Acculturation of Social Engineering

A major Cybersecurity fallout of the COVID-19 crisis was the association of the rise in cybercrime rates with social engineering, especially using email as a tool. Social engineering is the art of tricking humans by taking advantage of their weaknesses, including ignorance, fear, panic, and loyalty, to obtain sensitive data that can be used to carry out malicious activities such as identity theft and cyber espionage. Due to ignorance of the tricks of social engineering, aggravated by the uncertainty and panic over the pandemic, cybercriminals exploited human weaknesses in many forms to obtain confidential information from unsuspecting victims.

Victims succumbed to social engineering ploys due to a combination of limited knowledge and panic, both of which could be addressed if the capacity to detect and prevent social engineering were fused into our daily activities. One of the strongest defenses is to invest in training that helps personnel identify risks and thwart security incidents.

It is time to make social engineering consciousness a global way of life, a style of living, and a mandatory cyber ethics adjustment through acculturation. Acculturation of social engineering should focus on cultural modification processes in which employees and cyberspace consumers adopt, adapt, acquire, and adjust to new orientations in cyber ethics within similar or different environments. Instead of merely building strong technical defenses around the facilities where data is stored, forward-looking organizations could go a step further to protect and sensitize the employees who generate, access, and share critical data [13]. Since consumers and employees are the critical link in the Cybersecurity chain, an organization's information security strategy must focus on identifying and mitigating human-factor risks by developing safeguards that protect both data and networks.

Proposed Implementation Model for Social Engineering Acculturation

Achieving social engineering acculturation requires a coordinated global approach in which prime institutions could take up chunks of this technological challenge and foster their propagation using the influence of their institutional mandates across continental, regional, industrial, and professional affiliations. This is achievable by creating ecosystems of universal, non-domineering, time-limited initiatives that can interact seamlessly across schemes, sectors, countries, and borders.

While some institutions are focusing on global advocacy for acculturation of social engineering, others may be pushing for legislative paradigms across global jurisdictions, and yet others could go for diplomatic channels. For example, the United Nations International Telecommunication Union (ITU) can invoke and reinvigorate the fourth pillar (capacity building) and the fifth pillar (international cooperation) of its Global Cybersecurity Agenda (GCA) to raise global Cybersecurity awareness and promote countries’ participation in Cybersecurity collaborations, respectively, across industries and sectors.

If these strategic measures are well coordinated on a global scale, including the UN's promotion of the norms of responsible state behaviour in cyberspace [14, 15], the positive outcomes could become evident in the short term and would result in a long-term decline in social engineering. The UN norms of responsible state behaviour in cyberspace are helpful in developing national Cybersecurity policies and strategies that are contextually relevant and rooted in international good practice [16-18], including social engineering acculturation. The norms also describe what countries should and should not be doing in cyberspace. The fourth pillar of the UN framework of responsible state behaviour in cyberspace is cyber capacity building, to ensure that all 193 UN member states can harness the benefits and mitigate the risks of increased connectivity [18].

Beyond achieving Cybersecurity harmony, social engineering acculturation has the additional advantage of improving both social and psychological well-being in cyberspace, as well as striking a balance between risk aversion and risk appetite on the part of both vendors and consumers of Cybersecurity products and services.

Better Management of Digital Identity (DiD)

Although digital identities are usually held in trust by data management institutions, which provide data-on-demand services to verification seekers under strict privacy regulations, there is a huge knowledge gap in the handling of digital identities even among those institutions. This raises serious security concerns over compliance with the Cybersecurity ethics that govern the exchange of personally identifiable information (PII).

The current identity system is still flawed by overbearing state surveillance alongside disclosure of unwanted metadata to verification seekers, a practice that has become so commonplace that it is almost generally accepted as the norm, albeit regrettably. If the practice remains unchecked, both eID owners and verification seekers are exposed to surveillance by state security forces, law enforcement, terrorists, organized crime gangs, and non-state actors.

There are also doubts over the relevance of introducing commercial intermediaries between citizens and access to their public services, alongside the data management institutions to whose custody their Digital Identities (DiDs) are entrusted in confidence. It is hereby recommended that counter- and anti-surveillance capabilities be integrated into digital identity ecosystems to enable eID owners both to detect surveillance and to take the most appropriate actions.

Limiting the information released as a person's digital identity attributes to the minimum a transaction actually requires, rather than revealing everything about one's past and history, reduces the amount of personal data taken, and therefore potentially lost or misused, by organizations during interactions, including through hostile cyberattacks.

Better strategy and tactics are required to solve these problems, and address the following questions:

  • Do we necessarily need to prove our identity always?
  • How best can digital identities authenticate us with minimal information, without revealing more private information about us than necessary, e.g., using zero knowledge proof?
  • How best can a compromised digital identity be mitigated and safely reused without fear of identity theft, impersonation, and incessant spoofing?

Tackling these questions will lead the way into fashioning a better management of digital identities.

There is need for a more convenient and effective solution to the management of DiDs, one that allows citizens to manage their own identity-related data and choose where, when, and with whom they share it [19], without overbearing restrictions. Limiting the choice of DiD exchange to identity managers alone creates a loophole that can promote high-profile cyber espionage, surveillance, and credential racketeering. Without user control over their own data, incidents of privacy breaches and identity theft may remain on the increase, leaving cyberspace more porous and unreliable.

Since trusted online relationships are essential to the digital economy, every user has the right to see, and where necessary correct, any information held about them [20], so that the data remains accurate and up to date, in line with "persistence", one of the ten principles of self-sovereign identity. This is the purpose for which an audit trail is kept, preserving records of present and past identity data.

It is time to ramp up the decentralized identity foundation by invoking multiple elements of security concepts. There should be a more balanced way to take advantage of different security mechanisms to protect users' accounts against fraud and hacks, rather than forcing them to prove their identity by answering questions about their claimed identity. Such an initiative could benchmark something like Capital One's SwiftID solution, which authenticates users with just a swipe on the smartphone's screen [21, 22].

From a DiD security viewpoint, a properly secured approach to managing the interdependencies between digital identities and the huge volumes of data generated by emerging technologies could guarantee non-surveillance and a non-intrusive record of who, where, when, and with whom we have disclosed our data. The resulting citizen-controlled and self-managed digital identity would make online transactions safer and reduce attacks that have hitherto remained skewed towards social engineering, repudiation, forgery, and malicious misuse of personal data.

Requirements for Better Digital Identity Management

The emerging digital era will rely on secure identification, and Cybersecurity will play a leading role in identity protection and management given the rapid evolution of many national identity schemes. The identity used by citizens to interact with government, access services, or pay for goods is highly vulnerable, and so requires better management.

While national identity schemes exist as either foundational or functional, they all have one thing in common: they require initial data onboarding, either by direct capture from citizens or by harmonizing silos of electronic identities that already exist in multiple repositories. Digital interactions are based on trust [23], and digital identities are fundamental to that trust.

All actors within the digital identity ecosystem, including vendors of identity applications, should promote rather than discourage the inclusion of privacy-enhancing security features in their products, services, and advisories to reflect the following:

  • Interoperability
  • Minimal disclosure
  • Anti-surveillance
  • Counter-surveillance
  • Identity reciprocity
  • Owner-dependent control
  • Need to know
  • Zero knowledge proof
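The "minimal disclosure" and "need to know" features listed above, and the question raised earlier of how a credential can authenticate us without revealing more than necessary, can be made concrete with selective disclosure: the issuer commits to each attribute separately (salted hash) and signs only the list of commitments, so the holder can later reveal any subset and the verifier can check each revealed attribute against the signed list without seeing the rest. The following is an added illustration written for this page, not code from any identity scheme, vendor, or reference cited here. The attribute values, the issuer name and the issuer key are constructed for the example; the HMAC "signature" is a stand-in for the asymmetric signature (e.g. Ed25519) a real issuer would use, because the Python standard library has no asymmetric signing. Note that the issuer also includes a derived predicate (`age_over_18`) as its own attribute, so the holder can prove age eligibility without disclosing the birth date.

```python
import hashlib
import hmac
import json
import os

# Constructed issuer key for the example only. In a real scheme the issuer
# signs with a private key and verifiers hold only the public key; HMAC is
# used here as a stand-in, so this "verifier" must be trusted with the key.
ISSUER_KEY = b"example-issuer-key-not-for-production"


def _canon(obj):
    """Deterministic JSON so that issuer, holder and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _digest(disclosure):
    """Commitment to one attribute. disclosure = [salt, name, value]."""
    return hashlib.sha256(_canon(disclosure)).hexdigest()


def issue(attributes, issuer_key=ISSUER_KEY):
    """Issuer: commit to each attribute separately and sign only the digests.

    Returns (credential, disclosures). The credential contains no plaintext
    attributes; the disclosures are the salted preimages the holder keeps.
    """
    disclosures = []
    for name, value in attributes.items():
        # A fresh random salt per attribute stops a verifier from brute-forcing
        # low-entropy values (a nationality, a yes/no flag) from their digests.
        salt = os.urandom(16).hex()
        disclosures.append([salt, name, value])
    # Sorted so that the position of a digest leaks nothing about its attribute.
    digests = sorted(_digest(d) for d in disclosures)
    payload = {"issuer": "example-issuer", "digests": digests}
    signature = hmac.new(issuer_key, _canon(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": signature}, disclosures


def present(credential, disclosures, reveal):
    """Holder: attach only the disclosures the verifier needs to know."""
    chosen = [list(d) for d in disclosures if d[1] in reveal]
    return {"credential": credential, "disclosures": chosen}


def verify(presentation, issuer_key=ISSUER_KEY):
    """Verifier: check the issuer signature, then that every revealed attribute
    is one the issuer committed to. Returns the revealed attributes, or None."""
    cred = presentation["credential"]
    expected = hmac.new(issuer_key, _canon(cred["payload"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["signature"]):
        return None  # payload altered (e.g. a digest added) or signature forged
    committed = set(cred["payload"]["digests"])
    revealed = {}
    for d in presentation["disclosures"]:
        if len(d) != 3 or _digest(d) not in committed:
            return None  # value tampered with, or disclosure taken from another credential
        revealed[d[1]] = d[2]
    return revealed


if __name__ == "__main__":
    # Constructed sample identity record; the issuer adds a derived predicate so
    # the holder can prove age eligibility without disclosing the birth date.
    attrs = {"name": "A. Citizen", "birth_date": "1990-05-01",
             "nationality": "NG", "age_over_18": True}
    cred, discs = issue(attrs)
    p = present(cred, discs, {"age_over_18", "nationality"})
    print(verify(p))  # {'age_over_18': True, 'nationality': 'NG'}; name and birth_date never leave the holder
```

The verifier learns exactly the revealed attributes and the fact that the issuer vouched for them; the undisclosed digests reveal nothing because each is salted. The same structure is what keeps a breach of the verifier's logs small: it only ever held the attributes it needed.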

These security features strengthen privacy and minimize the impact of data breaches whenever they occur. Accordingly, there should be no monitoring by government or other organizations of where, when, and with whom a digital identity is used [19]. Identity should be precisely about proving something about oneself, not about surveillance by government, companies, or other organizations.

As countries and regions adopt identity management protocols that are both suitable to them and interoperable with global standards, all Cybersecurity initiatives on digital identities revolve around the manner in which their confidentiality, integrity, and availability are protected and securely managed across the entire data life cycle. They also relate to the standardization of the digital identity supply chain. Digital identity should therefore focus precisely on providing identity proof through the use of open standards and transparent verification [24], devoid of state or private sector tracking, surveillance, and control.

In summary, there is need to evolve, in the post-pandemic era, a new generation of digital credentials that offers transformative convenience and security for all stakeholders, providing a new public infrastructure for verifying credentials that is far more durable, secure, and convenient than reliance upon a single authority.
