.

Social Engineering emphasis in security program

<<

l33t5h@rk

Post Wed Oct 05, 2011 10:24 pm

Social Engineering emphasis in security program

I'm looking to overhaul our current security awareness program and I've been reading a lot of Lance Spitzner's blog and it does seem like social engineering is increasing in quality at an incredible rate. I'm curious how often anyone doing sec. awareness training updates the social engineering topics or what are some of the methods used for this topic. Any information would be helpful.
<<

cd1zz

User avatar

Recruiters
Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Wed Oct 05, 2011 10:52 pm

Re: Social Engineering emphasis in security program

Here is what's been successful for us:

  • Try to discuss things that could impact their personal lives, like online banking, stolen email creds etc and how that would impact their personal lives. This seems to get people to listen and pay attention. After they're listening you can explain how these same tactics can impact your business.
  • I've found that live demo's that aren't too technical but prove a point are very effective. Using the sound recorder or web cam modules in metasploit are perfect for this. We've noticed that people begin to really pay attention when they see this.
  • Keep your meeting short and sweet, otherwise no one will take anything away and it will be a waste of time. Try to drive home a few points but don't over saturate them.
  • A little paranoia can go a long way, but don't scare them.

Bottom line for us is trying to "hook" the audience early so our users actually might learn something and become a little less risky on the network :)  These things have been very effective for us.
<<

l33t5h@rk

Post Thu Oct 06, 2011 8:34 pm

Re: Social Engineering emphasis in security program

Thanks cd1zz.

I definitely have enough paranoia to go around (why else would I be in infosec field) but I liked the spin on the personal lives. Most of the current program focuses on company resources and generally people could care less apart from just signing off on the "I completed the mandatory training" paper. As everyone uses their company internet for personal reasons these days, it could provide a nice eye opener.
<<

millwalll

Post Mon Oct 10, 2011 5:22 am

Re: Social Engineering emphasis in security program

I agree social engineering is I would say the most affective way to get access. As humans we alway want to trust people and sometimes are afraid to ask question we just take people for face value.

I agree with cd1zz comments I think the training process is a life cycle and should alway try keep employee on there toes about the subject.

Live demo and trying to map the situation to them is a good way to get the message across.

Return to Social Engineering

Who is online

Users browsing this forum: No registered users and 1 guest

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software