Social Engineering emphasis in security program

This topic contains 3 replies, has 2 voices, and was last updated by  Anonymous 8 years, 2 months ago.

  • Author
    Posts
  • #6883
     Anonymous 
    Participant

    I’m looking to overhaul our current security awareness program and I’ve been reading a lot of Lance Spitzner’s blog and it does seem like social engineering is increasing in quality at an incredible rate. I’m curious how often anyone doing sec. awareness training updates the social engineering topics or what are some of the methods used for this topic. Any information would be helpful.

  • #42533
     cd1zz 
    Participant

    Here is what’s been successful for us:

    • Try to discuss things that could impact their personal lives, like online banking, stolen email creds etc and how that would impact their personal lives. This seems to get people to listen and pay attention. After they’re listening you can explain how these same tactics can impact your business.
    • I’ve found that live demo’s that aren’t too technical but prove a point are very effective. Using the sound recorder or web cam modules in metasploit are perfect for this. We’ve noticed that people begin to really pay attention when they see this.
    • Keep your meeting short and sweet, otherwise no one will take anything away and it will be a waste of time. Try to drive home a few points but don’t over saturate them.
    • A little paranoia can go a long way, but don’t scare them.

    Bottom line for us is trying to “hook” the audience early so our users actually might learn something and become a little less risky on the network 🙂  These things have been very effective for us.

  • #42534
     Anonymous 
    Participant

    Thanks cd1zz.

    I definitely have enough paranoia to go around (why else would I be in infosec field) but I liked the spin on the personal lives. Most of the current program focuses on company resources and generally people could care less apart from just signing off on the “I completed the mandatory training” paper. As everyone uses their company internet for personal reasons these days, it could provide a nice eye opener.

  • #42535
     Anonymous 
    Participant

    I agree social engineering is I would say the most affective way to get access. As humans we alway want to trust people and sometimes are afraid to ask question we just take people for face value.

    I agree with cd1zz comments I think the training process is a life cycle and should alway try keep employee on there toes about the subject.

    Live demo and trying to map the situation to them is a good way to get the message across.

You must be logged in to reply to this topic.

Copyright ©2019 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?