Social Driven Vulnerability (English Version)

50 %
50 %
Information about Social Driven Vulnerability (English Version)

Published on February 14, 2014





SOCIAL-DRIVEN VULNERABILITY CEFRIEL INNOVISION PAPER February 2014 SOCIAL-DRIVEN VULNERABILITY Facing and managing vulnerabilities driven by Social Media 1


SOCIAL-DRIVEN VULNERABILITY Index 1 Introduction ..................................................................................................................................................... 4 2 Social-Driven Vulnerability today ..................................................................................................................... 5 2.1 The key role of human factor in new cyber attacks ................................................................................... 5 2.2 The main trends increasing the Social-driven Vulnerability ...................................................................... 8 3 Criticalities and threats .................................................................................................................................... 12 3.1 Critical factors.......................................................................................................................................... 12 3.2 Cybercrime’s targets and objectives......................................................................................................... 15 3.3 The new “social” threats .......................................................................................................................... 16 4 Examples of attacks......................................................................................................................................... 19 4.1 Leveraging target’s trust ......................................................................................................................... 19 4.2 Identifying the right lure.......................................................................................................................... 20 4.3 Connecting information........................................................................................................................... 21 5 Defense strategy against Social-driven Vulnerability: a 360° paradigm shift..................................................... 23 5.1 Social monitoring .................................................................................................................................... 26 5.2 Technological monitoring ........................................................................................................................ 27 5.3 Prevention and control ............................................................................................................................ 28 5.4 Organizational implications of the integrated approach to corporate security ......................................... 29 6 Conclusions ..................................................................................................................................................... 30 3

4 | CEFRIEL INNOVISION PAPER FEBRUARY 2014 1. Introduction Today, in the security area of corporate IT systems, companies have to In fact, people’s way of interacting is changing towards a very close “bidirectional” relationship that implies creating, sharing, commenting information, and not only producing and/or receiving it. To this end, people do not use only blogs, but a growing number of other social platforms their speed of circulation and the number of people that can access it. The increasing use of Social Media, especially by the so-called “digital natives”, is strengthened by other factors that risk worsening the vulnesion of mobile devices and the possibility of being steadily connected to the internet all day long, potentially without interruption, both at work and in the free time. lion people aged 13 and older, representing 54.6% of the mobile population1 2 . through their smartphones at least once in the month. In this context, it is clear how the human factor can increasingly represent the weak link in the corporate security’s defense processes and how interventions on the social dimension have now to be integrated with ones are required to continuously evolve to better protect both the perimeter and the company’s internal structure, so to develop, as much as possible, a synergic action for a 360° protection. 2 Netcomm, Market dynamics in the international context, May 2013.

SOCIAL-DRIVEN VULNERABILITY 2. Social-Driven Vulnerability today Cyber attacks are generally becoming more and more numerous and widespread, representing a potential threat for every kind of target, CLUSIT report 2013, it is clear that 2012 was marked by a strong growth of cyber threats at international level, with a global increase of 254%, and that Cyber Crime already overcomes 50% of the total (from 36% in With respect to the objectives, although the Government remains the most frequently attacked target within the considered sample, attacks’ highest growth rates were detected in the “Online Service and Cloud” sector, which includes Social Networks, with a 900% increase. More in detail, some remarkable cases of digital frauds and information systems malfunctions, recently carried out to damage companies and public institutions, highlight how the human factor, placed in an increasingly connected, mobile and social context, represents an element of growing vulnerability in the corporate security’s defense processes. 2.1 The key role of human factor in new cyber attacks Interaction dynamics and personal behaviours are more and more cyber attacks starting from the human factor’s peculiar vulnerabilities. getting private information by breaking reserved access or inducing the target itself to execute given actions. When referring to social engineering, it is necessary to remember that, from the standpoint of the protected information asset, users are one with the systems they use or manage and they often represent the human vulnerabilities, exploited by means of social engineering techniques, is now one of the key commitments of professionals dealing with security. loped so to remain “below the tracement line”, i.e., without activating 5

