This post is about social engineering. It covers some of the dangers of social engineering and focuses mainly on what a corporation or company can do to better prepare its employees for those kinds of situations.
Security Awareness Training
The most important thing, and something we don’t do enough of, is basic security awareness training. Employees need to be aware of situations that look odd, and they need to have it ingrained that, even if they don’t want to admit it or don’t like the fact, they are part of the security team. Every employee, no matter what their function is, also has the duty of protecting the company and the company’s assets. That’s part of their job. If the company goes out of business because of compromised information, they no longer have employment. It is in their best interest to make sure that the company is secure so that it can keep making money and keep paying people their salaries.
When we talk about security, we’re very good at talking about how bad things can be, how wrong it is and how someone has done something wrong, but when you’re trying to give security awareness training to an employee, that’s not the best avenue of approach. Managers need to start educating their employees and giving them positive reinforcement. When an employee does something good, like questioning someone who is trying to get through the door behind them, reward them and take notice of it: “You did a good job,” or “We’ll print it in the company newsletter saying you were recognized for being security conscious.”
They react to that. People respond to positive reinforcement. It also becomes competitive, because now Susan has seen James recognized as a security-conscious person; he got the recognition. Well, now she’s going to want that recognition too, so she’s going to keep an eye out for an opportunity to catch someone doing something insecure. It’s important to foster that kind of competition; it is important to empower people to try to be secure and security conscious.
Constant Reinforcement of Security Ideals
It doesn’t always have to be a pen test. Frankly, pen tests are not going to save you. Constant reinforcement of security ideals and security practices is what’s going to keep you safe. It’s ideal to have an employee simply walk through the area making sure the Clean Desk Policy is being enforced, making sure no passwords are written underneath the keyboard, making sure they’re not posted on the monitor, doing those kinds of things.
Because even if you find nothing, people see that, and in that instance they realize: “Oh, they’re looking to make sure the area’s secure. I have to keep making sure my area’s secure as well, because I don’t want to be called out in a negative way saying that I was doing something unsecure, because that would go to my manager, my supervisor.”
Even if they don’t find anything, they’re promoting security awareness and a security-conscious environment in a passive way. Humans can’t be patched every second Tuesday of the month the way systems are. It has to be a constant kind of awareness, a constant kind of environment where you show that.
And what is good for the lowest mailroom or janitorial staff, or any entry-level position, has to go for the CEO and the CIO of the company too. Top managers have to live up to that kind of ideal as well.
If a company is compromised, it mostly happens through the CEO. Because when the bad guys are attacking, when they’re going after your company, they’re not going after the mailroom, they’re not going after the clerk or the entry-level person; they want to go after the CEO, they want to go after the CIO. Why? Because top managers usually think they deserve an exception to the security policies. They may not want antivirus software updating all the time because it crashes the system or makes it run too slow. They don’t have to use the two-factor authentication token; they just use their password. They don’t have to meet the minimum password length and special character requirements everybody else in the company does. They just want it to be their first name so that it’s easier for them to get in.
And when the company is compromised, they’re not going to come back and say: “Oh, my bad.” They’re going to say: “Why didn’t you protect me from myself? Why weren’t you doing your job of protecting me from harming the company?” So that’s one of our responsibilities as well: telling the executives things they may not really want to hear. But that’s what we have to do, because we’re trying to protect the company from the human element.
Socially Engineer Your Employees
Basically, you want to socially engineer your employees and your environment in order to protect the company from social engineering. Make people more conscious, and change the environment so that people are more suspicious and more questioning of what’s going on. They must question things that may be out of the ordinary.
Usually, after compromising a network or a company, most pen testers can see from people’s facial expressions and body language that they were suspicious but still let the intruders in. Later on, after the pen test, workers say: “Yeah, I knew there was something not quite right, but he said he was supposed to do this, and I didn’t want to challenge him.”
It is guaranteed that next time they’re going to challenge. That is part of inoculation: giving them that encouragement, giving them the courage to stand up and say: “Hey, this doesn’t seem right. I’m going to question you.” People need to understand that they have to do something in such situations: call security, call the police, call someone, react to it in some way, not just ignore it. That’s one of the key things employees have to understand. They don’t necessarily have to confront the situation, but it is imperative, and part of their responsibilities, to report it.
About the Author: Alex Lamman is a 25-year-old software engineer, snowboarder and loving father from Germany. He is an Internet security addict and helps run Privacy PC, a website that guides you through security and privacy news, tips and antivirus software reviews.