Anti-social engineering training: The first line of defense against human error

Security team member Jeffrey Catalfamo details the key elements of a successful anti-social engineering training program.

Identity theft has become the crime of the decade.  No longer content with targeting the individual, attackers are now working toward the big score; your customer data. 

The physical hardening of a network can be easily circumvented by one simple, yet conversely multifaceted element, the human component

When it comes to protecting a network, IT professionals typically turn to technology.  The more layers of technology we pile on, the more diverse each layer becomes; therefore, the more secure the networks must be.  Enterprises tend to fail, however, because they neglect to focus internally.  This does not mean a failure to scrutinize the security tactics and maintenance of the enterprise itself (although we, the doctors of IT, tend to make the worst patients). Rather, there is a negligence with respect to focus on those whom the systems are entrusted to protect; the users. 

The physical hardening of a network can be easily circumvented by one simple, yet conversely multifaceted element, the human component.  Successful attackers often take on the role of social engineers, indirectly attacking a hardened network by manipulating the network users. Because of this common and ever-present threat, it is equally important for enterprises to invest time and effort in training, educating and testing of this vital security component. In this article, we’ll discuss the best ways to conduct this anti-social engineering training.

A social engineering training primer
The first and most important item to point out concerning user training is it is a cyclical process; there is no start or finish.  Social engineers are constantly evolving their craft, developing new and innovative ways of duping users into compromising themselves or their organizations.  It is the job of enterprise network security teams to keep abreast of these methods and share with users the ways in which these attempts can be spotted, and subsequently protected against.  Testing is just as critical, as it shows areas of vulnerability as well as strength. Results provide a general systematic evaluation so practices may be improved upon and security teams might gain a better understanding of where efforts need to be refocused.

An anti-social engineering training effort needs to begin with the security team.  This team should be responsible for the creation of policies and procedures geared toward protecting the individual and the enterprise network.  The team should be comprised of personnel from different areas of the organization. 

Their secondary function is to provide support of all policies and procedures within their area of operation.  They also must assist with the creation of training materials for employees.  To that end, security IT training should be a formalized process for all new employees.   Time needs to be spent specifically on the topic of network security and anti-social engineering training.  This training should focus not just on how to pass a social engineering exercise, but on how to spot attacks and more importantly, how to react when one is encountered.  The threat vectors, which should be covered in this process, include:

  • Face-to-face interactions:  This exercise is commonly referred to as “how to spot the phony repairman/vendor.”  Role-playing is a great tool to demonstrate how the most simple questions or the persistence of an irate vendor can be the strategic maneuver of an attacker who is attempting to gather information or gain access to your site.  Policies need to be set in place with regards to sharing computer resources with vendors and fellow employees.
  • Email: Samples of email attacks are abundant.  Generally, people see a few come into their inboxes each week; these should be saved to be used as training guides for spotting phony email addresses.  Staff should be educated on how to verify domain names (fdic.com vs. fdic.gov) as well as the typical aggressor tactics they may come across. Some examples can be found in email offers with a deal that is too good to be true, or an archetypal sense of urgency tag line, such as “act now” and “only 20 slots available.” Employees should be trained to look out for signs of incongruence; emails that are “from” an employee but do not conform to company email policy. This could be an email missing a signature block, or fonts do not confirm with company standards. Red flagging such incidences is what’s known as the “stink test.”  If something stinks, it’s most likely malicious, so seek guidance immediately.
  • Websites:  Training on website security goes hand in hand with email.  Teach employees how to review a link without clicking on it.  Many phishing attack emails will contain links to the aggressor’s websites.  In many cases, the displayed link does not match the underlying link within the email. Trainees should learn to read domain suffixes that are frequently encountered, such as www.computerhope.com.jargon/num/domains.htm.  Again, the stink test applies; emails "originating" from the FDIC would most likely not direct you to FDIC.com.jp as this fictitious domain resides in Japan.
  • Telephone:  Procedures should be in place that direct staff on how to deal with phone attacks.  Staff should be instructed not to blindly follow the directives of a caller.  Teach them to correctly and efficiently use the resources at hand, such as caller ID and internal directories.
  • Hard copy data:  Dumpster diving is an expedient, commonly practiced method for assailants to acquire information to compromise enterprises and individual consumers alike.  Strict policies should be in place to reduce the likelihood of this threat.  Suggestions for protection against this risk include the use of lockable file drawers and file rooms, as well as lockable shred bins.

The practical anti-social engineering training recommendations illustrated above can be used as the foundation of a basic end-user security training program.  However, employee training is just the beginning; training needs to be reinforced periodically.  The real necessity to a security program’s success is a competent social engineering testing firm.  A good firm will help evaluate training plans by conducting real-world tests of your team.  A company’s performance during a third-party social engineering engagement can validate the success of your training, demonstrate training shortcomings, and help identify individuals who may require remedial or additional training. 

After each test, which should be done regularly, an after-action meeting should be held to determine training/retraining needs.  This includes a review of all pertinent policies and procedures.   A retooling of the training process, based upon the results of testing and a review of policies, should be mandated to ensure that training stays current and is based upon need and potential threat.

An information security breach is a costly matter.  Each year, billions of dollars are spent by organizations in an attempt to recover from the effects of a security breach.  The reputational risk alone can be reason enough to worry about this type of misfortune.  Although IT professionals can use a layered approach of technology to physically protect their computer systems, it is crucial that the human element is accounted for.  Failure to address the potential for human error will leave a glaring hole in overall enterprise security, leaving an inevitable trail of breadcrumbs leading to sensitive customer information; the leakage of which would mean disaster. An anti-social engineering training effort enables an organization to proactively deal with this risk before an attack happens, rather than after the fact.

About the author:
Jeffrey Catalfamo is the AVP of information technology at Hudson Heritage FCU. He has more than 25 years of experience in the trenches supporting users and IT decision makers.

This was last published in November 2011

Dig Deeper on Security Awareness Training and Internal Threats-Information