6 | CEFRIEL INNOVISION PAPER FEBRUARY 2014 engineering attack usually enables to point out a “human” target that is vulnerable to given “messages”. By getting in touch with the selected victim, it is thus possible to avoid all technological drawbacks related to the necessity of exploiting particular vulnerabilities in technological systems: the hacker gets into the system’s main door, helped by the victim itself and has not to “break open” any system3. One of the most important frauds recently reported is the attack to 4 , which is a leading company in the information security sector. The and are therefore particularly meaningful to highlight the peculiar characteristics of the new threats. certain role was also played by the creation of a credible pretext5, leveraging the fact of having been introduced to a second user through a third person whose trust had already been gained. It is important to notice the attack started with a long period of observation to understand the victim’s role and the various assets he/she had access to. The hacker could then send a phishing e-mail to the group of selected sed on peculiar aspects able to catch their interest («2011 Recruitment Once opened, the infected attachment started the execution of a tool developed from an open source available source code and transformed into a malevolent tool that ran outgoing connections, through which corporate information contents could be then leaked outside the company. ticular sort of attack, it was not possible to detect how much corporate pany had implemented an absolutely up to date perimetral and logic 4

SOCIAL-DRIVEN VULNERABILITY security level, by means of the best technologies available on the market, it turned out to be vulnerable against partially non-technological threats. The case of the British Armed Forces: an example of involuntary “leak” tion in the system happened to Prince William in November 2012 during Prince William’s photos legally taken by a journalist and widespread as a part of a common photo shooting. The interesting element is given by the fact that, in the photos, there are some British military systems’ security details, and, in particular, some passwords appearing on the wall in the background. unattended by completely “human” behaviours. Secondly, this episode reveals how, starting from a shared photo, hackers can already get multiple and crucial information: Details on the workplace (for example, from industrial plants, Details related to the fact the company is operating in a speciPersonal details and preferences, passions, hobbies. In general, these elements can be likely used by hackers to create Geo-location. Photos are often automatically geo-located by modern cameras or by smartphones, enabling to recognize Information about colleagues. Photos could include also other colleagues that do not want to be photographed and help unVarious and equally critical information, like work details or even passwords, like in the present case, appearing on the walls in the background. 7

8 | CEFRIEL INNOVISION PAPER FEBRUARY 2014 2.2 The main trends increasing the Social-driven Vulnerability The scenario of exposition to cyber attacks previously outlined is greatly determined by some general trends, which contribute to increase the ple’s behaviour and their approach towards technology. In particular, these trends are represented by: the possibility of being always connected, also in mobility, thanks to devices like smartphones and immediacy of new generations in the use of technology. CONTINUOUS ACCESS TO ONLINE CONTENTS AND SERVICES always and everywhere, thus accessing on-line contents and services all day long thanks to the chance of easily passing from one device to another according to use contexts. This evolution in the approach to technology enables to read a newspaper on the tablet while having breakfast, access web contents and e-mails on tablet or smartphone while getting to work and then go on appointments by using the tablet, access web and e-mail by mobile also during breaks, be able to be on-line thanks to the innovative functionalities of the connected TV, and, in the end, before going to bed, comfortably read a book and access web and multimedia contents through one’s own tablet. This continuously evolving technological scenario determines an improvement of the user experience, which is more and more 6 . standpoint, increasing the overall vulnerability of devices and their information assets. In fact, the opportunity of being always online and active increases, on the one side, the global time information is exposed to the threat of fraudulent attacks, and, on the other one, causes an inevitable reduction of the overall control level users can have on their data and ments of the day and according to the device use context. Consequently, to the occasions (for example, giving an “OK” in a means of transport is and , on, May 2013.

SOCIAL-DRIVEN VULNERABILITY ment of the customer experience. Users tend, in fact, to increasingly ask for an easy and intuitive use of technology, in favor of a user experience that is as direct and quick as possible. That concept implies a “simple” apvery articulated passwords or authentication following steps to access personal data can reduce data vulnerability and thus bring users advantages, it is also true that they will hardly be accepted and used, since they delay social and business processes and relationships and are therefore perceived as a disadvantage. GROWING MOBILE DIFFUSION Due to connection continuity, the mobile experience is replacing the desktop PC one, as already highlighted by Gartner studies at the end of 2012: in 2013, in fact, mobile devices were estimated to substitute the according to ICD forecasts 2013 and 2014, more than 1 billion smartpho217,1 million tablets were sold in 2013, which, respect to 2012, represents a growth rate of 50.6%. element to be considered by those who deal with information securismartphones, used as an alternative to company’s PC and/or tablet. sumer Trends Report”, the current trend is characterized by new attack Consequently, it is now necessary to plan and extend security systems ver, a global protection must include both the company mobile (that is not only a potential attack target itself, but that could also be a means rate goals (that could be anyway a device subject to company-oriented be downloaded. MORE AND MORE SOCIAL USERS AND CONTENTS and interaction core, Social Networks have then moved users’ focus are uploaded on YouTube. Considering also other platforms (Pinterest, 9

