SlideShare a Scribd company logo

Social Engineering Audit & Security Awareness

CBIZ, Inc.
CBIZ, Inc.

The document provides information about a social engineering audit and security awareness presentation. It includes details about the presenters from CBIZ MHM, an accounting firm, learning objectives around social engineering and security awareness, and descriptions of different types of social engineering like phishing and pretexting. It also discusses what makes security awareness programs successful or fail, and how social engineering could be used internally by an audit department to test security controls.

BusinessTechnology
1 of 48
Download to read offline
Social Engineering Audit & Security Awareness Hacking the Human Kyle Konopasek, CIA CBIZ MHM, LLC – Kansas City
Tony Coble, CPA Managing Director – CBIZ MHM and Shareholder, MHM 11440 Tomahawk Creek Parkway Leawood, KS 66211  Direct: (913) 234-1031  Email: acoble@cbiz.com Presenters Kyle Konopasek, CIA, CICA Manager – CBIZ MHM, LLC 11440 Tomahawk Creek Parkway Leawood, KS 66211  Direct: (913) 234-1020  Email: kkonopasek@cbiz.com
About CBIZ and Mayer Hoffman McCann P.C. With offices in major cities throughout the United States, CBIZ is one of the nations leading providers of outsourced business services, including accounting and tax, internal audit, risk management, and a wide range of consulting services. CBIZ is strategically associated with Mayer Hoffman McCann P.C. (MHM). MHM is an independent public accounting firm with more than 280 shareholders in more than 35 offices. MHM specializes in attest services for mid-market and growing businesses, with a specialty practice devoted to financial institutions. Together, CBIZ and Mayer Hoffman McCann P.C. are one of the top accounting providers in the country.
Learning Objectives • Understand regulatory compliance issues • Learn exactly what social engineering is and the various types used. • Understand how to identify a social engineering attack. • Gain insight on methods to deter or mitigate social engineering risk.
SECURITY AWARENESS PROGRAM
• Security awareness reflects an organization’s mindset or attitude toward protecting the physical and intellectual assets of an organization. This attitude guides the approach used to protect those assets. In general, the approach is referred to as a security awareness program. What is security awareness?
• What elements reflect the overall strength of an organization’s security culture? – What causes a security awareness program to fail? – What comprises a successful security awareness program? • Even the best technical security efforts will fail if the organization has a weak security culture. Security awareness success
1) Not understanding what security awareness really is. – Major difference between security awareness and security training. • Watching an online video about security awareness is training. – The primary goal of security awareness is to change behavior. 2) Reliance on checking the box. – Satisfying compliance standards equate to strong security awareness or even that security exists. • Merely prove the minimum standards have been met. • Standards are vague and difficult to measure. – EXAMPLE: “A security awareness program must be in place.” Why do security awareness programs fail?
3) Failing to acknowledge that security awareness is a unique discipline. – Who is responsible for the function? – Does the person have the knowledge, skills, and abilities? – Does the person have soft skills such as strong communication and marketing ability? • Initial efforts to implement security awareness and to affect change over time require such skills. Why do security awareness programs fail?
4) Lack of engaging and appropriate materials. – Annual computer-based training is not enough. – It is critical that multiple versions or styles of security awareness materials be implemented. • Ensure the materials are appropriate to the organization based on industry and employee demographics. • Younger employees respond better to blogs and twitter feeds while older employees prefer traditional materials like posters and newsletters. Why do security awareness programs fail?
5) Not collecting metrics. – Without metrics, there is no way to determine if security awareness goals are being met. • Are we wasting money or providing value? • What is working and what is not? • Are our losses decreasing? – Collecting metrics on a regular basis allows for adjustments. – Measure the impact to the organization. Why do security awareness programs fail?
5) Not collecting metrics (continued). – Example metrics include: • Number of people who fall victim to a phishing attack. • Number of employees who follow security policies. • Number of employees securing desk environment at end of day. • Number of employees using strong passwords. • Number of employees who follow and enforce policies for restricted access to facilities. • Who has or has not completed annual security awareness training. • Types of reinforcement training, who is it communicated to, and how often. Why do security awareness programs fail?
6) Unreasonable expectations. – No security counter-measure will ever be successful at mitigating all incidents. 7) Relying upon a single training exercise. – Focusing on a single security weakness or threat approach when there are dozens leaves an organization open to attack to ignored approaches. Why do security awareness programs fail?
1) C-suite support. – Awareness program support from executive management leads to more freedom, increased budgets, and support from other departments. – Obtaining strong support from top level management is first priority. • Consider materials designed specifically for executives—newsletters and brief articles that highlight relevant news and information. Keys to security awareness success
2) Partnering with key departments. – Get other departments involved in the program that might provide additional resources toward program success. • Human resources, legal, compliance, marketing, etc. • Consider the needs of these other departments and incorporate into the overall security awareness approach. 3) Creativity – Small budgets for security awareness are common, however, creativity and enthusiasm can bridge the gap created by a small budget. Keys to security awareness success
4) Metrics. – Prove the security awareness program effort is successful—utilize metrics. 5) Explanation and transparency. – Focus and how to accomplish specific actions through clear explanation. – Instead of telling people to not do certain things, explain how they can do certain things safely. Keys to security awareness success
6) 90-day plans. – Many programs follow a one-year plan with one topic covered monthly. • Does not reinforce knowledge and does not permit feedback or consider ongoing events. – A 90-day plan is most effective as it permits re-evaluation of the program and its goals more regularly. • Focus on 3 topics simultaneously and reinforce during the 90 days. • Can be easily adjusted to address current and key issues. Keys to security awareness success
7) Multimodal awareness materials – Utilize multiple forms of security awareness materials. • Newsletters • Blogs • Newsfeeds • Phishing simulation • Games – Participative approaches have the most long-term success. Keys to security awareness success
8) Incentivized security awareness programs. – Develop “Incentivized Awareness Programs”. – Focus on creating a reward structure to incentivize people for exercising desired behaviors. – This technique switches the entire awareness paradigm by encouraging employees to elicit a natural and desired behavior rather than forcing them. Keys to security awareness success
SOCIAL ENGINEERING AUDIT
• Attacker uses human interaction to obtain or compromise information. • Attacker may appear unassuming or respectable. – Pretend to be a new employee, repair man, utility provider, etc. – May even offer credentials. What is social engineering?
• By asking questions, the attacker may piece enough information together to infiltrate an organization’s network. – May attempt to get information from many sources. What is social engineering?
• Quid Pro Quo – Something for something. • Phishing – Fraudulently obtaining private information. • Baiting – Real world Trojan horse. • Pretexting – Invented scenario. • Diversion Theft – Lying and convincing others of a false truth—a con. Types of social engineering
• Something for something – Call random phone numbers at an organization claiming to be from technical support. – Eventually you will reach someone with a legitimate problem. – Grateful you called them, they will follow your instructions. – The attacker will “help” the user, but will really have the victim type commands that will allow the attacker to install malware. Quid Pro Quo
• Fraudulently obtaining private information – Send an email that looks like it came from a legitimate business. – Request verification of information and warn of some consequence if not provided. – Usually contains a link to a fraudulent web page that looks legitimate. • Example: Update login information to new HR portal. – User gives information to the social engineer/attacker. Phishing
• Spear phishing – Specific phishing that include your name or demographic info. • Vishing – Phone phishing—may be a voice system asking for call back. Phishing - continued
• Real example – Obtain email address of many employees in target organization including key individual targets like Controller, Staff Accountant, Executive Assistant, etc. – Develop website to “change password” or “setup new account” for a human resources vacation request system. • Actual organization website is “Western States Credit Union” • Link to attacker’s website is “Western States Credlt Union” – Email website link to obtained email addresses. Phishing - continued
