The advent of Social Networks has made both companies and public bodies tremendously exposed to the so-called Social Engineering 2.0, and thus prone to targeted cyber-attacks.
Unfortunately, there is currently no solution available on the market that allows either the comprehensive assessment of Social Vulnerabilities or the management and reduction of the associated risk.
DOGANA aims to fill this gap by developing a framework that delivers "aDvanced sOcial enGineering And vulNerability Assessment". The underlying concept of DOGANA is that Social Driven Vulnerability Assessments (SDVAs), when regularly performed with the help of an efficient framework, help deploy effective mitigation strategies and lead to reducing the risk created by modern Social Engineering 2.0 attack techniques. Two relevant features of the proposed framework are:

- The presence of the "awareness" component within the framework as the cornerstone of the mitigation activities;
- The legal compliance by design of the whole framework, which will be ensured by a partner and a work package explicitly devoted to this task.

Moreover, the outcomes of the project are also expected to provide a solid basis to revise the insurance models for cyber-attack related risks, thanks to the involvement of 2 strong DOGANA partners in this area of activity.


Latest from our Social Engineering Blog


How many people accept being subjected to a social driven vulnerability assessment?

Written by Enrico Frumento - CEFRIEL


At a certain point during the social engineering vulnerability assessment, the penetration tester and the company have to debrief the deceived persons, to share the results of the tests and transform the whole experience into a positive one, also somehow delivering an awareness experience to the persons. Since the beginning of the field tests we have had the wish to understand how many people would accept being "victimized" by an SDVA test, even if it was for good.

Negative experiences in this direction exist, the most famous of which is what happened to ABN Amro.

In December 2017, a phishing simulation was sent to the bank's employees. It was supposedly about a Christmas present, rewarding their excellent performance. It was a well-targeted and believable attack, typical of a sophisticated "spear phishing" campaign. Many employees "clicked the link" and were surprised to find out that it was a training simulation. However, ABN Amro did not anticipate the tsunami of adverse reactions and emotions they received from their employees. It created an internal trust crisis which spilled over into the press. Margot van Kempen, the chairman of the council of employees, said bluntly, "This is very annoying for people who feel offended by it." The result was not the outcome that the security managers of ABN Amro wished for. However, insult is not the only emotion that poorly implemented phishing simulation practices can lead to. Some employees can also actively sabotage training efforts by publishing the phishing email on the company's internal communication channels or on Facebook to forewarn colleagues, who then do not "click the link." This may be a positive collegial reaction, but it is also one that will hurt the training efforts and therefore put the company at risk.

Situations like the ABN Amro one may lead to a worsening of the cybersecurity posture of the company, which is the opposite of the original intent.

In DOGANA, we tested four critical end-users, belonging to different categories:

  • HMOD, military
  • GNS, public sector
  • DBI, critical infrastructure
  • RATB, public services

During the field tests, we debriefed the involved end-users, asking them about their level of anxiety, rage, and satisfaction right after discovering that they had been subjected to a social engineering vulnerability assessment. We did the same with the legal departments of those companies.

Actually, the great effort spent building an ethically and legally compliant framework rewarded us, because 100% of the interviewees did not complain at all. This is an excellent result in our opinion and proof that the European ethical and legal dimensions of an SDVA are relevant.


by Enrico Frumento (CEFRIEL)

This project has received funding from the European Union’s Horizon 2020 Research and Innovation programme, under grant agreement No. 653618