10 | CEFRIEL INNOVISION PAPER FEBRUARY 2014 information and contents produced and shared by users. In particular, active users. Picture 1 Source: their visiting rates, and the number of used platforms, is increasing con- anymore, but also in the corporate business one. increases information exposition and vulnerability of corporate assets. criticality and privacy for the company context. THE APPROACH OF DIGITAL NATIVES TOWARDS TECHNOLOGY AND SOCIAL MEDIA vulnerability, it is also necessary to deal with the issue of the so-called cases, this generation is referred to by using the term “Millenials” or “Y Generation” and digital natives are often commonly thought to represent the majority of the Social Network’s population.

SOCIAL-DRIVEN VULNERABILITY In the Italian context, for example, it is interesting that the generation gistered to a social network, 55% to a forum, 34% is a blog follower and 17% is a blogger7 . The so-called “digital natives”, in fact, deal with new technological devices and services in a more “natural” way, integrating them more spontathey are “free” from the necessity to learn the digital use. This generation tends therefore to be particularly “multitasking” and rapid in using technology, is naturally oriented to the touch, to interactivity and simplicity of use, since what is unidirectional and complex is not generally part of this user experience and is hardly comprehensible. tiality and privacy, a 2012 Research 8 only 31% considered security as one of the most important elements to pay attention on when taking a decision in the information technology origin and have had to adapt to it, digital natives tend, for example, not to give importance to passwords: only one to three young people, in fact, pays attention to the solidity of his/her own password and many of them 9 . In many cases, it is an awareness issue, as underlined also in the CLUSIT report 2013: «the notorious “digital natives” on average do not know anything on ICT Security, although they are almost all rigorously provided with a smartphone, always connected on Social Networks and thus exposed to every sort of threat». more information is shared in a naive way: in some cases, it is shared by digital natives themselves, but, in other cases, information is shared by characteristic of digital information “permanence” and on the fact, in the future, information can be analyzed both by potential employers and by fraudulent people. 8 Dimensional Research, 2012. - 11

12 | CEFRIEL INNOVISION PAPER FEBRUARY 2014 3. Criticalities and threats The growing vulnerability of corporate information systems is determined by some peculiar criticalities related to the raising amount of shared information and to the rapidity it is exchanged and widespread. Moreover, these criticalities are also increased by the more and more rapid and continuous use of technology, with an overlapping of the private and In this context, companies are exposed to a new series of threats exploiting social dynamics and multiple platforms to “know” employees and enterprises, detect their vulnerabilities and breach at a new level that goes beyond the perimetral technological coverage traditionally protected. 3.1 Critical factors phenomena able to increase systems’ vulnerability: on the one side, an augmented exposition of personal information and, on the other one, the reduction of the chances to keep it under control, together with the numerous ways to access Social Media both in the private and in the working sphere. Information exposition Personal information is more and more easily and quickly shared on the internet and, therefore, “at disposal” for possible attacks, too. groups of people and, thus, information production and exchange. More precisely, these tools show peculiar characteristics that foster informa- published online, the author loses control on it and cannot grant its elimispeed rates10 In general, it is more and more evident that, during the day, people tell can detect two precise trends. If, on the one hand, there is a progressive multi-device fruition, i.e., users move from one device to another going on accessing the same kind of contents, on the other hand, there is a contemporary multi-device fruition, during which users exploit more devices at the same time. 10 Bennato, Sociology of Digital Media, Roma-Bari, Laterza, 2011.

