Chapter 15

Staff Awareness and Training Programs

Gavin Watson, Senior Security Engineer, RandomStorm Limited

Staff awareness training can be one of the most effective methods of mitigating the risk of social engineering attacks. However, staff training of this type is often poorly designed and seldom executed. The reader will be introduced to the common mistakes businesses make and how they can be avoided.

Keywords

Awareness training; planning and design; departmental risks; departmental requirements; compliance drivers; foundational awareness; foundational training; departmental training; individual training

Information in this chapter

• Current awareness training

• Should we even have awareness training?

• Awareness without training

• Choosing the wrong management model

• Taking advantage of weak training programs

• A model for effective training

• The role of management

• Planning and design

• Individual departments

• Departmental risks

• Departmental requirements

• Compliance drivers

• Procedures

• Development

• Ensuring impact

• Foundational awareness

• Foundational training

• Departmental training

• Individual training

• Implementation

• Outside assistance

• Maintenance

Introduction

In Chapter 14, the topic of creating a strong social engineering policy was covered in explicit detail. This chapter will now focus on staff awareness and training programs. Effective security awareness programs are often overlooked and where they are in place, they are frequently unfit for purpose. There may well be readers out there who can recall presentations discussing the dangers of weak or reused passwords, writing down passwords, leaving a workstation unlocked, opening e-mail attachments, giving out personal or sensitive business information over the phone, reporting suspicious behavior, not allowing people to tailgate behind them and challenging suspicious individuals on the premises. Unfortunately, as inevitable as it is that such security training will regularly occur, it is almost always ineffective at preventing social engineering attacks. What is worse is that it can also in some rare cases be so poorly executed as to have negative results on the overall security of the organization.

This chapter will discuss whether awareness and training programs are beneficial enough to warrant significant investment, examining the various flaws that prevent programs from achieving their objectives. Various issues such as lack of actual “training”, unsuitable management models and programs weak enough to be leveraged by attackers will be covered. Next to be discussed is how the general model for designing a program could be improved, focusing more on social engineering and less on generic security good practices. Elements such as planning, design, development and implementation will then be addressed, ensuring that social engineering issues are considered at each stage. The different types of awareness and training programs such as foundational awareness, foundational training, departmental training and individual training will be discussed in detail, including examples of workshop and role-play exercises. After that, an essential topic is how to ensure that any training has the right amount of impact and how outside assistance could enhance the program’s effectiveness.

Finally, the chapter will focus on how to ensure that a training program doesn’t fade into the background. After designing an effective program it is essential that it is regularly maintained, tested, improved and repeated. This cyclic approach to staff awareness training is extremely important, as a social engineer may well be waiting patiently for that one staff member to become apathetic and let their guard down.

Current awareness training

There is no doubt that security awareness training can potentially be beneficial to any business. The idea of raising people’s awareness of information security issues through a combination of presentations, media, newsletters, posters, etc. is theoretically sound. Such awareness and training would lay the foundations for improving the overall security culture across an organization. However, awareness and training programs are notorious for becoming tedious and failing to achieve their general objectives, especially that of reducing the opportunity for suffering a successful social engineering attack. In fact, the majority of awareness programs seldom mention social engineering in any great detail, instead concentrating on the fundamentals such as basic company computer usage policies and generic best practices. This is not to say that awareness training shouldn’t include these general topics, in fact most of them are essential. The problem is that most programs don’t expand on these concepts, put them into context or provide any actual “training” to deal with the security issues.

One assumption that awareness and training instructors could be making is that the “general user” is incapable of absorbing anything more complicated than the absolute basics. System administrators regularly curse at the general user’s apparent inability to pick strong passwords and almost burst a blood vessel at the discovery of passwords written on Post-It notes. Users are informed of security policies and procedures and of the various information security threats the business faces; the issue is that this information is rarely absorbed. The problem is not the users, it is the training program. This is even more significant when it comes to social engineering awareness programs. Some programs will make users aware of social engineering issues but rarely inform them of precisely how such attacks may occur. There may be some benefit in keeping training as nontechnical as possible, but this shouldn’t really apply to social engineering. As has been seen in previous chapters, social engineering is about exploiting human nature, which is a concept that should be accessible to anyone.

Should we even have awareness training?

