Henry Dalziel | General Hacking Posts, Hacker Hotshots | June 15, 2013
Ignore social engineering training at your peril.
Make your people aware of the ever-growing scams out there. Seems obvious, but trust us: we are constantly amazed at how many people fall victim to ‘simple’ phishing attacks.
Social engineering is all about coercing you into doing something that feels fine to do but is clearly not fine for your security. The best example is getting you to click something that (unknown to you) triggers a trojan hidden in an innocent-looking wrapper, and hey presto, there go your bank login details, company accounts, etc.
The human is dumb.
The weakest and most vulnerable link in the security chain is the human. Here at Concise Courses we are all about information security education, and it certainly gives us pleasure to promote the necessity of effective employee phishing training. Taking advantage of human behavior is the name of the game when it comes to social engineering. An organization can employ the world’s greatest information security professional, but that won’t stop a phishing attack that succeeds in hacking someone else in your organization.
Employees need social engineering training – period. Basic stuff like email phishing, spear phishing, etc. must be drilled home in a practical and engaging way. For example, one engaging way to educate your workforce is to send everyone, without warning, an email made to look moderately suspicious, ‘sent’ from someone they do not know, asking them to download a file. Those who do will trigger a harmless program that only installs a clown screensaver on their desktop with a message saying “Report To [Name] – Your IT Head of Department, You Need To Learn Why What You Did Was Bad!!!” Making mistakes is the best way to learn when it comes to social engineering prevention.
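One way to keep score in a drill like this (an added example, not code from Concise Courses or the original post): every recipient gets a unique, unguessable token in the simulated download link, and the harmless download page's web-server log is matched back to recipients to see who clicked and needs the follow-up talk. The addresses, secret, tokens and log lines below are constructed sample data.

```python
"""Phishing-awareness drill tracker (added example, not the post's own code).

The drill email links to a benign page such as /awareness/download?t=<token>.
The web server logs each hit; this script maps tokens back to recipients,
computes the click rate and lists who should be routed to training.
"""
import hashlib
import hmac
import re

# Constructed sample values; in a real drill keep the secret out of the script.
CAMPAIGN_SECRET = b"constructed-drill-secret"
RECIPIENTS = ["alice@example.com", "bob@example.com", "carol@example.com"]

# Only 16 hex chars are needed to tell recipients apart, and an HMAC means
# nobody can derive a colleague's token from their email address.
LOG_LINE = re.compile(r'GET /awareness/download\?t=([0-9a-f]{16}) ')


def token_for(address: str) -> str:
    """Per-recipient token embedded in that person's drill link."""
    return hmac.new(CAMPAIGN_SECRET, address.lower().encode(), hashlib.sha256).hexdigest()[:16]


def parse_clicks(log_lines):
    """Return the set of tokens seen on the drill download endpoint."""
    return {m.group(1) for line in log_lines for m in [LOG_LINE.search(line)] if m}


def drill_report(recipients, log_lines):
    """Who clicked, the click rate, and tokens that match nobody (forwarded links, scanners)."""
    seen = parse_clicks(log_lines)
    by_token = {token_for(r): r for r in recipients}
    clicked = sorted(by_token[t] for t in seen if t in by_token)
    return {
        "clicked": clicked,
        "needs_training": clicked,  # everyone who clicked gets the screensaver talk
        "click_rate": len(clicked) / len(recipients),
        "unknown_tokens": sorted(seen - set(by_token)),
    }


# Constructed log lines: two real recipients clicked, one unrelated request,
# one hit with a token that belongs to nobody on the list.
SAMPLE_LOG = [
    f'10.0.0.5 - - [15/Jun/2013:10:01:02 +0000] "GET /awareness/download?t={token_for("alice@example.com")} HTTP/1.1" 200 512',
    '10.0.0.9 - - [15/Jun/2013:10:02:40 +0000] "GET /index.html HTTP/1.1" 200 2048',
    f'10.0.0.7 - - [15/Jun/2013:10:03:15 +0000] "GET /awareness/download?t={token_for("bob@example.com")} HTTP/1.1" 200 512',
    '10.0.0.7 - - [15/Jun/2013:10:03:16 +0000] "GET /awareness/download?t=deadbeefdeadbeef HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(drill_report(RECIPIENTS, SAMPLE_LOG))
```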
Tailgating, dumpster diving, etc. are standard basics that also need to be incorporated into any social engineering program, but those can really be addressed by creating habitual patterns of behavior. For example, ensuring that all documents are shredded before they go in the trash will, within a short space of time, become second nature to your people.
There are a gazillion different phishing tricks out there, but the key is that your people are made fully aware that their actions have consequences. A “You Won A Million Dollars” email should be an obvious scam to most, but malware-ridden emails can be made to look a lot more ‘normal’ and ‘appealing’.
What do you do for your social engineering training? Nothing at all? Just a little bit? Tell us – we wanna know!
Lastly – check out our Hacker Hotshot web show titled “Go With the Flow: Strategies For Successful Social Engineering” with Chris Silvers, which was a superb insight into social engineering hacks with REAL examples! You’ll love it.