DeepSec 2014 Talk: An innovative and comprehensive Framework for Social Vulnerability Assessment

René Pfeiffer/ September 11, 2014/ Conference

Do you get a lot of email? Do customers and business partners send you documents? Do you talk to people on the phone? Then you might be interested in an assessment of how vulnerable your organisation is through its social interactions. We are proud to host a presentation by Enrico Frumento of CEFRIEL covering this topic.

As probably everyone knows by now, spear-phishing is probably the most effective threat, and it is often used as the first step of the most sophisticated attacks. Even the recent JP Morgan Chase data breach seems to have originated from a single employee (just one was enough!) who was targeted by a contextualized mail. In this new scenario it is hence of paramount importance to include the human factor in companies’ risk analysis. However, is any company potentially vulnerable to these kinds of attacks? How is it possible to evaluate this risk through a specific vulnerability assessment?

These are the questions that we will try to address. Since 2010, when we presented our study about a Cognitive Approach for Social Engineering at the DeepSec 2010 conference, we have been working on extending traditional security assessment beyond technology to include the „Social“ context. In these years we had the opportunity to work on this topic with several big European enterprises, which allowed us to face the difficulties related to the impact of this kind of activity on the relationship between employees and employer, both from the ethical and the legal points of view.

This experience allowed us to develop a specific methodology for performing Social Vulnerability Assessment (SVA), ensuring ethical respect for employees and legal compliance with European work regulations and standards. The legal constraints, which shape the limits of what these assessments can investigate, are quite cumbersome to understand, but we have developed good experience, especially with the Italian legal framework, which allows the execution of these studies. We now regularly perform Social Vulnerability Assessments in enterprises as an integrated service.
Using our methodology during these years, we performed about 15 Social Vulnerability Assessments in big enterprises with thousands of employees (roughly 10,000 people in total): this gave us relevant first-hand insight into the real vulnerability of enterprises to modern non-conventional security threats.

In this talk, we will share our experience, describing how we conduct the Social Vulnerability Assessment, and will present an overview of the results collected so far. These results may actually help to understand the level of risk related to spear-phishing attacks inside companies, and some conclusions may be unexpected.

We highly recommend attending this presentation if you have to face advanced attacks against your organisation.

About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.
