APT and Social Engineering: With New Threats Come New Assessment Methodologies

During the last few years, companies have evolved exponentially through the adoption of new technologies, devices and habits that allow them to improve the business from one side, but also to be more vulnerable to cyberattacks from the other. As the attack surface expands and cyberattacks evolve using different techniques and vectors, companies need to adapt their assessment methodologies, going beyond the traditional vulnerability and malware identification or data loss prevention.

For example, consider advanced persistent threats (APT). They are probably the most dangerous threats. They target specific companies and rely on social engineering as the main vector to gain access to inner information and communications technology (ICT) systems. In order to face these threats, companies should start considering possible tools or methodologies to evaluate their risk and the real extent of their exposure. What makes a corporation an attractive target? Could the employees effectively face an advanced social engineering attack? How simple is it to perform a technological attack against workstations? What kind of information is reachable and which assets are exploitable from hidden backdoors?

In my recent Journal article, I talk about the social engineering threat and human factor vulnerabilities, describing a management approach that involves employees as the target of the assessment. It is aimed at measuring the actual related risk, ensuring compliance with laws and regulation.
This approach, called social-driven vulnerability assessment, attempts to go beyond the traditional security assessment, including both the social engineering factor and the related technological consequences as seen through a cyberattack simulation.

Results based on my work experience in the last 5 years show that social engineering attacks are often an underestimated risk. Employees can be deceived into performing dangerous behaviors, such as visiting a web site that could put the company at risk. Moreover, as found through a technological follow-up aimed at simulating a cyberattack enabled from these kinds of behaviors, it is usually possible to bypass the defense layers and obtain access to sensitive information.

The obtained results (i.e., the percentage of employees who fall for a phishing attack or evidence of critical projects or customer data accessed through an attack simulation) are quite impressive and have the advantage of being understandable to nontechnical people. Sharing these results with management could help IT officials obtain the necessary permission to implement countermeasures to social engineering threats, such as awareness initiatives.

Read Roberto Puricelli’s recent ISACA Journal article:
“The Underestimated Social Engineering Threat in IT Security Governance and Management,” ISACA Journal, volume 3, 2015.

[ISACA]