
Social Engineering Awareness Program: PART 1

Building the Culture to Support a Social Engineering Awareness Program

Today, companies are investing more than ever in protecting their IT infrastructure. In response, attackers, and in turn penetration testers, are using a different vector to gain access to enterprises: the human element. Humans can be exploited using a variety of methods collectively known as social engineering. This broad category includes phishing, spear phishing, whaling, vishing, smishing, pretexting, dumpster diving, and tailgating.

Social engineering hinges upon Dr. Cialdini’s Six Principles of Persuasion:

  1. Authority
  2. Reciprocity
  3. Commitment and Consistency
  4. Social Proof
  5. Likability
  6. Urgency/Scarcity

Attackers use these persuasion methods to achieve their goals; each technique listed above leans on one or more of them.

THE CULTURE

In organizations of all shapes and sizes, the culture of the organization drives the security of the business and its people. You may have witnessed a toxic culture in organizations that cast security aside as a nuisance.

The key to preventing social engineering is to incubate a culture of security. This has to be visible at all levels of the business, from the C-level executives to the newest janitor or intern. Security does not need to be ingrained to the point that any employee can pass the Security+ exam, but some level of awareness is necessary. Every person needs to feel empowered and to understand his or her role in the security effort.


In doing this, the business empowers employees and lets them know that they are valued. When security is integrated into this culture, employees will be more receptive to learning new concepts and applying them in the workplace. Ironically enough, in my experience they take these concepts home and will willingly tell you how they have done so and thank you, the security professional, for bringing it to their attention.


Once people understand that the program is not “out to get them,” they will more readily accept and apply the concepts. In the eyes of the layperson, collaboration matters more than punitive measures or the restriction of assets. Collaboration serves security well: the employees are the ones who understand the “norms,” so they are the eyes and ears of security and can often report that something is “off” much faster than any software.

CONCLUSION

A culture of value and awareness is required to properly implement any awareness program. It is a means for employees to feel valued and appreciated, giving them an incentive to see the security effort succeed because they are part of the team. Having the culture really is a prerequisite for any awareness or training program. Once this is attained, the program can move on to the next step.

About the Author

Joe Gray joined the U.S. Navy directly out of high school and served for 7 years as a Submarine Navigation Electronics Technician. Joe is an Enterprise Security Consultant at Sword and Shield Enterprise Security in Knoxville, TN. Joe also maintains his own blog and podcast called Advanced Persistent Security. He is also in the SANS Instructor Development pipeline, teaching SANS Security 504: Hacker Tools, Techniques, Exploits, and Incident Handling. In his spare time, Joe enjoys reading news relevant to information security, attending information security conferences, contributing blogs to various outlets, bass fishing, and flying his drone.

Twitter: @advpersistsec/@C_3PJoe

LinkedIn: linkedin.com/in/billyjgrayjr

Email: jgray@Advancedpersistentsecurity.net