There is a growing belief that awareness training is so ineffective that it shouldn’t even be performed at all. Bruce Schneier, renowned security expert and industry guru, has commented that “…training users in security is generally a waste of time and the money can be spent better elsewhere.” He believes that the ineffectiveness of security training stems from the abstract disparity between “what you know you should be doing now and what the theoretical future benefit would be”. For example, the encouragement of strong passwords to help prevent a “possible” attack happening sometime in the future. The idea of preventing a possible attack is of little consolation for the annoyance of having to remember multiple complex passwords. Therefore, it is far less likely that those users would adhere to these common best practices. This is even more apparent when it comes to social engineering attacks. Users are told never to give out sensitive information such as passwords but are not given much information as to why or how someone might try to trick them into revealing that information. Not only is there a great gap between the good practice advice and the theoretical negative outcome of a successful attack, there isn’t even a concrete understanding of the attack in the first place. Therefore, even if the user is passionate about security best practices, they remain vulnerable. For example, a user may know never to give out sensitive company information over the phone. However, should they receive a telephone survey about social media policies in the workplace, they may end up freely disclosing company information. An astute social engineer may ask them “Are you allowed to browse social media websites using your work computer?”. In answering this seemingly harmless question, the user inadvertently reveals whether or not they have outbound Internet access. As far as they are concerned, they’ve not given out any sensitive information, when in fact outbound Internet access is a key piece of information to a social engineer, since it determines which remote attack vectors (such as links in e-mails) can reach the user. This example is covered in more detail in Chapter 10. Had the user been made aware of the clandestine elicitation techniques used and the concept of information inference, they would have likely recognized it and avoided the disclosure. It could be argued that a strong policy preventing users from taking part in surveys would have thwarted this attack, but as previous chapters have shown there are innumerable ways of achieving the same objective. For example, the social engineer may have impersonated a fellow staff member asking “…had they lost access to the Internet?”. Again, this would reveal whether or not the user has outbound Internet access in the first place. If users are not made aware of how attacks are performed, then they are unlikely to spot variations.

When considering the possibility of near perfect social engineering attacks, can we really expect general users to detect them? An attacker could potentially plan a series of small attacks to span over several months or even years. Chapter 4 shows how long game attack strategies can be used to obtain sensitive information with very little chance of detection. A series of totally harmless calls over months is unlikely to be noticed but may very well be paving the path for a very elaborate and serious attack. The simple answer is that general users can’t be expected to scrutinize every face-to-face verbal interaction they have, interrogate every caller on the telephone, or thoroughly check every single e-mail for potential trickery. It all comes down to risk and the mitigation thereof. Businesses can never totally eliminate risk, but they need to recognize that they can reduce it. The potential for highly organized and highly funded criminal groups planning and executing an attack over a period of months is relatively low against most businesses of small to medium size. However, the chance of receiving general phishing e-mails or suspicious telephone calls is relatively high for businesses of all sizes. Therefore, through the awareness and training program, businesses are not expected to become immune to social engineering; it simply reduces the likelihood of common attacks being successful. If businesses decide not to implement awareness and training programs because they can’t stop determined attackers, then they will significantly increase the likelihood of amateur attackers successfully breaching their security.

Awareness without training

Reactive security awareness and training often starts at the end, that is to say that it presents the worst-case scenarios and consequences of bad security practice and then recommends specific good practice solutions. On the other hand a proactive approach to security must start at the beginning with the “what”, “who”, “why” and “how” of social engineering. For example, it is common practice to stress the importance of challenging an unrecognized person on the premises. Perhaps someone wearing a visitor’s badge has sat down at a hot desk and plugged their laptop into the network. Any “security aware” employee would be expected to challenge that person. Suppose they decided to do so and received the reply “Oh hi, I’m working with Stuart from IT as the phones are playing up again. He said it would be ok to grab one of the hot desks here in HR where it’s a bit quieter, is that ok?”. The staff member is likely to feel that they have completed their task, that the person has indeed been challenged and they responded with a known contact and plausible story. Challenging is not a natural thing for most people and as long as the situation looks right the challenger would rather accept it than cope with the unnerving situation of dealing with an impostor. They have followed the awareness and training and have acted in a security conscious manner. However, the awareness training has not addressed the “what”, “who”, “why” and “how” of this security incident. It may be a social engineer trying to gain access to the network by impersonating a contractor. The impersonation above consisted of a fake visitor’s badge, gaining credibility from dropping the name of an IT staff member and giving the pretext of repairs to the phone system. Therefore, a more effective response would be to “complete the challenge.” The individual, be they a visitor or contractor, should be able to provide an on-site contact. This contact should then be called to confirm the identity of the visitor, as they are currently unescorted. Alarm bells should start ringing if they are unable to provide a contact for whatever reason, in which case the department they claim to be working with should be called instead. The point is that the visitor’s own story is never the thing that ends the challenge; an independent confirmation is.

