One aspect of DEF CON that always gets some media coverage is the Social Engineering Capture the Flag (SECTF) contest, where participants use nothing more than a phone call to get employees at various Fortune 500 companies to give up bits of information. These are the sort of social engineering attacks that give security professionals at large enterprises nightmares.
These same professionals may be in charge of programs meant to train employees to recognize and resist social engineering attacks, but many of these programs are not as effective as they could and should be. What can organizations do to improve them?
- Give these programs a good name. This may sound trivial, but there’s a reason to do it. “Catchy” names may well become the butt of jokes, but they keep training programs – and their lessons – in the minds of users.
- Put users on the other side of the attack – teach them basic social engineering. There’s no better way to understand how social engineering works than to learn how to do it. By putting employees in the role of the attacker, they learn how to spot an attack, and that any data is valuable to a social engineer – not just what would normally be considered “sensitive.” Seemingly harmless details (names, extension numbers, which vendor handles the printers) are exactly what an attacker uses to make the next call sound legitimate.
- Don’t forget the value of “no”. A very effective tactic used by social engineers is the veiled threat: if the target doesn’t do what they are asked, their boss will hear about it and be angry. This can be dealt with culturally: let employees (and managers) know that there will never be a penalty for saying “no” and verifying the request with whoever is in charge. Callbacks and mailbacks should be part and parcel of company procedure, and the number or address used for them must come from the company address book – never from the caller, who will happily supply a number that rings back to themselves.
Part of a good social engineering training program is “social” penetration testing – i.e., having someone play the role of an attacker and try to socially engineer employees. However, some organizations try to reduce costs and rely on automated tests alone. This can be a problem: obviously “fake” tests annoy employees and teach them to spot the test rather than the attack, which leaves them more vulnerable to the real thing. Organizations have to ensure that any tests carried out are as realistic as possible, so that they accurately measure the ability to resist social engineering.
Both testing and training have to be a continuous, never-ending process. Social engineering attacks, like all attacks, only get better over time. Employees join and leave the company, or change roles, and with them the knowledge the training imparted. A truly effective training program has to keep all of this in mind in order to protect an organization for the long haul.