell Subject: Re: need to ssh into rootkit phone number were all exposed to the public. does it work now? The greatest damage was on the Integrity, Reliability, Confidentiality and finally the ------Availability of the Company. The mistakes were completely irreversible resulting to a total From: Greg shutdown of the security Firm, HBGary Federal, To: Jussi putting them out of business. Subject: Re: need to ssh into rootkit yes jussi thanks 7. How To Prevent Similar Attacks On did you reset the user greg or? Businesses Staff trainings on standard security principles ------and policies must be taken very seriously in every Organization in order to combat social From: Jussi engineering attacks (GBC-DELL Survey, 2015). To: Greg This will be an essential tireless and continuous Subject: Re: need to ssh into rootkit cybersecurity literacy and awareness training for nope. your account is named as hoglund the workforce. It is worth spending resources on keeping the security and risks management ------knowledge of workers updated all the time as this can reduce an organization’s cyber security From: Greg breaches by 70% (Pittsburgh, 2015). Proper policy To: Jussi must be put in place with the right password Subject: Re: need to ssh into rootkit hashing techniques especially the use of iterative yup im logged in thanks ill email you in a few, hashing and salting. A regular vulnerability im backed up testing of website must be carried out to look for security holes in order to cover them up. Public thanks and private key encryptions and authentication techniques should be deployed for protecting the With the information gathered and access server when it comes to authentications. Systems gained, the attacker succeeded in bringing down and software patching should be done on regular Rookit.com too so easily because the Server basis. Vulnerability assessment must be done on hosting it also had similar vulnerability as that of all the information infrastructures deployed in HBGary Federal; it did not use key the network. The practice of password reuse on authentications. different platforms should never be encouraged. Social engineering is a very subtle attack, thus personnel should always verify any requested

16 task before agreeing to release very important References details. Avi, K. (2016). The Dictionary Attack and the Rainbow-Table Attack on Password Protected Systems. Purdue: Purdue University. Aziz, A. (2013). The evolution of cyber attacks and next generation threat protection. RSA Conference. Blythe, J. (2013). Cyber security in the workplace: Understanding and promoting behaviour change. Proceedings of CHItaly 2013 Doctoral Consortium 1065, (pp. 92- 101). Brian, D. (2010). Determining the Role of the Figure 3: Cyber Defense Elements in Need of Significant IA/Security Engineer. SAN Institute. Improvement (GBC-DELL Survey, 2015) CeBIT Australia. (2017, January 17). The human 8. Conclusion factor in cyber security. Retrieved January 26, 2017, from CelBit: The case study analysed in this paper suggest http://blog.cebit.com.au/the-human-factor- that attackers will not usually attack from areas in-cyber-security that are considered to be of great security Chester, W. (2011, February 7). HBGary strength, but would rather focus their attention Federal hacked and exposed by on the very weak and neglected points of security, especially the human factor. Human Anonymous. (naked security) Retrieved factor was the greatest weakness that brought January 23, 2017, from down HBGary Federal. They were too busy https://nakedsecurity.sophos.com/2011/02/0 rendering security services to their clients that 7/hbgary-federal-hacked-and-exposed-by- they failed to maintain positive attitudes in anonymous/ securing their own IT infrastructures. Coding Horror. (2007, September 8). Rainbow Challenging and going after the Anonymous Hash Cracking. (Coding Horror: group was the only little step needed to expose programming and human factors) Retrieved their massive negligence and vulnerable January 25, 2017, from infrastructures. The little things they neglected https://blog.codinghorror.com/rainbow- became their biggest problems; no one would hash-cracking/ have expected such from an established security Daniel, H. (2015, January 20). Best Practices for Firm like HBGary. The fall of HBGary is a clear Workplace Passwords. (Software Advice) indication that the bad guys are always a step Retrieved January 25, 2017, from ahead in their calculations, and they see tiny http://www.softwareadvice.com/security/in security lapses that are usually oblivious to dustryview/password-workplace-report- security experts. Hence, this is a huge lesson to 2015/ be learned by every individual, corporation and Danish, J., & Hassan, Z. (2011). Cloud security professional, to stay equipped and well Computing Security. International Journal informed about standard security practices, maintaining positive security behaviour always. of Engineering Science and Technology, It is therefore very imperative that great security 3(4), 3478 - 3483. culture demands that nothing, however simple or David, B. (2015, March 23). 5 Social irrelevant in appearance, should be treated Engineering Attacks to Watch Out For. casually when it pertains to security. Finally, it is (Tripwire) Retrieved January 25, 2017, now expedient that keeping a healthy from Tripwire: cybersecurity work behaviour, cyber hygiene, https://www.tripwire.com/state-of- and organizational planning is as core to security/security-awareness/5-social- information security as firewalls and anti- engineering-attacks-to-watch-out-for/ malware. Dunkelman, O., & Eli, B. (2006). A framework for iterative hash functions: Haifa. 2nd NIST Cryptographich Hash Workshop, 22.