SOCIAL-DRIVEN VULNERABILITY for promotional and commercial activities, and to establish relationships porate accounts on Twitter and to create placeholders on various platforms. In the context of augmented connection to multifold services, sites, applications, Social Media, communities, the increase and concatenation of one’s own accounts make the amount of personal information vulnerable and attackable through weak points: the use of e-mail as “universal” easily resettable and can be consequently reached in a fraudulent manner. In particular, authentication modalities on the Social Media are extremely weak. Because of the growing numbers of platforms, users tend to repeat the same combinations name/mail and password, and, in many cases, it is possible that, due to reasons of simplicity, they use their work e-mail. Besides, the only validation during the registration pertains the email that is required to be active: there are no further processes and this In some cases, users pay attention to information they share and to security settings of their own accounts on the Social Media, but they have no mation about them. In addition to this, when a third person shares the contents, duplication makes it impossible both to cancel and to eliminate it. information on the victim’s habits and represents a great means to exploit some vulnerabilities while the victim is far from the computer. Due to a growing information exposition, people tend to reduce their attention to the potential use people can make of it on the net. The information amount, the increased possibilities to access it, and the exchange rapidity, together with the habit to share contents (in general, the more the chance to have everything precisely under control and also the user’s predisposition to actuate control mechanisms, since they are too much expensive in terms of user experience’s time and quality. Moreover, since people tend to give little value to the information they own, they also tend to share it more easily: in fact, as a password could be more easily shared than a token or a smart card, similarly, sharing information with one’s own contacts can be perceived not as a risky or potentially damaging activity, thus increasing the corporate vulnerability to fraudulent attacks. In many cases, in fact, users, being convinced that Information control and access modalities to Social Media 13

14 | CEFRIEL INNOVISION PAPER FEBRUARY 2014 the Social Media environment is secure (because populated by contents risk to follow low secure links and put various type of malware into company computers, damaging the corporate network itself at various levels. In addition to this, when a third person shares contents, duplication makes it impossible both to cancel and to eliminate it. It is also necessary to consider that Social Media users are not simply “citizens”, but they can be also employees, managers and executives, i.e., in general, members of a private company or a public institution, thus owning information that cannot be always widespread outside. In addi- usually tend to create a unique “hybrid” ensemble to be used without any that do not necessarily correspond to the corporate vision can be read guished, any message conveyed by employees would contribute to the creation of the corporate image anyway. Social Networks and Social Media all day long, and that, also during the working time, they tend to use these means to interact with their own friends and share information. These activities are not necessarily done through the work PC, on which, in case, it is possible to employ some type of control and protection, but often through personal smartphones that may be later connected to management is more complex, since the presence of employers’ persoown material and immaterial assets. by employees: On the one side, contents publishing on external platforms, without time distinction, can lead to image damages or the escaping of reserved information, or it can be leveraged for On the other side, the use of external platforms during working hours can expose the corporate computers and network to risks brought by various types of external attacks.

SOCIAL-DRIVEN VULNERABILITY 3.2 Cybercrime’s targets and objectives In this scenario, the most vulnerable companies have been characterized banks and companies constituting the Country’s infrastructural network, but also companies becoming a “bridge” to access other information (big same attack model also to SMEs. elements also into production contexts that are traditionally “autono- ple, plants for energy production, such as generating and nuclear power ad, are more and more distributed and interconnected on the network. and structures represented their protection prerequisite, today’s most serious problem is the fact that each device connected on the net is on its own potentially vulnerable and subject to possible attacks by hackers. security side, too, given that they can be not only manually broken, but also more vulnerable against viruses, anomalies, etc., up to the crash of some applications. Due to the peculiarities of these systems, it is clear the potential negative impact from the production and social standpoint and the consequent necessity to rethink the overall protection mechanisms against the multiple fraudulent actions. report what is highlighted in the CLUSIT Report 2013: Everyone has already become a potential target, simply because of being connected to the Internet. Statistically, there are still distinctions betweprivate citizens and VIPs, between men and women, adults and children, ferences with respect to the victim type, but this depends above all on the fact they are more and more specializing; yet, on the other side, they have become so numerous and impudent, and their action is already so perva- 15

16 | CEFRIEL INNOVISION PAPER FEBRUARY 2014 ce”, there are no “secure” categories anymore. Attacks to data or services Information attacks have multiple goals. In general, we can distinguish between gathering information that can become monetary value for the hacker and breaking into systems for sabotage purposes: mation asset, in order, for example, to be able to break into its or to take possession of business information or industrial seIn the second case, instead, the attack aims at directly causing malfunctions or disruptions, or blackmailing the company by threatening to create malfunctions and disruptions, through the manipulation of internal systems. Moreover, apart from the main objective, during the necessary time period to complete the attack, all information stolen along the path and potentially interesting (information on the credit card, bank account exploited on the black market where they are sold at the list price according to the information type11 . 3.3 The new “social” threats Gli Information attacks can be only social, only technological, or be characterized by a combination of various aspects. In general, since attacks can be highlighted: : the user downloads (intentionally or by of websites that exploit vulnerabilities in web browsers. They are being increasingly used by attackers to target web browser In both cases, the user intentionally follows a malevolent link either received through mail or private communication, or shared on a Social Media. Depending on the practical execution of the attack, it can be also necessary to run a programme, plugin or attachment by means of the user itself.