• Real world Trojan horse – Uses physical media. – Relies on greed and/or the curiosity of the target/victim. – Attacker leaves a malware infected CD or USB thumb drive in an obvious location so that it is easily found. – Attacker uses an intriguing or curious label to gain interest. • Example: “Employee Salaries and Bonuses 2014” – Curious employee uses the media and unknowingly installs malware. Baiting
• Invented scenario – Involves prior research and a setup used to establish legitimacy. • Give information that a user would normally not divulge. – This technique is used to impersonate and imitate authority. • Uses prepared answers to a target’s questions. • Other useful information is gathered for future attacks. • Example: “VP of Facilities” visiting a branch. Pretexting
• Real example – Telecom provider Pretexting - continued
• Real example – Pose as a major telecom provider. – Props: • rented white van with magnetic logo • logo polo shirts and hats • business cards • work order • ID badge. – Enter credit union branch and ask to inspect the “roving telecom adapter” because they have been recalled. Pretexting - continued
– Illegal examples from an auditing perspective • Law enforcement • Fire • Military/government official Pretexting - continued
• Con – Persuade deliver person that delivery has been requested elsewhere. • When delivery is redirected, attacker persuades delivery driver to unload near a desired address. • Example: Attacker parks a “security vehicle” in bank parking lot. Target attempts to deposit money in night drop or ATM but is told by attacker that it is out of order. Target then gives money to attacker for deposit and safekeeping. Diversion Theft
• Scavenging key bits of information from many documents put out in the trash. – Literally involves getting in a dumpster during off-peak hours and looking for information. – Janitorial crews could be involved. Are they bonded? • Document shredders are not always the answer – Vertical cut, cross cut, micro cut, and security cut. Dumpster diving
• Training – User awareness • User knows that giving out certain information is bad. • Policies – Employees are not allowed to divulge information. • Every organization must decide what information is sensitive and should not be shared. – Prevents employees from being socially pressured or tricked. – Polices MUST be enforced to be effective. How to prevent social engineering?
• Password management • Physical security • Network defenses may only repel attacks – Virus protection – Email attachment scanning – Firewalls, etc. • Security must be tested periodically. How to prevent social engineering?
• Third-party testing – Hire a third-party to attempt to attack targeted areas of the organization. – Have the third-party attempt to acquire information from employees using social engineering techniques. – Learning tool for the organization—not a punishment for employees. How to prevent social engineering?
• What is the overall risk appetite and risk tolerance levels of the audit/supervisory committee? – Board of Directors? – Executive management? • Do those charged with governance value testing the security of information through social engineering? – Are they afraid of what the results might reflect? • Social engineering testing may need to be “sold” for testing to have any value. – Consider elements of a security awareness program. Social engineering as an internal audit unit
• Risk assessment – Identify types of social engineering that may be most applicable to the organization. What are the weaknesses? – What types of attacks is management most concerned about? • Pretexting planning – What is the goal? – Identify the roles to be used and draft the pretexting script. • Who are we going to be? • What are we going to say? – Signed letter from executive management the social engineering testing. • “Get out of jail free” card. Social engineering as an internal audit unit
• Example authorization letter January 31, 2014 To whom it may concern, The internal audit department of XYZ Credit Union has authorization to perform a physical security assessment. As part of this security review the internal audit department may perform any of the following procedures during the following time period: February 16, 2014 through February 28, 2014. 1) Patrol the perimeter of any XYZ Credit Union (“XYZ”) branch during and after normal business hours. 2) Inspect the content of interior trash receptacles during business hours and exterior trash receptacles during or after business hours at any XYZ location. The content of any trash receptacle may be confiscated by internal audit personnel as testing evidence. 3) Attempt to gain access to restricted areas within XYZ headquarters or its branches during business hours by means of social engineering which may include:  Internal audit personnel disguise themselves as employees of XYZ and/or vendors.  Internal audit personnel may attempt to deceive XYZ employees in any manner which is legal and does not otherwise harm XYZ, its employees, or its members to adequately test the physical security access controls of branches and the willingness of XYZ employees to disseminate confidential information about the credit union. 4) Temporarily remove a sample of readily accessible material(s) which will be returned to the designated bank contact immediately after the testing for XYZ has concluded. If there are any questions about this assessment or how internal audit personnel should be dealt with, please contact one of the following individuals immediately. All authority granted by this letter expires promptly at 11:59PM on February 28, 2014. Social engineering as an internal audit unit
• Phishing planning – What is the goal? – What is the setup? • Document: – Test scenario (e.g. spear phishing to install malware) – Inherent risks to the scenario (e.g. embedded links in emails) – Character (e.g. Human Resources department of XYZ Credit Union) Social engineering as an internal audit unit
• Example phishing email Subject: Vacation Policy Attention, An important change has been made to our vacation policy; we have made the changes available for you to view on our new HR portal. Please let us know if you have any questions with the changes made to the vacation policy. www.xyzcu.com/HR Regards, XYZ Credit Union HR HR@xyzcucom Social engineering as an internal audit unit
• Reporting on social engineering test results – Be as detailed as possible when describing the scenarios/scripts and the results. – Do not implicate a single person—social engineering testing is a learning tool, not a punishment. • How this is handled may cause internal audit to be viewed poorly within the organization. – Consider a grading scale. • Many audit reports report findings as pass/fail. Social engineering results may be partly pass and partly fail. – Example: Allowed into telecom closet, but not behind the teller line. • Use a letter grading system for social engineering. – Clearly define what each aspect of the grading scale means. Social engineering as an internal audit unit
• Real example of a pretexting report finding. Condition On Monday, February 24, 2014, Internal Audit attempted to gain access to secured areas of five branches using social engineering physical penetration techniques while posing as employees of the XYZ Credit Union “Asset Management Division” who were onsite to inspect for asset management controls. At the Main and First and Second Street branches, credit union personnel gave disguised Internal Audit personnel access to all secured areas of the branch. During this visit, branch personnel never attempted to validate our identities by looking at driver’s licenses or whether or not we were supposed to be at the branch by calling responsible management to confirm the visit. At all times during the visit, branch personnel always displayed behavior that was consistent with “buying in” to the XZY Credit Union “Asset Management Division” script. At the Main Street branch, Internal Audit personnel witnessed a drawer at a teller station slightly open and containing what appeared to be a large sum of cash. The Internal Audit employee who witnessed the open drawer was directly behind the teller counter and in the exact position where a teller would stand while providing service to a customer. Finally, when requesting access to the telecom closet, branch personnel opened the fire extinguisher bay door located next to the telecom closet door to retrieve the key. The key was not there at the time; however, the action was an indication that the key may be stored in that location at times. At the Second Street branch, a teller was prepared to grant us access to secured areas of the bank because two key contacts in the branch were on the phone at the time. Just as we were about to get access, one of those persons got off the phone and that person followed procedure and ultimately ended our test and did not grant us access. Social engineering as an internal audit unit
• No matter how robust an organization’s: – Firewalls – Intrusion detection systems – Anti-virus/malware software – Other technological and physical safeguards • The human is always the weakest link when dealing with security and protecting valuable information. • Knowledge is power. – People sometimes want others to “know what they know” to demonstrate importance. Weakest Link?
• Good habits drive security culture and there are no technologies that will ever make up for poor security culture. • Social engineering audit is one method commonly used to assess the condition of the overall security culture. Key take away
Questions?

