Blog & News Social Engineering

What persuasion techniques are generally employed in phishing e-mails?

Written by Davide Andreoletti, SUPSI

In this post we discuss what are the most influential persuasion techniques in phishing e-mails.
Social Engineering aims at manipulating users into performing undesirable actions, which likely lead to a data breach. Therefore, social engineering techniques are deeply rooted in psychology and, in particular, in persuasion techniques. Persuasion techniques have been widely studied in the literature, e.g., concerning marketing and politics.

Read more

 

When to perform a Data Protection Impact Assessment?

Written by Yung Shin Van Der Sype and Michiel Sudnik, CITIP - KU LEUVEN

The General Data Protection Regulation (Regulation 2016/679) (GDPR) was adopted on 4 April 2017 and will apply from 25 May 2018. Article 35 of Regulation 2016/679 requires data controllers to perform a Data Protection Impact Assessment (DPIA), when the processing is “likely to result in a high risk to the rights and freedoms of natural persons”. 

To clarify this new GDPR requirement, the Article 29 Working Party recently released a document with guidelines on DPIAs.
(The Article 29 WP, WP258, 4 April 2017).

Read more

 

Information Sharing and data breaches

Written by Davide Andreoletti, SUPSI

In this post we discuss the issue of data breaches inside companies, and, based on the analysed literature, we show that a well-orchestrated information sharing system is a possible solution to mitigate the problem.
Information sharing infrastructure: a viable mitigation solution to data breaches. Fredrik Bergstör, consultant at Tieto, declared that “Data is the new gold”, implying their incredible value in an increasingly digitalized world. In fact, according to Ponemon the average lost for a breach of 1000 records of data within a company is estimated to be between $52000 and $87000.
As a consequence, the cyber black market has grown to exploit this appealing source of revenue. The black market is characterized by a clear structure with defined entities and roles.

Read more

 

Employees are the weakest link - Enable your employees to effectively become a part of your security team. PART III: The Human Component’s Fundamental Role in AntiPhishing Prevention - Real-World Simulations

Written by Maria Monteiro, Filipe Custódio, VISIONWARE

This article is the third part of a series published by the DOGANA Consortium with the purpose of providing information on how enabling employees to effectively become a part of the enterprise security. To better understand this article please read the previous parts "Companies’ role in Antiphishing Prevention”, and "The Human Component’s Fundamental Role in AntiPhishing Prevention — Initial Training".

The best way to prepare employees for real-world attacks is to train them with real-world simulations. Individual learners follow different paths through the instruction based on their responses...

Read more

 

Employees are the weakest link - Enable your employees to effectively become a part of your security team. PART II: The Human Component’s Fundamental Role in AntiPhishing Prevention - Initial Training

Written by Maria Monteiro, Filipe Custódio, VISIONWARE

This article is the second part of a series published by the DOGANA Consortium with the purpose of providing information on how enabling employees to effectively become a part of the enterprise security. To better understand this article please read the first part "Companies’ role in Antiphishing Prevention”.

Assessment and training may significantly increase employee awareness, reduce click rates, and increase reports of phishing...

Read more

 

Employees are the weakest link - Enable your employees to effectively become a part of your security team. PART I: Companies’ role in Antiphishing Prevention

Written by Maria Monteiro, Filipe Custódio, VISIONWARE


This article is the first part of a series published by the DOGANA Consortium with the purpose of providing information on how enabling employees to effectively become  a part of the enterprise security.

Bearing in mind that phishing is becoming more and more common among cyber-criminals and has devastating outcomes, enterprises are keen to fight this ever-increasing threat by any and all means...

Read more

 

The real story behind the latest Pawn Storm attack and the Windows zero-day patch release

Written by Enrico Frumento, CEFRIEL

Recently the news reported an interesting new sample of a type of attacks that we know very well. This one is specifically interesting because of the structure of the attack: if you look at the process reported below, the process follows some interesting steps: a social engineering lure (a quite efficient one as usual from Pawn Storm OCG) is followed by a drive-by-infection and an ad-hoc malware, crafted by a malware forgery, after a fingerprinting of the victim's machine...

Read more

 

Multi-layer defence against SE: evolution and evaluation

Written by Carlo Dambra, PROPRS and Enrico Frumento, CEFRIEL

Social Engineering evolution

The idea of a multi-layer defence against cyber-attacks appeared in a SANS whitepaper in 2003 but at the time it was mainly referring to technological defences. Anyhow, the idea was to apply a series of coordinated defences to protect against cyber-attacks: security policy, perimeter router hardening, firewall, antivirus software, network switches, IDS, employees training, physical security and patch management. As explained several times within this Blog, the cyberattacks, initially targeting only the computers, have evolved to include also the Social Engineering (SE) attacks, thus targeting humans: today SE is the main-stream way to start an attack...

Read more

 

The current context of Social Engineering and the role of DOGANA

Written by Enrico Frumento, CEFRIEL

The DOGANA project focuses on the impact and the remediation of the human factor in security, which is one of the most demanding challenges of today’s security and for which no widely accepted and stable solutions currently exist.
As an example of this type of complexity, the 2015 DEFCON conference organised the sixth edition of a social engineering simulated contest, namely the SECTF (Social Engineering Capture The Flag) contest. The report issued on how the contest was organised and analysing its results contains extremely interesting conclusions, relevant on the one hand to focus the problem that DOGANA is addressing and on the other hand to underline the importance of the problem...

Read more

 




This project has received funding from the European Union’s Horizon 2020 Research and Innovation programme, under grant agreement No. 653618