SOCIAL-DRIVEN VULNERABILITY 17 between PC and Social Media, the risk is not canceled, but only, in some cases, partially reduced. The Social fruition through mobile devices even more exposed, the workspaces to which they are connected (users’ personal devices are often not equipped with protection systems and therefore more subject to attacks that are potentially transferable to It is interesting to notice how the perception of the risk and, therefore, Picture 2 Risk perception depending on social platforms Source:, 2012 - The list “ ” - - One the most important aspects to be considered is the fact these risks for the company are connected one to the other, but, on the contrary, the potential threat is very often represented by a combination of them. called malware 1.0, since they are built from the beginning to be integrated into these new socially twisted threats.

18 | CEFRIEL INNOVISION PAPER FEBRUARY 2014 THE MOST IMPORTANT SOCIAL THREATS AGAINST THE VARIOUS COMPANY’S ASSETS Financial assets: Productivity loss due to the time spent by employees on Social Media. Industrial secrets and intellectual property: Information on procedures and working modalities published by Loss of control by the company on what is published on Social Media. Physical security: ten employees. Information assets and company’s network: Corporate image and reputation: -

SOCIAL-DRIVEN VULNERABILITY 4. Examples of attacks Social Media are therefore tools the company can use to improve its per- let’s analyze three examples of attacks that exploit Social Media and that can be combined into following steps making a complex attack. 4.1 Leveraging target’s trust One of the most important aspects for successful social engineering attacks is to obtain the target’s trust, in order to persuade people to execute the target action. ronment to do these activities: the connections developed within these platforms are born, in fact, from the idea to link and gather people one element in Social Engineering attacks. To develop these attacks, it is possible for example to proceed either in a direct manner on other platforms, or in an indirect manner. In the second case, before starting directly with the friendship request, the hacker develops some relationships with the target’s friends, so to be then more credible and reliable: people tend, in fact, to trust more and to positively reply to requests from someone that is, apparently, already in their own contact group. Once obtained the target’s trust, the hacker can: Gather further information (for a spear phishing attack on a Interact with the target by sending malevolent links in the updates or private messages, leveraging the trust gained on the platform (this is therefore a spear phishing’s variation, which, This kind of attack12 is increasing thanks to the available information number and the low attention many people pay when accepting friendship requests. In addition to this, also not being present on the Social reserved information ( 19

20 | CEFRIEL INNOVISION PAPER FEBRUARY 2014 Networks represents a threat, since it become easier to hackers creating 4.2 Identifying the right lure Spear phishing is a particular kind of phishing. This last one is carried out, for example, through e-mails that require to unlock one’s own bank account or to send money to needy people. These e-mails are usually characterized by a poor-cared graphics, grammar mistakes, references to banks one has no relations with. They are therefore generic e-mails exploiting the law of big numbers and leveraging the fact that, by sending this type of mail to million people, sooner or later, it will be possible to get in touch with someone. Spear phishing doesn’t leverage quantity, but quality, instead. Objective of this phishing type is to compromise workplaces and users through more targeted attacks addressed to subjects of particular interest, as a direct or indirect way to access relevant and strategic data. In this case, a customized lure is created by exploiting the targeted user’s “digital dossier”, which gathers all personal and work information in possession of the hacker. Spear phishing mails are actually carefully prepared and focused for seem to be from a friend or a company mail account (internal or from a Networks represent a very rich information source. cessary step would be to take possession of some access credentials and compromise some workplaces. To do this, spear phishing represents the ideal and most often used technique. tical Social Network, for work environment, all users insert their current to get visibility. Through the platform’s native functions, it is possible to start analyzing, for example, current employees, latest employed people users generally tend to be rather cautious and to set privacy levels in a more or less strict way. Nevertheless, it is often possible to get a photo information, anyway. Moreover, users sometimes create a link between their blog, twitter account and other applications, providing additional about that user.