Recommended

Social engineering: A Human Hacking Framework
Social engineering: A Human Hacking FrameworkSocial engineering: A Human Hacking Framework
Social engineering: A Human Hacking Framework
Jahangirnagar University
 
Social engineering
Social engineeringSocial engineering
Social engineering
Robert Hood
 
Different Types of Phishing Attacks
Different Types of Phishing AttacksDifferent Types of Phishing Attacks
Different Types of Phishing Attacks
SysCloud
 
Social engineering attacks
Social engineering attacksSocial engineering attacks
Social engineering attacks
Ramiro Cid
 
Cyber Security Awareness
Cyber Security AwarenessCyber Security Awareness
Cyber Security Awareness
Ramiro Cid
 
Phishing ppt
Phishing pptPhishing ppt
Phishing ppt
shindept123
 
Social Engineering
Social EngineeringSocial Engineering
Social Engineering
Paul Devassy, CPP
 
Social engineering
Social engineeringSocial engineering
Social engineering
Alexander Zhuravlev
 

Recommended

Social engineering: A Human Hacking Framework
Social engineering: A Human Hacking FrameworkSocial engineering: A Human Hacking Framework
Social engineering: A Human Hacking Framework
Jahangirnagar University
 
Social engineering
Social engineeringSocial engineering
Social engineering
Robert Hood
 
Different Types of Phishing Attacks
Different Types of Phishing AttacksDifferent Types of Phishing Attacks
Different Types of Phishing Attacks
SysCloud
 
Social engineering attacks
Social engineering attacksSocial engineering attacks
Social engineering attacks
Ramiro Cid
 
Cyber Security Awareness
Cyber Security AwarenessCyber Security Awareness
Cyber Security Awareness
Ramiro Cid
 
Phishing ppt
Phishing pptPhishing ppt
Phishing ppt
shindept123
 
Social Engineering
Social EngineeringSocial Engineering
Social Engineering
Paul Devassy, CPP
 
Social engineering
Social engineeringSocial engineering
Social engineering
Alexander Zhuravlev
 
Social engineering presentation
Social engineering presentationSocial engineering presentation
Social engineering presentation
pooja_doshi
 
The Art of Human Hacking : Social Engineering
The Art of Human Hacking : Social Engineering The Art of Human Hacking : Social Engineering
The Art of Human Hacking : Social Engineering
OWASP Foundation
 
Social Engineering
Social EngineeringSocial Engineering
Social Engineering
William Gregorian
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
Prabhat kumar Suman
 
Cyber crime & security
Cyber crime & securityCyber crime & security
Cyber crime & security
pinkutinku26
 
Social Engineering - Are You Protecting Your Data Enough?
Social Engineering - Are You Protecting Your Data Enough?Social Engineering - Are You Protecting Your Data Enough?
Social Engineering - Are You Protecting Your Data Enough?
JamRivera1
 
Cybersecurity Employee Training
Cybersecurity Employee TrainingCybersecurity Employee Training
Cybersecurity Employee Training
Paige Rasid
 
Social engineering-Attack of the Human Behavior
Social engineering-Attack of the Human BehaviorSocial engineering-Attack of the Human Behavior
Social engineering-Attack of the Human Behavior
James Krusic
 
Social Engineering
Social EngineeringSocial Engineering
Social Engineering
primeteacher32
 
Cyber security awareness presentation nepal
Cyber security awareness presentation nepalCyber security awareness presentation nepal
Cyber security awareness presentation nepal
ICT Frame Magazine Pvt. Ltd.
 
Social engineering
Social engineering Social engineering
Social engineering
Abdelhamid Limami
 
Security Awareness Training.pptx
Security Awareness Training.pptxSecurity Awareness Training.pptx
Security Awareness Training.pptx
MohammedYaseen638128
 
Information Security Awareness
Information Security Awareness Information Security Awareness
Information Security Awareness
Net at Work
 
Phishing ppt
Phishing pptPhishing ppt
Phishing ppt
Sanjay Kumar
 
Internet Security
Internet SecurityInternet Security
Internet Security
Peter R. Egli
 
What is Social Engineering? An illustrated presentation.
What is Social Engineering? An illustrated presentation.What is Social Engineering? An illustrated presentation.
What is Social Engineering? An illustrated presentation.
Pratum
 
Social Engineering,social engeineering techniques,social engineering protecti...
Social Engineering,social engeineering techniques,social engineering protecti...Social Engineering,social engeineering techniques,social engineering protecti...
Social Engineering,social engeineering techniques,social engineering protecti...
ABHAY PATHAK
 
Network Security: Attacks, Tools and Techniques
Network Security: Attacks, Tools and TechniquesNetwork Security: Attacks, Tools and Techniques
Network Security: Attacks, Tools and Techniques
waqasahmad1995
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Stephen Cobb
 
Cybersecurity
CybersecurityCybersecurity
Cybersecurity
A. Shamel
 
Raising information security awareness
Raising information security awarenessRaising information security awareness
Raising information security awareness
Terranovatraining
 
Engage! Creating a Meaningful Security Awareness Program
Engage! Creating a Meaningful Security Awareness ProgramEngage! Creating a Meaningful Security Awareness Program
Engage! Creating a Meaningful Security Awareness Program
Ben Woelk, CISSP, CPTC
 

More Related Content

What's hot

Social engineering presentation
Social engineering presentationSocial engineering presentation
Social engineering presentation
pooja_doshi
 
Internet Security
Internet SecurityInternet Security
Internet Security
Peter R. Egli
 

What's hot (20)

Social engineering presentation
Social engineering presentationSocial engineering presentation
Social engineering presentation
 
The Art of Human Hacking : Social Engineering
The Art of Human Hacking : Social Engineering The Art of Human Hacking : Social Engineering
The Art of Human Hacking : Social Engineering
 
Social Engineering
Social EngineeringSocial Engineering
Social Engineering
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
Cyber crime & security
Cyber crime & securityCyber crime & security
Cyber crime & security
 
Social Engineering - Are You Protecting Your Data Enough?
Social Engineering - Are You Protecting Your Data Enough?Social Engineering - Are You Protecting Your Data Enough?
Social Engineering - Are You Protecting Your Data Enough?
 
