Comments on social engineering from several of our first members.
One of the ways I am able to test the awareness of our users in remote locations is to use what I call “dangerous donuts”: I use a box of donuts to distract people at the entrance and allow a second person to try to gain access to the secured areas of that particular location.
This can be very effective if you utilize a third person at a locked door in a less traversed part of the facility and use the second person to let the third person in.
I think this will always be a challenge. There is no solution. We are asking EVERYONE to be a cynic in regards to information. We can train and train and train, but people will always fall back to their nature. I think we’ll find that cynical people are easier to train, and optimists will not be.
I’m not saying not to train, but the training will never end. There is no magic training course that once it’s been taken, this will never happen again. Like there is just one thing we can say to all employees that will turn on the light bulb of cynicism/skepticism.
This is something we deal with currently, mostly with night shifts. Most employees don’t verify who it is behind them and just want to be helpful in holding the door open for someone. We are slowly changing the mindset to make sure that person who wants in has a valid reason to be in the building.
The whole “piggybacking” thing is definitely an issue but some companies make a huge deal about it to us when we only have a main office of about 40 people. We easily know if someone unfamiliar is trying to get into the office or computer room. No one is even allowed in the computer room other than about 3 of us and yet every company that asks me how we prevent piggybacking into the computer room is shocked when I say that we watch carefully and close the door behind us.
This would definitely work at our institution, especially with the doughnuts!!
As with many companies, piggybacking is an issue at my site. However, the education of the employees has been an effective way of combating this. We have classroom training where the employees have a chance to discuss the possible issues that can arise with piggybacking. I also have some outside people, trusted friends, try to enter during mornings and at lunch. When they are successful they let me know. I then take video logs and talk with the employee on a one-to-one basis and ask them why. This gives me more info that will allow me to update my training.
Isn’t CEO Fraud actually Social Engineering, too? I thought it was just something that bigger companies got hit with until my CFO showed me an email yesterday that came to him “from” our CEO (whose office is right across the hall!) that was the classic CEO Fraud, complete with bad English and typos.
Yes, CEO Fraud is social engineering.
I shared a video in my Security+ class a couple months ago. It shows how easy it is to conduct social engineering with a crying baby.
We are starting to see incoming email made to look like the CEO but if you look carefully the return email is something else. The name in outlook looks correct but you must look at the actual email addy to see the deception.
The bodies of the emails were spot on, and it was hard to pick out the deception.
I love this Josh! I hope you don’t mind if we use it
After attending the Chicago Cyber Security Summit, it only reinforced our training initiative. We can continue to add tools/services and the latest/greatest, waste time, money and efforts…and ultimately it can all be bypassed by the efforts of social engineering. KnowBe4 is one of the best tools in our arsenal at the moment as it focuses on the real attack surface - people. Educated staff are the greatest defense. Over 95% of all attacks enter via web clicks or links in emails…not traditional hacking.
That’s the same one I sent to my users… great video of how easy it can be!
Ray, it is a great video, but sometimes although you show your users, they don’t take it seriously.
Here is another video from the genius Kevin Mitnick.
We see these whale attacks all the time and they are becoming more sophisticated. Our accounting team has added additional protocols for wire transfer authorizations and other checks and balances with clients/vendors. I would recommend adding an SPF (sender protection network) record to DNS, which essentially creates a list of email addresses that are allowed to send from your domain. Your spam filter will then check this list and refuse, or mark as spam, any email that doesn’t fit the SPF criteria.
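The two checks raised in this thread, the look-alike display name with a different real address and the SPF allow-list a filter evaluates, as an added Python example that is not code from the original thread. The SPF record, the executive directory, the addresses and the sending IPs are constructed placeholders; only ip4/ip6/all mechanisms are evaluated because include/mx/a need live DNS.

```python
import ipaddress
from email.utils import parseaddr

# Constructed SPF TXT record for a placeholder domain: two allowed sender ranges, hard fail otherwise.
SPF_RECORD = "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.7 -all"

# Constructed directory: display name -> the only legitimate address for that person.
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none' for sender_ip against a v=spf1 record.
    Mechanisms that need DNS (include, mx, a, exists) are skipped in this offline evaluator."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no usable SPF record published
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no prefix means "match => pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            # A bare address means /32 or /128; mismatched IP versions simply do not match.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "all":
            return QUALIFIERS[qualifier]  # catch-all: the record's policy for everyone else
    return "neutral"  # RFC 7208 default when no mechanism matched


def spoofed_display_name(from_header, directory):
    """True when the display name belongs to a known person but the real address differs."""
    name, addr = parseaddr(from_header)
    expected = directory.get(name.strip())
    return expected is not None and addr.lower() != expected.lower()


def triage(from_header, sender_ip, record=SPF_RECORD, directory=EXECUTIVES):
    """Combine both checks into a list of flags a filter could act on (quarantine, tag, reject)."""
    flags = []
    spf = evaluate_spf(record, sender_ip)
    if spf in ("fail", "softfail"):
        flags.append("spf-" + spf)
    if spoofed_display_name(from_header, directory):
        flags.append("display-name-mismatch")
    return flags
```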