SOCIAL-DRIVEN VULNERABILITY latively simple to correctly identify one’s own target and start gathering necessary information for the spear phishing attack. In fact, many users and in case also the events the user has participated to. Once closed the analysis phase, hackers can send a very customized mail prepared for the most vulnerable target to start the attack’s following success rate for spear phishing mails created like this is extremely high13 and can reach 70%14. 4.3 Connecting information information that employees share on the net: the so-called OSINT activisources and connect the various information. In addition to exploiting this information to increase a possible digital dossier and prepare spear phishing attacks, it is possible, in some cases, to use this information to analyze competitors’ activities and prepare some feedbacks in advance (for example, by submitting new customers In this context, we can highlight, for example, how geolocation through - geolocate most frequently often possible to discover meeting rooms’ names (to be used for Networks (in many cases, people most frequently sharing tend to scribed. 2010. 21

22 | CEFRIEL INNOVISION PAPER FEBRUARY 2014 . Together with geolocation, in many cases, people insert some images in the updates. Photos sometimes show buildings’ external sides, but in various cases, photos of interior areas are published, too, thus providing hackers with important information, for example about the comIdentifying clients cautiously, in many cases, it is possible to analyze transfers and identify company’s clients and partners: this activity is often easy to do, since people, in addition to geolocation, frequently add Locating plants yees may geolocate and publish images of places that should be reserved or the existance/presence of which should not be widespread. hackers can already get a big number of interesting information. forms, in fact, it is possible to write in the update the place one is writing from and, very often, to “tag” also other people. So, it is also possible to indirectly gather information on users, by means of contents shared by third people and that owners cannot even keep under control.

SOCIAL-DRIVEN VULNERABILITY 5. Defense strategy against Social-driven Vulnerability: a 360° paradigm shift New information security threats greatly leverage various key factors. Some of them have been widely discussed and are mainly related to peand leverage on the exploitation of this attitude. On the one hand, considering the increasing complexity of technological infrastructures, there are numerous initiatives aimed at really strengthening information systems. Modern operating systems keep on adopting new techniques15 to prevent a malevolent software, should it be brought by a user into its own PC or spread by browser or other software vulnerabilities, from compromising the core of the system and being able to fully access all data and inputs. In this sense, the social approach is the one that best manages to overcome the security barriers set by the company and to drive the user to adopt behaviours against which no countermeasures have been implemented yet. On the other hand, while the issue about the massive analysis of activity trackings through technological devices is currently widely managed by IT solution vendors (however complex it is to deal with this issued in the much less for matters like the Information Security oriented monitoring of company’s social exposition. In that respect, information and material to do “social-driven” attacks are more and more available to hackers, without an adequate information counterpart for people in charge of the company perimeter’s protection. tents accessed by users: it will be surely possible, with an accurate tu- to attack a restricted number of people or malevolent code that is built ad-hoc to be transmitted through those lures. In addition to this, there is a business evolution related to cybercrime that is increasingly pushing towards an organized approach strongly aimed at a rapid return on investments. The creation and engineerization of sophisticated malware, even though through the contributions of people still working “by passion” today, actually require the costs of a 15 Like for example “sandboxing” techniques, “address space randomization”, or “trusted computing”. 23

24 | CEFRIEL INNOVISION PAPER FEBRUARY 2014 software factory’s activity. The trade of customized malware has reached much higher prices if compared to the “general purpose” malware. Therefore, this pushes organizations towards a strongly target-focused approach, making the tool choice almost only a matter of advantage and convenience. Today, one of the means enabling to maximize the costs/ exploitation. On the basis of the numerous current tendencies highlighted so far, it is clear that it is necessary to protect a company in a new way (whatever a real paradigm shift in the study and predisposition of the company’s defense system. To sum up, it is necessary to envisage a parallel evolution both of human factor involvement and of the technological approach used in the planning of corporate protection’s operations. Today, although with the unavoidable unlimited variations characterizing each organizational asset, information security’s countermeasures are usually in charge of a dedicated IT area. This typically operates with a with the development of core business solutions and involving the prelogy is therefore often the core of any information security plan, since the adopted approach sounds “let’s identify the adequate technology”. tions that take into consideration the growing importance played by processes, too. Therefore, the technologies adopted to develop the overall be also easy to be monitored and integrated in corporate systems for information gathering and processing. The growing change in that sense less also this step is not enough, yet, and requires a further evolution. Strong choices are necessary to enable the shift from the current situation where the human factor is “separated” from technology and “endures” security to a situation where people are actively involved in the security processes. Such a paradigm shift is extremely challenging for the tion towards this model, in fact, it is required to share objectives, more or less intensely, with functions that are not directly connected with the corporate “technological” dimension, but related to the management