Cybersecurity Employee Training
Cybersecurity Employee TrainingCybersecurity Employee Training
Cybersecurity Employee Training
 
Social engineering-Attack of the Human Behavior
Social engineering-Attack of the Human BehaviorSocial engineering-Attack of the Human Behavior
Social engineering-Attack of the Human Behavior
 
Social Engineering
Social EngineeringSocial Engineering
Social Engineering
 
Cyber security awareness presentation nepal
Cyber security awareness presentation nepalCyber security awareness presentation nepal
Cyber security awareness presentation nepal
 
Social engineering
Social engineering Social engineering
Social engineering
 
Security Awareness Training.pptx
Security Awareness Training.pptxSecurity Awareness Training.pptx
Security Awareness Training.pptx
 
Information Security Awareness
Information Security Awareness Information Security Awareness
Information Security Awareness
 
Phishing ppt
Phishing pptPhishing ppt
Phishing ppt
 
Internet Security
Internet SecurityInternet Security
Internet Security
 
What is Social Engineering? An illustrated presentation.
What is Social Engineering? An illustrated presentation.What is Social Engineering? An illustrated presentation.
What is Social Engineering? An illustrated presentation.
 
Social Engineering,social engeineering techniques,social engineering protecti...
Social Engineering,social engeineering techniques,social engineering protecti...Social Engineering,social engeineering techniques,social engineering protecti...
Social Engineering,social engeineering techniques,social engineering protecti...
 
Network Security: Attacks, Tools and Techniques
Network Security: Attacks, Tools and TechniquesNetwork Security: Attacks, Tools and Techniques
Network Security: Attacks, Tools and Techniques
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...
 
Cybersecurity
CybersecurityCybersecurity
Cybersecurity
 

Viewers also liked

Iso27001 Audit Services
Iso27001 Audit ServicesIso27001 Audit Services
Iso27001 Audit Services
tschraider
 
CIS Audit Lecture # 1
CIS Audit Lecture # 1CIS Audit Lecture # 1
CIS Audit Lecture # 1
Cheng Olayvar
 
Iso27001 Approach
Iso27001 ApproachIso27001 Approach
Iso27001 Approach
tschraider
 

Viewers also liked (20)

Raising information security awareness
Raising information security awarenessRaising information security awareness
Raising information security awareness
 
Engage! Creating a Meaningful Security Awareness Program
Engage! Creating a Meaningful Security Awareness ProgramEngage! Creating a Meaningful Security Awareness Program
Engage! Creating a Meaningful Security Awareness Program
 
Cyber security awareness for students
Cyber security awareness for studentsCyber security awareness for students
Cyber security awareness for students
 
End User Security Awareness Presentation
End User Security Awareness PresentationEnd User Security Awareness Presentation
End User Security Awareness Presentation
 
CISSPills #3.02
CISSPills #3.02CISSPills #3.02
CISSPills #3.02
 
Social Engineering Basics
Social Engineering BasicsSocial Engineering Basics
Social Engineering Basics
 
AIS Lecture 1
AIS Lecture 1AIS Lecture 1
AIS Lecture 1
 
Social engineering tales
Social engineering tales Social engineering tales
Social engineering tales
 
Social Engineering: "The Cyber-Con"
Social Engineering: "The Cyber-Con"Social Engineering: "The Cyber-Con"
Social Engineering: "The Cyber-Con"
 
Metodology Risk Assessment ISMS
Metodology Risk Assessment ISMSMetodology Risk Assessment ISMS
Metodology Risk Assessment ISMS
 
Iso27001 Audit Services
Iso27001 Audit ServicesIso27001 Audit Services
Iso27001 Audit Services
 
Why ISO-27001 is a better choice?
Why ISO-27001 is a better choice? Why ISO-27001 is a better choice?
Why ISO-27001 is a better choice?
 
CIS Audit Lecture # 1
CIS Audit Lecture # 1CIS Audit Lecture # 1
CIS Audit Lecture # 1
 
Rothke Patchlink
Rothke PatchlinkRothke Patchlink
Rothke Patchlink
 
Iso27001 Approach
Iso27001 ApproachIso27001 Approach
Iso27001 Approach
 
IS Audit and Internal Controls
IS Audit and Internal ControlsIS Audit and Internal Controls
IS Audit and Internal Controls
 
Hacker tooltalk: Social Engineering Toolkit (SET)
Hacker tooltalk: Social Engineering Toolkit (SET)Hacker tooltalk: Social Engineering Toolkit (SET)
Hacker tooltalk: Social Engineering Toolkit (SET)
 
Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeter
 
Security and Audit Report Sign-Off—Made Easy
Security and Audit Report Sign-Off—Made EasySecurity and Audit Report Sign-Off—Made Easy
Security and Audit Report Sign-Off—Made Easy
 
ISCA-CA Final
ISCA-CA FinalISCA-CA Final
ISCA-CA Final
 

Similar to Social Engineering Audit & Security Awareness

Best Practices for Security Awareness and Training
Best Practices for Security Awareness and TrainingBest Practices for Security Awareness and Training
Best Practices for Security Awareness and Training
Kimberly Hood
 
Post 11. Long term GoalThe Group’s goal is to offer attr
Post 11. Long term GoalThe Group’s goal is to offer attrPost 11. Long term GoalThe Group’s goal is to offer attr
Post 11. Long term GoalThe Group’s goal is to offer attr
anhcrowley
 
Information Assurance Guidelines For Commercial Buildings...
Information Assurance Guidelines For Commercial Buildings...Information Assurance Guidelines For Commercial Buildings...
Information Assurance Guidelines For Commercial Buildings...
Laura Benitez
 
Fissea09 mgupta-day3-panel process-program-build-effective-training
Fissea09 mgupta-day3-panel process-program-build-effective-trainingFissea09 mgupta-day3-panel process-program-build-effective-training
Fissea09 mgupta-day3-panel process-program-build-effective-training
Swati Gupta
 
The Insider Threat
The Insider ThreatThe Insider Threat
The Insider Threat
PECB
 

Similar to Social Engineering Audit & Security Awareness (20)

Keeping an Eye On Risk - Current Concerns and Supervisory Oversight
Keeping an Eye On Risk - Current Concerns and Supervisory OversightKeeping an Eye On Risk - Current Concerns and Supervisory Oversight
Keeping an Eye On Risk - Current Concerns and Supervisory Oversight
 
Cybersecurity Best Practices in Financial Services
Cybersecurity Best Practices in Financial ServicesCybersecurity Best Practices in Financial Services
Cybersecurity Best Practices in Financial Services
 
Best Practices for Security Awareness and Training
Best Practices for Security Awareness and TrainingBest Practices for Security Awareness and Training
Best Practices for Security Awareness and Training
 
Top_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptx
Top_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptxTop_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptx
Top_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptx
 
Hacking the Human - How Secure Is Your Organization?
Hacking the Human - How Secure Is Your Organization?Hacking the Human - How Secure Is Your Organization?
Hacking the Human - How Secure Is Your Organization?
 