It is only when a security incident has been understood from start to finish that the concept of how to tackle it can be understood. Significant improvements can be made with the introduction of workshop and role-play training to support awareness presentations, rather than relying on presentations alone. Suppose the awareness presentations informed staff that social engineers often pretend to be having an argument on the phone, so as to discourage challengers. Staff will now be better equipped to deal with that particular situation. However, the social engineer instead arrives on crutches and motions for the door to be kept open. This new scenario wasn’t covered and staff members become vulnerable. It is only through group-led training sessions such as workshops that many different scenarios can be explored. There is a fundamental difference between “awareness” and “training”. The former is simply presenting a security issue so as to make people aware, which often simply involves instructional videos, posters and flyers. The latter is a far more practical approach of actually teaching skills. The fact is, most security awareness and training programs don’t actually involve any “training”.

Choosing the wrong management model

When it comes to designing and implementing an awareness and training program, the chosen model could have a significant impact on its overall effectiveness. As stated in NIST’s “Building an Information Technology Security Awareness and Training Program”, “Most awareness and training programs follow a Centralized Program Management Model and are therefore not taking advantage of the insight individual departments may have.” A centralized model basically consists of management overseeing the design, development and implementation of the entire program and then passing the results to individual departments. The departments would then be responsible for monitoring the effectiveness of the program and relaying any results back to management. Such centralized models are most likely used for the time-saving benefits and general management convenience. However, by not incorporating the insights of each department, there is an increased risk of creating a very generic awareness program that fails to make any real impact. A preferable option would be to use a “decentralized” model. This moves the responsibility of design, development and implementation to each department, leaving management to drive the policy and budget. Decentralized models are usually adopted in large organizations where it makes more practical sense to have each department manage the bulk of the tasks. However, the advantage of this model in terms of social engineering is that it ensures that departmentally specific attacks are discussed and appropriate training developed.

Taking advantage of weak training programs

From the perspective of an attacker, a standard security awareness training program is a double-edged sword. On the one hand it provides staff members with a foundational knowledge of general security concepts. If the awareness program has been even partially successful then it is unlikely that users will openly shout out their personal e-mail passwords across the office, or print off and hand over the business’s customer database to the general public on the street. On the other hand, as the training is so commonplace and usually follows the same general clichéd security themes, a social engineer can use it to gain credibility and adjust their attack scenarios to work with the training rather than against it. For example, staff may be used to the idea of not revealing their passwords to anyone, even if they’re members of the IT department. A social engineer could call the target, impersonate an IT department staff member and claim that they had received reports of e-mail accounts being locked out. They are concerned that a breach may have occurred and want to ensure that the issue isn’t company wide. They would like to see if that staff member is currently locked out and could check it remotely for them. They would inform the target that they would obviously never ask for a password to be revealed over the phone, echoing the very advice the training gave. Instead, they may ask the target to check that they have received the e-mail explaining the security concern and if so, to follow the link to ensure they can still log in without any issues. The link would of course be malicious and either directly exploit vulnerabilities in the target’s web browser or possibly direct them to a clone of the company’s e-mail portal, thereby harvesting the user’s credentials. Refer to Chapter 9 for a full breakdown of this type of attack.

If the users are not made aware of how attacks are performed and are not trained to deal with them, then it is relatively straightforward to take advantage of the awareness and training. A training program may not only be ineffective at achieving its general security goals, but can also be so ineffective that it can potentially aid attackers rather than defend against them. If this becomes the case, then the awareness and training program will be a very expensive waste of company time.

A model for effective training

Figure 15.1 shows a possible standard model for developing an awareness and training program, based on NIST’s 2003 “Building an Information Technology Security Awareness and Training Program”. It uses a decentralized model placing the responsibility on each department to create the bulk of the program. The following sections will discuss how each part of the model can relate to social engineering.

Figure 15.1 A social engineering awareness and training program model. Contribution of the National Institute of Standards and Technology

The role of management

In order for any awareness and training program to be at all effective, there must be complete buy-in from upper management. This is why the management section lies at the very top of the model. The management team will be expected to secure and provide a suitable budget based on discussions with each department. The decentralized model puts the responsibility on each department to assess their individual risks and requirements and relay this back to management. Management is also responsible for creating and enforcing the company policies that form a great deal of the foundation for the topics covered in the program (see Chapter 14 for a full breakdown of creating hardened policies and procedures). However, from a social engineering standpoint, management buy-in has a far greater importance. Management roles are high value targets for social engineers for the purposes of both impersonation and access to high privileges. For example, there may be procedures in place to validate callers before providing information or performing tasks. If management decides to “pull rank” and pressure the employee into waiving the procedure because they can’t remember their employee number, then the social engineer can do exactly the same, because staff have now learned that the procedure yields to authority. Equally, if additional security controls such as two-factor authentication have been implemented on e-mail accounts, they must also apply to and be fully supported by management, as their accounts will likely be the first to be targeted. All too often management figures may believe that they are too important for basic procedures such as screen saver locks or complex passwords, or they perceive them as too much of an inconvenience. Managers must appreciate how their roles make them unique targets to a social engineer. Therefore, management has a greater responsibility to ensure they are fully involved in the program and not just there to create policies and assign budget.

