October 6, 2011 at 3:24 am #6883
I’m looking to overhaul our current security awareness program and I’ve been reading a lot of Lance Spitzner’s blog and it does seem like social engineering is increasing in quality at an incredible rate. I’m curious how often anyone doing sec. awareness training updates the social engineering topics or what are some of the methods used for this topic. Any information would be helpful.
October 6, 2011 at 3:52 am #42533cd1zzParticipant
Here is what’s been successful for us:
- Try to discuss things that could impact their personal lives, like online banking, stolen email creds etc and how that would impact their personal lives. This seems to get people to listen and pay attention. After they’re listening you can explain how these same tactics can impact your business.
- I’ve found that live demo’s that aren’t too technical but prove a point are very effective. Using the sound recorder or web cam modules in metasploit are perfect for this. We’ve noticed that people begin to really pay attention when they see this.
- Keep your meeting short and sweet, otherwise no one will take anything away and it will be a waste of time. Try to drive home a few points but don’t over saturate them.
- A little paranoia can go a long way, but don’t scare them.
Bottom line for us is trying to “hook” the audience early so our users actually might learn something and become a little less risky on the network 🙂 These things have been very effective for us.
October 7, 2011 at 1:34 am #42534
I definitely have enough paranoia to go around (why else would I be in infosec field) but I liked the spin on the personal lives. Most of the current program focuses on company resources and generally people could care less apart from just signing off on the “I completed the mandatory training” paper. As everyone uses their company internet for personal reasons these days, it could provide a nice eye opener.
October 10, 2011 at 10:22 am #42535
I agree social engineering is I would say the most affective way to get access. As humans we alway want to trust people and sometimes are afraid to ask question we just take people for face value.
I agree with cd1zz comments I think the training process is a life cycle and should alway try keep employee on there toes about the subject.
Live demo and trying to map the situation to them is a good way to get the message across.
You must be logged in to reply to this topic.