Mitnick K.D., Simon V.L. - The Art of Deception (2003)(en).pdf

information could endanger the company as well as their own personal information and jobs. In a sense, being careless about information security at work is equivalent to being careless with one's ATM PIN or credit card number. This can be a compelling analogy for building enthusiasm for security practices.

Establishing the Training and Awareness Program

The person responsible for designing the information security program needs to recognize that this is not a one-size-fits-all project. Rather, the training needs to be developed to suit the specific requirements of several different groups within the enterprise. While many of the security policies outlined in Chapter 16 apply to all employees across the board, many others are unique. At a minimum, most companies will need training programs tailored to these distinct groups: managers; IT personnel; computer users; non-technical personnel; administrative assistants; receptionists; and security guards. (See the breakdown of policies by job assignment in Chapter 16.)

Since the personnel of a company's industrial security force are not ordinarily expected to be computer proficient, and, except perhaps in a very limited way, do not come into contact with company computers, they are not usually considered when designing training of this kind. However, social engineers can deceive security guards or others into allowing them into a building or office, or into performing an action that results in a computer intrusion. While members of the guard force certainly don't need the full training of personnel who operate or use computers, nonetheless they must not be overlooked in the security awareness program.

Within the corporate world there are probably few subjects about which all employees need to be educated that are simultaneously as important and as inherently dull as security. The best designed information security training programs must both inform and capture the attention and enthusiasm of the learners.

The aim should be to make security information awareness and training an engaging and interactive experience. Techniques could include demonstrating social engineering methods through role-playing; reviewing media reports of recent attacks on other less fortunate businesses and discussing the ways the companies could have prevented the loss; or showing a security video that's entertaining and educational at the same time. There are several security awareness companies that market videos and related materials.

NOTE

For those businesses that do not have the resources to develop a program in-house, there are several training companies that offer security awareness training services. Trade shows such as Secure World Expo (www.secureworldexpo.com) are gathering places for these companies.

The stories in this book provide plenty of material to explain the methods and tactics of social engineering, to raise awareness of the threat, and to demonstrate the vulnerabilities in human behavior. Consider using their scenarios as a basis for role-playing activities. The stories also offer colorful opportunities for lively discussion on how the victims could have responded differently to prevent the attacks from being successful.

A skillful course developer and skillful trainers will find plenty of challenges, but also plenty of opportunities, for keeping the classroom time lively and, in the process, motivating people to become part of the solution.

Structure of the Training

A basic security awareness training program should be developed that all employees are required to attend. New employees should be required to attend the training as part of their initial indoctrination. I recommend that no employee be provided computer access until he has attended a basic security awareness session.

For this initial awareness and training, I suggest a session focused enough to hold attention, and short enough that the important messages will be remembered. While the amount of material to be covered certainly justifies longer training, the importance of providing awareness and motivation along with a reasonable number of essential messages in my view outweighs any notion of half-day or full-day sessions that leave people numb with too much information.

The emphasis of these sessions should be on conveying an appreciation of the harm that can be done to the company, and to employees individually, unless all employees follow good security work habits. More important than learning about specific security practices is the motivation that leads employees to accept personal responsibility for security.

In situations where some employees cannot readily attend classroom sessions, the company should consider developing awareness training using other forms of instruction, such as videos, computer-based training, online courses, or written materials.

After the initial short training session, longer sessions should be designed to educate employees about specific vulnerabilities and attack techniques relative to their position in the company. Refresher training should be required at least once a year. The nature of the threat and the methods used to exploit people are ever-changing, so the content of the program should be kept up to date. Moreover, people's awareness and alertness diminish over time, so training must be repeated at reasonable intervals to reinforce security principles. Here again the emphasis needs to be as much on keeping employees convinced of the importance of security policies and motivated to adhere to them, as on exposing specific threats and social engineering methods.

Managers must allow reasonable time for their subordinates to become familiar with security policies and procedures, and to participate in the security awareness program. Employees should not be expected to study security policies or attend security classes on their own time. New employees should be given ample time to review security policies and published security practices prior to beginning their job responsibilities.

Employees who change positions within the organization to a job that involves access to sensitive information or computer systems should, of course, be required to complete a security training program tailored to their new responsibilities. For example, when a computer operator becomes a systems administrator, or a receptionist becomes an administrative assistant, new training is required.

Training Course Contents

When reduced to their fundamentals, all social engineering attacks have the same common element: deception. The victim is led to believe that the attacker is a fellow employee or some other person who is authorized to access sensitive information, or authorized to give the victim instructions that involve taking actions with a computer or computer-related equipment. Almost all of these attacks could be foiled if the targeted employee simply followed two steps:

Verify the identity of the person making the request: Is the person making the request really who he claims to be?

Verify whether the person is authorized: Does the person have the need to know, or is he otherwise authorized to make this request?

NOTE

Because security awareness and training are never perfect, use security technologies whenever possible to create a system of defense in depth. This means that the security measure is provided by the technology rather than by individual employees, for example, when the operating system is configured to prevent employees from downloading software from the Internet, or choosing a short, easily guessed password.

If awareness training sessions could change behavior so that each employee would always be consistent about testing any request against these criteria, the risk associated with social engineering attacks would be dramatically reduced.

A practical information security awareness and training program that addresses human behavior and social engineering aspects should include the following:

A description of how attackers use social engineering skills to deceive people.

The methods used by social engineers to accomplish their objectives.

How to recognize a possible social engineering attack.

The procedure for handling a suspicious request.

Where to report social engineering attempts or successful attacks.

The importance of challenging anyone who makes a suspicious request, regardless of the person's claimed position or importance.

The fact that they should not implicitly trust others without proper verification, even though their impulse is to give others the benefit of the doubt.

The importance of verifying the identity and authority of any person making a request for information or action. (See "Verification and Authorization Procedures," Chapter 16, for ways to verify identity.)

Procedures for protecting sensitive information, including familiarity with any data classification system.

The location of the company's security policies and procedures, and their importance to the protection of information and corporate information systems.

A summary of key security policies and an explanation of their meaning. For example, every employee should be instructed in how to devise a difficult-to-guess password.

The obligation of every employee to comply with the policies, and the consequences for non-compliance.
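The NOTE above makes the point that a control enforced by the system is more reliable than one that depends on each employee remembering the training, and the list item on devising a difficult-to-guess password is a case where that applies directly. The following is an added example, not code from the book, of a server-side password policy check of the kind a system would run at account creation or password reset. The minimum length, the leet-substitution table and the small deny-list of common passwords are assumptions chosen for illustration; a real deployment would load a large breached-password list in place of the handful of entries embedded here.

```python
"""Added example (not from The Art of Deception): a password policy check
enforced by the system rather than left to the employee."""
import re

# Constructed, illustrative deny-list. In production this would be a large
# breached-password corpus; the entries here are an assumption for the example.
COMMON_PASSWORDS = {"password", "welcome", "letmein", "qwerty", "123456", "admin"}

# Keyboard rows used to detect runs such as "qwer" or "asdf" (and their reverse).
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

MIN_LENGTH = 12  # assumption for this example; pick the value your policy requires

# Common "leet" substitutions so that P@ssw0rd is recognised as "password".
# The mapping is illustrative, not exhaustive.
_LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "3": "e",
                       "$": "s", "5": "s", "1": "i", "!": "i", "7": "t"})


def _normalize(pw):
    """Lower-case, undo leet substitutions and drop non-letters."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(_LEET))


def _has_keyboard_run(pw, run=4):
    """True if the password contains `run` adjacent keyboard keys in a row."""
    s = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seg = row[i:i + run]
            if seg in s or seg[::-1] in s:
                return True
    return False


def check_password(pw, username=""):
    """Return a list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    raw = pw.lower()
    base = _normalize(pw)
    if raw in COMMON_PASSWORDS or base in COMMON_PASSWORDS or any(
            w in base for w in COMMON_PASSWORDS if len(w) >= 6):
        problems.append("contains a common password")
    if username and len(username) >= 3 and username.lower() in raw:
        problems.append("contains the username")
    if _has_keyboard_run(pw):
        problems.append("contains a keyboard sequence")
    if re.search(r"(.)\1{2,}", pw):
        problems.append("repeats one character three or more times")
    return problems


def is_acceptable(pw, username=""):
    """Boolean form of the check, for use in an account-creation handler."""
    return not check_password(pw, username)


if __name__ == "__main__":
    # Constructed sample inputs: two that training alone often fails to prevent,
    # and one long passphrase the policy accepts.
    for candidate in ("P@ssw0rd1!", "qwerty2024!!", "correct horse battery staple"):
        print(repr(candidate), check_password(candidate, username="jsmith"))
```

The leet normalisation is what makes the deny-list useful: without it, "P@ssw0rd1!" passes a naive dictionary check even though it is one of the first guesses an attacker tries. The check returns the list of reasons rather than a bare boolean so the user-facing message can say what to fix; the boolean wrapper is what the enforcement point should call.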

Social engineering by definition involves some kind of human interaction. An attacker will very frequently use a variety of communication methods and technologies in attempting to achieve his or her goal. For this reason, a well-rounded awareness program should attempt to cover some or all of the following:

Security policies related to computer and voice mail passwords.

The procedure for disclosing sensitive information or materials.

Email usage policy, including the safeguards to prevent malicious code attacks including viruses, worms, and Trojan Horses.

Physical security requirements such as wearing a badge.

The responsibility to challenge people on the premises who aren't wearing a badge.

Best security practices of voice mail usage.

How to determine the classification of information, and the proper safeguards for protecting sensitive information.

Proper disposal of sensitive documents and computer media that contain, or have at any time in the past contained, confidential materials.

Also, if the company plans to use penetration testing to determine the effectiveness of defenses against social engineering attacks, a warning should be given putting employees on notice of this practice. Let employees know that at some time they may receive a phone call or other communication using an attacker's techniques as part of such a test. Use the results of those tests not to punish, but to define the need for additional training in some areas.

Details concerning all of the above items will be found in Chapter 16.