SOCIAL-DRIVEN VULNERABILITY 25 Moreover, executing the “patching of human factor’s vulnerabilities16” is not such a deterministic process, with given results, as the patching comprehensible how it can be complex to set new “attitudes” within the most commonly used social attack approaches, and reduce those behaviours that can enable the attacks themselves. In this context, it seems that the winning strategy is to generally rethink the monitoring of the security level reached by the company both by creating new areas focused on the “social” dimension and by rethinking the technological monitoring in the perspective of a more detailed and integrated for a 360° defense that should be as complete as possible, and Considered in the technological context, these probes are the traditional detection points of not authorized IT accesses and actions, while, applied stop, attack attempts. Picture 3 Distributed and multilayer protection scheme,integrating various compleSource: CEFRIEL, 2013 The scheme represented in Picture 3 highlights such a change of approach: no more only a solid perimetral security independently from the contents to be protected, but a set of actions that aim at protecting machines, information, users both as single aspects and as part of a whole. rity interventions must include at least three action macro areas, while, today, not all of them are always adequately considered and monitored:

26 | CEFRIEL INNOVISION PAPER FEBRUARY 2014 The technological monitoring extended to all of the company’s IT The “monitoring on the monitoring”, conceived as strong stronghold of the processes that allow, from the results and alerts barriers. action lines with respect to the possible intervention needs. 5.1 Social monitoring - larly delicate, since it implies two operating aspects that are potentially elements of attention and organizational involvements as regards their execution. tion on the Social Media (synergic, but not equivalent to activities that are more and more often developed to monitor brand reputation17 and sentiment18 formation people that are variously linked to the company expose on the Social and more in general on the Internet. The issue is complex and toring activities on media contents with a more “personal” nature and cannot be simply on demand, but it must take place in a continuous and should not only cover known areas (the company’s digital properties, i.e., also focus on all contents that can be reached on the Internet although not known by the company. In fact, this sort of contents is often extremely similar to the original company’s contents, so that, in many cases, they are confused with them. Consequently, they can be fully manipulated at their liking by people managing them and thus used to target 18 People opinion towards a given brand, product or service. The sentiment analysis is used to try to understand people predisposition towards the analyzed element.

SOCIAL-DRIVEN VULNERABILITY 27 to do opportune activities towards internal users that are in the position, as previously described, to represent a bridge to overcome the perimethrough focused assessments and attack simulations, the real intervention need, also considering possible awareness activities already executed. In this case, the detected numerical data is not important in absolute terms, but as representative of an overall percentage of exposition towards a possible social attack of the reference company sample used to highlight what areas of the target users are more subject to what types Picture 4 subject category and attack typology In particular, the emerging analysis dimensions cover from the demographic characterization of the sample, or of the potential access level to corporate information, to the combination of social and technological factors characterizing the attacks that have turned out to be the most that manages and direct them, guaranteeing adequate follow-ups on the envisioning the necessary involvement of various company’s subjects” 5.2 Technological monitoring at the same time, it cannot obviously exclude technological operations. It is necessary to highlight, in fact, that, although the intervention on the social dimension has been unavoidable by now, it is anyway not enough to protect the company, since the technological dimension keeps on defense will be the one that is able to leverage both dimensions at best.

