
Using social engineering testing to foster anti-social engineering training

Worried your users could easily be pwned? Learn about improving social engineering testing to foster anti-social engineering training.

A recent social engineering test resulted in security failures within some of the world's biggest companies. I'd like to run some informal social engineering tests internally. What are some of the most common or cutting-edge techniques worth trying?

Ask the expert!

Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)

Recently, there have been a number of high-profile information security failures that can be traced to social engineering; even the RSA attack that led to the SecurID breach could be seen as a social engineering failure because an employee was reported to have enabled the attack by opening a malicious attachment from a phishing email. Running some informal social engineering tests internally will help make enterprises more aware of social engineering. Social engineering awareness should be included in any general security awareness program. These tests should be a part of the incident response plan, practiced like any other incident response procedures.

Oftentimes, social engineering is used in general penetration tests. Some of the most common exercises in social engineering testing include anti-phishing testing, during which employees are sent mock phishing emails to gauge how they respond. Security professionals may want to focus their anti-social engineering training where the most social engineering attacks are discovered: information found on an incident response record. If your organization has conducted incident responses in recent years, that's a good place to start, though there are plenty of high-profile breaches involving social engineering that can be good lessons as well.

In terms of training resources, a group of information security pros has put together a free social engineering toolkit that serves as an excellent starting point for enterprises that aren't familiar with the tricks employed by malicious social engineers, and Defcon has a social engineering contest where some of the most innovative social engineering takes place each year. Some of the most common social engineering breaches have been caused by run-of-the-mill phishing attacks, but organizations may want to include some of the cutting-edge methods from the Defcon 19 Social Engineering Contest results as well for good measure.
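As an added example (not from the original column or its author), the script below tallies the results of the kind of mock-phishing exercise the answer describes, per department, so that anti-social engineering training can be focused where users click most and report least. The result records, department names and thresholds are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample output of a mock-phishing exercise (not real data).
# One record per recipient: user,department,opened,clicked,reported (1 = yes, 0 = no)
SAMPLE_RESULTS = """\
alice,finance,1,1,0
bob,finance,1,1,0
carol,finance,1,0,1
dave,engineering,1,0,1
erin,engineering,0,0,0
frank,engineering,1,0,1
grace,hr,1,1,0
heidi,hr,1,1,0
"""


@dataclass
class DeptStats:
    sent: int = 0
    opened: int = 0
    clicked: int = 0
    reported: int = 0

    def click_rate(self) -> float:
        return self.clicked / self.sent if self.sent else 0.0

    def report_rate(self) -> float:
        return self.reported / self.sent if self.sent else 0.0


def parse_results(text: str) -> dict:
    """Aggregate per-recipient records into per-department counters."""
    stats = defaultdict(DeptStats)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _user, dept, opened, clicked, reported = line.split(",")
        s = stats[dept]
        s.sent += 1
        s.opened += int(opened)
        s.clicked += int(clicked)
        s.reported += int(reported)
    return dict(stats)


def training_priorities(stats: dict, click_threshold: float = 0.3,
                        report_threshold: float = 0.5) -> list:
    """Departments needing targeted training: too many clicks or too few reports,
    ordered worst click rate first (thresholds are illustrative assumptions)."""
    flagged = [d for d, s in stats.items()
               if s.click_rate() > click_threshold or s.report_rate() < report_threshold]
    return sorted(flagged, key=lambda d: (-stats[d].click_rate(), d))
```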

This was last published in May 2012

