Social Engineering Awareness Training Part 2: Designing an Effective Training Program

Continuing from the previous post, where we established a culture of security: the population is now ready to be trained, and that readiness is the key prerequisite for setting up the training. Effective training raises awareness at all levels of the organization, adds a layer of protection, and removes a level of insider threat.

Developing the Awareness Training Program

The training needs to be organization specific, so that contradictory information from generic training cannot steer people the wrong way. Leave nothing to the employees' imagination: if they have to improvise, they will likely get it wrong, because most of them are not information security professionals.

The training should be role- and level-specific. IT staff and privileged users face different issues than HR, PR, Finance, Contracts, Services, and C-level executives. I recommend a minimum of three levels of training (marked with *):

  • General users, i.e. all users*
  • IT and privileged users*
  • C-level and senior management*
  • Role-specific training, depending on the public-facing role (e.g. HR, Finance, Contracts)

The training needs to spell out the key indicators of social engineering. Show and distribute examples of actual emails and calls the organization has received; these are more instructive than any discussion of the “Nigerian Prince,” also known as “419,” scams. Ask people for examples they have received. I have found it effective to set up a dedicated email account to which people forward suspicious emails. This gives information security professionals the ability to analyze what is coming in, tune the spam filters, create IDS signatures, block IP addresses, and assess the attachments (which are likely ransomware) for impact.

Having the training be as customized as possible will trim time off the Incident Response effort once the inevitable happens and a user clicks the phish.

I recommend that organizations establish a non-punitive policy for employees who self-report successful social engineering, such as clicking a phish. There are obvious exceptions based on patterns of conduct and intent, but an innocent click on a phishing email should not, in my professional opinion, warrant punitive action.

The final part of designing the training is delineating the actions for handling both known social engineering attempts and successful social engineering. My recommended guidelines are below:

Known Social Engineering:

  • What should happen to the email? Delete it, block the sender, or forward it (possibly as an attachment)?
  • Who should be notified, and how?
  • Provide specific email addresses, phone numbers, or office locations
  • Phone calls: what information should be obtained, and to whom and how should it be reported?

Successful Social Engineering:

  • Immediate actions? Log off, step away, unplug the network cable, or power the system down?
  • Who should be notified, and how?
  • Provide specific email addresses, phone numbers, or office locations
  • Phone calls: what information should be obtained, and to whom and how should it be reported?
  • Remedial training?

Conclusions

In conclusion, customizing the training as much as possible will trim time off the Incident Response effort once the inevitable happens and a user clicks the phish. Spelling out the specific actions removes the need for employees to improvise. Stressing the non-punitive nature of self-reporting is a key cultural component that will further empower employees and drive better performance.

About the Author

Joe Gray joined the U.S. Navy directly out of high school and served for 7 years as a Submarine Navigation Electronics Technician. Joe is an Enterprise Security Consultant at Sword and Shield Enterprise Security in Knoxville, TN. Joe also maintains his own blog and podcast, Advanced Persistent Security. He is also in the SANS Instructor Development pipeline, teaching SANS Security 504: Hacker Tools, Techniques, Exploits, and Incident Handling. In his spare time, Joe enjoys reading news relevant to information security, attending information security conferences, contributing blogs to various outlets, bass fishing, and flying his drone.

Twitter: @advpersistsec/@C_3PJoe

LinkedIn: linkedin.com/in/billyjgrayjr

Email: jgray@Advancedpersistentsecurity.net