Banning Whining, Avoiding Cyber Wolves, and Creating Warrior
Banning Whining, Avoiding Cyber Wolves, and Creating WarriorBanning Whining, Avoiding Cyber Wolves, and Creating Warrior
Banning Whining, Avoiding Cyber Wolves, and Creating Warrior
 
Post 11. Long term GoalThe Group’s goal is to offer attr
Post 11. Long term GoalThe Group’s goal is to offer attrPost 11. Long term GoalThe Group’s goal is to offer attr
Post 11. Long term GoalThe Group’s goal is to offer attr
 
Building an effective Information Security Roadmap
Building an effective Information Security RoadmapBuilding an effective Information Security Roadmap
Building an effective Information Security Roadmap
 
Information Assurance Guidelines For Commercial Buildings...
Information Assurance Guidelines For Commercial Buildings...Information Assurance Guidelines For Commercial Buildings...
Information Assurance Guidelines For Commercial Buildings...
 
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
 
How to Mitigate Risk From Your Expanding Digital Presence
How to Mitigate Risk From Your Expanding Digital PresenceHow to Mitigate Risk From Your Expanding Digital Presence
How to Mitigate Risk From Your Expanding Digital Presence
 
Best practices to mitigate data breach risk
Best practices to mitigate data breach riskBest practices to mitigate data breach risk
Best practices to mitigate data breach risk
 
CISO's first 100 days
CISO's first 100 daysCISO's first 100 days
CISO's first 100 days
 
Role of The Board In IT Governance & Cyber Security-Steve Howse
Role of The Board In IT Governance & Cyber Security-Steve HowseRole of The Board In IT Governance & Cyber Security-Steve Howse
Role of The Board In IT Governance & Cyber Security-Steve Howse
 
Fissea09 mgupta-day3-panel process-program-build-effective-training
Fissea09 mgupta-day3-panel process-program-build-effective-trainingFissea09 mgupta-day3-panel process-program-build-effective-training
Fissea09 mgupta-day3-panel process-program-build-effective-training
 
Be More Secure than your Competition: MePush Cyber Security for Small Business
Be More Secure than your Competition: MePush Cyber Security for Small BusinessBe More Secure than your Competition: MePush Cyber Security for Small Business
Be More Secure than your Competition: MePush Cyber Security for Small Business
 
Jack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security MetricsJack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security Metrics
 
Information Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security MetricsInformation Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security Metrics
 
5 Steps to Creating an Ethical Work Culture
5 Steps to Creating an Ethical Work Culture5 Steps to Creating an Ethical Work Culture
5 Steps to Creating an Ethical Work Culture
 
The Insider Threat
The Insider ThreatThe Insider Threat
The Insider Threat
 

More from CBIZ, Inc.

BIZGrowth Strategies — Cybersecurity Special Edition 2023
BIZGrowth Strategies — Cybersecurity Special Edition 2023BIZGrowth Strategies — Cybersecurity Special Edition 2023
BIZGrowth Strategies — Cybersecurity Special Edition 2023
CBIZ, Inc.
 
BIZGrowth Strategies - Back to Basics Special Edition
BIZGrowth Strategies - Back to Basics Special EditionBIZGrowth Strategies - Back to Basics Special Edition
BIZGrowth Strategies - Back to Basics Special Edition
CBIZ, Inc.
 
BIZGrowth Strategies - Workforce & Talent Optimization Special Edition
BIZGrowth Strategies - Workforce & Talent Optimization Special EditionBIZGrowth Strategies - Workforce & Talent Optimization Special Edition
BIZGrowth Strategies - Workforce & Talent Optimization Special Edition
CBIZ, Inc.
 

More from CBIZ, Inc. (20)

BIZGrowth Strategies — Cybersecurity Special Edition 2023
BIZGrowth Strategies — Cybersecurity Special Edition 2023BIZGrowth Strategies — Cybersecurity Special Edition 2023
BIZGrowth Strategies — Cybersecurity Special Edition 2023
 
BIZGrowth Strategies - Back to Basics Special Edition
BIZGrowth Strategies - Back to Basics Special EditionBIZGrowth Strategies - Back to Basics Special Edition
BIZGrowth Strategies - Back to Basics Special Edition
 
The Advantage — Summer 2023
The Advantage — Summer 2023The Advantage — Summer 2023
The Advantage — Summer 2023
 
BIZGrowth Strategies - Workforce & Talent Optimization Special Edition
BIZGrowth Strategies - Workforce & Talent Optimization Special EditionBIZGrowth Strategies - Workforce & Talent Optimization Special Edition
BIZGrowth Strategies - Workforce & Talent Optimization Special Edition
 
BIZGrowth Newsletter - Economic Slowdown Solutions Special Edition
BIZGrowth Newsletter - Economic Slowdown Solutions Special EditionBIZGrowth Newsletter - Economic Slowdown Solutions Special Edition
BIZGrowth Newsletter - Economic Slowdown Solutions Special Edition
 
BIZGrowth Strategies - Cybersecurity Special Edition
BIZGrowth Strategies - Cybersecurity Special EditionBIZGrowth Strategies - Cybersecurity Special Edition
BIZGrowth Strategies - Cybersecurity Special Edition
 
Connections Help Law Practice Efficiently Obtain $5 Million Line of Credit
Connections Help Law Practice Efficiently Obtain $5 Million Line of CreditConnections Help Law Practice Efficiently Obtain $5 Million Line of Credit
Connections Help Law Practice Efficiently Obtain $5 Million Line of Credit
 
Custom Communication Plan & Active Enrollment Result in Increased Consumerism
Custom Communication Plan & Active Enrollment Result in Increased ConsumerismCustom Communication Plan & Active Enrollment Result in Increased Consumerism
Custom Communication Plan & Active Enrollment Result in Increased Consumerism
 
Experienced Consulting Approach Leads Engineering Firm to the Right CFO
Experienced Consulting Approach Leads Engineering Firm to the Right CFOExperienced Consulting Approach Leads Engineering Firm to the Right CFO
Experienced Consulting Approach Leads Engineering Firm to the Right CFO
 
BIZGrowth Strategies - Summer 2022
BIZGrowth Strategies - Summer 2022BIZGrowth Strategies - Summer 2022
BIZGrowth Strategies - Summer 2022
 
Inflation, Interest Rates & the Disruption to CRE
Inflation, Interest Rates & the Disruption to CREInflation, Interest Rates & the Disruption to CRE
Inflation, Interest Rates & the Disruption to CRE
 
CBIZ Quarterly Manufacturing and Distribution "Hot Topics" Newsletter (May-Ju...
CBIZ Quarterly Manufacturing and Distribution "Hot Topics" Newsletter (May-Ju...CBIZ Quarterly Manufacturing and Distribution "Hot Topics" Newsletter (May-Ju...
CBIZ Quarterly Manufacturing and Distribution "Hot Topics" Newsletter (May-Ju...
 