17 GBC-DELL Survey. (2015). The Human Factor policy/2011/02/anonymous-speaks-the- at the Core of Federal Cybersecurity. inside-story-of-the-hbgary-hack/3/ Government Business Council. Pittsburgh, P. A. (2015, January 13). Security IBM. (2015). IBM Security Services 2014 Cyber Awareness and Training Measurably Security Intelligence Index. IBM Global Reduces Cyber Security Risk. Retrieved Technology Services. January 28, 2017, from Wombat Security James, M. S. (2015). 10 Things Security Experts Technologies: Wish End Users Knew. Global Knowledge. https://www.wombatsecurity.com/press- Keir, T. (2011, March 7). 8 Security Tips from releases/research-confirms-security- the HBGary Hack. Retrieved January 25, awareness-and-training-reduces-cyber- 2017, from PCWorld: security-risk http://www.pcworld.com/article/221504/8_ Rahul, R., Venkiteswaran, R., Anoop, J. B., & security_tips_to_learn_from_the_hbgary_h Soumya, K. D. (2014). Android Malware ack.html Attacks and Countermeasures: Current and Krebs, B. (2011, February 7). HBGary Federal Future Directions. Control, Hacked by Anonymous. (krebsonsecurity) Instrumentation, Communication and Retrieved January 23, 2017, from Computational Technologies (ICCICCT), https://krebsonsecurity.com/2011/02/hbgary 2014 International Conference on IEEE, -federal-hacked-by-anonymous/ (pp. 137-143). Mitnick, K. D., Simon, & L., W. (2011). The art Ranjeev, M., & Lawless, W. F. (2015). The of deception: controlling the human element human factor in cybersecurity and the Role of security. Indiana: John Wiley & Sons. for AI. 2015 AAAI Spring Symposium (pp. Nate, A., & Technica, a. (2011, February 10). 39-43). Springer. How One Man Tracked Down Anonymous Saeed, S., Saman, A., & Norafida, I. (2013). — And Paid a Heavy Price. Retrieved Main human factors affecting information January 25, 2017, from WIRED: system security. Interdisciplinary Journal https://www.wired.com/2011/02/anonymou of Contemporary Research In Business, s/ 5(7), 329-354. Nate, L. (2016, October 11). What is Social SANS. (2014). Password Protection Policy. Engineering? Defining and Avoiding London: SANS Institute. Common Social Engineering Threats. Sjoerd, L. (2016, May 25). Requirements for (Digital Guardian) Retrieved January 24, iterative password hashing. Retrieved 2017, from January 25, 2017, from https://digitalguardian.com/blog/what- https://www.sjoerdlangkemper.nl/2016/05/2 social-engineering-defining-and-avoiding- 5/iterative-password-hashing/ common-social-engineering-threats Stuttard, D., & Marcus, P. (2011). The Web Patel, P. N., Patel, J. K., & Virparia, P. V. Application 's Handbook: Finding (2013). A Cryptography Application using and Exploiting Security Flaws. John Wiley Salt Hash Technique. International Journal & Sons. of Application or Innovation in Engineering Warwick, A. (2016, February 26). Social & Management (IJAIEM), 2(6), 1-4. engineering confirmed as top information Peter, B. (2011, February 16). Anonymous security threat. (Computer Weekly) speaks: the inside story of the HBGary Retrieved January 23, 2017, from hack. Retrieved January 25, 2017, from http://www.computerweekly.com/news/450 arsTechnica: http://arstechnica.com/tech- 0273577/Social-engineering-confirmed-as- top-information-security-threat

18 Copyright of Computing & Information Systems is the property of University of the West of Scotland, School of Computing and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.