Social engineering attacks and other penetration testing techniques can often make the victim feel like they've been tricked or betrayed, but if user awareness training is presented effectively by an enterprise's IT security team, it could instill a security-aware culture in the organization, according to a security expert who has been studying the issue.
You have to come up with a way that makes it important to the end user.
senior information assurance analyst, Information Assurance Professionals Inc.
Effective communication is at the heart of deploying social engineering training, said James Philput, a senior information assurance analyst at Information Assurance Professionals Inc. IT teams know there is often a vulnerability in a widely deployed piece of software within the organization that is scriptable, easy to exploit and potentially could cause serious problems. But one of the biggest problems in the security industry is figuring out a way to make the result of those problems relevant to the user, Philput said.
"Standing there and saying that a bad guy will get in and take all your stuff or will ruin your computer or crash it is not effective for users," Philput said. "You have to come up with a way that makes it important to the end user."
Philput will deliver a presentation at the 2012 Black Hat Briefings in Las Vegas, explaining how to communicate the need for social engineering tests to upper management, and how to effectively deploy them to build relationships, not destroy them.
"I'm hoping that this will provide a more positive way for the information security team to use some of their skills to improve security as a whole for the organization and at the same time build a better relationship with the organization they secure," Philput said.
Social engineering testing often involves mock phishing emails, but pen testers can also drop thumb drives in an attempt to get employees to connect them to their computer, an often serious lapse in judgment. Some security teams test employees by making a mock phone call, pretending to be a remote employee or representative of a business partner with a problem that needs to be solved quickly. Phishing emails are the least expensive option and also the easiest to track, Philput said. The drills can be an alternative to an online training course. Over time the security team can identify employees or specific parts of the organization that may need extra training.
Philput said the IT team should begin its testing program by assessing the policies that are in place and whether or not they have been effectively communicated to employees. Secondly, Philput said, organizations should regularly inform employees that testing could be implemented at any time. It's a step that helps avoid negative feelings of betrayal, Philput said. Finally, reward employees who pass the test and treat errors in judgment as a learning experience, he said.
More from Black Hat 2012
See more of SearchSecurity.com's special coverage of Black Hat 2012.
A social engineering drill can be extremely effective, Philput said, especially in organizations that don't have a major security orientation or ongoing information security training program. An important step is to properly design the training and present it to the users. "If it isn't presented properly, it's never going to have any effect; it's never going to have any impact," Philput said.
The worst user awareness programs are delivered annually online, Philput said. End users quickly race through them and in some organizations Philput has seen users sharing an answer sheet to the multiple choice questions.
"The best I've seen for user awareness, and [the] most difficult to implement in my experience, is the training in groups between 30 to 60 users with a member of the infosec team," Philput said. "That humanizes the infosec people to the people they are securing. You get these sometimes basic, sometimes fascinating questions coming from the end users. I've seen a lot fewer hits on social engineering attacks because the users are much more willing to call the security people if they suspect something is wrong."