Report on Social Engineering Penetration Testing and Cyber Awareness Strategy for a Bank

Social Engineering Attacks

Context:

You need to write an academic report to present the viewpoint of a cyber security professional or ethical hacker for identifying the employees’ security awareness and vulnerability to social engineering attacks in the context of a bank.  This will help the bank to plan effective security training and awareness materials and procedures.
 

You need to first identify what kind of social engineering attack would be appropriate for testing the vulnerability of the employees in the bank. 

You then need to choose one of the attacks which you will use for the social engineering penetration testing in the hypothetical organisation. You will explore details for each of the steps of:

i) Information gathering

ii) Planning

iii) Execution

iv) Result analysis. 

You also need to design and justify cyber awareness strategies for the organisation and propose a policy for best cyber hygiene practice for that particular organisation. Finally, you need to show how to measure the effectiveness of your proposed awareness strategy.

In the above context you will write an academic report that shows you have applied your academic knowledge and understanding of the subject area. A thoughtful report will show that you have researched the area well.

Report:

The report you submit for this assignment will contain the following sections 

1. Introduction: You should provide the aims and objectives of social engineering penetration testing.
 
2. Social engineering attacks: You will need to present and critically analyse various social engineering attacks and judge what kind of social engineering attack would be appropriate for testing the vulnerability of the employees in a financial organisation like a bank, and why. You should consider the typical business functions and psychological behaviour of the people involved in the organisation.

3. Penetration testing steps: This should demonstrate your understanding of the social engineering process. You should include all four steps,

i) information gathering

ii) Planning

iii) Execution

iv) result analysis.

For ‘information gathering’, you need to consider what will be the most effective strategy for gathering information for that particular organisation and why you consider it so.
 

For ‘planning’, you need to consider what kind of social engineering attack will be more appropriate for testing the vulnerability of the people within that organisation. You will also consider what psychological twist would make a tempting and effective social engineering attack for the particular type of organisation and why.
 
For ‘execution’, you will consider the technical details of how to execute the attack.  For example, details of tools or technology to use. 

For ‘result analysis’, you will consider how you will analyse the outcome of the penetration test and how you determine whether the employees are vulnerable or not.


4. Design and justification of cyber awareness strategy: You need to describe how you would design the cyber awareness strategy and the rationale of your justification. It should be tailored to the need of the particular category of organisation. 

5. Proposed policy for best cyber hygiene practice: You may discuss whether to propose a general policy or a department-specific policy. The policy should mention what to do to ensure the best cyber hygiene practice. The policy should also include recommendations for the users on

i) how to detect a possible cyber-attack
ii) how to reduce the impact of social engineering attacks. 

6. Measuring effectiveness of the proposed strategy: This section needs to discuss how you would measure the effectiveness of the proposed awareness and training strategy. You need to do your research on how to measure the effectiveness of a strategy in general and logically tailor that to your context.


Marking Rubric:

The report contributes to 100% of the total mark.

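Each criterion below is listed with its weight, followed by one descriptor per mark band in this order: 0; < 40 (fail); 40 – 49 (pass); 50 – 59; 60 – 69; 70 – 79; 80 – 89; 90 +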

1. Introduction and social engineering attacks (30%)

0: Academic offence or no submission

< 40 (fail): Superficial. Little insight shown in selection of material. Has failed to get to grips with the subject. Inadequate discussion. Does not show full understanding of what is required.

40 – 49 (pass): Reasonable evidence of some insight into the subject area. Has reasonable coverage of the requirements but does not have elements of critical thinking.

50 – 59: All of the material is appropriate. The student has covered most subject areas. There is good coverage of the subject area but not much critical thinking is evident.

60 – 69: Demonstrates a good understanding of the subject area covering all key issues. Contains very few errors. Report includes a bit of critical thinking.

70 – 79: Demonstrates a thorough, insightful understanding of the subject area covering all key issues. All the requirements are fulfilled. Contains very few errors. Good level of critical thinking is evident.

80 – 89: Demonstrates an excellent level of understanding of the subject area covering all key issues. All the requirements are fulfilled. Contains almost no errors. Excellent critical thinking is evident.

90 +: In addition to an exceptional level of understanding of the subject area, the quality of output shows creative and innovative flair. Really advanced levels of critical thinking are evident.

2. Penetration testing steps (20%)

0: Academic offence or no submission

< 40 (fail): Little originality. Has failed to get to grips with the subject. Inadequate discussion. Does not show full understanding of what is required.

40 – 49 (pass): The student has presented a very basic understanding of penetration testing steps; a few of the details of the steps are presented wrongly or not clearly.

50 – 59: Covers a very basic but clear level of understanding of all the penetration testing steps. Has some gaps and may have some errors.

60 – 69: Clear and concise arguments and presentation. Has good coverage of the subject area but there may be a few gaps in coverage. Contains very few errors. Includes a bit of critical thinking.

70 – 79: Logical organisation of thoughts and arguments. Excellent level of coverage of the subject area is evident. Includes a good level of critical thinking.

80 – 89: Demonstrates an excellent level of logical organisation of thoughts and arguments. Excellent critical thinking is evident. Has shown a level of innovation in providing the analysis.

90 +: Advanced understanding and exposition of relevant issues that shows insight and draws together the chosen subject's key features into a theme. No errors. Advanced level of innovation is evident.

3. Design and justification of cyber awareness strategy (10%)

0: Academic offence or no submission

< 40 (fail): Little originality. Has failed to get to grips with the subject. Inadequate discussion. Does not show full understanding of what is required.

40 – 49 (pass): Arguments reasonably clear but underdeveloped. Student has demonstrated an adequate understanding. May contain some errors. Does not contain either the wider context or the specific context.

50 – 59: The student has demonstrated a clear understanding of the problem area. A theme is present, but underdeveloped. Lacking critical analysis. Provides a bit of wider context along with the specific context.

60 – 69: A clear and useful theme is developed. Clear and concise arguments. Contains very few errors. A bit of critical analysis is evident. Good focus is evident on both the wider context and the specific one.

70 – 79: Logical organisation of thoughts and arguments. Good level of critical thinking is evident. Clear connection is made with the contexts, i.e., the wider strategies are critically analysed and then tailored to the specific context.

80 – 89: Demonstrates an exceptional level of logical organisation of thoughts and arguments. Excellent level of critical thinking is evident. Clear and logical connection is made with the contexts, i.e., the wider strategies are critically analysed at excellent depth and nicely tailored to the specific context.

90 +: Innovative and well-formed recommendations made. Excellently structured and logically developed arguments. Beyond excellent level of critical thinking is evident. The wider strategies are critically analysed at exceptional depth and excellently tailored to the specific context.

4. Proposed policy for best cyber hygiene practice (10%)

0: Academic offence or no submission

< 40 (fail): Little originality. Has failed to get to grips with the subject. Inadequate discussion. Does not show full understanding of what is required.

40 – 49 (pass): Student has demonstrated an adequate understanding. May contain some errors. The policies are of a simple nature. No evidence of any research is present.

50 – 59: The student has demonstrated a clear understanding of the problem area. The policies are presented with evidence of a bit of research. May contain some errors, and some gaps exist.

60 – 69: A clear and useful theme is developed. Clear and concise arguments. Contains very few errors. The policies are presented with evidence of a good level of research and there is a bit of a gap remaining.

70 – 79: Logical organisation of thoughts and arguments; brevity, clarity, and understanding are evident. Good level of critical thinking is evident. The policies are presented with evidence of a good level of research and there is almost no gap remaining.

80 – 89: Demonstrates an exceptional level of logical organisation of thoughts and arguments; brevity, clarity, and understanding. Excellent critical thinking is evident. The policies are presented with evidence of an excellent level of research and demonstrate an element of innovation.

90 +: Innovative and well-formed recommendations made. Excellently structured and logically developed arguments. Beyond excellent level of critical thinking is evident. The policies are presented with evidence of a beyond excellent level of research and demonstrate a good level of innovation.

5. Measuring effectiveness of the proposed strategy (10%)

0: Academic offence or no submission

< 40 (fail): Little originality. Has failed to get to grips with the subject. Inadequate discussion. Does not show full understanding of what is required.

40 – 49 (pass): Arguments reasonably clear but underdeveloped. Student has demonstrated an adequate understanding. May contain some errors. Does not contain either the wider context or the specific context.

50 – 59: The student has demonstrated a clear understanding of the problem area. A theme is present, but underdeveloped. Lacking critical analysis. Provides a bit of wider context along with the specific context.

60 – 69: A clear and useful theme is developed. Clear and concise arguments. Contains very few errors. A bit of critical analysis is evident. Good focus is evident on both the wider context and the specific one.

70 – 79: Logical organisation of thoughts and arguments. Good level of critical thinking is evident. Clear connection is made with the contexts, i.e., the wider strategies are critically analysed and then tailored to the specific context.

80 – 89: Demonstrates an exceptional level of logical organisation of thoughts and arguments. Excellent level of critical thinking is evident. Clear and logical connection is made with the contexts, i.e., the wider strategies are critically analysed at excellent depth and nicely tailored to the specific context.

90 +: Innovative and well-formed recommendations made. Excellently structured and logically developed arguments. Beyond excellent level of critical thinking is evident. The wider strategies are critically analysed at exceptional depth and excellently tailored to the specific context.

6. Presentation, style, punctuation, spelling and grammar (10%)

0: Academic offence or no submission

< 40 (fail): Unclear structure to report. Many spelling mistakes in each paragraph. Writing style unclear.

40 – 49 (pass): Some structure to report. Most text has a clear message. Numerous spelling mistakes. Basic sentence construction rules followed. Some text may be verbose.

50 – 59: Clear structure to report. Few spelling mistakes. Sentences of appropriate length and punctuation used correctly.

60 – 69: Well-written report, showing good skills in creativity and good design. Sentences of appropriate length. Brief but informative writing style.

70 – 79: Satisfies all the requirements of the previous band and contains very smooth flow of writing.

80 – 89: On top of all the requirements of the previous band, consistent, coherent and smooth flow style of writing is evident.

90 +: On top of all the requirements of the previous band, no spelling mistakes. Very clear sentences that make good use of punctuation. Writing style is clear and informative without being verbose.

7. References list and citation. Originality. (10%)

0: Academic offence or no submission

< 40 (fail): No evidence of additional reading. Copyright restrictions infringed. Few or no sources cited.

40 – 49 (pass): Evidence of some additional reading. Sources mainly web sites and class notes. Main sources cited.

50 – 59: Evidence of reading of relevant books and quality web sites. Some quotations used. Most sources cited.

60 – 69: Evidence of reading of relevant journals, books, quality web sites. Quotations used appropriately. All sources cited but minor inconsistency is evident.

70 – 79: Evidence of reading of relevant journals, books, quality web sites. Quotations used appropriately. All sources cited appropriately and no inconsistency is evident.

80 – 89: Evidence of reading of relevant high-quality journals, books, quality web sites. Quotations used appropriately. All sources cited appropriately. Demonstrates excellent level of use of references and citation and no error or inconsistency is evident.

90 +: Evidence of reading of high quality relevant academic journals and books. Quotations used appropriately and sparingly. All sources cited appropriately. Demonstrates beyond exceptional level of use of references and citation and no error or inconsistency is evident.
