Chapter 5 Social Engineering: Here’s How I Broke Into Their Buildings

Social engineering is the most essential weapon in a no-tech hacker’s arsenal, but as a society, we have a love/hate relationship with those that excel at the art. We dig “social engineer good guys” like Zorro, Clark Kent, and the Scarlet Pimpernel; we hate others like Robert Hanssen (subject of the movie “Breach”), Aldrich Ames or that cheating Significant Other. Whatever your thoughts about social engineers, you should at least understand the mindset, and learn what you can do to protect yourself and those around you, because social engineers have one huge advantage: they’re playing you before you even realize there’s a game to be played.

Introduction

By this point you’ve probably noticed that a no-tech hacker is equal parts opportunist, actor, and con artist. Security experts roll up all of that and more in the term social engineer. A hacker experiments with a piece of technology to see if he can get useful results from it that its creator never intended. A social engineer does the same thing with human relationships.

The first part of this chapter is written by Jack Wiles. Jack is a security professional with over thirty years of experience in computer security, cyber-crime prevention, disaster recovery and physical security. He has trained hundreds of federal agents, corporate attorneys, CEOs and internal auditors on computer crime and security-related topics. His unforgettable presentations are filled with three decades of personal “war stories” from the trenches of Information Security and Physical Security. Because social engineering is at the heart of no-tech hacking, and Jack knows social engineering, I’m putting you in his capable hands. Take it, Jack!

How Easy Is It?

As an inside penetration team leader, I learned every exploit I could to conduct a successful inside penetration test. It was during those years that I gained most of my social engineering experience. These skills helped me to eventually hang up my dumpster diving penetration team jersey and retire from the Tiger Team world undefeated. Although I had several close calls, I was never stopped or reported to security as a possible burglar or corporate espionage agent, even though that’s the role I was playing—effectively, it’s what I was.

In 1988 I was part of an internal security team for a large corporation. On several occasions, I had the opportunity to hear conversations that went on when a “black hat” (or malicious) group targeted a victim by calling on the phone. The black hats were using social engineering skills to gain access to proprietary information, including passwords. What I heard one of the veteran black hats say to a trainee remains true today: “Social engineering is the easiest way to break into a system."

Why do attackers prefer social engineering as their attack vector? Let’s say you are an elite black hat hacker, and an international conglomerate has offered you big money if you can provide them valid sign-in credentials for their chief rival’s corporate network. In short, they want one or more user names and passwords.

Let’s call the target company International Acronym. As a “leet” black hat, you see no challenge whatsoever in learning user names for Acronym’s network. Most big corporations assign user names systematically, derived from employee names. If Joe Doaks works for Acronym, his user name is probably one of a few variations: joedoaks, jdoaks, JDoaks@Acronym, or some equivalent. If you can learn employee names, you can figure out user names. One obvious way to do this is to snag a printed corporate phone book (more on this later). But since you’re a smart and competent high-tech attacker, instead, you search Acronym’s Web site and find some names. You have many to choose from: executives, a PR person, a tech support manager, a marketing drone quoted in an interview … an email address here and there indicates what the structure of user names probably is. Great! All you need now is a password.

I’m about to compare what a high-tech hacker does to obtain a targeted valid password, versus what a no-tech hacker does to get a password. Ready? Here are the high-tech steps:

• Scan Acronym’s network to see if any ports are listening on the Internet. You could scan the whole range of 65,000 ports in a matter of seconds, but Acronym’s Intrusion Detection Systems would go off like a Christmas tree wearing a car alarm. You’re too smart for that, so you perform your scan in stealth mode. You have to go in low and slow, scanning one port every few seconds, ideally from IP addresses all over the huge botnet you control.

• Install malware on a victim machine. Assuming your port scan successfully reveals an open port, you next want to sneak your rootkit onto Acronym’s network. You program a little script that can exploit a dozen recently patched vulnerabilities, in hopes that Acronym hasn’t kept up with patching every application on their network. Packing and crypting a chunk of code that exploits holes in Internet Explorer, Quicktime, Yahoo’s toolbar, WinAmp, and other popular apps, you send it off. Like making your first million dollars, getting that first victim is the hardest. But since you’re so “leet,” we’ll stipulate that you successfully land your code on one of Acronym’s networked computers.

• Enumerate the target network. Congrats! You’re on Acronym’s network. But how large is it? How many subnets does it have? Does it use routers, or switches? What connects to what? Can you find servers that contain password files? You’ll have to carefully map out the network, hiding your activity the whole time. And in today’s dog-eat-dog network environment, you might also have to fight off other hackers, or at least seal the security hole that got you in, so that a less careful hacker doesn’t blunder in and blow your cover.

• Locate and copy the encrypted password file. Let’s assume Acronym runs a Windows network. You’ll probably use a tool like pwdump to snag a usable copy of their password hashes that you can ship to your own network to try to get at all those valuable passwords in clear text. You must move from one Acronym computer to another, like a series of stepping stones, moving ever closer to the main password server. And of course, you must do all this while concealing your activities, modifying logs and altering registry keys so that certain files do not update the date they were accessed.

• Run automated cracking tools against the encrypted password file. With the password hashes in your possession, and your activity on the Acronym network carefully hidden, you rev up John the Ripper loaded with all your favorite dictionaries and a huge rainbow table. Once this process begins, you’ll probably have a few passwords in less than an hour. (If you’d like to see this working under lab conditions, check out the SecurityWise video, “How Password Crackers Work,” found at http://video.google.com/videoplay?docid=4683570944129697667).
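The first high-tech step above makes a point defenders should take to heart: a fast sweep of all 65,000 ports lights up an IDS, but a scan of one port every few seconds is built to stay under the detector’s short window. As an added example (not from the book, and not any product’s real log format), here is a small detector that counts distinct destination ports per source over two sliding windows at once, a short window for the noisy burst and a long one for the low-and-slow scan. The firewall deny-log format, the sample log lines and the thresholds are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed firewall deny-log format (constructed for this example, not a real
# product's format): "<ISO timestamp> DENY src=<ip> dst=<ip>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) DENY "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+):(?P<port>\d+)$"
)


def parse_line(line):
    """Return (timestamp, source ip, destination port) or None for junk lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], int(m["port"])


def detect_scans(lines, burst_window=10, burst_ports=20,
                 slow_window=3600, slow_ports=50):
    """Flag sources that touch many distinct ports inside a sliding window.

    Two windows run side by side: the short one catches the noisy burst scan,
    the long one catches the low-and-slow scan that stays under the short
    window's threshold. Returns {source_ip: sorted list of labels}.
    """
    events = sorted(e for e in (parse_line(l) for l in lines) if e)
    windows = {
        "burst": (timedelta(seconds=burst_window), burst_ports, defaultdict(deque)),
        "slow": (timedelta(seconds=slow_window), slow_ports, defaultdict(deque)),
    }
    alerts = defaultdict(set)
    for ts, src, port in events:
        for label, (width, threshold, per_src) in windows.items():
            recent = per_src[src]
            recent.append((ts, port))
            # Drop events that have aged out of this window; the event just
            # appended always stays, so recent[0] is safe to read.
            while ts - recent[0][0] > width:
                recent.popleft()
            if len({p for _, p in recent}) >= threshold:
                alerts[src].add(label)
    return {src: sorted(labels) for src, labels in alerts.items()}


def sample_log():
    """Constructed log lines: one burst scanner, one slow scanner, one benign host."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    fmt = "{ts} DENY src={src} dst=192.0.2.10:{port}"
    lines = []
    # 10.0.0.5: 30 ports in about 3 seconds (the Christmas-tree burst).
    for i in range(30):
        ts = (base + timedelta(seconds=i // 10)).isoformat(timespec="seconds")
        lines.append(fmt.format(ts=ts, src="10.0.0.5", port=1 + i))
    # 10.0.0.9: one new port every 20 seconds, 60 ports in 20 minutes (low and slow).
    for i in range(60):
        ts = (base + timedelta(seconds=20 * i)).isoformat(timespec="seconds")
        lines.append(fmt.format(ts=ts, src="10.0.0.9", port=1000 + i))
    # 10.0.0.7: 200 denied hits on one port, a misconfigured client rather than a scan.
    for i in range(200):
        ts = (base + timedelta(seconds=i)).isoformat(timespec="seconds")
        lines.append(fmt.format(ts=ts, src="10.0.0.7", port=443))
    return lines


if __name__ == "__main__":
    for src, labels in detect_scans(sample_log()).items():
        print(f"{src}: {', '.join(labels)}")
```

The distinct-port count is what matters, not the raw hit count: the benign host generates more denied packets than either scanner but never trips an alert. A scanner that spreads the sweep across a botnet, as the step above suggests, defeats per-source counting, which is why a real deployment would also aggregate by destination and flag a single host being probed on many ports regardless of source.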

Whew! That was uber-leet, but you pulled it off. And it only took about a week. Now let’s go for the same goal – a valid password on Acronym’s network – the no-tech way. Ready? Count the steps:

• Make a phone call.

• Make another phone call. While you’re chatting, ask for—and receive—valid login credentials.

Badda-bing, badda-done. In a moment, I’ll show you how that’s possible. For now, line up those two procedures side by side, and you can see why hackers find social engineering easier than high-tech attacks.

And the two-step version is the difficult version. Sometimes the Social Engineering Gods drop nuggets right into your lap. I stood on a street corner in Seattle waiting for a bus one day, and I overheard two workers near me discussing their corporate network. One employee described to the other his cool new password, stating it out in the open. He probably assumed this was safe because he felt anonymous. But when I took an incredulous glance back to see what kind of reckless wild man blabs his password on a street corner, there, dangling from a pocket of his cargo pants, was his employee identity badge. There was his name. Right above the logo for Amazon.com, whose headquarters was two buildings away. Amazing.

Social engineering can be that easy.

Even better: social engineering doesn’t rely on a faulty piece of high-tech equipment to mount the attack. Rather, it uses a skilled attack on the psyche of the opponent. Most of the time, it can be accomplished with a clipboard and a cheap business card. So besides being easy, social engineering can be dirt cheap. (Even crooks worry about overhead cutting into their profit margin.)

Over the past fifteen years, I have learned first hand just how easy it is to be an effective con man as I led several inside penetration teams into the buildings of clients who had hired us to test their vulnerabilities. Not one time did we fail or get caught as we roamed their buildings pretending to be employees. Everyone we encountered as we did our thing thought we belonged there.

How was that possible? Why, it’s just human nature.

Human Nature, Human Weakness

This is certainly not the first written work discussing social engineering. The more you read the various articles and books on the topic, the more clearly the common thread begins to emerge. A social engineer turns our sympathetic, helpful human nature against us and exploits us with it.

One of the best books on the topic comes from Kevin Mitnick, widely regarded as the King of Social Engineers. His book The Art of Deception: Controlling the Human Element of Security demonstrates in story after story the exploitability of human kindness.

Mitnick would often pose as someone who was in trouble or had a problem which could be solved if he just had one little piece of information from the person he was talking with. Usually the information he requested wouldn’t strike his target as sensitive data. For example, if you work at a bank branch in a national chain of banks, and someone calls asking for the address of another bank in the same chain, that doesn’t seem like information you should withhold. So people answered his questions. In the conversation, they unwittingly leaked more information: Slang terms that only insiders used. The official name of a form. How many digits are in an account number.

Mitnick excelled at assembling these innocuous bits of data and leveraging them to get more data. If someone calls you and uses all the slangy insider terms of your business, seems conversant in numbering systems unique to your office, and even mirrors your feelings about management and customers, you’re going to think that person is an “us,” not a “them.” And we always want to help “us."

I’m certainly not against kindness. But it should co-exist with wariness. For this discussion, let’s consider threats from people who never were employees and don’t belong in your building. That kind of stranger should be easy to spot, and easy to stop, right? Right?

Hello? Is this thing on?

“Strangers who don’t belong in the building” is the category that my inside penetration team would fit into. When we roamed through buildings unchallenged, we definitely didn’t belong there (other than being hired to try to get there, but none of the employees knew about that). Someone checking out your building for possible espionage or future terrorist activities would also fit in this category. In theory, some employee inside the building should eventually figure out that there is a Trojan horse in the camp. Someone has gotten past whatever security there is at the perimeter, where entry was gained. Yet that was never what we encountered.

When I spent years doing this for a living, we were hired expecting to get caught. Our attacks were designed to become increasingly bold the longer I had the team in a building. Toward the end of just about every job, we were openly walking around as if we worked there, almost hoping to get caught by someone. We never did! Employees, time after time, acted in gullible bliss.

C’mon. Kindness and a desire to help is one thing. Being a sucker is a whole ‘nother thing. For more than three decades now, I have observed a lack of awareness of this concern. Over the years, I have seen comparatively few articles that address this silent but formidable threat.

We were good, but I suspect that there are many bad guys out there who are much better at it than we were, and they won’t try to get caught in the end as we did. We were also working under a few self-imposed rules that the real bad guys couldn’t care less about. Forced entry, such as using a crowbar to get through doors or windows, was a no-no for us. Our main tools were a cool head and our social engineering skills. So if we were never detected, despite working under those self-imposed restraints, imagine what a fat ripe target you are for a ruthless, conniving attacker who is playing for high stakes: riches versus prison.

Your organization needs to get its guard up. Toward that end, let me show you a specific example of how I tricked employees into giving me sensitive information. Then we can work on strengthening your defensive posture.

One Step is Better than Two

Sometimes the Social Engineering Gods drop nuggets right into your lap, as Johnny’s friend bR00t relays: “I stood on a street corner in Seattle waiting for a bus one day, and I overheard two workers near me discussing their corporate network. One employee described to the other his cool new password, stating it out in the open. He probably assumed this was safe because he felt anonymous. But when I took an incredulous glance back to see what kind of reckless wild man blabs his password on a street corner, there, dangling from a pocket of his cargo pants, was his employee identity badge. There was his name. Right above the logo for Amazon.com, whose headquarters was two buildings away. Amazing. Social engineering can be that easy."

The Mind of a Victim

Any one of us, at any time, could easily become the victim of some form of social engineering. It is not possible to completely eliminate the risk. There are some things that can and should be done to reduce the risk as much as possible, and I’ll address some of them later in this chapter.

Without some form of training (and practice) in learning how to resist social engineers, you could easily become a victim and not even know it.

Our minds work in very trusting and predictable ways, and that means that exaggerated deviations from the norm might strike us as so improbable, we haven’t thought out an appropriate response. This is what social engineers count on. Without awareness of the problem and without an understanding of how our minds can be fooled, there is little defense against social engineering.

“Social engineering would never work against our company!”

That’s what a close friend of mine said one afternoon when we were talking about overall security and the threat of social engineering. I had related some of my adventures as a pen-tester, but my friend felt her organization was too sharp for my tricks. “We have good security and our employees wouldn’t fall for anyone calling on the phone trying to get information from them,” she insisted.

I said, “Give me ninety days so that you won’t know when I’m going to call, and I’ll test your theory."

She agreed, with one condition. When the attack happened, she wanted me to record it on audio tape and give it to her as a training aid for her to share with her employees. I liked the idea. The contest was on!

I made the call a few weeks later.

“Good afternoon,” a friendly voice answered. “Medical Group, this is Mary. Can I help you?"

I immediately put on my doctor hat. “Yes, this is Doctor Wiles,” I began. (It’s fun saying that even if it is totally fake.) “I’m calling to ask a favor. We have a practice similar to yours in Richmond, and we’re considering purchasing a new medical billing system. Do you use a fully automated system for your accounting, and if so, do you like it?” My friendly voice didn’t raise any suspicion on her part. It was an apparently innocent question.

“Yes we do,” she said. “It’s called Doctors Database and I believe that they are located in Denver, Colorado."

So far, so good. She seemed willing to talk a little more, so I asked more questions. “Do they offer support when you have problems? We’ve heard some nightmares from friends who purchased medical billing systems and couldn’t get support once they paid for it."

“Yes, we’ve been very happy with their support,” Mary answered.

“How about upgrades and things that need to be fixed? Do they have someone locally that they send to work on the billing system?"

“No, they do everything over a modem that is attached to the system. We’ve never had a problem with their needing to be here."

I pressed on. “Before we make such a big decision, I’d like to speak with someone from Doctors Database to be sure that this would be the right billing system for us. Could you give me the name and number of the tech support person that you work with when you call them for support? Some of those technical people are very hard to understand. I always feel more comfortable after I’ve had a chance to speak with the people that our administrator will be working with when problems develop."

Mary apparently had a good working relationship with Doctors Database, because she seemed happy to give me a name. “Yes, we work with Jerry Johnson and he’s really easy to talk to. He should be in the office this afternoon if you call before six, east coast time. Their phone number is 800-555-1212 and they have someone available for support by phone twenty-four hours a day."

Little did she know that I now had almost everything that I needed. Just one more question, and I could politely say thanks and goodbye. “I really appreciate your taking the time to help me with this, Mary. After we get the new billing system, would you mind if someone from my office called your database administrator if our administrator has any user questions? It’s always easier to ask someone who actually uses the system rather than trying to get the vendor to answer simple questions. I promise that we won’t pester you."

She said that she was the administrator of the database and that she would be happy to answer a few questions for us. (It’s wonderful living in the friendly sunny south.)

“Thanks so much for helping me with this, Mary,” I politely concluded. “I’ll be sure to have our administrator call you only if he really gets stuck. Have a great week and thanks again."

What Was I Able to Social Engineer Out of Mary?

This apparently innocent phone call gave me everything that I needed for my final attack. Here’s what I got:

• Her name was Mary, and she was the database administrator for the medical office

• They used a medical billing system from a company called Doctors Database, located in Denver, Colorado

• The tech support person that they worked with in Denver was named Jerry Johnson

• Jerry accesses their computer over a modem to work on it

To the casual observer, that’s not a lot of dangerous information. Most of it seems to be pretty common knowledge that most people would willingly share. Note that I didn’t ask much about her computer, and I certainly didn’t ask anything about login IDs, usernames, or passwords.

The Final Sting

Two weeks later, a few minutes before quitting time on a Friday, the phone rang at The Medical Group.

John answered reluctantly on the third ring, knowing that someone calling in that late with a problem could cause him to miss a few precious moments of his three-day weekend. “Good afternoon, The Medical Group, John speaking. May I help you?"

I assumed my best social engineering voice and started my attack. “Hello John, this is Bill Jenkins from Doctors Database in Denver. We’re calling all our customers about a serious problem with our medical billing system. It seems that our last update had a virus that we were unaware of until this afternoon. It’s causing all of the accounts receivable records to be corrupted. Our entire tech support team is calling our clients as quickly as possible to let them know about the problem. I know that Mary normally works with Jerry Johnson, but he is currently working with another client and has asked me to handle the fix for your system. Can I speak with Mary?"

There was a brief silence. I could feel John quaking at the prospect of squandering the first evening of his three-day weekend. He finally answered. “With the holiday weekend coming up, Mary is off today. I act as her backup on the database work when she’s off, and I’ll try to help if I can."

Things were looking up! I began to spring the trap. “Mary’s not there?” I tried to convey a bit of panic in my voice. “John, I’m going to need to log in to your system to fix this, and I don’t have Jerry’s information in front of me—you know, your modem dial in number, login ID and password. If we need to get those from Mary, we may have a problem. That virus could be loose on your network all weekend.” Then I shut up and let the silence do the persuading.

It worked. I could hear him flipping through some papers. “I found it here in her notebook. The phone number is 555-867-5309, the login ID is doctor, and the password is also doctor."

I went into my good job routine to make him feel completely at ease. “John, you’ve been a great help, and I can take it from here. It’s been taking about four hours to clean this up and I know that it’s Friday afternoon. I don’t see any need for you to hang around. I’ll install the fix, and things will be back to normal when you get back on Tuesday. Thanks again for your help. Enjoy the weekend!"

When a relieved John hung up, that was probably the last he thought of “Bill Jenkins.” You know, until his boss played the tape back for him later.

Why did this scam work?

Without a little bit of awareness training, and a little bit of ongoing suspicion when speaking with strangers on the phone, anyone could fall for this kind of an attack.

Many of the hundreds (perhaps thousands) of people who have heard the audio version of this two-part attack have told me that they would have fallen for it as well. That first innocent phone call set the stage for a very believable second phone call where the keys to the kingdom were given away. A lot could have happened to that computer from Friday afternoon until Tuesday morning. Did the real Doctors Database (name changed – this is not their real name) know anything about this incident? Absolutely not! They would have had no idea that a hacker was throwing their name around. Was Jerry Johnson a real person who worked tech support for Doctors Database? Absolutely! Mary worked with him regularly. But Bill Jenkins was a figment of my imagination, carefully placed into a scenario made believable with a generous sprinkling of real facts. Facts that I had socially engineered out of his co-worker.

On top of the social engineering attack vector, the Medical Group’s passwords were also extremely insecure. I’m not a big fan of passwords based on words in the dictionary, but that topic falls outside the scope of this book. If you want to pursue it, check out Perfect Passwords by Mark Burnett.

Countering Social Engineering Attacks

One of the best defenses against social engineering is awareness. Every employee should be educated on how easily social engineering can be used, the large threat it poses if not detected, and some simple countermeasures. In this section, we’ll look at some of the most important things for you to consider as you plan your defense against possible social engineering attacks.

Be Willing To Ask Questions

If there is one thing I was taught at a young age it was to never be afraid to ask questions. If you don’t know the answer, ask. This didn’t really work during my fourth grade math tests, but everywhere else rendered great results. Asking questions shows intelligence. Not asking because you think you know it all is a sign of fool-headedness. Even if you know the answer, asking questions provides a way to tactfully measure others’ knowledge of the topic you may be discussing. People like to assume things as well. I can assume that because you’re calling me and asking me a question that you must have some knowledge about the subject, or else why would you be calling me?

Facial and body expressions are also ways that people communicate but this doesn’t really help when you’re having a conversation on the phone. By asking questions back to any suspicious caller, you will drive away most of them. Ask for a phone number where the caller can be called back. That doesn’t guarantee anything, but I’ve often had potential social engineers hang up after that question. They don’t have an untraceable number ready.

Decide ahead of time, and write into policy, what kinds of questions will and will not be answered about the company over the phone. This is an area where employees can get involved. At a monthly meeting, you can stage a “Social Engineering Attack Drill.” I’ve never been fond of role-playing sessions, but this is one area where role-playing is both fun and effective. The incoming caller can be engaged in industrial espionage, competitive spying, intentional destruction, just plain curiosity or any number of things. If the team “defending” the company prepares for the questions that might be asked over the phone, there is a good chance that they will hit on most of the questions that real social engineers ask. When they answer the phone in the role-playing scenarios, they benefit from rehearsing the act of considering carefully before answering questions.

Once our employees were made aware of this threat, their antennas went up as soon as a call came in that was even the slightest bit strange. Your telephonic awareness will improve, too. Of course phone attendants shouldn’t be insulting or rude to callers, but it’s entirely possible to be firm and alert without sounding impolite. If a caller is legitimate, they may even come to appreciate your willingness to protect company information. Don’t you feel safer about making credit card purchases at a store where the cashier politely asks to see your picture ID?

Security Awareness Training

I was surprised to discover that employees really were interested in improving their company’s security posture. But it makes sense: if the company succeeds, they succeed. At the very least, their paycheck is assured.

After we ran our security awareness program for awhile, attendees became active participants in the ongoing training. They would send me security-related articles. I was amazed to discover that my training had come full circle. Now, my students had become teachers, and the end result was extremely rewarding for all of us. As the network of informal security proponents grew, security was becoming an interesting challenge instead of a chore.

Posters

As my homegrown awareness seminars took off, so did my awareness poster campaign. I thought it would be a good idea to get the word out through the use of posters, but I wanted to make posters that were effective, eye catching and cheap. My self-imposed criteria also demanded that they be easily reproducible on a standard copy machine. With those thoughts in mind, I sat down with a clip art book and a slightly wild imagination. After about two hours, I had enough clip art drawings, and appropriate clever sayings, to design enough posters for the next two years. I sent out a new poster every three months to a select group of people. It didn’t take long for others to call and want to be added to my list for receiving the next poster. Some people started to collect them and line them up along their walls.

Creating posters is easy, but you need to do it right or you won’t get results. Remember that the vast majority of employees don’t work in IT and thus, don’t understand our special jargon, acronyms, and slang. The last thing you want is to make a poster that you think rocks the house, while your target audience thinks it’s pointless, mystifying or annoying. You know: “SB1386: It’s the Law!” If you’re not in IT (and not in California), you would have no idea that the poster is trying to encourage you to bear in mind the state bill that compels businesses to keep their customers’ Personally Identifiable Information private.

Here are some of my suggestions for making security posters that people like and remember:

• Use plain language, not acronyms and technical terms that non-IT people don’t know.

• One poster, one thought. Don’t post a memo of five or ten or twenty important bullet points. That’s not memorable, and from more than four inches away, it’s not readable, either. There is no worldwide rationing of posters. If you have more to say, you can always make another poster. But try to convey only one idea per poster. Ideally, Keep It Simple Stupid and say it in fewer than fifteen words.

• Involve humor if at all possible. Security is not inherently funny, but if you want a share of your co-workers’ minds, humor works far better than attempts to coerce or intimidate.

• Keep an eye on pop culture. Posters based on pirates (Pirates of the Caribbean), cartoon characters (Shrek, anything Pixar-related) and the like make for popular reminders. All you need is a big imagination, a bit of Photoshop skills, and an eye for security (and how to avoid copyright infringement).

• Emphasize a specific action you want users to take. You could make a poster of a skulking figure, emblazoned with, “Remember: hackers want your password!” But what is an employee supposed to do in response? Better: “Longer is stronger! Choose passwords longer than 14 characters.”

• Use posters as reinforcement. Even the World’s Best Security Awareness Poster, all by its lonesome self, can’t improve your security culture. Posters are best used as reminders that reinforce more in-depth training employees have received.

If you like the notion of making affordable posters but are stuck for catchy ideas, you can find great slogans online. Check out the clever work by Gary Hinson at www.noticebored.com. Or get more conventional examples at http://www.ussecurityawareness.org/highres/security-awareness.html.

After about six months of sending these posters to whoever wanted one, I received a visit from a stranger I had never seen in our building before. He came to my desk, said hello and introduced himself as a corporate external auditor who was auditing a group in our building. I knew and worked with a number of our own internal auditors, but this was the first real live external auditor that I had ever met. The first few seconds while we were shaking hands, I had that feeling from grade school: “Crap, the Principal has come to visit me; what have I done wrong?” I don’t care to experience that intimidated feeling often. But he quickly made me feel at ease by telling me that he wanted to meet whoever came up with these posters. They were so simple and yet so effective that he wanted to take the idea back to his company. I said thanks, and help yourself. (External auditors get whatever they want, don’t they?) It really drilled home a lesson. You can put up a huge variety of posters, but to an auditor, they all say the same thing: due diligence.

I even started a contest to see who could submit the most interesting poster suggestions for the following year’s posters. I had prizes and everything. Just a little imagination and off you go creating your own. Have fun!

Videos

As the demand for my internal security awareness seminars started to increase, I was faced with an ever-growing problem. More and more groups wanted to see the presentation, and I couldn’t possibly get to all of them. After all, giving these seminars wasn’t even a part of what my immediate group was supposed to do. My next step was to recommend that a video be prepared and used by all of the groups that I couldn’t get to. The initial reaction was that it would be too expensive. A studio-quality video can cost over $1,000 per finished minute to create. At those prices, even a 30-minute video would be out of the operating budget for most groups.

I had something much less elaborate in mind. With the help of a friend and a video camera, I created it in less than two hours for just about zero cost. Just to see how it would look, we ran the camera during an entire 30-minute session that I presented to a small group. We then created a video of nothing but the slides that were used. The remaining hour was spent editing the two videos together. Our intent was to try this a few times until we got it right. We were trying to come up with something that would be cheap (the most important part at the time) and effective. We had no idea how successful our first attempt would become. Over 100 copies of it were sent all over the company, and most copies were shown a number of times throughout the next year to ensure that everyone had a chance to see it. As far as I know, it is still being shown.

Video Creation Utilities

You may want to check out some software solutions that can assist you in making an awareness video. The Windows-based Camtasia product suite from TechSmith (www.techsmith.com) is a great place to start. It can record whatever you are doing on your computer screen and render it as a video – basically, a video screen capture. With a voice-over, that’s a perfect way to show the do’s and don’ts on your network. Mac users may consider Snapz Pro X from Ambrosia Software (www.ambrosiasw.com), also an excellent choice. Both tools allow you to capture on-screen video, presentations and real-time audio. If you’re fortunate enough to have a MacBook or MacBook Pro laptop, you can use the built-in video camera to record video footage as well, and iMovie to master your video presentation. Presto! Video without the need for a video camera!

I shared all of this here for a reason. If I can do it, so can you or someone in your company. I learned that homegrown videos are quite popular. In some ways, they gain a certain additional credibility if they are ‘real life’ and not overly commercial. The equipment to create them is getting more sophisticated and less expensive all the time. If you try this yourself, I think that you will be pleasantly surprised at the outcome.

For examples of an IT department that has made pretty good home-grown security awareness videos for next-to-no money, check out the work by WatchGuard Technologies’ LiveSecurity team:

WatchGuard Technologies’ “Drive-by Download” video

http://video.google.com/videoplay?docid=-3351512772400238297&q=livesecurity

“Contrary Wisdom from Syngress Authors”

This looks expensive, but it was shot with two lights, a camera, and a black piece of velvet taped up in a hotel room.

http://video.google.com/videoplay?docid=-2328105253826896657

If you like these, you can see much more by visiting www.video.google.com and searching on “WatchGuard LiveSecurity.”

If you are a US citizen, you can also receive free Information Assurance training videos from the Department of Defense. Many are appropriate to show to non-technical employees. For information, visit http://iase.disa.mil/eta/iaetafaq.html.

Certificates

Others in the company were also pleasantly surprised by my seminars, posters and videos: the internal auditors and attorneys. As with the external auditors, the internal guys felt that all this work provided many examples of security-minded due diligence. Our efforts demonstrated that our company was trying its best to prevent computer security violations, both internal and external. In order to help spread the word about the seminars, and to provide further evidence of our commitment to security awareness training, I eventually created a “Certificate of Attendance” that I sent to every attendee.

Even though they are inexpensive to create, the final product can be very professional looking. In fact, as I traveled around the company, I saw a number of them hanging near the desks of former attendees. You can create your own company certificate as easily as I did. All you need is some good certificate stock (blank paper), a word processor and a laser printer. After you experiment with the fonts and word sizes, you can keep a template that only needs to have the names mail merged to create the documents. They will look as professional as any that you will ever see, and you will have one more thing that the internal auditors will love to see hanging on the walls.

Countering the Insider Threat

The insider threat is pervasive. Every statistic that I have ever read on the probability of security violations has pointed towards the “inside” of companies. This attack vector is so complex that I won’t be able to do it justice here. For more information, take a look at Insider Threat: Protecting the Enterprise from Sabotage, Spying, and Theft by Dr. Eric Cole and Sandra Ring. It’s an excellent book about a very important topic.

By searching online, you can also find profiles of the personality types most likely to commit espionage or fraud. The US Army prepared one such document, available at:

http://www.smdc.army.mil/ADR/emotion/emoteT1.htm#Behavior Patterns Associated with Espionage.

How long will you and your company have to continue your awareness campaign? Probably for as long as you continue to work and computers continue to exist. I’m far from a doomsday person, but the more computers pervade every aspect of our lives, the more computer security issues become a major concern.

Security awareness and resistance to social engineering sound burdensome at first. But they’re not. Learning to question strangers and keep your guard up becomes second nature quickly. Think about all the other security behaviors you’ve learned over your lifetime. You learned not to flash a big roll of cash when you are in crowded places. You learned not to leave your purse unattended on a restaurant table while you visit the restroom. You learned to walk quickly and purposefully when you cross an unsavory part of town. You learned to lock your house when you leave. These are so ingrained into your habits that only the rare person with a mental disorder says, “Because of all the risks, I will never leave my house.”

Resistance to social engineering and no-tech hackers can become just as intuitive and ingrained. The key is to stay aware, and remain vigilant in your efforts to inform those around you about the risks and the countermeasures.
