SOCIAL-DRIVEN VULNERABILITY
Facing and managing vulnerabilities driven by Social Media
CEFRIEL Innovision Paper, February 2014
Index
1 Introduction
2 Social-Driven Vulnerability today
2.1 The key role of human factor in new cyber attacks
2.2 The main trends increasing the Social-driven Vulnerability
3 Criticalities and threats
3.1 Critical factors
3.2 Cybercrime’s targets and objectives
3.3 The new “social” threats
4 Examples of attacks
4.1 Leveraging target’s trust
4.2 Identifying the right lure
4.3 Connecting information
5 Defense strategy against Social-driven Vulnerability: a 360° paradigm shift
5.1 Social monitoring
5.2 Technological monitoring
5.3 Prevention and control
5.4 Organizational implications of the integrated approach to corporate security
6 Conclusions
1. Introduction
Today, in the security area of corporate IT systems, companies have to
In fact, people’s way of interacting is changing towards a very close “bidirectional” relationship that implies creating, sharing and commenting information, and not only producing and/or receiving it. To this end, people do not use only blogs, but a growing number of other social platforms
their speed of circulation and the number of people that can access it.
The increasing use of Social Media, especially by the so-called “digital natives”, is strengthened by other factors that risk worsening the vulne-
sion of mobile devices and the possibility of being steadily connected to the internet all day long, potentially without interruption, both at work and in the free time.
lion people aged 13 and older, representing 54.6% of the mobile population [1]
through their smartphones at least once in the month.
In this context, it is clear how the human factor can increasingly represent the weak link in the corporate security’s defense processes and how interventions on the social dimension have now to be integrated with
ones are required to continuously evolve to better protect both the perimeter and the company’s internal structure, so as to develop, as much as possible, a synergic action for a 360° protection.
[2] Netcomm, Market dynamics in the international context, May 2013.
2. Social-Driven Vulnerability today
Cyber attacks are generally becoming more and more numerous and widespread, representing a potential threat for every kind of target,
CLUSIT report 2013, it is clear that 2012 was marked by a strong growth of cyber threats at international level, with a global increase of 254%, and that Cyber Crime already exceeds 50% of the total (from 36% in
With respect to the objectives, although the Government remains the most frequently attacked target within the considered sample, the attacks’ highest growth rates were detected in the “Online Service and Cloud” sector, which includes Social Networks, with a 900% increase.
More in detail, some remarkable cases of digital fraud and information system malfunctions, recently carried out to damage companies and public institutions, highlight how the human factor, placed in an increasingly connected, mobile and social context, represents an element of growing vulnerability in the corporate security’s defense processes.
2.1 The key role of human factor in new cyber attacks
Interaction dynamics and personal behaviours are more and more
cyber attacks starting from the human factor’s peculiar vulnerabilities.
getting private information by breaking reserved access or inducing the target itself to execute given actions.
When referring to social engineering, it is necessary to remember that, from the standpoint of the protected information asset, users are one with the systems they use or manage and they often represent the
human vulnerabilities, exploited by means of social engineering techniques, is now one of the key commitments of professionals dealing with security.
loped so as to remain “below the tracement line”, i.e., without activating
engineering attack usually makes it possible to identify a “human” target that is vulnerable to given “messages”. By getting in touch with the selected victim, it is thus possible to avoid all the technological drawbacks related to the necessity of exploiting particular vulnerabilities in technological systems: the hacker gets in through the system’s main door, helped by the victim itself, and does not have to “break open” any system [3].
One of the most important frauds recently reported is the attack on
[4], which is a leading company in the information security sector. The
and are therefore particularly meaningful to highlight the peculiar characteristics of the new threats.
A certain role was also played by the creation of a credible pretext [5], leveraging the fact of having been introduced to a second user through a third person whose trust had already been gained.
It is important to notice that the attack started with a long period of observation to understand the victim’s role and the various assets he/she had access to.
The hacker could then send a phishing e-mail to the group of selected
sed on peculiar aspects able to catch their interest («2011 Recruitment
Once opened, the infected attachment started the execution of a tool developed from publicly available open source code and transformed into a malevolent tool that ran outgoing connections, through which corporate information contents could then be leaked outside the company.
ticular sort of attack, it was not possible to detect how much corporate
pany had implemented an absolutely up-to-date perimetral and logic security level, by means of the best technologies available on the market, it turned out to be vulnerable against partially non-technological threats.
[4] http://blogs.rsa.com/anatomy-of-an-attack/
The case of the British Armed Forces: an example of involuntary “leak”
tion in the system happened to Prince William in November 2012 during
Prince William’s photos legally taken by a journalist and widespread as a part of a common photo shoot. The interesting element is given by the fact that, in the photos, there are some British military systems’ security details, and, in particular, some passwords appearing on the wall in the background.
unattended by completely “human” behaviours.
Secondly, this episode reveals how, starting from a shared photo, hackers can already get multiple and crucial pieces of information:
- Details on the workplace (for example, from industrial plants,
- Details related to the fact the company is operating in a speci-
- Personal details and preferences, passions, hobbies. In general, these elements can be likely used by hackers to create
- Geo-location. Photos are often automatically geo-located by modern cameras or by smartphones, enabling to recognize
- Information about colleagues. Photos could include also other colleagues that do not want to be photographed and help un-
- Various and equally critical information, like work details or even passwords, like in the present case, appearing on the walls in the background.
2.2 The main trends increasing the Social-driven Vulnerability
The scenario of exposure to cyber attacks previously outlined is greatly determined by some general trends, which contribute to increase the
ple’s behaviour and their approach towards technology.
In particular, these trends are represented by: the possibility of being always connected, also in mobility, thanks to devices like smartphones
and immediacy of new generations in the use of technology.
CONTINUOUS ACCESS TO ONLINE CONTENTS AND SERVICES
always and everywhere, thus accessing on-line contents and services all day long thanks to the chance of easily passing from one device to another according to use contexts.
This evolution in the approach to technology makes it possible to read a newspaper on the tablet while having breakfast, access web contents and e-mails on tablet or smartphone while getting to work and then go on
appointments by using the tablet, access web and e-mail by mobile also during breaks, be on-line thanks to the innovative functionalities of the connected TV, and, in the end, before going to bed, comfortably read a book and access web and multimedia contents through one’s own tablet. This continuously evolving technological scenario determines an improvement of the user experience, which is more and more
standpoint, increasing the overall vulnerability of devices and their information assets. In fact, the opportunity of being always online and active increases, on the one side, the global time information is exposed to the threat of fraudulent attacks, and, on the other one, causes an inevitable reduction of the overall control level users can have on their data and
ments of the day and according to the device use context. Consequently,
to the occasions (for example, giving an “OK” in a means of transport is
[6] and , on www.identity-tower.com, May 2013.
ment of the customer experience. Users tend, in fact, to increasingly ask for an easy and intuitive use of technology, in favor of a user experience that is as direct and quick as possible. That concept implies a “simple” ap-
very articulated passwords or authentication following steps to access personal data can reduce data vulnerability and thus bring users advantages, it is also true that they will hardly be accepted and used, since they delay social and business processes and relationships and are therefore perceived as a disadvantage.
GROWING MOBILE DIFFUSION
Due to connection continuity, the mobile experience is replacing the desktop PC one, as already highlighted by Gartner studies at the end of 2012: in 2013, in fact, mobile devices were estimated to substitute the
according to ICD forecasts 2013 and 2014, more than 1 billion smartpho-
217.1 million tablets were sold in 2013, which, compared to 2012, represents a growth rate of 50.6%.
element to be considered by those who deal with information securi-
smartphones, used as an alternative to the company’s PC and/or tablet.
sumer Trends Report”, the current trend is characterized by new attack
Consequently, it is now necessary to plan and extend security systems
ver, a global protection must include both the company mobile (that is not only a potential attack target itself, but that could also be a means
rate goals (that could be anyway a device subject to company-oriented
be downloaded.
MORE AND MORE SOCIAL USERS AND CONTENTS
and interaction core, Social Networks have then moved users’ focus
are uploaded on YouTube. Considering also other platforms (Pinterest,
information and contents produced and shared by users. In particular,
active users.
their visiting rates, and the number of used platforms, is increasing con-
anymore, but also in the corporate business one.
increases information exposure and vulnerability of corporate assets.
criticality and privacy for the company context.
THE APPROACH OF DIGITAL NATIVES TOWARDS TECHNOLOGY AND SOCIAL MEDIA
vulnerability, it is also necessary to deal with the issue of the so-called
cases, this generation is referred to by using the term “Millennials” or “Y Generation” and digital natives are often commonly thought to represent the majority of the Social Network’s population.
Picture 1
In the Italian context, for example, it is interesting that the generation
gistered to a social network, 55% to a forum, 34% is a blog follower and 17% is a blogger [7].
The so-called “digital natives”, in fact, deal with new technological devices and services in a more “natural” way, integrating them more sponta-
they are “free” from the necessity to learn the digital use.
This generation tends therefore to be particularly “multitasking” and rapid in using technology, is naturally oriented to touch, interactivity and simplicity of use, since what is unidirectional and complex is not generally part of this user experience and is hardly comprehensible.
tiality and privacy, a 2012 Research [8]
only 31% considered security as one of the most important elements to pay attention to when taking a decision in the information technology
origin and have had to adapt to it, digital natives tend, for example, not to give importance to passwords: only one in three young people, in fact, pays attention to the solidity of his/her own password and many of them
In many cases, it is an awareness issue, as underlined also in the CLUSIT report 2013: «the notorious “digital natives” on average do not know anything about ICT Security, although they are almost all rigorously provided with a smartphone, always connected on Social Networks and thus exposed to every sort of threat».
more information is shared in a naive way: in some cases, it is shared by digital natives themselves, but, in other cases, information is shared by
characteristic of digital information “permanence” and on the fact that, in the future, information can be analyzed both by potential employers and by fraudulent people.
[8] Dimensional Research, 2012.
3. Criticalities and threats
The growing vulnerability of corporate information systems is determined by some peculiar criticalities related to the rising amount of shared information and to the rapidity with which it is exchanged and spread. Moreover, these criticalities are also increased by the more and more rapid and continuous use of technology, with an overlapping of the private and
In this context, companies are exposed to a new series of threats exploiting social dynamics and multiple platforms to “know” employees and enterprises, detect their vulnerabilities and breach at a new level that goes beyond the perimetral technological coverage traditionally protected.
3.1 Critical factors
phenomena able to increase systems’ vulnerability: on the one side, an augmented exposure of personal information and, on the other one, the reduction of the chances to keep it under control, together with the numerous ways to access Social Media both in the private and in the working sphere.
Information exposure
Personal information is more and more easily and quickly shared on the internet and, therefore, “at disposal” for possible attacks, too.
groups of people and, thus, information production and exchange. More precisely, these tools show peculiar characteristics that foster informa-
published online, the author loses control over it and cannot guarantee its elimi-
speed rates [10]
In general, it is more and more evident that, during the day, people tell
can detect two precise trends. If, on the one hand, there is a progressive multi-device fruition, i.e., users move from one device to another going on accessing the same kind of contents, on the other hand, there is a contemporary multi-device fruition, during which users exploit more devices at the same time.
[10] Bennato, Sociology of Digital Media, Roma-Bari, Laterza, 2011.
for promotional and commercial activities, and to establish relationships
porate accounts on Twitter and to create placeholders on various platforms.
In the context of augmented connection to multifold services, sites, applications, Social Media, communities, the increase and concatenation of one’s own accounts make the amount of personal information vulnerable and attackable through weak points: the use of e-mail as “universal”
easily resettable and can be consequently reached in a fraudulent manner.
In particular, authentication modalities on the Social Media are extremely weak. Because of the growing number of platforms, users tend to repeat the same name/mail and password combinations, and, in many cases, it is possible that, for reasons of simplicity, they use their work e-mail. Besides, the only validation during the registration pertains to the e-mail, which is required to be active: there are no further processes and this
Information control and access modalities to Social Media
In some cases, users pay attention to the information they share and to the security settings of their own accounts on the Social Media, but they have no
mation about them. In addition to this, when a third person shares the contents, duplication makes it impossible both to cancel and to eliminate it.
information on the victim’s habits and represents a great means to exploit some vulnerabilities while the victim is far from the computer.
Due to a growing information exposure, people tend to reduce their attention to the potential use people can make of it on the net. The information amount, the increased possibilities to access it, and the exchange rapidity, together with the habit to share contents (in general, the more
the chance to have everything precisely under control and also the user’s predisposition to actuate control mechanisms, since they are too expensive in terms of user experience’s time and quality.
Moreover, since people tend to give little value to the information they own, they also tend to share it more easily: in fact, as a password could be more easily shared than a token or a smart card, similarly, sharing information with one’s own contacts can be perceived not as a risky or potentially damaging activity, thus increasing the corporate vulnerability to fraudulent attacks. In many cases, in fact, users, being convinced that
the Social Media environment is secure (because populated by contents
risk following low-security links and putting various types of malware into company computers, damaging the corporate network itself at various levels.
It is also necessary to consider that Social Media users are not simply “citizens”, but they can also be employees, managers and executives, i.e., in general, members of a private company or a public institution, thus owning information that cannot always be spread outside. In addi-
usually tend to create a unique “hybrid” ensemble to be used without any
that do not necessarily correspond to the corporate vision can be read
guished, any message conveyed by employees would contribute to the creation of the corporate image anyway.
Social Networks and Social Media all day long, and that, also during the working time, they tend to use these means to interact with their own friends and share information.
These activities are not necessarily done through the work PC, on which, in case, it is possible to employ some type of control and protection, but often through personal smartphones that may be later connected to
management is more complex, since the presence of employers’ perso-
own material and immaterial assets.
by employees:
- On the one side, contents publishing on external platforms, without time distinction, can lead to image damages or the escaping of reserved information, or it can be leveraged for
- On the other side, the use of external platforms during working hours can expose the corporate computers and network to risks brought by various types of external attacks.
3.2 Cybercrime’s targets and objectives
In this scenario, the most vulnerable companies have been characterized
banks and companies constituting the Country’s infrastructural network, but also companies becoming a “bridge” to access other information (big
same attack model also to SMEs.
elements also into production contexts that are traditionally “autono-
ple, plants for energy production, such as generating and nuclear power
ad, are more and more distributed and interconnected on the network.
and structures represented their protection prerequisite, today’s most serious problem is the fact that each device connected on the net is on its own potentially vulnerable and subject to possible attacks by hackers.
security side, too, given that they can not only be manually broken, but are also more vulnerable against viruses, anomalies, etc., up to the crash of some applications. Due to the peculiarities of these systems, the potential negative impact from the production and social standpoint is clear, as is the consequent necessity to rethink the overall protection mechanisms against the multiple fraudulent actions.
report what is highlighted in the CLUSIT Report 2013:
Everyone has already become a potential target, simply because of being connected to the Internet. Statistically, there are still distinctions between
private citizens and VIPs, between men and women, adults and children,
ferences with respect to the victim type, but this depends above all on the fact they are more and more specializing; yet, on the other side, they have become so numerous and impudent, and their action is already so perva-
ce”, there are no “secure” categories anymore.
Information attacks have multiple goals. In general, we can distinguish between gathering information that can become monetary value for the hacker and breaking into systems for sabotage purposes:
mation asset, in order, for example, to be able to break into its
or to take possession of business information or industrial se-
- In the second case, instead, the attack aims at directly causing malfunctions or disruptions, or blackmailing the company by threatening to create malfunctions and disruptions, through the manipulation of internal systems.
Moreover, apart from the main objective, during the time necessary to complete the attack, all information stolen along the path and potentially interesting (information on the credit card, bank account
exploited on the black market where they are sold at the list price according to the information type [11].
3.3 The new “social” threats
Information attacks can be only social, only technological, or be characterized by a combination of various aspects. In general, since attacks
can be highlighted:
: the user downloads (intentionally or by
of websites that exploit vulnerabilities in web browsers. They are being increasingly used by attackers to target web browser
In both cases, the user intentionally follows a malevolent link either received through mail or private communication, or shared on a Social Media. Depending on the practical execution of the attack, it can also be necessary to run a programme, plugin or attachment by means of the user itself.
Attacks to data or services
between PC and Social Media, the risk is not canceled, but only, in some cases, partially reduced. The Social fruition through mobile devices
even more exposed, the workspaces to which they are connected (users’ personal devices are often not equipped with protection systems and therefore more subject to attacks that are potentially transferable to
It is interesting to notice how the perception of the risk and, therefore,
The list “ ”
One of the most important aspects to be considered is the fact that these risks for the company are connected one to the other, but, on the contrary, the potential threat is very often represented by a combination of them.
called malware 1.0, since they are built from the beginning to be integrated into these new socially twisted threats.
Picture 2. Risk perception depending on social platforms. Source: www.web-strategist.com, 2012
THE MOST IMPORTANT SOCIAL THREATS AGAINST THE VARIOUS COMPANY’S ASSETS
Financial assets:
- Productivity loss due to the time spent by employees on Social Media.
Industrial secrets and intellectual property:
- Information on procedures and working modalities published by
- Loss of control by the company on what is published on Social Media.
Physical security:
ten employees.
Information assets and company’s network:
Corporate image and reputation:
4. Examples of attacks
Social Media are therefore tools the company can use to improve its per-
let’s analyze three examples of attacks that exploit Social Media and that can be combined into successive steps making up a complex attack.
4.1 Leveraging target’s trust
One of the most important aspects for successful social engineering attacks is to obtain the target’s trust, in order to persuade people to execute the target action.
ronment to do these activities: the connections developed within these platforms are born, in fact, from the idea to link and gather people one
element in Social Engineering attacks.
To develop these attacks, it is possible for example to proceed either in a direct manner
on other platforms, or in an indirect manner. In the second case, before starting directly with the friendship request, the hacker develops some relationships with the target’s friends, so as to be then more credible and reliable: people tend, in fact, to trust more and to positively reply to requests from someone that is, apparently, already in their own contact group.
Once obtained the target’s trust, the hacker can:
- Gather further information (for a spear phishing attack on a
- Interact with the target by sending malevolent links in the updates or private messages, leveraging the trust gained on the platform (this is therefore a spear phishing variation, which,
This kind of attack [12] is increasing thanks to the amount of available information and the low attention many people pay when accepting friendship requests. In addition to this, also not being present on the Social Networks represents a threat, since it becomes easier for hackers to create
reserved information (http://www.guardian.co.uk/world/2012/mar/11/china-spies-facebook-attack-nato
4.2 Identifying the right lure
Spear phishing is a particular kind of phishing. The latter is carried out, for example, through e-mails that require one to unlock one’s own bank account or to send money to needy people.
These e-mails are usually characterized by poorly cared-for graphics, grammar mistakes, references to banks one has no relations with. They are therefore generic e-mails exploiting the law of large numbers and leveraging the fact that, by sending this type of mail to millions of people, sooner or later, it will be possible to get in touch with someone.
Spear phishing doesn’t leverage quantity, but quality, instead.
The objective of this phishing type is to compromise workplaces and users through more targeted attacks addressed to subjects of particular interest, as a direct or indirect way to access relevant and strategic data. In this case, a customized lure is created by exploiting the targeted user’s “digital dossier”, which gathers all personal and work information in possession of the hacker.
Spear phishing mails are actually carefully prepared and focused for
seem to be from a friend or a company mail account (internal or from a
Networks represent a very rich information source.
cessary step would be to take possession of some access credentials and compromise some workplaces. To do this, spear phishing represents the ideal and most often used technique.
tical Social Network, for work environment, all users insert their current
to get visibility. Through the platform’s native functions, it is possible to start analyzing, for example, current employees, latest employed people
users generally tend to be rather cautious and to set privacy levels in a more or less strict way. Nevertheless, it is often possible to get a photo
information, anyway. Moreover, users sometimes create a link between their blog, twitter account and other applications, providing additional
about that user.
latively simple to correctly identify one’s own target and start gathering the necessary information for the spear phishing attack. In fact, many users
and in case also the events the user has participated in.
Once the analysis phase is closed, hackers can send a very customized mail prepared for the most vulnerable target to start the attack’s following
success rate for spear phishing mails created like this is extremely high [13] and can reach 70% [14].
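The generic-versus-targeted distinction drawn above, and the malevolent-link delivery described in section 3.3, are what a mail gateway’s first-line heuristics try to catch. The following Python is an added example written for this edition, not code from the paper or from CEFRIEL: it flags a sender domain that is a near-miss of the organisation’s own domain, a link whose visible text names one host while its href points to another, and links to bare IP addresses. The corporate domain `example-corp.com` and the three sample messages are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Assumed organisation mail domain (placeholder for the example, not taken from the paper).
CORPORATE_DOMAIN = "example-corp.com"

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOSTNAME_RE = re.compile(r'\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b', re.I)
IPV4_RE = re.compile(r'\d{1,3}(?:\.\d{1,3}){3}')


def levenshtein(a, b):
    """Edit distance, used to spot look-alike sender domains (e.g. one swapped letter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(addr):
    """Domain part of a From address such as 'Name <user@host>' or 'user@host'."""
    return addr.rstrip(">").rsplit("@", 1)[-1].lower()


def analyse_message(sender, html_body):
    """Return a list of indicator strings for one message (empty list = nothing suspicious)."""
    findings = []
    domain = sender_domain(sender)
    # A domain that is one or two edits away from ours, but not ours, is a classic spear lure.
    if domain != CORPORATE_DOMAIN and levenshtein(domain, CORPORATE_DOMAIN) <= 2:
        findings.append(f"sender domain '{domain}' is a look-alike of {CORPORATE_DOMAIN}")
    for href, anchor_html in ANCHOR_RE.findall(html_body):
        host = (urlparse(href).hostname or "").lower()
        if IPV4_RE.fullmatch(host):
            findings.append(f"link points to a bare IP address ({host})")
        # Compare the host the reader sees in the link text with the host the link really opens.
        shown = HOSTNAME_RE.search(re.sub(r"<[^>]+>", "", anchor_html))
        if shown:
            shown_host = shown.group(1).lower()
            if host != shown_host and not host.endswith("." + shown_host):
                findings.append(f"link text shows '{shown_host}' but href goes to '{host}'")
    return findings


# Constructed sample messages: a generic lure, a targeted look-alike, and a legitimate reminder.
SAMPLE_MESSAGES = {
    "generic": ("alerts@bank-notices.net",
                '<p>Dear customer, your account has been locked. Please confirm your details at '
                '<a href="http://198.51.100.23/unlock">www.yourbank.example</a> within 24 hours.</p>'),
    "spear": ("hr@exarnple-corp.com",
              '<p>Hi Anna, as agreed with Marco yesterday, the updated plan is here: '
              '<a href="https://intranet.exarnple-corp.com/plan">intranet.example-corp.com/plan</a></p>'),
    "benign": ("it-helpdesk@example-corp.com",
               '<p>Reminder: the password policy is published at '
               '<a href="https://intranet.example-corp.com/policy">intranet.example-corp.com/policy</a>.</p>'),
}


def analyse_all(messages=SAMPLE_MESSAGES):
    """Run the indicators over every sample and return {name: findings}."""
    return {name: analyse_message(sender, body) for name, (sender, body) in messages.items()}


if __name__ == "__main__":
    for name, findings in analyse_all().items():
        print(name, findings or ["no indicators"])
```

Running the module prints the findings for each sample: the generic lure and the look-alike-domain message each trip two indicators, the helpdesk reminder none. Indicators like these are cheap to run at the gateway, but they only cover the cases the paper lists as clumsy; a spear phishing mail sent from a contact whose trust was gained on the platform trips none of them, which is why the paper treats them as a complement to the social side of the defence rather than a substitute for it.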
4.3 Connecting information
information that employees share on the net: the so-called OSINT activi-
sources and connect the various information.
In addition to exploiting this information to increase a possible digital
dossier and prepare spear phishing attacks, it is possible, in some cases,
to use this information to analyze competitors’ activities and prepare
some feedbacks in advance (for example, by submitting new customers
In this context, we can highlight, for example, how geolocation through
-
geolocate most frequently
often possible to discover meeting rooms’ names (to be used for
Networks (in many cases, people most frequently sharing tend to
-
scribed.
2010.
CEFRIEL INNOVISION PAPER FEBRUARY 201422 |
.Together with geolocation, in
many cases, people insert some images in the updates. Photos
sometimes show buildings’ external sides, but in various cases,
photos of interior areas are published, too, thus providing ha-
ckers with important information, for example about the com-
Identifying clients
cautiously, in many cases, it is possible to analyze transfers and
identify company’s clients and partners: this activity is often easy
to do, since people, in addition to geolocation, frequently add
Locating plants -
yees may geolocate and publish images of places that should
be reserved or the existance/presence of which should not be
widespread.
hackers can already get a big number of interesting information.
-
-
forms, in fact, it is possible to state in an update the place one is writing from and, very often, to “tag” other people as well. So it is also possible to gather information on users indirectly, through contents shared by third parties that the people concerned cannot even keep under control.
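The exposure described in this section can be checked for before a photo is published. The following Python snippet is an added example written for this edition, not code from the CEFRIEL paper: it parses the Exif APP1 segment of a JPEG, reports any GPS coordinates it carries, and can strip that segment so the coordinates never leave the company. The sample JPEG is constructed inline (arbitrary Milan coordinates, a fixed Exif layout) and all function names are the example’s own.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825  # IFD0 tag pointing at the GPS sub-IFD


def _tiff_with_gps(lat_dms, lat_ref, lon_dms, lon_ref):
    """Build a big-endian TIFF blob whose IFD0 points to a GPS IFD (constructed test input).

    Fixed layout, offsets from the TIFF header: IFD0 at 8, GPS IFD at 26,
    latitude RATIONALs at 80, longitude RATIONALs at 104.
    """
    def entry(tag, typ, count, value4):
        return struct.pack(">HHI", tag, typ, count) + value4

    ifd0 = struct.pack(">H", 1) + entry(TAG_GPS_IFD, 4, 1, struct.pack(">I", 26)) + struct.pack(">I", 0)
    gps = struct.pack(">H", 4)
    gps += entry(0x0001, 2, 2, lat_ref.encode("ascii") + b"\x00\x00\x00")  # GPSLatitudeRef
    gps += entry(0x0002, 5, 3, struct.pack(">I", 80))                       # GPSLatitude
    gps += entry(0x0003, 2, 2, lon_ref.encode("ascii") + b"\x00\x00\x00")  # GPSLongitudeRef
    gps += entry(0x0004, 5, 3, struct.pack(">I", 104))                      # GPSLongitude
    gps += struct.pack(">I", 0)
    rationals = b"".join(struct.pack(">II", num, den) for num, den in lat_dms + lon_dms)
    return b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0 + gps + rationals


def build_sample_jpeg():
    """Constructed JPEG skeleton: SOI, APP1/Exif with GPS, an empty SOS, EOI. Not a viewable image."""
    tiff = _tiff_with_gps([(45, 1), (27, 1), (5112, 100)], "N", [(9, 1), (11, 1), (24, 1)], "E")
    payload = EXIF_HEADER + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xda" + struct.pack(">H", 2) + b"\xff\xd9"


def _split_jpeg(data):
    """Return ([(marker, segment_bytes), ...], remainder) for the metadata segments before SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    segments, i = [], 2
    while i + 4 <= len(data) and data[i] == 0xFF:
        marker = data[i + 1]
        if marker in (0xD9, 0xDA):  # EOI or SOS: metadata segments end here
            break
        length = struct.unpack(">H", data[i + 2:i + 4])[0]
        segments.append((marker, data[i:i + 2 + length]))
        i += 2 + length
    return segments, data[i:]


def _read_ifd(tiff, offset, endian):
    """Map tag -> (type, count, raw 4-byte value/offset field) for one IFD."""
    count = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for k in range(count):
        pos = offset + 2 + 12 * k
        tag, typ, n = struct.unpack(endian + "HHI", tiff[pos:pos + 8])
        entries[tag] = (typ, n, tiff[pos + 8:pos + 12])
    return entries


def _rationals(tiff, offset, n, endian):
    vals = struct.unpack(endian + "II" * n, tiff[offset:offset + 8 * n])
    return [vals[2 * k] / vals[2 * k + 1] for k in range(n)]


def _dms_to_decimal(dms, ref):
    degrees = dms[0] + dms[1] / 60 + dms[2] / 3600
    return -degrees if ref in ("S", "W") else degrees


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees if the JPEG carries GPS Exif tags, else None."""
    segments, _ = _split_jpeg(jpeg)
    for marker, seg in segments:
        if marker != 0xE1 or seg[4:10] != EXIF_HEADER:
            continue
        tiff = seg[10:]
        endian = "<" if tiff[:2] == b"II" else ">"
        ifd0 = _read_ifd(tiff, struct.unpack(endian + "I", tiff[4:8])[0], endian)
        if TAG_GPS_IFD not in ifd0:
            return None
        gps = _read_ifd(tiff, struct.unpack(endian + "I", ifd0[TAG_GPS_IFD][2])[0], endian)
        if not all(tag in gps for tag in (1, 2, 3, 4)):
            return None
        lat_ref = gps[1][2][:1].decode("ascii")
        lon_ref = gps[3][2][:1].decode("ascii")
        lat = _dms_to_decimal(_rationals(tiff, struct.unpack(endian + "I", gps[2][2])[0], 3, endian), lat_ref)
        lon = _dms_to_decimal(_rationals(tiff, struct.unpack(endian + "I", gps[4][2])[0], 3, endian), lon_ref)
        return lat, lon
    return None


def strip_exif(jpeg):
    """Copy of the JPEG without any APP1/Exif segment (removes GPS along with the rest of Exif)."""
    segments, rest = _split_jpeg(jpeg)
    kept = b"".join(seg for marker, seg in segments if not (marker == 0xE1 and seg[4:10] == EXIF_HEADER))
    return jpeg[:2] + kept + rest


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("GPS in sample:", extract_gps(sample))
    print("GPS after strip:", extract_gps(strip_exif(sample)))
```

In a publishing workflow the check would run on the real file before upload: a non-None result from `extract_gps` is a reason to hold the image, and `strip_exif` produces the copy that is safe to share. The parser handles both Exif byte orders; it does not cover GPS data placed in non-Exif containers (XMP, IPTC), which a complete pre-publication screen would also inspect.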
5. Defense strategy against Social-driven Vulnerability: a 360° paradigm shift
New information security threats greatly leverage various key factors.
Some of them have been widely discussed and are mainly related to pe-
and rely on the exploitation of this attitude.
On the one hand, considering the increasing complexity of technological infrastructures, there are numerous initiatives aimed at really strengthening information systems. Modern operating systems keep adopting new techniques¹⁵ to prevent malicious software, whether brought by a user onto their own PC or spread through browser or other software vulnerabilities, from compromising the core of the system and gaining full access to all data and inputs. In this sense, the social approach is the one that best manages to overcome the security barriers set by the company and to drive the user to adopt behaviours against which no countermeasures have been implemented yet.
On the other hand, while the issue of the massive analysis of activity traces through technological devices is currently widely addressed by IT solution vendors (however complex it is to deal with this issue in the
much less for matters like the Information Security oriented monitoring of the company’s social exposure. In that respect, information and material to carry out “social-driven” attacks are more and more available to hackers, without an adequate informational counterpart for the people in charge of protecting the company perimeter.
-
tents accessed by users: it will surely be possible, with an accurate tu-
to attack a restricted number of people, or malicious code built ad hoc to be delivered through those lures.
In addition to this, there is a business evolution related to cybercrime that is increasingly pushing towards an organized approach strongly aimed at a rapid return on investments. The creation and engineering of sophisticated malware, even though still carried out today with the contributions of people working “by passion”, actually requires the costs of a
15 Like for example “sandboxing” techniques, “address space randomization”, or “trusted computing”.
software factory’s activity. The trade of customized malware has reached much higher prices compared to “general purpose” malware. Therefore, this pushes organizations towards a strongly target-focused approach, making the tool choice almost only a matter of advantage and convenience. Today, one of the means enabling the maximization of the costs/
exploitation.
On the basis of the numerous current tendencies highlighted so far, it is clear that it is necessary to protect a company in a new way (whatever
a real paradigm shift in the study and design of the company’s defense system. To sum up, it is necessary to envisage a parallel evolution both of human factor involvement and of the technological approach used in the planning of corporate protection operations.
Today, although with the unavoidable and unlimited variations characterizing each organizational asset, information security countermeasures are usually the responsibility of a dedicated IT area. This typically operates with a
with the development of core business solutions and involving the pre-
-
logy is therefore often the core of any information security plan, since the adopted approach amounts to “let’s identify the adequate technology”.
-
tions that take into consideration the growing importance played by processes, too. Therefore, the technologies adopted to develop the overall
be also easy to monitor and integrate into corporate systems for information gathering and processing. The growing change in that sense
-
less, also this step is not enough yet, and requires a further evolution.
Strong choices are necessary to enable the shift from the current situation, where the human factor is “separated” from technology and “endures” security, to a situation where people are actively involved in the security processes. Such a paradigm shift is extremely challenging for the
-
-
tion towards this model, in fact, it is required to share objectives, more or less intensely, with functions that are not directly connected with the corporate “technological” dimension, but related to the management
Moreover, executing the “patching of human factor’s vulnerabilities”¹⁶ is not such a deterministic process, with given results, as the patching
-
comprehensible how complex it can be to set new “attitudes” within the
most commonly used social attack approaches, and reduce those behaviours that can enable the attacks themselves.
In this context, it seems that the winning strategy is to generally rethink the monitoring of the security level reached by the company, both by creating new areas focused on the “social” dimension and by rethinking the technological monitoring in the perspective of a more detailed and
integrated for a 360° defense that should be as complete as possible, and
Considered in the technological context, these probes are the traditional detection points of unauthorized IT accesses and actions, while, applied
stop, attack attempts.
The scheme represented in Picture 3 highlights such a change of approach: no longer only a solid perimeter security independent of the contents to be protected, but a set of actions that aim at protecting machines, information and users, both as single aspects and as parts of a whole.
-
rity interventions must include at least three action macro areas, while, today, not all of them are always adequately considered and monitored:
Picture 3: Distributed and multilayer protection scheme, integrating various comple-
Source: CEFRIEL, 2013
The technological monitoring extended to all of the company’s IT
The “monitoring on the monitoring”, conceived as a strong stronghold of the processes that allow, from the results and alerts
barriers.
action lines with respect to the possible intervention needs.
5.1 Social monitoring
-
larly delicate, since it implies two operating aspects that are potentially
elements of attention and organizational involvement as regards their execution.
-
tion on the Social Media (synergic with, but not equivalent to, the activities that are more and more often developed to monitor brand reputation¹⁷ and sentiment¹⁸
-
formation that people variously linked to the company expose on the Social Media and, more in general, on the Internet. The issue is complex and
-
toring activities on media contents with a more “personal” nature and
cannot be simply on demand, but must take place in a continuous and
should not only cover known areas (the company’s digital properties, i.e.,
also focus on all contents that can be reached on the Internet although not known by the company. In fact, this sort of contents is often extremely similar to the original company’s contents, so that, in many cases, they are confused with them. Consequently, they can be fully manipulated at will by the people managing them and thus used to target
18 People’s opinion towards a given brand, product or service. Sentiment analysis is used to try to understand people’s predisposition towards the analyzed element.
to carry out appropriate activities towards internal users that are in the position, as previously described, to represent a bridge to overcome the perime-
through focused assessments and attack simulations, the real intervention need, also considering possible awareness activities already executed. In this case, the detected numerical data is not important in absolute terms, but as representative of an overall percentage of exposure to a possible social attack of the reference company sample used
to highlight what areas of the target users are more subject to what types
In particular, the emerging analysis dimensions range from the demographic characterization of the sample, or of the potential access level to corporate information, to the combination of social and technological factors characterizing the attacks that have turned out to be the most
that manages and directs them, guaranteeing adequate follow-ups on the
envisioning the necessary involvement of various company’s subjects”
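Monitoring content that is “not known by the company” but looks like its own, as Section 5.1 describes, can be partly automated. The Python below is an added example for this edition, not code from the CEFRIEL paper: given a constructed inventory of owned domains and brand labels (placeholders under the reserved .example TLD), it classifies observed domain names as owned, homoglyph imitations, typo variants or brand-embedded names, so that a reviewer sees only the ones needing follow-up. The names, the edit-distance threshold and the homoglyph table are the example’s assumptions.

```python
import unicodedata

# Constructed inventory of the company's own digital properties (placeholders, not real domains).
OWNED_DOMAINS = {"acme-corp.example", "acmecorp.example"}
BRAND_LABELS = ("acme-corp", "acmecorp")

# Substitutions commonly used to imitate a label, applied after lowercasing and accent stripping.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"))

# Constructed feed of domains seen in certificate logs, mail headers or social profiles.
OBSERVED = [
    "acme-corp.example",          # the company's own
    "acme-c0rp.example",          # digit standing in for a letter
    "acme-crop.example",          # transposed letters
    "acmecorp-support.example",   # brand embedded in a longer label
    "unrelated.example",          # nothing to do with the brand
    "acmè-corp.example",          # accented character (IDN labels would first be decoded from punycode)
]


def normalize_label(label):
    """Lowercase, strip accents, and fold common look-alike characters."""
    text = unicodedata.normalize("NFKD", label.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    for src, dst in HOMOGLYPHS:
        text = text.replace(src, dst)
    return text


def levenshtein(a, b):
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    # Simplification: assumes a single-label public suffix; a deployment would use the Public Suffix List.
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain, owned=OWNED_DOMAINS, brands=BRAND_LABELS, max_distance=2):
    """Return (verdict, matched_brand); verdicts: owned, homoglyph, typo, brand-embedded, unrelated."""
    domain = domain.lower().rstrip(".")
    if domain in owned:
        return ("owned", None)
    label = normalize_label(registrable_label(domain))
    norm_brands = [(brand, normalize_label(brand)) for brand in brands]
    for brand, nb in norm_brands:          # identical once look-alike characters are folded
        if label == nb:
            return ("homoglyph", brand)
    for brand, nb in norm_brands:          # a few keystrokes away from the brand
        if levenshtein(label, nb) <= max_distance:
            return ("typo", brand)
    for brand, nb in norm_brands:          # brand used as part of a longer, plausible-looking label
        if nb in label:
            return ("brand-embedded", brand)
    return ("unrelated", None)


def triage(observed):
    """Keep only the domains that need a reviewer's attention, with verdict and brand."""
    results = [(domain,) + classify(domain) for domain in observed]
    return [r for r in results if r[1] not in ("owned", "unrelated")]


if __name__ == "__main__":
    for domain, verdict, brand in triage(OBSERVED):
        print(f"{domain:28} {verdict:15} {brand}")
```

The output of `triage` is the list the paper's “social monitoring” function would work through: the verdict says why a name was flagged, so that a homoglyph clone of the login page and a typo domain registered by a harmless squatter can be prioritized differently. New feeds (certificate transparency, passive DNS, social-handle registrations) plug in by extending `OBSERVED`.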
5.2 Technological monitoring
at the same time, it obviously cannot exclude technological operations. It is necessary to highlight, in fact, that, although intervention on the social dimension has by now become unavoidable, it is still not enough to protect the company, since the technological dimension keeps on
defense will be the one that is able to leverage both dimensions at best.
Picture 4
subject category and attack typology
In this sense, continuous monitoring must be linked to a “divide et impera” attitude, which is certainly not new in the best practices to protect IT. Keywords like “defence in depth”, segmentation, intrusion detection and prevention with lures on the internal networks are not new, in fact, to those who manage and plan the company’s IT while also paying attention to security problems, and such an attitude must actually be considered
the company’s external perimeter is not enough, but it is necessary to segment also the internal structure and defend the various sections’ perimeters¹⁹. Only by doing this is it possible to prevent a single perimeter violation, obtained through social means and therefore below the technological detection radars within the company, from becoming complete access to the company’s information assets.
-
ced Persistent Threats today: hackers’ investment in the information-gathering activity that enables the social phase of their attacks is often widely rewarded, once they have passed through the external perimeter, by the evidence of a low level of internal protection.
Nevertheless, this is not enough. There must also be a regular analysis
to promptly react to possible attacks and to isolate the compromised IT portions, avoiding worse consequences.
-
cial monitoring previously described is required to complete the “lateral” defending structure of a “castle”. The purpose is to protect both from the new intrusions “from above” that can directly hit people “overcoming” the walls, and from the new techniques that persuade them to directly open the castle’s “main gate”.
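One concrete form of the internal segmentation and “divide et impera” monitoring argued for in Section 5.2 is checking observed traffic against an explicit cross-segment policy, so that a workstation compromised through a social lure stands out as soon as it starts reaching segments it has no business in. The Python below is an added example for this edition, not code from the CEFRIEL paper; the segment plan, the allowed-flow table and the flow records are constructed placeholders (RFC 1918 and TEST-NET addresses).

```python
import ipaddress
from collections import Counter

# Constructed segment plan: which internal network belongs to which zone.
SEGMENTS = {
    "office": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "finance": ipaddress.ip_network("10.30.0.0/24"),
}

# Constructed policy: cross-segment flows that are expected, as (src zone, dst zone, dst port).
# Everything else that crosses a zone boundary is a segmentation violation worth a look.
ALLOWED = {
    ("office", "servers", 443),
    ("office", "internet", 80),
    ("office", "internet", 443),
    ("finance", "servers", 443),
    ("servers", "internet", 443),
}

# Constructed flow records in the form "<timestamp> <src> <dst> <proto> <dst_port>".
SAMPLE_FLOWS = [
    "2014-02-03T09:01:00 10.10.5.23 10.20.1.5 tcp 443",      # office -> servers https: expected
    "2014-02-03T09:01:05 10.10.5.23 203.0.113.10 tcp 443",   # office -> internet https: expected
    "2014-02-03T09:02:10 10.10.5.23 10.30.0.10 tcp 445",     # office -> finance SMB: violation
    "2014-02-03T09:02:30 10.10.5.23 10.20.1.5 tcp 3389",     # office -> servers RDP: violation
    "2014-02-03T09:03:00 10.30.0.10 10.20.1.5 tcp 443",      # finance -> servers https: expected
    "2014-02-03T09:03:20 10.10.7.41 10.10.5.23 tcp 445",     # office -> office: same zone, not checked here
    "2014-02-03T09:04:00 10.20.1.5 203.0.113.10 tcp 8443",   # servers -> internet on odd port: violation
]


def segment_of(ip):
    """Zone name for an address; anything outside the plan counts as 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


def parse_flow(line):
    ts, src, dst, proto, dport = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto, "dport": int(dport)}


def find_violations(lines):
    """Flows that cross a zone boundary without a matching ALLOWED entry."""
    violations = []
    for line in lines:
        flow = parse_flow(line)
        src_seg, dst_seg = segment_of(flow["src"]), segment_of(flow["dst"])
        if src_seg == dst_seg:
            continue  # intra-zone traffic is outside this check's scope
        if (src_seg, dst_seg, flow["dport"]) not in ALLOWED:
            violations.append({**flow, "src_seg": src_seg, "dst_seg": dst_seg})
    return violations


def hosts_by_violation_count(violations):
    """Sources ranked by how often they broke the policy: a lateral-movement candidate ranks first."""
    return Counter(v["src"] for v in violations)


if __name__ == "__main__":
    found = find_violations(SAMPLE_FLOWS)
    for v in found:
        print(f"{v['ts']} {v['src']} ({v['src_seg']}) -> {v['dst']}:{v['dport']} ({v['dst_seg']})")
    print("top offenders:", hosts_by_violation_count(found).most_common(3))
```

On the constructed records the office workstation 10.10.5.23 is flagged twice in under a minute, first towards the finance segment and then towards a server over RDP; that pattern, rather than any single flow, is what an analyst would escalate. In practice the same check runs over exported flow logs or firewall allow-logs, and the policy table doubles as documentation of what the segmentation is supposed to permit.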
5.3 Prevention and control
-
gies and the social monitoring do not prove to be enough, since it is also necessary to insist on control processes, so as not to make those interven-
-
fore, the monitoring will not be done only on ICT equipment consoles but, since the human factor must be more and more integrated into the technological chain, it will also be necessary to have a monitoring of “human”
-
grating Security and Systems Engineering, Wiley, 2006
of the inputs coming from people, who should themselves become control “lures” in addition to the technological ones installed on PCs and within the networks²⁰. To this extent, it is essential, for example, to have a
-
tion procedures, i.e., concatenated actions performed by multiple subjects at multiple levels to stop and neutralize ongoing attacks.
5.3 Organizational implications of the integrated approach to corporate security
company’s organization. The more the starting condition (also of a “cul-
-
-
tures, if present, should also be involved, like those in charge of Innovation or Risk Management (the social risk, like all other risks, must be
-
ting contexts.
In particular, the value of involving the Innovation structure is related to the fact that the new security approach outlined so far is not only innovative on the whole, but it also requires a series of single interventions that are fully disruptive with respect to the company’s traditional activities, both in terms of development and implications.
strengthens security, on www.net-security.org, May 2013.
6. Conclusions
Technological security interventions are required to evolve contextually
horizontal, integrating external perimeter protection with the internal one, and the vertical, raising interventions from the level of technology to the level of people.
In particular, an integrated approach is necessary, represented by a set
functions and in synergy also with the budgets allocated for structures
-
-
driven Vulnerability’s dynamics. Moreover, it promotes the reduction of dangerous behaviours for a 360° protection programme of the company’s information assets.
Authors
© CEFRIEL - Milan, February 2014 - Some rights reserved
This work is released with a Creative Commons License (http://creativecommons.org/licenses/by-nc-nd/3.0/
were made.
You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or
your use.
-
CEFRIEL experience
-
tion and management of modern company information systems.
-
rience acquired in supporting the innovation process of companies and
and information availability are critical factors. The operating model is enhanced by the capability to aggregate, manage and transfer the competences acquired in project development and by the steady relationship with information security managers and professionals.
-
ve characteristics: not only the support to outline and implement the
company’s social strategy, but also the user sentiment analysis about
contents the company shares on Social Networks.
The Security and Social Media competences acquired and continuously developed have been applied for years to innovation projects developed in collaboration with primary Italian organizations to assess social and technological vulnerability.
T: +39 02 23954 1
www.cefriel.com
 
Lucknow đź’‹ Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...
Lucknow đź’‹ Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...Lucknow đź’‹ Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...
Lucknow đź’‹ Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...anilsa9823
 
Artificial Intelligence In Microbiology by Dr. Prince C P
Artificial Intelligence In Microbiology by Dr. Prince C PArtificial Intelligence In Microbiology by Dr. Prince C P
Artificial Intelligence In Microbiology by Dr. Prince C PPRINCE C P
 
Animal Communication- Auditory and Visual.pptx
Animal Communication- Auditory and Visual.pptxAnimal Communication- Auditory and Visual.pptx
Animal Communication- Auditory and Visual.pptxUmerFayaz5
 
Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...
Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...
Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...jana861314
 
Call Girls in Munirka Delhi 💯Call Us 🔝9953322196🔝 💯Escort.
Call Girls in Munirka Delhi 💯Call Us 🔝9953322196🔝 💯Escort.Call Girls in Munirka Delhi 💯Call Us 🔝9953322196🔝 💯Escort.
Call Girls in Munirka Delhi 💯Call Us 🔝9953322196🔝 💯Escort.aasikanpl
 
Biopesticide (2).pptx .This slides helps to know the different types of biop...
Biopesticide (2).pptx  .This slides helps to know the different types of biop...Biopesticide (2).pptx  .This slides helps to know the different types of biop...
Biopesticide (2).pptx .This slides helps to know the different types of biop...RohitNehra6
 
Analytical Profile of Coleus Forskohlii | Forskolin .pdf
Analytical Profile of Coleus Forskohlii | Forskolin .pdfAnalytical Profile of Coleus Forskohlii | Forskolin .pdf
Analytical Profile of Coleus Forskohlii | Forskolin .pdfSwapnil Therkar
 

Recently uploaded (20)

Physiochemical properties of nanomaterials and its nanotoxicity.pptx
Physiochemical properties of nanomaterials and its nanotoxicity.pptxPhysiochemical properties of nanomaterials and its nanotoxicity.pptx
Physiochemical properties of nanomaterials and its nanotoxicity.pptx
 
Bentham & Hooker's Classification. along with the merits and demerits of the ...
Bentham & Hooker's Classification. along with the merits and demerits of the ...Bentham & Hooker's Classification. along with the merits and demerits of the ...
Bentham & Hooker's Classification. along with the merits and demerits of the ...
 
9953056974 Young Call Girls In Mahavir enclave Indian Quality Escort service
9953056974 Young Call Girls In Mahavir enclave Indian Quality Escort service9953056974 Young Call Girls In Mahavir enclave Indian Quality Escort service
9953056974 Young Call Girls In Mahavir enclave Indian Quality Escort service
 
Recombination DNA Technology (Nucleic Acid Hybridization )
Recombination DNA Technology (Nucleic Acid Hybridization )Recombination DNA Technology (Nucleic Acid Hybridization )
Recombination DNA Technology (Nucleic Acid Hybridization )
 
Nightside clouds and disequilibrium chemistry on the hot Jupiter WASP-43b
Nightside clouds and disequilibrium chemistry on the hot Jupiter WASP-43bNightside clouds and disequilibrium chemistry on the hot Jupiter WASP-43b
Nightside clouds and disequilibrium chemistry on the hot Jupiter WASP-43b
 
CELL -Structural and Functional unit of life.pdf
CELL -Structural and Functional unit of life.pdfCELL -Structural and Functional unit of life.pdf
CELL -Structural and Functional unit of life.pdf
 
Unlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptx
Unlocking  the Potential: Deep dive into ocean of Ceramic Magnets.pptxUnlocking  the Potential: Deep dive into ocean of Ceramic Magnets.pptx
Unlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptx
 
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCRStunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
 
GFP in rDNA Technology (Biotechnology).pptx
GFP in rDNA Technology (Biotechnology).pptxGFP in rDNA Technology (Biotechnology).pptx
GFP in rDNA Technology (Biotechnology).pptx
 
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
 
Biological Classification BioHack (3).pdf
Biological Classification BioHack (3).pdfBiological Classification BioHack (3).pdf
Biological Classification BioHack (3).pdf
 
A relative description on Sonoporation.pdf
A relative description on Sonoporation.pdfA relative description on Sonoporation.pdf
A relative description on Sonoporation.pdf
 
Isotopic evidence of long-lived volcanism on Io
Isotopic evidence of long-lived volcanism on IoIsotopic evidence of long-lived volcanism on Io
Isotopic evidence of long-lived volcanism on Io
 
Lucknow đź’‹ Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...
Lucknow đź’‹ Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...Lucknow đź’‹ Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...
Lucknow đź’‹ Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...
 
Artificial Intelligence In Microbiology by Dr. Prince C P
Artificial Intelligence In Microbiology by Dr. Prince C PArtificial Intelligence In Microbiology by Dr. Prince C P
Artificial Intelligence In Microbiology by Dr. Prince C P
 
Animal Communication- Auditory and Visual.pptx
Animal Communication- Auditory and Visual.pptxAnimal Communication- Auditory and Visual.pptx
Animal Communication- Auditory and Visual.pptx
 
Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...
Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...
Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...
 
Call Girls in Munirka Delhi 💯Call Us 🔝9953322196🔝 💯Escort.
Call Girls in Munirka Delhi 💯Call Us 🔝9953322196🔝 💯Escort.Call Girls in Munirka Delhi 💯Call Us 🔝9953322196🔝 💯Escort.
Call Girls in Munirka Delhi 💯Call Us 🔝9953322196🔝 💯Escort.
 
Biopesticide (2).pptx .This slides helps to know the different types of biop...
Biopesticide (2).pptx  .This slides helps to know the different types of biop...Biopesticide (2).pptx  .This slides helps to know the different types of biop...
Biopesticide (2).pptx .This slides helps to know the different types of biop...
 
Analytical Profile of Coleus Forskohlii | Forskolin .pdf
Analytical Profile of Coleus Forskohlii | Forskolin .pdfAnalytical Profile of Coleus Forskohlii | Forskolin .pdf
Analytical Profile of Coleus Forskohlii | Forskolin .pdf
 

Facing Social Media Vulnerabilities

5 Defense strategy against Social-driven Vulnerability: a 360° paradigm shift ........ 23
5.1 Social monitoring ........ 26
5.2 Technological monitoring ........ 27
5.3 Prevention and control ........ 28
5.4 Organizational implications of the integrated approach to corporate security ........ 29
6 Conclusions ........ 30
1. Introduction

Today, in the security area of corporate IT systems, companies have to In fact, people’s way of interacting is changing towards a very close “bidirectional” relationship that implies creating, sharing and commenting on information, and not only producing and/or receiving it. To this end, people do not use only blogs, but a growing number of other social platforms their speed of circulation and the number of people that can access it.

The increasing use of Social Media, especially by the so-called “digital natives”, is strengthened by other factors that risk worsening the vulne- -sion of mobile devices and the possibility of being steadily connected to the internet all day long, potentially without interruption, both at work and in free time. -lion people aged 13 and older, representing 54.6% of the mobile population1 2. through their smartphones at least once in the month.

In this context, it is clear how the human factor can increasingly represent the weak link in the corporate security’s defense processes and how interventions on the social dimension now have to be integrated with ones are required to continuously evolve to better protect both the perimeter and the company’s internal structure, so as to develop, as much as possible, a synergic action for a 360° protection.

2 Netcomm, Market dynamics in the international context, May 2013.
2. Social-Driven Vulnerability today

Cyber attacks are generally becoming more and more numerous and widespread, representing a potential threat for every kind of target, CLUSIT report 2013, it is clear that 2012 was marked by a strong growth of cyber threats at the international level, with a global increase of 254%, and that Cyber Crime already exceeds 50% of the total (from 36% in With respect to the objectives, although the Government remains the most frequently attacked target within the considered sample, the highest growth rates of attacks were detected in the “Online Service and Cloud” sector, which includes Social Networks, with a 900% increase.

More in detail, some remarkable cases of digital frauds and information systems malfunctions, recently carried out to damage companies and public institutions, highlight how the human factor, placed in an increasingly connected, mobile and social context, represents an element of growing vulnerability in the corporate security’s defense processes.

2.1 The key role of human factor in new cyber attacks

Interaction dynamics and personal behaviours are more and more cyber attacks starting from the human factor’s peculiar vulnerabilities. getting private information by breaking reserved access or inducing the target itself to execute given actions. When referring to social engineering, it is necessary to remember that, from the standpoint of the protected information asset, users are one with the systems they use or manage and they often represent the human vulnerabilities, exploited by means of social engineering techniques, is now one of the key commitments of professionals dealing with security. -loped so as to remain “below the tracement line”, i.e., without activating
engineering attack usually makes it possible to point out a “human” target that is vulnerable to given “messages”. By getting in touch with the selected victim, it is thus possible to avoid all technological drawbacks related to the necessity of exploiting particular vulnerabilities in technological systems: the hacker gets into the system’s main door, helped by the victim itself, and does not have to “break open” any system3.

One of the most important frauds recently reported is the attack to 4, which is a leading company in the information security sector. The and are therefore particularly meaningful to highlight the peculiar characteristics of the new threats. certain role was also played by the creation of a credible pretext5, leveraging the fact of having been introduced to a second user through a third person whose trust had already been gained.

It is important to notice that the attack started with a long period of observation to understand the victim’s role and the various assets he/she had access to. The hacker could then send a phishing e-mail to the group of selected -sed on peculiar aspects able to catch their interest («2011 Recruitment Once opened, the infected attachment started the execution of a tool developed from openly available source code and transformed into a malevolent tool that ran outgoing connections, through which corporate information contents could then be leaked outside the company. -ticular sort of attack, it was not possible to detect how much corporate -pany had implemented an absolutely up-to-date perimetral and logic

4 http://blogs.rsa.com/anatomy-of-an-attack/
security level, by means of the best technologies available on the market, it turned out to be vulnerable against partially non-technological threats.

The case of the British Armed Forces: an example of involuntary “leak”

-tion in the system happened to Prince William in November 2012 during Prince William’s photos legally taken by a journalist and widespread as a part of a common photo shoot. The interesting element is given by the fact that, in the photos, there are some British military systems’ security details and, in particular, some passwords appearing on the wall in the background. unattended by completely “human” behaviours.

Secondly, this episode reveals how, starting from a shared photo, hackers can already get multiple and crucial pieces of information:

• Details on the workplace (for example, from industrial plants,
• Details related to the fact the company is operating in a speci-
• Personal details and preferences, passions, hobbies. In general, these elements can likely be used by hackers to create
• Geo-location. Photos are often automatically geo-located by modern cameras or by smartphones, making it possible to recognize
• Information about colleagues. Photos could also include other colleagues that do not want to be photographed and help un-
• Various and equally critical information, like work details or even passwords, like in the present case, appearing on the walls in the background.
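One concrete control for the geo-location point above, as an added example that is not the paper's code: it reads the GPS coordinates that a camera or phone embeds in a JPEG's EXIF block and produces a copy with that block removed, so a photo can be checked and cleaned before it is posted. It uses only the Python standard library; the sample JPEG, its TIFF layout and its coordinates are constructed inline as a stand-in for a real phone photo (no image data is included).

```python
"""Detect and strip EXIF GPS coordinates from a JPEG before it is shared.
Added example, standard library only; the sample JPEG is constructed inline."""
import struct

GPS_IFD_TAG = 0x8825                      # IFD0 pointer to the GPS sub-IFD
APP1, SOS = 0xFFE1, 0xFFDA                # JPEG markers this walker cares about
EXIF_HDR = b"Exif\x00\x00"

def _iter_segments(jpeg):
    """Yield (marker, start, end) for each header segment before scan data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker == SOS:                 # entropy-coded image data follows
            return
        end = pos + 2 + length
        yield marker, pos, end
        pos = end

def _read_ifd(tiff, endian, offset):
    """Return {tag: (type, count, raw 4-byte value field)} for one IFD."""
    (n,) = struct.unpack(endian + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(n):
        at = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(endian + "HHI", tiff[at:at + 8])
        entries[tag] = (typ, count, tiff[at + 8:at + 12])
    return entries

def _dms_to_degrees(tiff, endian, entry):
    """Decode a 3xRATIONAL (deg, min, sec) GPS entry into decimal degrees."""
    typ, count, raw = entry
    if typ != 5 or count != 3:
        raise ValueError("unexpected GPS coordinate encoding")
    (off,) = struct.unpack(endian + "I", raw)
    v = struct.unpack(endian + "6I", tiff[off:off + 24])
    return v[0] / v[1] + v[2] / v[3] / 60 + v[4] / v[5] / 3600

def find_gps(jpeg):
    """Return (lat, lon) in decimal degrees if the EXIF carries a GPS fix."""
    for marker, start, end in _iter_segments(jpeg):
        body = jpeg[start + 4:end]
        if marker != APP1 or not body.startswith(EXIF_HDR):
            continue
        tiff = body[len(EXIF_HDR):]
        endian = "<" if tiff[:2] == b"II" else ">"
        (ifd0_off,) = struct.unpack(endian + "I", tiff[4:8])
        ifd0 = _read_ifd(tiff, endian, ifd0_off)
        if GPS_IFD_TAG not in ifd0:
            return None
        (gps_off,) = struct.unpack(endian + "I", ifd0[GPS_IFD_TAG][2])
        gps = _read_ifd(tiff, endian, gps_off)
        if not all(t in gps for t in (1, 2, 3, 4)):   # refs + coordinates
            return None
        lat = _dms_to_degrees(tiff, endian, gps[2])
        lon = _dms_to_degrees(tiff, endian, gps[4])
        lat = -lat if gps[1][2][:1] == b"S" else lat
        lon = -lon if gps[3][2][:1] == b"W" else lon
        return round(lat, 6), round(lon, 6)
    return None

def strip_exif(jpeg):
    """Copy the JPEG without its APP1 Exif segment; image data is untouched."""
    out, pos = bytearray(jpeg[:2]), 2
    for marker, start, end in _iter_segments(jpeg):
        if marker != APP1 or not jpeg[start + 4:end].startswith(EXIF_HDR):
            out += jpeg[start:end]
        pos = end
    return bytes(out + jpeg[pos:])

def _rationals(value):
    """Pack |value| as EXIF (deg/1, min/1, sec*10000/10000) rationals."""
    value = abs(value)
    deg = int(value)
    mn = int((value - deg) * 60)
    sec = round(((value - deg) * 60 - mn) * 60 * 10000)
    return struct.pack("<6I", deg, 1, mn, 1, sec, 10000)

def build_sample_jpeg(lat, lon):
    """Constructed stand-in for a phone photo: header segments plus a GPS IFD."""
    lat_ref = b"N\x00\x00\x00" if lat >= 0 else b"S\x00\x00\x00"
    lon_ref = b"E\x00\x00\x00" if lon >= 0 else b"W\x00\x00\x00"
    # little-endian TIFF layout: header(8) IFD0(18) GPS IFD(54) rationals(48)
    ifd0 = (struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 26)
            + struct.pack("<I", 0))
    gps = (struct.pack("<H", 4)
           + struct.pack("<HHI", 1, 2, 2) + lat_ref            # GPSLatitudeRef
           + struct.pack("<HHII", 2, 5, 3, 80)                  # GPSLatitude
           + struct.pack("<HHI", 3, 2, 2) + lon_ref             # GPSLongitudeRef
           + struct.pack("<HHII", 4, 5, 3, 104)                 # GPSLongitude
           + struct.pack("<I", 0))
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd0 + gps
    app1 = EXIF_HDR + tiff + _rationals(lat) + _rationals(lon)
    return (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xda" + struct.pack(">H", 2) + b"\xff\xd9")
```

On a real file, `find_gps(open(path, "rb").read())` returning a fix is the signal that the photo should go through `strip_exif` before upload.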
2.2 The main trends increasing the Social-driven Vulnerability

The scenario of exposure to cyber attacks previously outlined is greatly determined by some general trends, which contribute to increase the -ple’s behaviour and their approach towards technology. In particular, these trends are represented by: the possibility of being always connected, also in mobility, thanks to devices like smartphones and immediacy of new generations in the use of technology.

CONTINUOUS ACCESS TO ONLINE CONTENTS AND SERVICES

always and everywhere, thus accessing on-line contents and services all day long thanks to the chance of easily passing from one device to another according to use contexts. This evolution in the approach to technology makes it possible to read a newspaper on the tablet while having breakfast, access web contents and e-mails on tablet or smartphone while getting to work and then go on to appointments by using the tablet, access web and e-mail by mobile also during breaks, be on-line thanks to the innovative functionalities of the connected TV, and, in the end, before going to bed, comfortably read a book and access web and multimedia contents through one’s own tablet. This continuously evolving technological scenario determines an improvement of the user experience, which is more and more 6.

standpoint, increasing the overall vulnerability of devices and their information assets. In fact, the opportunity of being always online and active increases, on the one side, the global time information is exposed to the threat of fraudulent attacks, and, on the other one, causes an inevitable reduction of the overall control level users can have on their data and -ments of the day and according to the device use context. Consequently, to the occasions (for example, giving an “OK” in a means of transport is

and , on www.identity-tower.com, May 2013.
-ment of the customer experience. Users tend, in fact, to increasingly ask for an easy and intuitive use of technology, in favor of a user experience that is as direct and quick as possible. That concept implies a “simple” ap- very articulated passwords or authentication following steps to access personal data can reduce data vulnerability and thus bring users advantages, it is also true that they will hardly be accepted and used, since they delay social and business processes and relationships and are therefore perceived as a disadvantage.

GROWING MOBILE DIFFUSION

Due to connection continuity, the mobile experience is replacing the desktop PC one, as already highlighted by Gartner studies at the end of 2012: in 2013, in fact, mobile devices were estimated to substitute the according to ICD forecasts 2013 and 2014, more than 1 billion smartpho- 217.1 million tablets were sold in 2013, which, with respect to 2012, represents a growth rate of 50.6%.

element to be considered by those who deal with information securi- smartphones, used as an alternative to the company’s PC and/or tablet. -sumer Trends Report”, the current trend is characterized by new attack - Consequently, it is now necessary to plan and extend security systems -ver, a global protection must include both the company mobile (that is not only a potential attack target itself, but that could also be a means -rate goals (that could be anyway a device subject to company-oriented be downloaded.

MORE AND MORE SOCIAL USERS AND CONTENTS

- and interaction core, Social Networks have then moved users’ focus are uploaded on YouTube. Considering also other platforms (Pinterest,
information and contents produced and shared by users. In particular, active users. their visiting rates, and the number of used platforms, is increasing con- anymore, but also in the corporate business one. increases information exposure and vulnerability of corporate assets. criticality and privacy for the company context.

THE APPROACH OF DIGITAL NATIVES TOWARDS TECHNOLOGY AND SOCIAL MEDIA

vulnerability, it is also necessary to deal with the issue of the so-called cases, this generation is referred to by using the term “Millennials” or “Y Generation” and digital natives are often commonly thought to represent the majority of the Social Network’s population.

Picture 1 Source:
In the Italian context, for example, it is interesting that the generation -gistered to a social network, 55% to a forum, 34% is a blog follower and 17% is a blogger7.

The so-called “digital natives”, in fact, deal with new technological devices and services in a more “natural” way, integrating them more sponta- they are “free” from the necessity to learn the digital use. This generation tends therefore to be particularly “multitasking” and rapid in using technology, is naturally oriented to touch, to interactivity and simplicity of use, since what is unidirectional and complex is not generally part of this user experience and is hardly comprehensible.

-tiality and privacy, a 2012 Research8 only 31% considered security as one of the most important elements to pay attention to when taking a decision in the information technology origin and have had to adapt to it, digital natives tend, for example, not to give importance to passwords: only one in three young people, in fact, pays attention to the solidity of his/her own password and many of them 9.

In many cases, it is an awareness issue, as underlined also in the CLUSIT report 2013: «the notorious “digital natives” on average do not know anything on ICT Security, although they are almost all rigorously provided with a smartphone, always connected on Social Networks and thus exposed to every sort of threat».

more information is shared in a naive way: in some cases, it is shared by digital natives themselves, but, in other cases, information is shared by characteristic of digital information “permanence” and on the fact that, in the future, information can be analyzed both by potential employers and by fraudulent people.

8 Dimensional Research, 2012.
3. Criticalities and threats

The growing vulnerability of corporate information systems is determined by some peculiar criticalities related to the rising amount of shared information and to the rapidity with which it is exchanged and spread. Moreover, these criticalities are also increased by the more and more rapid and continuous use of technology, with an overlapping of the private and -

In this context, companies are exposed to a new series of threats exploiting social dynamics and multiple platforms to “know” employees and enterprises, detect their vulnerabilities and breach at a new level that goes beyond the perimetral technological coverage traditionally protected.

3.1 Critical factors

phenomena able to increase systems’ vulnerability: on the one side, an augmented exposure of personal information and, on the other one, the reduction of the chances to keep it under control, together with the numerous ways to access Social Media both in the private and in the working sphere.

Personal information is more and more easily and quickly shared on the internet and, therefore, “at disposal” for possible attacks, too. groups of people and, thus, information production and exchange. More precisely, these tools show peculiar characteristics that foster informa- published online, the author loses control over it and cannot guarantee its elimi- speed rates10

In general, it is more and more evident that, during the day, people tell can detect two precise trends. If, on the one hand, there is a progressive multi-device fruition, i.e., users move from one device to another while continuing to access the same kind of contents, on the other hand, there is a contemporary multi-device fruition, during which users exploit more devices at the same time.

10 Bennato, Sociology of Digital Media, Roma-Bari, Laterza, 2011.

Information exposure
for promotional and commercial activities, and to establish relationships -porate accounts on Twitter and to create placeholders on various platforms.

In the context of augmented connection to multifold services, sites, applications, Social Media, communities, the increase and concatenation of one’s own accounts make the amount of personal information vulnerable and attackable through weak points: the use of e-mail as “universal” easily resettable and can consequently be reached in a fraudulent manner. In particular, authentication modalities on the Social Media are extremely weak. Because of the growing number of platforms, users tend to repeat the same name/mail and password combinations, and, in many cases, it is possible that, for reasons of simplicity, they use their work e-mail. Besides, the only validation during registration pertains to the e-mail, which is required to be active: there are no further processes and this

In some cases, users pay attention to the information they share and to the security settings of their own accounts on the Social Media, but they have no -mation about them. In addition to this, when a third person shares the contents, duplication makes it impossible both to cancel and to eliminate it. information on the victim’s habits and represents a great means to exploit some vulnerabilities while the victim is far from the computer.

Due to a growing information exposure, people tend to reduce their attention to the potential use people can make of it on the net. The information amount, the increased possibilities to access it, and the exchange rapidity, together with the habit of sharing contents (in general, the more the chance to have everything precisely under control and also the user’s predisposition to actuate control mechanisms, since they are too expensive in terms of user experience’s time and quality.

Moreover, since people tend to give little value to the information they own, they also tend to share it more easily: in fact, just as a password could be more easily shared than a token or a smart card, similarly, sharing information with one’s own contacts can be perceived as not a risky or potentially damaging activity, thus increasing the corporate vulnerability to fraudulent attacks. In many cases, in fact, users, being convinced that

Information control and access modalities to Social Media
the Social Media environment is secure (because populated by contents risk following poorly secured links and putting various types of malware into company computers, damaging the corporate network itself at various levels. In addition to this, when a third person shares contents, duplication makes it impossible both to cancel and to eliminate it.

It is also necessary to consider that Social Media users are not simply “citizens”, but they can also be employees, managers and executives, i.e., in general, members of a private company or a public institution, thus owning information that cannot always be spread outside. In addi- usually tend to create a unique “hybrid” ensemble to be used without any that do not necessarily correspond to the corporate vision can be read -guished, any message conveyed by employees would contribute to the creation of the corporate image anyway.

Social Networks and Social Media all day long, and that, also during working time, they tend to use these means to interact with their own friends and share information. These activities are not necessarily done through the work PC, on which, if needed, it is possible to employ some type of control and protection, but often through personal smartphones that may later be connected to management is more complex, since the presence of employers’ perso- own material and immaterial assets.

by employees:

• On the one side, publishing contents on external platforms, without time distinction, can lead to image damage or the escape of reserved information, or it can be leveraged for
• On the other side, the use of external platforms during working hours can expose the corporate computers and network to risks brought by various types of external attacks.
3.2 Cybercrime’s targets and objectives

In this scenario, the most vulnerable companies have been characterized banks and companies constituting the Country’s infrastructural network, but also companies becoming a “bridge” to access other information (big same attack model also to SMEs.

elements also into production contexts that are traditionally “autono- -ple, plants for energy production, such as generating and nuclear power -ad, are more and more distributed and interconnected on the network. and structures represented their protection prerequisite, today’s most serious problem is the fact that each device connected to the net is on its own potentially vulnerable and subject to possible attacks by hackers. security side, too, given that they can be not only manually broken, but are also more vulnerable to viruses, anomalies, etc., up to the crash of some applications. Due to the peculiarities of these systems, the potential negative impact from the production and social standpoint is clear, as is the consequent necessity to rethink the overall protection mechanisms against the multiple fraudulent actions.

report what is highlighted in the CLUSIT Report 2013: Everyone has already become a potential target, simply because of being connected to the Internet. Statistically, there are still distinctions between private citizens and VIPs, between men and women, adults and children, -ferences with respect to the victim type, but this depends above all on the fact that they are more and more specialized; yet, on the other side, they have become so numerous and impudent, and their action is already so pervasive”, there are no “secure” categories anymore.

Information attacks have multiple goals. In general, we can distinguish between gathering information that can become monetary value for the hacker and breaking into systems for sabotage purposes:

• -mation asset, in order, for example, to be able to break into its or to take possession of business information or industrial se-
• In the second case, instead, the attack aims at directly causing malfunctions or disruptions, or blackmailing the company by threatening to create malfunctions and disruptions, through the manipulation of internal systems.

Moreover, apart from the main objective, during the time period necessary to complete the attack, all information stolen along the path and potentially interesting (information on the credit card, bank account exploited on the black market where they are sold at the list price according to the information type11.

3.3 The new “social” threats

Information attacks can be only social, only technological, or be characterized by a combination of various aspects. In general, since attacks can be highlighted:

• : the user downloads (intentionally or by
• of websites that exploit vulnerabilities in web browsers. They are being increasingly used by attackers to target web browser

In both cases, the user intentionally follows a malevolent link either received through mail or private communication, or shared on a Social Media. Depending on the practical execution of the attack, it can also be necessary for the user to run a programme, plugin or attachment.

Attacks to data or services
[...] between PC and Social Media, the risk is not cancelled, but only, in some cases, partially reduced. Social Media use through mobile devices [...] even more exposed, the workspaces to which they are connected (users' personal devices are often not equipped with protection systems and are therefore more subject to attacks that are potentially transferable to [...]). It is interesting to notice how the perception of the risk and, therefore, [...]. The list "[...]" [...]. One of the most important aspects to consider is that these risks for the company are not isolated from one another: on the contrary, the potential threat is very often represented by a combination of them. [...] called malware 1.0, since they are built from the start to be integrated into these new socially twisted threats.

Picture 2: Risk perception depending on social platforms. Source: www.web-strategist.com, 2012
THE MOST IMPORTANT SOCIAL THREATS AGAINST THE VARIOUS COMPANY'S ASSETS

Financial assets:
- Productivity loss due to the time spent by employees on Social Media.

Industrial secrets and intellectual property:
- Information on procedures and working modalities published by [...]
- Loss of control by the company on what is published on Social Media.

Physical security:
- [...] often employees.

Information assets and company's network:
- [...]

Corporate image and reputation:
- [...]
4. Examples of attacks

Social Media are therefore tools the company can use to improve its per[...]. Let's analyze three examples of attacks that exploit Social Media and that can be combined into the successive steps of a complex attack.

4.1 Leveraging target's trust

One of the most important aspects for successful social engineering attacks is to obtain the target's trust, in order to persuade people to execute the target action. [...] environment to do these activities: the connections developed within these platforms are born, in fact, from the idea of linking and gathering people [...] one element in Social Engineering attacks. To develop these attacks, it is possible, for example, to proceed either in a direct manner [...] on other platforms, or in an indirect manner. In the second case, before starting directly with the friendship request, the hacker develops some relationships with the target's friends, so as to be more credible and reliable afterwards: people tend, in fact, to trust more and to reply positively to requests from someone who is, apparently, already in their own contact group. Once the target's trust is obtained, the hacker can:
- Gather further information (for a spear phishing attack on a [...]
- Interact with the target by sending malevolent links in updates or private messages, leveraging the trust gained on the platform (this is therefore a variation of spear phishing, which, [...]

This kind of attack [12] is increasing thanks to the amount of available information and the low attention many people pay when accepting friendship requests. In addition to this, also not being present on the Social Networks represents a threat, since it becomes easier for hackers to create [...]

12 [...] reserved information (http://www.guardian.co.uk/world/2012/mar/11/china-spies-facebook-attack-nato)

4.2 Identifying the right lure

Spear phishing is a particular kind of phishing. The latter is carried out, for example, through e-mails asking to unlock one's own bank account or to send money to needy people. These e-mails are usually characterized by careless graphics, grammar mistakes and references to banks one has no relationship with. They are therefore generic e-mails exploiting the law of large numbers and leveraging the fact that, by sending this type of mail to millions of people, sooner or later it will be possible to reach someone. Spear phishing doesn't leverage quantity, but quality. The objective of this type of phishing is to compromise workstations and users through more targeted attacks addressed to subjects of particular interest, as a direct or indirect way to access relevant and strategic data. In this case, a customized lure is created by exploiting the targeted user's "digital dossier", which gathers all the personal and work information in the hacker's possession. Spear phishing mails are actually carefully prepared and focused for [...] seem to be from a friend or a company mail account (internal or from a [...]). [...] Networks represent a very rich information source. [...] necessary step would be to take possession of some access credentials and compromise some workstations. To do this, spear phishing represents the ideal and most often used technique. [...] Social Network for the work environment, all users insert their current [...] to get visibility. Through the platform's native functions, it is possible to start analyzing, for example, current employees, latest hires [...]. Users generally tend to be rather cautious and to set privacy levels in a more or less strict way. Nevertheless, it is often possible to get a photo [...] information anyway.
Moreover, users sometimes link their blog, Twitter account and other applications, providing additional information about themselves.
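As an added worked example (not code from the CEFRIEL paper), the following Python script triages incoming mail for the lure pattern described above: a message that borrows a known colleague's display name, or a near-copy of the company domain, while its real sender, Reply-To or links point elsewhere. The company domain, the contact directory and the two sample messages are constructed for the illustration; the lookalike test is a deliberately simple string-similarity check, not a full homoglyph analysis.

```python
"""Triage mail for spear-phishing lures that impersonate a colleague or the
company domain. Added example; domain, contacts and messages are constructed."""
import email
import email.utils
import re
from difflib import SequenceMatcher
from email import policy
from urllib.parse import urlparse

COMPANY_DOMAIN = "example-corp.com"        # assumption: the protected domain
KNOWN_CONTACTS = {                         # assumption: entries from the corporate directory
    "anna rossi": "anna.rossi@example-corp.com",
    "marco bianchi": "marco.bianchi@example-corp.com",
}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_company_domain(host):
    host = host.lower()
    return host == COMPANY_DOMAIN or host.endswith("." + COMPANY_DOMAIN)


def is_lookalike(host):
    """True for a host that imitates the company domain without being it:
    a near spelling (example-c0rp.com) or the company name buried inside a
    foreign domain (example-corp.com.login-portal.net)."""
    host = host.lower()
    if not host or is_company_domain(host):
        return False
    if COMPANY_DOMAIN in host:
        return True
    registrable = ".".join(host.split(".")[-2:])  # crude eTLD+1, enough for the demo
    return SequenceMatcher(None, registrable, COMPANY_DOMAIN).ratio() >= 0.8


def analyse(raw):
    """Return the list of lure indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, sender = email.utils.parseaddr(str(msg.get("From", "")))
    sender = sender.lower()
    # 1. A colleague's display name over an address the directory does not know.
    expected = KNOWN_CONTACTS.get(name.strip().lower())
    if expected and sender != expected:
        findings.append("display name of a known contact over a different address")
    # 2. Sender domain that merely looks like ours.
    if is_lookalike(domain_of(sender)):
        findings.append("sender domain imitates the company domain")
    # 3. Replies silently redirected to a third domain.
    _, reply_to = email.utils.parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and domain_of(reply_to) != domain_of(sender):
        findings.append("Reply-To points to a different domain than From")
    # 4. Links whose host imitates the company domain.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if is_lookalike(host):
            findings.append(f"link to lookalike host {host}")
    return findings


# Constructed samples: a genuine internal note and a spear-phishing lure.
LEGIT = """From: Anna Rossi <anna.rossi@example-corp.com>
To: marco.bianchi@example-corp.com
Subject: Q1 figures

Marco, the slides are at https://intranet.example-corp.com/q1 - see you at 3.
"""

LURE = """From: Anna Rossi <anna.rossi@example-c0rp.com>
Reply-To: anna.rossi@mail.example.net
To: marco.bianchi@example-corp.com
Subject: Please confirm your account before the board meeting

Marco, IT asked everybody to re-validate their login here:
http://example-corp.com.login-portal.net/reset
Thanks, Anna
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("lure", LURE)):
        print(label, "->", analyse(raw) or ["no indicators"])
```

Run stand-alone, the genuine note produces no indicator, while the lure trips all four checks. In practice the findings feed a mail gateway rule or a SOC triage queue; the display-name check is the one that catches the "digital dossier" lure, because it only fires when the attacker has done the reconnaissance to pick a real colleague's name.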
[...] relatively simple to correctly identify one's own target and start gathering the information necessary for the spear phishing attack. In fact, many users [...] and, where applicable, also the events the user has participated in. Once the analysis phase is closed, hackers can send a very customized mail prepared for the most vulnerable target to start the attack's following [...]. The success rate for spear phishing mails created like this is extremely high [13] and can reach 70% [14].

4.3 Connecting information

[...] information that employees share on the net: the so-called OSINT activity [...] sources and connect the various pieces of information. In addition to exploiting this information to enrich a possible digital dossier and prepare spear phishing attacks, it is possible, in some cases, to use this information to analyze competitors' activities and prepare some responses in advance (for example, by submitting new customers [...]). In this context, we can highlight, for example, how geolocation through [...] geolocate most frequently [...] often possible to discover meeting rooms' names (to be used for [...]) [...] Networks (in many cases, people who share most frequently tend to [...]) [...] described. [...] 2010.
Together with geolocation, in many cases, people insert some images in their updates. Photos sometimes show buildings' exteriors, but in various cases photos of interior areas are published too, thus providing hackers with important information, for example about the com[...]

Identifying clients: [...] cautiously, in many cases it is possible to analyze business trips and identify the company's clients and partners: this activity is often easy to do, since people, in addition to geolocation, frequently add [...]

Locating plants: [...] employees may geolocate and publish images of places that should be reserved or whose existence/presence should not be widely known.

[...] hackers can already get a large number of interesting pieces of information. [...] platforms, in fact, it is possible to write in an update the place one is writing from and, very often, to "tag" other people as well. So it is also possible to indirectly gather information on users, by means of content shared by third parties that the owners cannot even keep under control.
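As an added example (not from the paper), the Python below connects a handful of geotagged updates the way an OSINT pass would: it buckets coordinates into roughly 100 m cells, counts how many distinct employees turn up in each cell (directly, or because a colleague tagged them), pulls meeting-room names out of the text and, for each person, records the places where others placed them. The employee list, the posts and the field layout of an update are constructed for the illustration.

```python
"""Connect geotagged social updates into a location dossier. Added example;
employee names, posts and the update layout are constructed."""
import re
from collections import defaultdict

# Assumption: names collected earlier from a professional-network profile search.
EMPLOYEES = {"anna", "marco", "luca", "sara"}

# Constructed updates: (author, latitude, longitude, tagged users, text).
POSTS = [
    ("anna", 45.4786, 9.2262, [], "Back in the office, coffee first"),
    ("marco", 45.4787, 9.2263, ["luca"], "Demo with Luca in the Aurora room"),
    ("sara", 45.4788, 9.2264, ["anna", "marco"], "Team lunch, all of us"),
    ("luca", 45.4642, 9.1900, [], "Duomo at sunset"),
    ("marco", 44.4949, 11.3426, ["luca"], "Plant visit with Luca, again"),
    ("anna", 44.4951, 11.3427, [], "Site walk-through, photos later"),
    ("sara", 41.9028, 12.4964, [], "Holiday!"),
]
ROOM_RE = re.compile(r"\b(?:in|at) the (\w+) room\b", re.IGNORECASE)


def cell(lat, lon, decimals=3):
    """Bucket coordinates into ~100 m cells (three decimals of a degree)."""
    return (round(lat, decimals), round(lon, decimals))


def location_dossier(posts, employees, min_people=2):
    """Rank cells by how many distinct employees appear there (as author or
    tagged), collect room names per cell, and record where each person was
    placed by someone else's update rather than by their own."""
    people_at = defaultdict(set)
    rooms_at = defaultdict(set)
    placed_by_others = defaultdict(set)
    for author, lat, lon, tagged, text in posts:
        c = cell(lat, lon)
        if author in employees:
            people_at[c].add(author)
        for person in tagged:
            if person in employees:
                people_at[c].add(person)
                placed_by_others[person].add(c)
        rooms_at[c].update(ROOM_RE.findall(text))
    sites = [(c, sorted(p)) for c, p in people_at.items() if len(p) >= min_people]
    sites.sort(key=lambda item: (-len(item[1]), item[0]))
    return {
        "sites": sites,
        "rooms": {c: sorted(r) for c, r in rooms_at.items() if r},
        "placed_by_others": {p: sorted(cs) for p, cs in placed_by_others.items()},
    }


if __name__ == "__main__":
    d = location_dossier(POSTS, EMPLOYEES)
    for c, people in d["sites"]:
        print(c, people, "rooms:", d["rooms"].get(c, []))
    print("placed by others:", d["placed_by_others"])
```

On the constructed data the cell shared by all four employees (with the "Aurora" room name attached) stands out as the office, and a second cell shared by three of them looks like a plant. Note that luca never posts a location at either site himself: both cells enter his dossier only through colleagues' tags, which is exactly the third-party exposure the paragraph above describes.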
5. Defense strategy against Social-driven Vulnerability: a 360° paradigm shift

New information security threats greatly leverage various key factors. Some of them have been widely discussed and are mainly related to pe[...] and leverage the exploitation of this attitude. On the one hand, considering the increasing complexity of technological infrastructures, there are numerous initiatives aimed at really strengthening information systems. Modern operating systems keep adopting new techniques [15] to prevent malevolent software, whether brought by a user onto their own PC or spread through browser or other software vulnerabilities, from compromising the core of the system and gaining full access to all data and inputs. In this sense, the social approach is the one that best manages to overcome the security barriers set by the company and to drive the user to adopt behaviours against which no countermeasures have been implemented yet. On the other hand, while the issue of the massive analysis of activity traces through technological devices is currently widely handled by IT solution vendors (however complex it is to deal with this issue in the [...]), much less is done for matters like the Information Security oriented monitoring of the company's social exposure. In that respect, information and material to carry out "social-driven" attacks are more and more available to hackers, without an adequate information counterpart for the people in charge of protecting the company perimeter. [...] contents accessed by users: it will surely be possible, with accurate tuning, [...] to attack a restricted number of people, or malevolent code that is built ad hoc to be transmitted through those lures.
In addition to this, there is a business evolution related to cybercrime that is increasingly pushing towards an organized approach strongly aimed at a rapid return on investment. The creation and engineering of sophisticated malware, even though still helped today by the contributions of people working "by passion", actually require the costs of a software factory's activity. The trade in customized malware has reached much higher prices compared to "general purpose" malware. Therefore, this pushes organizations towards a strongly target-focused approach, making the choice of tool almost only a matter of advantage and convenience. Today, one of the means enabling to maximize the costs/[...] exploitation.

15 Like for example "sandboxing" techniques, "address space randomization", or "trusted computing".

On the basis of the numerous current tendencies highlighted so far, it is clear that it is necessary to protect a company in a new way (whatever [...]): a real paradigm shift in the study and arrangement of the company's defense system. To sum up, it is necessary to envisage a parallel evolution both of human factor involvement and of the technological approach used in planning corporate protection operations. Today, although with the unavoidable unlimited variations characterizing each organization, information security countermeasures are usually the responsibility of a dedicated IT area. This typically operates with a [...] with the development of core business solutions and involving the pre[...]. [...] Technology is therefore often the core of any information security plan, since the adopted approach sounds like "let's identify the adequate technology". [...] that take into consideration the growing importance played by processes, too. Therefore, the technologies adopted to develop the overall [...] must also be easy to monitor and to integrate in corporate systems for information gathering and processing. The growing change in that sense [...]. Nevertheless, this step is not enough yet, and requires a further evolution. Strong choices are necessary to enable the shift from the current situation, where the human factor is "separated" from technology and "endures" security, to a situation where people are actively involved in the security processes.
Such a paradigm shift is extremely challenging for the [...]. [...] towards this model, in fact, it is required to share objectives, more or less intensely, with functions that are not directly connected with the corporate "technological" dimension, but related to the management [...]
Moreover, executing the "patching of human factor's vulnerabilities" [16] is not such a deterministic process, with given results, as the patching [...]. [...] understandable how complex it can be to set new "attitudes" within the [...] most commonly used social attack approaches, and reduce those behaviours that can enable the attacks themselves. In this context, it seems that the winning strategy is to generally rethink the monitoring of the security level reached by the company, both by creating new areas focused on the "social" dimension and by rethinking technological monitoring in the perspective of a more detailed and integrated [...] for a 360° defense that should be as complete as possible, and [...]. Considered in the technological context, these probes are the traditional detection points of unauthorized IT accesses and actions, while, applied [...] stop, attack attempts. The scheme represented in Picture 3 highlights such a change of approach: no longer only a solid perimeter security independent of the contents to be protected, but a set of actions that aim at protecting machines, information and users, both as single aspects and as parts of a whole. [...] security interventions must include at least three action macro areas, while, today, not all of them are always adequately considered and monitored:

Picture 3: Distributed and multilayer protection scheme, integrating various comple[...]. Source: CEFRIEL, 2013
- The technological monitoring extended to all of the company's IT [...]
- The "monitoring on the monitoring", conceived as a strong stronghold of the processes that allow, from the results and alerts [...] barriers.
- [...] action lines with respect to the possible intervention needs.

5.1 Social monitoring

[...] particularly delicate, since it implies two operating aspects that are potentially [...] elements of attention and organizational involvement as regards their execution. [...] on the Social Media (synergic with, but not equivalent to, activities that are more and more often developed to monitor brand reputation [17] and sentiment [18]) [...] information that people variously linked to the company expose on Social Media and more generally on the Internet. The issue is complex and [...] monitoring activities on media contents of a more "personal" nature and [...] cannot simply be on demand, but must take place in a continuous and [...] should not only cover known areas (the company's digital properties, i.e., [...]) [...] also focus on all content that can be reached on the Internet although not known by the company. In fact, this sort of content is often extremely similar to the original company's content, so that, in many cases, it is confused with it. Consequently, it can be fully manipulated at will by the people managing it and thus used to target [...]

18 People's opinion towards a given brand, product or service. Sentiment analysis is used to try to understand people's predisposition towards the analyzed element.
[...] to do appropriate activities towards internal users who are in the position, as previously described, to represent a bridge to overcome the perimeter [...] through focused assessments and attack simulations, the real intervention need, also considering possible awareness activities already executed. In this case, the detected numerical data is not important in absolute terms, but as representative of an overall percentage of exposure to a possible social attack of the reference company sample, used to highlight which areas of the target users are more subject to which types [...]. In particular, the emerging analysis dimensions range from the demographic characterization of the sample, or of the potential access level to corporate information, to the combination of social and technological factors characterizing the attacks that have turned out to be the most [...] that manages and directs them, guaranteeing adequate follow-ups on the [...] envisioning the necessary involvement of various company's subjects".

5.2 Technological monitoring

[...] at the same time, it obviously cannot exclude technological operations. It is necessary to highlight, in fact, that, although intervention on the social dimension has by now become unavoidable, it is anyway not enough to protect the company, since the technological dimension keeps on [...]. [...] defense will be the one able to leverage both dimensions at best.

Picture 4: [...] subject category and attack typology
In this sense, continuous monitoring must be linked to a "divide et impera" attitude, which is certainly not new in the best practices for protecting IT. Keywords like "defence in depth", segmentation, intrusion detection and prevention with lures on the internal networks are not new, in fact, to those who manage and plan the company's IT while also paying attention to security problems, and such an attitude must actually be considered [...] the company's external perimeter is not enough, but it is also necessary to segment the internal structure and defend the various sections' perimeters [19]. Only by doing this is it possible to prevent a single perimeter violation, obtained through social means and therefore below the technological detection radars within the company, from becoming complete access to the company's information assets. [...] Advanced Persistent Threats today: hackers' investment in the information-gathering activity that enables the social phase of their attacks is often widely rewarded, once past the external perimeter, by the evidence of a low level of internal protection. Nevertheless, this is not enough. There must also be a regular analysis to promptly react to possible attacks and to isolate the compromised IT portions, avoiding worse consequences. [...] social monitoring previously described is required to complete the "lateral" defending structure of a "castle". The purpose is to protect both from the new intrusions "from above" that can directly hit people "overcoming" the walls and from the new techniques that persuade them to directly open the castle's "main gate".
5.3 Prevention and control

[...] technologies and the social monitoring do not prove to be enough, since it is also necessary to insist on control processes so as not to make those interventions [...]. Therefore, the monitoring will not be done only on ICT equipment consoles but, since the human factor must be more and more integrated in the technological chain, a monitoring of the "human" [...] of the inputs coming from people will also be necessary, and people should themselves become control "lures" in addition to the technological ones installed on PCs and within the networks [20]. To this extent, it is essential, for example, a [...] procedures, i.e., concatenated actions done by multiple subjects at multiple levels to stop and neutralize ongoing attacks.

19 [...] Integrating Security and Systems Engineering, Wiley, 2006

5.4 Organizational implications of the integrated approach to corporate security

[...] company's organization. The more the starting condition (also of a "cultural" [...]) [...] structures, if present, should also be involved, like those in charge of Innovation or Risk Management (the social risk, like all other risks, must be [...]) [...] contexts. In particular, the value of involving the Innovation structure is related to the fact that the new security approach outlined so far is not only innovative on the whole, but it also requires a series of single interventions that are fully disruptive with respect to the company's traditional activities, both in terms of development and implications.

20 [...] strengthens security, on www.net-security.org, May 2013.
6. Conclusions

Security technological interventions are required to evolve contextually [...] the horizontal one, integrating external perimeter protection with the internal one, and the vertical one, raising interventions from the level of technology to the level of people. In particular, an integrated approach is necessary, represented by a set [...] functions and in synergy also with the budgets allocated to structures [...] Social-driven Vulnerability's dynamics. Moreover, it promotes the reduction of dangerous behaviours for a 360° protection programme of the company's information assets.

Authors [...]

© CEFRIEL - Milan, February 2014 - Some rights reserved
This work is released under a Creative Commons License (http://creativecommons.org/licenses/by-nc-nd/3.0/) [...] were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use. [...]
CEFRIEL experience

[...] and management of modern company information systems. [...] experience acquired in supporting the innovation process of companies and [...] and information availability are critical factors. The operating model is enhanced by the capability to aggregate, manage and transfer the competences acquired in project development and by the steady relationship with information security managers and professionals. [...] characteristics: not only the support to outline and implement the company's social strategy, but also the analysis of user sentiment about the content the company shares on Social Networks. The Security and Social Media competences acquired and continuously developed have been applied for years to innovation projects developed in collaboration with primary Italian organizations to assess social and technological vulnerability.
T: +39 02 23954 1
www.cefriel.com