Planning and design

The initial planning and design stage is crucial for ensuring that an awareness and training program is aligned with the business’s requirements, stays within scope and ultimately supports its mission. This is all the more necessary to ensure that it does not end up being generic training that fails to grab the attention of staff members. The program should directly correlate the business’s critical assets with the most significant risks they face as a whole. One particular business may have to deal with the crippling risk of web server denial-of-service (DoS) attacks, which would cause them to lose millions of dollars. Another business may consider their customer database to be their primary asset, where a social engineering intrusion would result in unrecoverable loss of confidence from its clients. These events are normally associated with traditional malicious hackers utilizing exploit code and distributed denial-of-service (DDoS) attacks. However, social engineering could also be used to gain remote access into the network, disable the web server and access the customer database. Whatever the asset, threat, vulnerability, or risk a business faces, it should be clearly reflected in the awareness and training program that is designed. This should not be confused with the risks each individual department faces. These should be the overall risks for the company as a whole.

The planning and design stage establishes content for the “foundational awareness” and “foundational training” sections of the program. This initial planning and design stage will create the best practice recommendations and correct usage guidelines that reflect the primary risks the specific business faces. Once this initial foundational content is planned and designed, individual departments can then build upon this content by applying their own specific risks and requirements.

Individual departments

Now that there is buy-in from management and the policies have been established, the individual departments can spearhead the creation of bespoke awareness and training program content. As previously stated, the decentralized model places the primary tasks within the control of the individual departments. Although every department always needs training, it is still a good idea to assess the current security posture and determine areas that should be focused on as a priority. It may be the case that users are already very aware of the threat of social engineering, but that does not mean they are equipped to deal with it.

Social engineers will target different staff members, in various departments, in very different ways. A receptionist may be targeted via telephone to arrange a meeting or to obtain a door pass. A finance administrator may be targeted in person and tricked into providing access to the corporate database. Previous chapters have clearly demonstrated how different objectives require different scenarios. There is a great breadth to social engineering attacks in terms of both potential complexity and creativity. Therefore, staff members from different departments will require very different training. For example, receptionists are arguably the most targeted individuals in the business. They are trained to be helpful and quite rightly so. They will often hold the keys or information a social engineer needs to access the building’s restricted areas. The type of training aimed at a receptionist’s role would focus on elicitation techniques specific to their role (i.e. via telephone and physical security elements such as fake badges and tailgating). The training would mainly cover the various techniques used to gain access to the building. This type of training would be quite different to that aimed at the chief executive’s role. Their training would more likely be focused on spear phishing attacks and credential harvesting techniques, after all, gaining access to the chief executive’s e-mail account could have devastating results. Therefore, the chief executive’s training might be more technically focused (i.e. remote attack, e-mail attack vectors). The risk increases significantly where a third party, such as an outsourced help desk, is involved, as it is far easier to impersonate staff members the third party has never met. The third party’s training would therefore focus on how attackers may attempt to circumvent the current procedures for resetting passwords. However, this is not to say that a business shouldn’t take receptionists through spear phishing attacks, nor chief executives and help desk technicians through the dangers of tailgating. It is simply that the more focused and targeted the training program is, the more likely it is to succeed in achieving its aims.

Departmental risks

Performing risk assessments is a pivotal part of the process toward improving security. There are many ways this can be accomplished, such as quantitative and qualitative methods, expressing risk objectively and subjectively. Risk assessment methodologies are beyond the scope of this book, however, it is important to understand their significant role in creating effective awareness and training material. The risks to an individual department will vary greatly from one department to another. The finance department may consider loss of integrity of their database as the greatest risk, whereas the human resources department may deem the loss of confidentiality of staff records as their greatest risk. These general risks are important and they will inevitably be included in the foundational awareness and training. However, these are general departmental risks whereas, from a social engineering perspective, there may be additional concerns. For example, in terms of social engineering attacks, the IT department faces the risk of being impersonated for their privileges. The sales department may be at risk of remote telephone attacks aimed at leveraging their desire to make sales. A salesperson may be sent an e-mail with a promising lead only a click away. These types of social engineering risks may not be immediately obvious to each department, especially if they have had no prior experience with social engineering. It is also important to establish who will be responsible for the risk assessment process. Will the management take responsibility for the process or will a third party be hired? Both general and social engineering risks should be identified and used as the basis for the departmentally specific training sections of the program.