Rethinking Total Compensation to Retain Top Talent
Rethinking Total Compensation to Retain Top TalentRethinking Total Compensation to Retain Top Talent
Rethinking Total Compensation to Retain Top Talent
 
Common Labor Shortage Risks & Tips to Mitigate Your Exposures
Common Labor Shortage Risks & Tips to Mitigate Your ExposuresCommon Labor Shortage Risks & Tips to Mitigate Your Exposures
Common Labor Shortage Risks & Tips to Mitigate Your Exposures
 
How the Great Resignation Affects the Tax Function
How the Great Resignation Affects the Tax FunctionHow the Great Resignation Affects the Tax Function
How the Great Resignation Affects the Tax Function
 
Using Technology to Secure Talent
Using Technology to Secure TalentUsing Technology to Secure Talent
Using Technology to Secure Talent
 
Experienced Consulting Approach Leads Engineering Firm to the Right CFO
Experienced Consulting Approach Leads Engineering Firm to the Right CFOExperienced Consulting Approach Leads Engineering Firm to the Right CFO
Experienced Consulting Approach Leads Engineering Firm to the Right CFO
 
BIZGrowth Strategies - The Great Resignation Special Edition
BIZGrowth Strategies - The Great Resignation Special EditionBIZGrowth Strategies - The Great Resignation Special Edition
BIZGrowth Strategies - The Great Resignation Special Edition
 
Tax incentive alert KS
Tax incentive alert KSTax incentive alert KS
Tax incentive alert KS
 
CBIZ Quarterly Commercial Real Estate "Hot Topics" Newsletter (Jan-Feb 2022)
CBIZ Quarterly Commercial Real Estate "Hot Topics" Newsletter (Jan-Feb 2022)CBIZ Quarterly Commercial Real Estate "Hot Topics" Newsletter (Jan-Feb 2022)
CBIZ Quarterly Commercial Real Estate "Hot Topics" Newsletter (Jan-Feb 2022)
 

Recently uploaded

Pre Engineered Building Manufacturers Hyderabad.pptx
Pre Engineered Building Manufacturers Hyderabad.pptxPre Engineered Building Manufacturers Hyderabad.pptx
Pre Engineered Building Manufacturers Hyderabad.pptx
Roofing Contractor
 
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pillsMifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
Abortion pills in Kuwait Cytotec pills in Kuwait
 
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
daisycvs
 
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan CytotecJual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
ZurliaSoop
 
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai KuwaitThe Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
daisycvs
 

Recently uploaded (20)

Buy gmail accounts.pdf buy Old Gmail Accounts
Buy gmail accounts.pdf buy Old Gmail AccountsBuy gmail accounts.pdf buy Old Gmail Accounts
Buy gmail accounts.pdf buy Old Gmail Accounts
 
Falcon Invoice Discounting: Aviate Your Cash Flow Challenges
Falcon Invoice Discounting: Aviate Your Cash Flow ChallengesFalcon Invoice Discounting: Aviate Your Cash Flow Challenges
Falcon Invoice Discounting: Aviate Your Cash Flow Challenges
 
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
 
How to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityHow to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League City
 
Buy Verified TransferWise Accounts From Seosmmearth
Buy Verified TransferWise Accounts From SeosmmearthBuy Verified TransferWise Accounts From Seosmmearth
Buy Verified TransferWise Accounts From Seosmmearth
 
PHX May 2024 Corporate Presentation Final
PHX May 2024 Corporate Presentation FinalPHX May 2024 Corporate Presentation Final
PHX May 2024 Corporate Presentation Final
 
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
 
Pre Engineered Building Manufacturers Hyderabad.pptx
Pre Engineered Building Manufacturers Hyderabad.pptxPre Engineered Building Manufacturers Hyderabad.pptx
Pre Engineered Building Manufacturers Hyderabad.pptx
 
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pillsMifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
 
Falcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business GrowthFalcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business Growth
 
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
 
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 MonthsSEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
 
HomeRoots Pitch Deck | Investor Insights | April 2024
HomeRoots Pitch Deck | Investor Insights | April 2024HomeRoots Pitch Deck | Investor Insights | April 2024
HomeRoots Pitch Deck | Investor Insights | April 2024
 
joint cost.pptx COST ACCOUNTING Sixteenth Edition ...
joint cost.pptx COST ACCOUNTING Sixteenth Edition ...joint cost.pptx COST ACCOUNTING Sixteenth Edition ...
joint cost.pptx COST ACCOUNTING Sixteenth Edition ...
 
Falcon's Invoice Discounting: Your Path to Prosperity
Falcon's Invoice Discounting: Your Path to ProsperityFalcon's Invoice Discounting: Your Path to Prosperity
Falcon's Invoice Discounting: Your Path to Prosperity
 
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan CytotecJual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
 
Putting the SPARK into Virtual Training.pptx
Putting the SPARK into Virtual Training.pptxPutting the SPARK into Virtual Training.pptx
Putting the SPARK into Virtual Training.pptx
 
New 2024 Cannabis Edibles Investor Pitch Deck Template
New 2024 Cannabis Edibles Investor Pitch Deck TemplateNew 2024 Cannabis Edibles Investor Pitch Deck Template
New 2024 Cannabis Edibles Investor Pitch Deck Template
 
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai KuwaitThe Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
 
Falcon Invoice Discounting: The best investment platform in india for investors
Falcon Invoice Discounting: The best investment platform in india for investorsFalcon Invoice Discounting: The best investment platform in india for investors
Falcon Invoice Discounting: The best investment platform in india for investors
 

