Protect the weakest link in a cyber-security chain – protect the human

Written by Erik Kamenjasevic, KU LEUVEN

This blogpost airs the DOGANA project which deals with the development of a novel, legally and ethically compliant solution to prevent harm to a company because of the Social Engineering 2.0 attacks. Thus, delicate but efficient Socially Driven Vulnerability Assessments are currently under design. Their goal is to help measure the inclination of employees to fall victim to a phishing attack and to estimate the level of exposure of the company to technological follow-up attacks from the simulated phishing campaign.

Article originally written for www.law.kuleuven.be.

 

Social Engineering

In the context of information security, Social Engineering (SE) is a very old concept referring to the ability to obtain information from human sources. It may be defined as a “psychological manipulation of people into performing actions or divulging confidential information”. The SE is used to violate the information security of a company by violating the confidentiality, integrity or availability of its assets. Such violation is exploited through techniques and methods that leverage on the natural human tendency to trust other humans, systems or ICT devices. Traditionally, it has been conducted in a real-life scenario or over the telephone communication. However, this definition may not be relevant anymore nowadays due to the recent developments of the social network and the appearance of some new technologies which allowed to greatly automate most of the SE steps against a large number of targets at the same time.

 

Social engineering 2.0

The evolution of social engineering 2.0 happened greatly due to a development of Internet-of-Things (IOT), increased usage of the cyberspace for social interactions and outsourcing company’s data to public cloud service providers. The SE 2.0 attacks still involve human interaction but the playfield has changed from a real-life to a cyber-space. There is an indefinite number of forms in which the SE 2.0 may occur which depend only on the imagination of a social engineer. Nonetheless, what they all have in common is a deception of the target. Social engineer uses deception in order to deceive the target to conduct an action that at first looks legitimate. One of the most popular SE 2.0 methods is sending the so-called spear phishing emails. They are mainly characterized by the use of context-specific messages based on the specific knowledge of individuals and their organizations. Such messages appear to be sent from the source (such as the employer or HR department) which looks legitimate to the target.

 

DOGANA project

DOGANA project aims to develop a framework that delivers an advanced social engineering and vulnerability assessment. The underlying idea of the project is that Socially Driven Vulnerability Assessments (SDVAs) help deploy effective mitigation strategies and lead to reducing the risk created by modern SE 2.0 attack techniques. Current Social Vulnerability Assessments only supply companies with an analysis of several identified weaknesses, by providing a list of assets, susceptible to cause potential vulnerabilities. This method has been proven insufficient in practice since patching security holes is not (only) a technological matter but mostly a matter of changing the employees’ behaviour.

What novelty will DOGANA method bring? The project aims to bring social engineering attacks in the assessment process. This will provide companies with a risk management framework, which should enable them to assess their exposure and weaknesses and to adopt secure countermeasures. The goal will be achieved by the creation of a tool chain to perform assessments, alongside with a framework to perform trainings for employees. The DOGANA tool is designed to address information trustworthy topics and ethical questions in a holistic approach and based on the EU legal framework. Furthermore, it will be built on three pillars, namely (a) risk assessment, through an integrated framework for Social Vulnerability Assessments (identification/analysis/evaluation of risks), (b) risk mitigation, through innovative awareness methods, and (c) risk acceptance, through an extensive set of field trials with end-users.

 

Legal and ethical challenges of a Socially Driven Vulnerability Assessment

Traditional ways of ensuring IT security and risk management within the company usually do not give enough attention to the human factor in the assessment models, tools, processes and legal structure. That is due to the fact that the focus is still on technological part of the IT security. This approach, however, is no longer enough since cyber-attacks are increasingly relying on human vulnerabilities. Therefore, the role of DOGANA SDVAs in preventing future cyber-attacks is twofold: 1) they aim at better understanding of the current threats to the company by measuring the actual risk, and 2) they attempt to find potentially effective and tailored countermeasures to mitigate the risk.

Due to their nature, performing an SDVA is a very delicate process. On the one hand, it has to be as close as possible to a real cyber-attack in order to achieve realistic results. On the other hand, it has to be performed in a manner that is compliant with legal and ethical norms. Since social engineering attacks mean that an employee is deceived into violating company’s security policies, employees need to be involved in the assessment to achieve the high-level efficiency. For example, the main part of an SDVA could be aimed at measuring how personnel react during a phishing simulation attack, thus exposed to drive-by-infection and/or drive-by-download attack schemas. The result is the actual measure of the inclination of employees to fall victim to such an attack. It helps to estimate, moreover, the level of exposure of the enterprise to technological follow-up attacks from the simulated phishing campaign. The results of SDVAs may be useful both to raise awareness within the employees and to obtain commitment from senior management in order to implement mitigation actions.

Performing SDVAs within an organization requires attention on several points, such as guaranteeing the respect of the trust relationship between employer and employee, avoiding invasion of an employee’s personal sphere and taking into account differing national legal frameworks. Hence, during the whole organizational security management process it is of the utmost importance for a company to create an information security climate, to be transparent regarding managerial decisions and to involve employees in the decision-making process. To successfully implement DOGANA solution, employees must be appropriately informed and involved, in order to achieve higher level of a cyber-security.

 

DOGANA's official video

Please vote for this video with a “like” on YouTube. Help DOGANA to get more visibility and to win this EU contest.    

This project has received funding from the European Union’s Horizon 2020 Research and Innovation programme, under grant agreement No. 653618.

 

by Erik Kamenjasevic (KU LEUVEN)

 




This project has received funding from the European Union’s Horizon 2020 Research and Innovation programme, under grant agreement No. 653618