Departmental requirements

Each department will have a different set of individual “requirements” that have security implications. The finance department may need to print and store mountains of sensitive financial documents. These documents may be stored in cabinets in and around the office. During the planning and design stage, they may not have considered social engineers simply walking in and lock-picking the cabinets to steal the documents. The assessment of their risks may only have focused on a compromise of their digital database.

The purpose of a social engineering attack need not only be focused on information retrieval, it could well be trying to achieve a DoS situation. Therefore, another aspect of departmental needs is what they consider critical to their operation. Each department should consider what essential needs they have and explore how a social engineer may leverage them.

Compliance drivers

Legal responsibilities are a constant pain for most managers, especially those in the realm of information security. However, they clearly improve security if only by raising the current state to something approaching satisfactory. Without compliance drivers, most companies would continue on in blissful security ignorance and complacency, opening the doors to all manner of attacks. When it comes to planning and designing awareness and training programs, compliance drivers must be considered for obvious reasons. In most cases, the policies set by management would take compliance drivers, local policy and national policy into account, but it is still necessary to examine them at the departmental level. It may be the case that the company is actually required to have social engineering assessments and staff awareness and training.

Procedures

As previous chapters have clearly shown, social engineers will take advantage of weak procedures whenever they can. The methods for testing current procedures and designing hardened ones are explained in detail in Chapter 14. The results of that process should be incorporated into the awareness and training program. It should be clearly shown how seemingly solid procedures can be vulnerable to attack, how the business’s own procedures have been tested and hardened, and what specific procedures within each department may be targeted. By walking staff through each stage as above, they will be better equipped to detect variations in attacks and spot new weaknesses in procedures that may have been missed. There is also far less chance of staff misunderstanding the security implications of procedures or taking shortcuts for the sake of convenience.

Development

At this point the individual departments will have planned and designed their sections of the program; it is now time to develop the methods of delivery. The material should be broken down into foundational awareness, foundational training, departmental awareness and training, and individual awareness and training. It is at this point that the distinction between awareness and training needs to be fully established. The awareness material will make staff aware of a specific issue and the training will give them the understanding and skills to deal with it. The following is an example of how a specific security issue would be broken down. This list is not exhaustive, it is simply to illustrate the different material that would be presented.

• Third-party help desk
Staff can contact the help desk to have their Microsoft Outlook Web Access e-mail password reset.

• Foundational awareness
Users are made aware of the following topics:

• What the service is, how it works and the procedural documents.

• The sensitive nature of company e-mails and guidelines to creating strong passwords.

• The dangers of using weak passwords, reusing passwords and writing down passwords.

• The dangers of accessing their e-mail accounts using public access terminals and unsecured wireless networks.

• Foundational training
Users are involved in workshops and hands-on presentations that cover the following topics:

• How social engineers may attempt to gain access to their e-mail account

• How social engineers may attempt to trick the user into revealing their password, covering telephone techniques and malicious websites

• Departmental awareness and training
Help desk staff are involved in workshops and hands-on presentations that cover the following topics:

• Exploring how the current password reset procedures have been developed, focusing on how they have been hardened to social engineering attacks.

• How legitimate callers may attempt to circumvent the current password reset procedures.

• How social engineers may attempt to circumvent the current password reset procedures.

• The results of internal social engineering exercises performed to assess whether the staff are validating callers correctly and detecting attempts at social engineering.

• Individual awareness and training

• Highly privileged department staff such as management or supervisors are involved in discussions and workshops focusing on their specific privileges and how they could be leveraged (e.g. if password reset procedures involve their input at any stage).

Ensuring impact

The awareness and training material developed at this stage will be relevant not only to the business but also to the staff. Departmental and individual level training is particularly effective at putting the training into context for the users. Having seen how an attack is planned and executed against their specific department, or their specific procedure, staff are far more likely to appreciate its importance.

Impact can be further enhanced by relating the security issues to the staff member’s personal life. For example, phishing e-mails are received by everyone, not just by businesses.

When specific departmental training is developed and social engineering attacks are broken down into stages, it is important to emphasize the worst-case scenario for each security issue. Without presenting the ultimate consequences of not following the advice, it is difficult for the trainee to fully appreciate the issue, even if they thoroughly understand the attack from start to finish. For example, users are often told not to reuse passwords, as this is a very common bad security practice. What is rarely explained is the reasoning behind this advice. An explanation of the security issue could be presented as follows.

If passwords were to be reused on multiple websites then they all become only as secure as the weakest website. An attacker may gain access to a poorly secured website holding no sensitive information, then use the “reused” password to gain access to a website containing sensitive information. This becomes a serious company concern if passwords are reused between personal and business accounts.

Every security issue presented should be accompanied with a worst-case scenario for the business that puts the issue into context for the employee.