Social Engineering Audit & Security Awareness

  • 1. Social Engineering Audit & Security Awareness Hacking the Human Kyle Konopasek, CIA CBIZ MHM, LLC – Kansas City
  • 2. Tony Coble, CPA Managing Director – CBIZ MHM and Shareholder, MHM 11440 Tomahawk Creek Parkway Leawood, KS 66211  Direct: (913) 234-1031  Email: acoble@cbiz.com Presenters Kyle Konopasek, CIA, CICA Manager – CBIZ MHM, LLC 11440 Tomahawk Creek Parkway Leawood, KS 66211  Direct: (913) 234-1020  Email: kkonopasek@cbiz.com
  • 3. About CBIZ and Mayer Hoffman McCann P.C. With offices in major cities throughout the United States, CBIZ is one of the nations leading providers of outsourced business services, including accounting and tax, internal audit, risk management, and a wide range of consulting services. CBIZ is strategically associated with Mayer Hoffman McCann P.C. (MHM). MHM is an independent public accounting firm with more than 280 shareholders in more than 35 offices. MHM specializes in attest services for mid-market and growing businesses, with a specialty practice devoted to financial institutions. Together, CBIZ and Mayer Hoffman McCann P.C. are one of the top accounting providers in the country.
  • 4. Learning Objectives • Understand regulatory compliance issues • Learn exactly what social engineering is and the various types used. • Understand how to identify a social engineering attack. • Gain insight on methods to deter or mitigate social engineering risk.
  • 6. • Security awareness reflects an organization’s mindset or attitude toward protecting the physical and intellectual assets of an organization. This attitude guides the approach used to protect those assets. In general, the approach is referred to as a security awareness program. What is security awareness?
  • 7. • What elements reflect the overall strength of an organization’s security culture? – What causes a security awareness program to fail? – What comprises a successful security awareness program? • Even the best technical security efforts will fail if the organization has a weak security culture. Security awareness success
  • 8. 1) Not understanding what security awareness really is. – Major difference between security awareness and security training. • Watching an online video about security awareness is training. – The primary goal of security awareness is to change behavior. 2) Reliance on checking the box. – Satisfying compliance standards equate to strong security awareness or even that security exists. • Merely prove the minimum standards have been met. • Standards are vague and difficult to measure. – EXAMPLE: “A security awareness program must be in place.” Why do security awareness programs fail?
  • 9. 3) Failing to acknowledge that security awareness is a unique discipline. – Who is responsible for the function? – Does the person have the knowledge, skills, and abilities? – Does the person have soft skills such as strong communication and marketing ability? • Initial efforts to implement security awareness and to affect change over time require such skills. Why do security awareness programs fail?
  • 10. 4) Lack of engaging and appropriate materials. – Annual computer-based training is not enough. – It is critical that multiple versions or styles of security awareness materials be implemented. • Ensure the materials are appropriate to the organization based on industry and employee demographics. • Younger employees respond better to blogs and twitter feeds while older employees prefer traditional materials like posters and newsletters. Why do security awareness programs fail?
  • 11. 5) Not collecting metrics. – Without metrics, there is no way to determine if security awareness goals are being met. • Are we wasting money or providing value? • What is working and what is not? • Are our losses decreasing? – Collecting metrics on a regular basis allows for adjustments. – Measure the impact to the organization. Why do security awareness programs fail?
  • 12. 5) Not collecting metrics (continued). – Example metrics include: • Number of people who fall victim to a phishing attack. • Number of employees who follow security policies. • Number of employees securing desk environment at end of day. • Number of employees using strong passwords. • Number of employees who follow and enforce policies for restricted access to facilities. • Who has or has not completed annual security awareness training. • Types of reinforcement training, who is it communicated to, and how often. Why do security awareness programs fail?
  • 13. 6) Unreasonable expectations. – No security counter-measure will ever be successful at mitigating all incidents. 7) Relying upon a single training exercise. – Focusing on a single security weakness or threat approach when there are dozens leaves an organization open to attack to ignored approaches. Why do security awareness programs fail?
  • 14. 1) C-suite support. – Awareness program support from executive management leads to more freedom, increased budgets, and support from other departments. – Obtaining strong support from top level management is first priority. • Consider materials designed specifically for executives—newsletters and brief articles that highlight relevant news and information. Keys to security awareness success
  • 15. 2) Partnering with key departments. – Get other departments involved in the program that might provide additional resources toward program success. • Human resources, legal, compliance, marketing, etc. • Consider the needs of these other departments and incorporate into the overall security awareness approach. 3) Creativity – Small budgets for security awareness are common, however, creativity and enthusiasm can bridge the gap created by a small budget. Keys to security awareness success
  • 16. 4) Metrics. – Prove the security awareness program effort is successful—utilize metrics. 5) Explanation and transparency. – Focus and how to accomplish specific actions through clear explanation. – Instead of telling people to not do certain things, explain how they can do certain things safely. Keys to security awareness success
  • 17. 6) 90-day plans. – Many programs follow a one-year plan with one topic covered monthly. • Does not reinforce knowledge and does not permit feedback or consider ongoing events. – A 90-day plan is most effective as it permits re-evaluation of the program and its goals more regularly. • Focus on 3 topics simultaneously and reinforce during the 90 days. • Can be easily adjusted to address current and key issues. Keys to security awareness success
  • 18. 7) Multimodal awareness materials – Utilize multiple forms of security awareness materials. • Newsletters • Blogs • Newsfeeds • Phishing simulation • Games – Participative approaches have the most long-term success. Keys to security awareness success
  • 19. 8) Incentivized security awareness programs. – Develop “Incentivized Awareness Programs”. – Focus on creating a reward structure to incentivize people for exercising desired behaviors. – This technique switches the entire awareness paradigm by encouraging employees to elicit a natural and desired behavior rather than forcing them. Keys to security awareness success
  • 21.
  • 22. • Attacker uses human interaction to obtain or compromise information. • Attacker may appear unassuming or respectable. – Pretend to be a new employee, repair man, utility provider, etc. – May even offer credentials. What is social engineering?
  • 23. • By asking questions, the attacker may piece enough information together to infiltrate an organization’s network. – May attempt to get information from many sources. What is social engineering?
  • 24. • Quid Pro Quo – Something for something. • Phishing – Fraudulently obtaining private information. • Baiting – Real world Trojan horse. • Pretexting – Invented scenario. • Diversion Theft – Lying and convincing others of a false truth—a con. Types of social engineering
  • 25. • Something for something – Call random phone numbers at an organization claiming to be from technical support. – Eventually you will reach someone with a legitimate problem. – Grateful you called them, they will follow your instructions. – The attacker will “help” the user, but will really have the victim type commands that will allow the attacker to install malware. Quid Pro Quo
  • 26. • Fraudulently obtaining private information – Send an email that looks like it came from a legitimate business. – Request verification of information and warn of some consequence if not provided. – Usually contains a link to a fraudulent web page that looks legitimate. • Example: Update login information to new HR portal. – User gives information to the social engineer/attacker. Phishing
  • 27. • Spear phishing – Specific phishing that include your name or demographic info. • Vishing – Phone phishing—may be a voice system asking for call back. Phishing - continued
  • 28. • Real example – Obtain email address of many employees in target organization including key individual targets like Controller, Staff Accountant, Executive Assistant, etc. – Develop website to “change password” or “setup new account” for a human resources vacation request system. • Actual organization website is “Western States Credit Union” • Link to attacker’s website is “Western States Credlt Union” – Email website link to obtained email addresses. Phishing - continued