28 | CEFRIEL INNOVISION PAPER FEBRUARY 2014 In this sense, continuous monitoring must be linked to a “divide et impera” attitude, which is certainly not new in the best practices to protect IT. Keywords like “defence in depth”, segmentation, intrusion detection and prevention with lures on the internal networks are not new, in fact, to those who manage and plan the company’s IT also paying attention to security problems, and such an attitude must be actually considered the company’s external perimeter is not enough, but it is necessary to segment also the internal structure and defend the various sections’ perimeters19 . Only by doing this, it is possible to prevent a single perimeter’s violation, obtained through social means and therefore below the technological detection radars within the company, from becoming a complete access to the company’s information assets. ced Persistent Threats today: hackers’ investment on the information searching activity that enables the social phase of their attacks is often widely rewarded, once passed through the external perimeter, by the evidence there is a low level of internal protection. Nevertheless, this is not enough. There must be also a regular analysis to promptly react to possible attacks and to isolate the compromised IT portions avoiding worst consequences. cial monitoring previously described is required to complete the “lateral” defending structure of a “castle”. The purpose is to protect both from the new intrusions “from above” that can directly hit people “overcoming” the walls and from the new techniques that persuade them to directly open the castle’s “main gate”. 5.3 Prevention and control gies and the social monitoring do not prove to be enough, since it is also necessary to insist on control processes so not to make those intervenfore, the monitoring will not be done only on ICT equipment consoles but, since the human factor must be more and more integrated in the technological chain, it will be necessary also a monitoring on “human” grating Security and Systems Engineering, Wiley, 2006

SOCIAL-DRIVEN VULNERABILITY of the inputs coming from people, which should themselves become control “lures” in addition to the technological ones installed on the PC and within the networks20 . To this extent, it is essential, for example, a tion procedures, i.e., concatenated actions done by multiple subjects at multiple levels to stop and neutralize ongoing attacks. 5.3 Organizational implications of the integrated approach to corporate security company’s organization. The more the starting condition (also of a “cul- tures, if present, should be also involved, like those in charge of Innovation or Risk Management (the social risk, like all other risks, must be ting contexts. In particular, the value of involving the Innovation structure is related to the fact the new security approach outlined so far is not only innovative on the whole, but it also requires a series of single interventions fully disruptive in respect to the company’s traditional activities, both in terms of development and implications. strengthens security, on, May 2013. 29

30 | CEFRIEL INNOVISION PAPER FEBRUARY 2014 6. Conclusions Security technological interventions are required to contextually evolve horizontal, integrating external perimetral protection with the internal one, and the vertical, raising interventions from the level of technology to the level of people. In particular, it is necessary an integrated approach represented by a set functions and in synergy also with the allocated budgets for structures - driven Vulnerability’s dynamics. Moreover, it promotes the reduction of dangerous behaviours for a 360° protection programme of company’s information assets. Authors © CEFRIEL - Milan, February 2014 - Some rights reserved This work is released with a Creative Commons License ( were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use. -

SOCIAL-DRIVEN VULNERABILITY CEFRIEL experience tion and management of modern company information systems. rience acquired in supporting the innovation process of companies and and information availability are critical factors. The operating model is enhanced by the capability to aggregate, manage and transfer the competences acquired in project development and by the steady relationship with information security managers and professionals. ve characteristics: not only the support to outline and implement the company’s social strategy, but also the user sentiment analysis about contents the company shares on Social Networks. The Security and Social Media competences acquired and continuously developed have been applied for years so far to innovation projects developed in collaboration with primary Italian organizations to assess social and technological vulnerability. 31



Add a comment

Related presentations

Related pages

The Underestimated Social Engineering Threat in IT ...

CEFRIEL, “Social Driven Vulnerability,” Technology, February 2014,
Read more

CEFRIEL InnoVision Papers - CEFRIEL

Social-Driven Vulnerability (English Version) 2013. Social-Driven Vulnerability (Italian Version) 2011. 3+1 Challenges for the Future of Universities.
Read more

Vulnerability - Wikipedia, the free encyclopedia

In its sense, social vulnerability is one dimension of vulnerability to multiple stressors (agent responsible for stress) and shocks, including abuse ...
Read more

Vulnerability - ScienceDirect

Evolving insights into the vulnerability of social-ecological systems show ... Vulnerability is driven by inadvertent or ... English gardeners ...
Read more

Shield: Vulnerability Driven Network Filters for ...

Social Sciences ... Vulnerability Driven Network Filters for Preventing Known Vulnerability Exploits ... The definitive version of this paper can be found ...
Read more

Social capital and survival : prospects for community ...

Social capital and survival : prospects ... prospects for community-driven development in post-conflict Sierra Leone (English) Abstract. This social ...
Read more

Effective Approaches to Risk Assessment in Social Work: an ...

Read more

Kenya - Western Kenya Community Driven Development and ...

... Western Kenya Community Driven Development and Flood Mitigation Project (English) ... Version Type Buff cover
Read more