Since different people respond better to different training methods (e.g., one person may prefer to assimilate information by reading books and articles, while others learn best by listening to presentations and watching videos), it is important to employ a variety of training delivery methods so that the awareness material is effectively absorbed.

Be careful not to bombard the audience with too much information over too long a time. Short 1-hour training sessions performed regularly can often be far more effective than a full day seminar.

Foundational awareness

Foundational awareness program material should be applicable to all staff members but should not be too generic. It is important to tailor the material to match the business’s values, goals and mission. Typical areas this section would cover may include topics such as the following:

• The threat of viruses, worms and malware

• Correct Internet usage

• Correct e-mail usage

• Password management

• Workstation security, screen savers and lockout screens

• Laptop security, theft and encryption

• Mobile device security

• Data handling and classification

• Network security

• Privacy issues

Often social engineering is just a single subject within the above list. Personnel are taken through what social engineering is and some of the most clichéd stories to explain how criminals may use it. Covering only the basics in this way is unlikely to provide a decent level of awareness on which to base training. Therefore, it is important to expand on these general subjects to include at least the basic common social engineering techniques. The following is an example of topics that may be considered for inclusion:

• Social engineering methodologies

• Tailgating and challenging

• Shoulder surfing and privacy

• Spear phishing techniques and spam

• Telephone information elicitation techniques

• Leveraging public information

• Real-world social engineering examples

At this stage, the foundation of the awareness and training program is being laid out. Personnel are provided with all the general security information and best practice advice they may need. The next step is to provide actual training in the key areas where that training would be most beneficial.

Foundational training

When it comes to social engineering training, hands-on workshops are invaluable in developing the defensive skills personnel need to explore, test and gain insight into the various security issues. When they understand how attacks are executed, they will be able to detect when such an attack is being attempted in different contexts. For example, spotting general phishing e-mails is relatively easy, often due to their poor use of English and adherence to common themes such as locked-out bank accounts or a one-time-only money-making scheme. However, spotting spear phishing e-mails is not so easy, especially if they are highly targeted and well crafted. It is more effective to train staff in how these attacks work than to provide them with general tips on spotting the common examples.

The following are examples of typical workshop activities that might be considered for use:

The following four password reset procedures are being considered by a company. What are the weaknesses in the following procedures and how could a social engineer leverage them? Mindmap ideas and explore the possibilities as a group.

1. In order to have your password reset, you need to call the help desk and provide your username.

2. The help desk has requested that an e-mail is sent from a manager in your department before they will reset your password.

3. The help desk has agreed to reset your password but will only send details of the new password to another current work e-mail address.

4. How do your own password reset procedures compare to these?

The task has been given to design a phishing e-mail that will convince users to click a malicious link. This malicious link will exploit vulnerabilities in their outdated web browser software. Discuss as a group:

• Who would you send your phishing e-mail to?

• What would your message say?

• How would you make your e-mail convincing?

It is now common knowledge that downloading e-mail attachments can be dangerous. Malicious attachments come in an array of different forms from Microsoft Office documents to PDF files. Discuss as a group:

• How a social engineer may convince users to download and run an attachment when it’s common knowledge not to.

• How you could spot a phishing e-mail and attachment if it’s cleverly spoofed to look as though it came from a colleague.

• What kind of attachment would be a good choice to target users in the business?

The receptionist has been successfully tricked into giving out a valid pass, allowing entry into the target building. However, before being able to get to the server room, the consultant is stopped by a staff member, who questions the consultant's identification and the purpose of their visit. Discuss as a group:

• Based on what you know about your business, what could you say to convince this challenger that you are a legitimate employee?

• If you were the challenger, what would you consider suspicious behavior?

• What recommendations would you give to people who feel uncomfortable challenging people they don’t know?

• Has anyone in the group ever challenged someone? If so, what was the outcome?

Having split the group into two teams, one group should devise as many different ways as possible to enter the building without a valid pass, while the other team devises as many different ways as possible to stop a person entering the building without a valid pass.

• Do any of the mitigation strategies from group two match the business’s current strategies?

• Have group one devised any scenario for which there is no viable mitigation strategy?

Dividing the group into pairs, one person will play the challenger while the other plays the social engineer.

• The challenger stops and questions the individual in a corridor because they have no badge.

• The challenger stops and questions the individual because they are interfering with an office door lock.

• The challenger stops and questions the individual because they have just removed some sensitive documents from a filing cabinet.

These activities encourage the attendees to explore the various security situations, giving them a greater insight into how social engineers think. It will often be the case that staff members already know of weaknesses in their own procedures; they just may never have explored how they could be leveraged. This type of training can commonly reveal new security issues as the personnel begin to pick apart all the security aspects of the business they work for. The results of these training sessions can often lead to improved policies and procedures.