  • 29. • Real world Trojan horse – Uses physical media. – Relies on greed and/or the curiosity of the target/victim. – Attacker leaves a malware infected CD or USB thumb drive in an obvious location so that it is easily found. – Attacker uses an intriguing or curious label to gain interest. • Example: “Employee Salaries and Bonuses 2014” – Curious employee uses the media and unknowingly installs malware. Baiting
  • 30. • Invented scenario – Involves prior research and a setup used to establish legitimacy. • Give information that a user would normally not divulge. – This technique is used to impersonate and imitate authority. • Uses prepared answers to a target’s questions. • Other useful information is gathered for future attacks. • Example: “VP of Facilities” visiting a branch. Pretexting
  • 31. • Real example – Telecom provider Pretexting - continued
  • 32. • Real example – Pose as a major telecom provider. – Props: • rented white van with magnetic logo • logo polo shirts and hats • business cards • work order • ID badge. – Enter credit union branch and ask to inspect the “roving telecom adapter” because they have been recalled. Pretexting - continued
  • 33. – Illegal examples from an auditing perspective • Law enforcement • Fire • Military/government official Pretexting - continued
  • 34. • Con – Persuade deliver person that delivery has been requested elsewhere. • When delivery is redirected, attacker persuades delivery driver to unload near a desired address. • Example: Attacker parks a “security vehicle” in bank parking lot. Target attempts to deposit money in night drop or ATM but is told by attacker that it is out of order. Target then gives money to attacker for deposit and safekeeping. Diversion Theft
  • 35. • Scavenging key bits of information from many documents put out in the trash. – Literally involves getting in a dumpster during off-peak hours and looking for information. – Janitorial crews could be involved. Are they bonded? • Document shredders are not always the answer – Vertical cut, cross cut, micro cut, and security cut. Dumpster diving
  • 36. • Training – User awareness • User knows that giving out certain information is bad. • Policies – Employees are not allowed to divulge information. • Every organization must decide what information is sensitive and should not be shared. – Prevents employees from being socially pressured or tricked. – Polices MUST be enforced to be effective. How to prevent social engineering?
  • 37. • Password management • Physical security • Network defenses may only repel attacks – Virus protection – Email attachment scanning – Firewalls, etc. • Security must be tested periodically. How to prevent social engineering?
  • 38. • Third-party testing – Hire a third-party to attempt to attack targeted areas of the organization. – Have the third-party attempt to acquire information from employees using social engineering techniques. – Learning tool for the organization—not a punishment for employees. How to prevent social engineering?
  • 39. • What is the overall risk appetite and risk tolerance levels of the audit/supervisory committee? – Board of Directors? – Executive management? • Do those charged with governance value testing the security of information through social engineering? – Are they afraid of what the results might reflect? • Social engineering testing may need to be “sold” for testing to have any value. – Consider elements of a security awareness program. Social engineering as an internal audit unit
  • 40. • Risk assessment – Identify types of social engineering that may be most applicable to the organization. What are the weaknesses? – What types of attacks is management most concerned about? • Pretexting planning – What is the goal? – Identify the roles to be used and draft the pretexting script. • Who are we going to be? • What are we going to say? – Signed letter from executive management the social engineering testing. • “Get out of jail free” card. Social engineering as an internal audit unit
  • 41. • Example authorization letter January 31, 2014 To whom it may concern, The internal audit department of XYZ Credit Union has authorization to perform a physical security assessment. As part of this security review the internal audit department may perform any of the following procedures during the following time period: February 16, 2014 through February 28, 2014. 1) Patrol the perimeter of any XYZ Credit Union (“XYZ”) branch during and after normal business hours. 2) Inspect the content of interior trash receptacles during business hours and exterior trash receptacles during or after business hours at any XYZ location. The content of any trash receptacle may be confiscated by internal audit personnel as testing evidence. 3) Attempt to gain access to restricted areas within XYZ headquarters or its branches during business hours by means of social engineering which may include:  Internal audit personnel disguise themselves as employees of XYZ and/or vendors.  Internal audit personnel may attempt to deceive XYZ employees in any manner which is legal and does not otherwise harm XYZ, its employees, or its members to adequately test the physical security access controls of branches and the willingness of XYZ employees to disseminate confidential information about the credit union. 4) Temporarily remove a sample of readily accessible material(s) which will be returned to the designated bank contact immediately after the testing for XYZ has concluded. If there are any questions about this assessment or how internal audit personnel should be dealt with, please contact one of the following individuals immediately. All authority granted by this letter expires promptly at 11:59PM on February 28, 2014. Social engineering as an internal audit unit
  • 42. • Phishing planning – What is the goal? – What is the setup? • Document: – Test scenario (e.g. spear phishing to install malware) – Inherent risks to the scenario (e.g. embedded links in emails) – Character (e.g. Human Resources department of XYZ Credit Union) Social engineering as an internal audit unit
  • 43. • Example phishing email Subject: Vacation Policy Attention, An important change has been made to our vacation policy; we have made the changes available for you to view on our new HR portal. Please let us know if you have any questions with the changes made to the vacation policy. www.xyzcu.com/HR Regards, XYZ Credit Union HR HR@xyzcucom Social engineering as an internal audit unit
  • 44. • Reporting on social engineering test results – Be as detailed as possible when describing the scenarios/scripts and the results. – Do not implicate a single person—social engineering testing is a learning tool, not a punishment. • How this is handled may cause internal audit to be viewed poorly within the organization. – Consider a grading scale. • Many audit reports report findings as pass/fail. Social engineering results may be partly pass and partly fail. – Example: Allowed into telecom closet, but not behind the teller line. • Use a letter grading system for social engineering. – Clearly define what each aspect of the grading scale means. Social engineering as an internal audit unit
  • 45. • Real example of a pretexting report finding. Condition On Monday, February 24, 2014, Internal Audit attempted to gain access to secured areas of five branches using social engineering physical penetration techniques while posing as employees of the XYZ Credit Union “Asset Management Division” who were onsite to inspect for asset management controls. At the Main and First and Second Street branches, credit union personnel gave disguised Internal Audit personnel access to all secured areas of the branch. During this visit, branch personnel never attempted to validate our identities by looking at driver’s licenses or whether or not we were supposed to be at the branch by calling responsible management to confirm the visit. At all times during the visit, branch personnel always displayed behavior that was consistent with “buying in” to the XZY Credit Union “Asset Management Division” script. At the Main Street branch, Internal Audit personnel witnessed a drawer at a teller station slightly open and containing what appeared to be a large sum of cash. The Internal Audit employee who witnessed the open drawer was directly behind the teller counter and in the exact position where a teller would stand while providing service to a customer. Finally, when requesting access to the telecom closet, branch personnel opened the fire extinguisher bay door located next to the telecom closet door to retrieve the key. The key was not there at the time; however, the action was an indication that the key may be stored in that location at times. At the Second Street branch, a teller was prepared to grant us access to secured areas of the bank because two key contacts in the branch were on the phone at the time. Just as we were about to get access, one of those persons got off the phone and that person followed procedure and ultimately ended our test and did not grant us access. Social engineering as an internal audit unit
  • 46. • No matter how robust an organization’s: – Firewalls – Intrusion detection systems – Anti-virus/malware software – Other technological and physical safeguards • The human is always the weakest link when dealing with security and protecting valuable information. • Knowledge is power. – People sometimes want others to “know what they know” to demonstrate importance. Weakest Link?
  • 47. • Good habits drive security culture and there are no technologies that will ever make up for poor security culture. • Social engineering audit is one method commonly used to assess the condition of the overall security culture. Key take away