An innovative and comprehensive Framework for Social Vulnerability Assessment presented at DeepSec 2014

by Enrico Frumento

Summary: As probably everyone knows by now, spear-phishing is the most effective threat in use today, and it is often the first step of most attacks. Even the recent JP Morgan Chase data breach seems to have originated from a single employee (just one was enough!) who was targeted with a contextualized mail. In this new scenario it is therefore of paramount importance to consider the human factor in companies' risk analysis. But is every company potentially vulnerable to this kind of attack? And how can this risk be evaluated through a specific vulnerability assessment?
These are the questions we will try to address. Since 2010, when we presented our study on a Cognitive Approach for Social Engineering at the DeepSec conference (https://deepsec.net/docs/Slides/2010/DeepSec_2010_Cognitive_approach_for_Social_Engineering.pdf), we have been working on extending traditional security assessment beyond technology to include the "social" context. Over these years we have had the opportunity to work on this topic with several large European enterprises, which confronted us with the difficulties this kind of activity raises in the relationship between employees and employer, from both the ethical and the legal points of view.
This experience allowed us to develop a specific methodology for performing Social Vulnerability Assessment (SVA) that ensures ethical respect for employees and legal compliance with European labour regulations and standards. The legal constraints, which define the limits of what these assessments may investigate, are quite cumbersome to understand, but we have built solid experience, especially within the Italian legal framework, that allows these studies to be carried out. We now regularly perform Social Vulnerability Assessments in enterprises as an integrated service. Using our methodology over these years, we have performed about 15 Social Vulnerability Assessments in large enterprises with thousands of employees (a gross total of 10.000 people): this gave us a relevant first-hand view of how vulnerable enterprises really are to modern non-conventional security threats.
In this talk we will share our experience, describe how we perform a Social Vulnerability Assessment, and present an overview of the results collected so far. These results may help to understand the level of risk that spear-phishing attacks pose inside companies, and some conclusions may be unexpected.
His research activity started at CEFRIEL (www.cefriel.com) in the field of e-health services and telemedicine systems, where he produced most of his scientific work. Since 1998 he has moved his research interests towards wearable electronic systems and unconventional security. Through his participation in several European projects and specialized task forces, he has gained strong experience in the area of cyber-crime and unconventional security. He currently works as a member of CEFRIEL's security research team, which continues the centre's innovation mission in the security area (bridging research to enterprises to support their innovation needs). He currently contributes research on secure code development, hacking/cracking techniques (reverse code engineering and code hardening) and the evolution of social engineering. Moreover, in collaboration with the CEFRIEL security team, he has conducted several on-field Social Vulnerability Assessments with large enterprises. He is also a member of the DCC (Microsoft Digital Crime Community) and participates in the EECTF (European Electronic Crime Task Force).