These workshops are obviously only one way of delivering awareness “training” but should prove to be the most effective. This same material could be delivered through computer-based training, web-based training or even written tests. However, the group situation of mindmapping ideas, swapping stories and discussing various possibilities is extremely effective.

Departmental training

Departmental level training follows the same theme as foundational training but has a narrower focus. Training at this level will focus solely on the current procedures and risks associated with a specific department. Therefore, each department will be involved in departmental training, but the content may be very different for each.

The following is an example of workshop activities aimed specifically at reception staff. As previous chapters have discussed, receptionists are high-value targets. There are a great many risks they face that would seldom be included in any general job training.

The main reception of the target business has been telephoned to ascertain the name of the IT department manager. Discuss as a group:

• How could you obtain this information from the receptionist, assuming that just asking for it wouldn’t work?

• If you were the receptionist and realized the caller was attempting to elicit information, how would you handle the situation?

• If you were successful in obtaining the name of the IT department manager, what could you accomplish by impersonating them?

Validating callers over the phone is not an easy task, especially if the social engineer is well prepared. As a group:

• Mindmap as many different ways as possible of validating a caller’s identity over the phone.

• How many of these methods could potentially be implemented into your current procedures?

• Of the methods that could be implemented, how could they be circumvented by a well prepared social engineer?

Security passes are often kept at reception and handed out to visitors and contractors. Social engineers will often attempt to arrange valid passes to gain access to the building. Discuss as a group:

• Do any current procedures ensure that an impostor couldn’t obtain a valid pass?

• As a group discuss how these procedures could be circumvented. What information would the social engineer need?

• How would you improve the current procedures?

Dividing the group into pairs, one person will play the receptionist while the other plays the social engineer.

• The social engineer is trying to find out where the chief executive’s office is located.

• The social engineer is trying to find out where the staff go at lunch time.

• The social engineer is impersonating a third-party technical support company and is trying to arrange a pass for the building.

The above examples cover some of the specific social engineering risks a receptionist would face. Each security issue is explored as the attendees try to provide as many different scenarios as possible. Once the reception personnel are involved in this type of training, they will become far more resilient to attacks, as they spot them as just another variation of what they have already discussed in training.

Individual training

Training specialisation should be taken further to actually provide individual level training. There may be certain individuals within the business that have very specific privileges; perhaps they are one of a handful of people who know a specific door code, or maybe they are the only person with access to the CCTV system. Whatever their specific privilege, they could be targeted because of it. Training of this type would be delivered through custom computer-based learning, web-based assessments, or perhaps through individual one-to-one training from a professional security consultant. The important part of this section of the program is identifying those individuals in the first place. The obvious examples would be chief executives and members of upper management. However, if a cleaner has a key that opens any door in the building, then they may well be a primary target. Another example might involve physical media backups taken to an off-site location; the individual (or third party) assigned responsibility for moving the media from one location to another may then become a high-value target.

Implementation

Now that each department has developed the awareness and training material, it is time to implement that training. The decentralised model assigns responsibility for implementation to each department. However, departments will be expected to provide regular progress and performance updates to management.

It is important that, prior to the rollout, staff be informed of the awareness and training program and why the program has been developed. For example, has the program been created as a result of the business’s ongoing dedication to information security or as a result of a recent breach? The reasoning should be fully transparent and, where possible, should support the program.

Outside assistance

Where businesses neglect social engineering, both in terms of their susceptibility to it and in regard to their awareness and training programs, it is likely that they will design below-par material. Similarly, these businesses are unlikely to have sufficient knowledge to present confidently on the subject to their staff. When this is the case for a business, outside help may be required.

The first and most obvious assistance that could be provided is to perform a social engineering assessment. This would provide a current snapshot in time of the business’s susceptibility to social engineering attacks and help the business assess whether or not they need to invest in specific awareness and training programs. If current training programs already exist, then the assessment may highlight weaknesses with that program. Previous chapters have discussed in great detail the various benefits of performing assessments, however, when it comes to awareness and training programs, the benefits of assessments depend on how the results are used. Assessment results can be used as a basis for very relevant material that creates real impact. Individual departments can plan and design their awareness and training programs around what actually happened (in terms of what the consultants were able to achieve), rather than on just what could potentially happen. Material based on actual events will resonate with staff members effectively and ultimately achieve greater impact and longevity.

It may be the case that a business is very much aware of its vulnerabilities and believes that an assessment will not reveal anything it didn’t already know. This is often the case when real, successful social engineering attacks have already been detected but not prevented. The most common response at this point is to hire consultants to provide boiler-plate training courses to try to mitigate any future risk. However, these training courses are often fairly generic and won’t necessarily apply to the various risks that the particular business may face. Instead, the business could hire security consultants to provide services such as the following:

• To provide the insights into social engineering so as to assist in the design of company specific awareness and training material.

