What the Enterprises can do to measure and mitigate the latest evolutions of Social Engineering.
Social Engineering (SE) is an age-old concept closely related to the intelligence disciplines of human intelligence (HUMINT) and elicitation, referring to the ability to obtain information from human sources. Social Engineering can be defined as “the art of getting someone to do something they would not otherwise do, using psychological manipulation”. In the context of information security, it refers to a complex fraud scheme that an attacker uses to gain unauthorized access to information or systems via an unknowingly human target that is tricked into facilitating such access. This implies that human interaction is a necessity for conducting social engineering attacks, and as such, a social engineer seeks to exploit the human element of security.
Social Engineering 2.0
The modus operandi of a modern social engineer vary, and only creativity sets the limit to the methods employed. Common for all methods, however, is the element of deception. The aim of the social engineer is to deceive the target into conducting an action they think is legitimate. Phishing emails are spoofed to seem as if they originate from a valid and reliable source, e.g. from an employer or spouse. They either include a file that the attacker wants the user to open, a link for the user to click on that might lead to a website where the user is encouraged to login using a rouge web form, often with sensitive details such as a password, credit card details.
How to mitigate the problem of the Social Engineering enabled threats. SDVAs as one potential solution
“Only amateurs attack machines; professionals target people” (Schneier, 2000).
It is evident, from the above dissertation, that SE is probably the most efficient cyber-weapon in the arsenal of cybercriminals. The art and science of SE evolved to a level of unforeseen sophistication, which builds upon the modern lifestyles (pervasiveness of the social networks, liquid society and blended lifestyles). This sophistication not only comes from the complexity of our cyber-lives but also from the abundant use of all the modern techniques for data collection and analysis, glocalization of the attacks and interaction with other human sciences (mainly cognitive sciences).
Enterprises are largely un-prepared to face this challenge. The defence solutions has largely evolved along the technical strand (antivirus, firewall, intrusion prevention system, etc.) and largely ignored what was happening from the human side of security. This is perfectly understandable: by the ICT security point of view, modelling the human behaviour is extremely difficult and it is difficult to modify it, in order to prevent dangerous actions. Moreover, it is quite difficult to modify the human behaviour permanently, for example through awareness.
The big challenge in ICT security today is how to assess, mitigate and accept the risk of breaches in the Enterprise’s information space, due to the human element weaknesses. As it happens for the technological penetration tests, the most efficient way to do an assessment of the SE-risk is to emulate the tactics used by cybercriminals. A specific method to do a penetration testing or assessment of the weaknesses of human side of security is the so-called Social Driven Vulnerability Assessment (SDVA). A concept that has been initially developed by Cefriel, which later led to the preparation of the DOGANA Project.
Involving employees in an assessment is a relatively innovative approach. First, IT and security departments are not the sole actors to define the assessment, because people are the target. Therefore, it is necessary to involve all the relevant stakeholders, such as Human Resources (HR), legal and communications departments, to explain the threats, share the objectives, define the scope of the assessment and obtain commitment.
The DOGANA Project
The DOGANA project focuses on the impact and the remediation of the human factor in security.
The DOGANA framework aim to build a commonly recognized instrument for the verification of cyber-risks and apply them at all enterprise levels, thus creating a unified and complete awareness and risk mitigation process.
The unique propositions of DOGANA includes:
- partners have on-field experience with customers of direct relevance
- different companies will be directly involved in extensive field tests
- development of a proper legislations framework to safely perform this type of assessment across Europe
- development of an integrated tool-chain to gather support data collection phases and simulate SE types of attacks
- study, development and testing of innovative education/awareness tracks and tools to mitigate the threat.
 HUMINT is the collection of intelligence via interpersonal contact, and elicitation is the act of extracting information from the sources.
 Christopher Hadnagy and Paul Wilson, Social Engineering: The Art of Human Hacking (Indiana: Wiley Publishing, 2010), 10
 Kevin D. Mitnick, The Art of Deception — Controlling the Human Element of Security (Indiana: Wiley Publishing, 2002)
 Z. Bauman, “Liquid modernity”, Social Theory Rewired, 2018. [Online]. Available: http://routledgesoc.com/category/profile-tags/liquid-modernity.
 “Blended lifestyles shape tomorrows office”, Ravie, 2015. [Online]. Available: http://www.ravie.eu/blended-lifestyles-shape-tomorrows-office/
 Glocalization is the practice of conducting business according to both local and global considerations.
 S. L. Pfleeger and D. D. Caputo, “Leveraging behavioral science to mitigate Cyber security risk,” 2012. [Online]. Available: https://www.mitre.org/sites/default/files/pdf/12_0499.pdf.