• To act as vehicles to deliver the company specific training, rather than provide boiler-plate training courses.

The first service allows the company to maintain control of the design of the awareness and training material, while taking advantage of the knowledge of the consultants. The second service creates additional impact by having the material delivered by professional social engineers. This is not to say that boiler-plate services are not beneficial; it is simply that businesses should ideally provide their staff with relevant, business-specific material. Of course, both services could be requested to really accelerate the progress and performance of the program.

For very security-conscious businesses that have already fully established a program, the main focus of awareness and training may be maintenance. They may have already hired professional social engineers to identify vulnerabilities in their procedures and gaps in their staff training. At this point the business may decide to explore the risk associated with long game attack strategies. It may be the case that a business’s assets are of such significant importance that even unlikely risks need to be mitigated. Professional social engineers could be hired to explore social engineering techniques that span months. The consultants may be hired to target specific individuals or design elaborate scenarios involving multiple blended attack vectors. The results of assessments of this type would form the basis for very specific training, perhaps associated with a single individual. This type of service would inevitably come with a large price tag but would uncover weaknesses that no short game assessment ever could.

Maintenance

Business information security can be thought of as a living, breathing organism that constantly changes. Policies and procedures are updated, new staff members start, existing members change roles or leave, technology advances and attacks evolve on a daily basis. To remain competitive and effective, there is little choice but to accept this ever-changing environment and try to embrace it where possible. However, the awareness and training material has been planned, designed and developed based on a snapshot in time, not on an ever-changing system. If material was designed to be applicable to the business regardless of its current state, then it would inevitably be generic and lose its impact. Therefore, any awareness and training program must be regularly tested to ensure it is still effective and updated where necessary.

Businesses should record all instances of awareness presentations and training sessions to establish whether the program is actually being implemented correctly. If staff are away or not attending the training sessions, then weak points in the security will be created. However, tracking a program’s progress is quite different from tracking its effectiveness. Often a program’s effectiveness is determined by the results of surveys, interviews, questionnaires and formal reports. These may well provide some insight into whether the awareness and training material has increased the overall security. However, the only way to really know how effective the program is would be to test it practically.

Be careful not to assess the effectiveness of a social engineering awareness and training program through multiple choice tests or similar paper-based activity. This type of test may be suitable for general foundational awareness material but would be unlikely to determine the level of an individual’s insight into social engineering attacks. This can only really be achieved through internal assessments, assessment-based workshop activities, or even one-to-one discussions.

Internal social engineering assessments, as discussed in Chapter 16, are the best way to test the program’s effectiveness practically. Internal assessments of this kind can be highly controlled and very specific to individual aspects of security such as a single procedure or maybe even a particular staff member, though ethical considerations would obviously apply in this case. Every aspect of the social engineering awareness program should be regularly tested, whether it be an internal test or via a professional third-party company. It is from the results of these tests that the current material can be improved and new material created. The awareness and training program should be constantly growing and evolving alongside the business.

Summary

General awareness and training programs have their flaws, especially in regard to social engineering. The lack of actual hands-on training leaves staff hopelessly ill equipped to detect attacks, and even less so to prevent them. While security experts debate over whether or not awareness training should even be performed, social engineering training is pushed further and further to the back burner. The worrying issue here is that awareness and training programs are a truly critical part of a company’s defense against social engineering type attacks. There is only so much that technology, hardened policies and hardened procedures can achieve. If businesses are to effectively defend themselves from social engineering, they need to properly train the individuals that are being targeted. However, it is important to ensure that the program is properly designed, tested and regularly improved, so as not to have weaknesses that could be leveraged by attackers.

A general model of creating awareness and training programs has been presented, with each section discussed in relation to aspects of social engineering. During the initial stages of planning and design, the importance of management “buy-in” and keeping the program aligned with the business’s mission are vital first steps. The individual departments can then spearhead the creation of tailored training material, ensuring that the right assets are identified and the most significant risks addressed.

The use of departmental and individual level training provides staff with the knowledge and skills they need to help prevent attacks. Training such as workshops and role-play activities encourage users to explore the various security issues, gaining a real insight into the attacks and how best to defend against them.

Once the awareness and training program has been designed it should be implemented systematically and its progress and performance monitored. Regular testing should occur to ensure that the program is achieving its objectives. Any failings should be quickly identified and used to further improve the program, using outside assistance from professional social engineers where necessary.

The next chapter will discuss the benefits and challenges associated with businesses conducting their own internal social engineering tests.
