Building your social engineering awareness program
1. Building your Social Engineering Awareness Program
Dave Keene
Wells Fargo
Information Security Engineer
May 7, 2015
2. Agenda
Definition of Social Engineering and why it is effective
Recent Examples
Social Engineering Techniques
Building Your Awareness Program
Testing Your Awareness Program
Remediation
3. Social Engineering Defined
Social Engineering is the practical application of manipulation and deception against the human element
Relies on instinctive trust in people, a trust that is a survival tactic developed as part of human evolution
– Think about your youth, things you were taught
• Politeness
• Kindness
• Sense of community
4. Why does Social Engineering work?
Techniques used leverage this ingrained vulnerability of trust
In other words, this is a zero day exploit with no patch on the horizon
Like any other security risk, there are mitigating controls
5. Recent Examples of Social Engineering
Hospital Sues Bank of America Over Million-Dollar Cyberheist – Krebs On Security
– “A Bank of America employee, contacted the Chelan County Treasurer’s office later
that morning and asked if a pending transfer request of $603,575.00 was
authorized,” … an employee in the Chelan County Treasurer’s Office, responded
immediately that the $603,575.00 transfer request was not authorized.
Nonetheless, Bank of America processed the $603,575.00 transfer request and
transferred the funds as directed by the hackers.”
Anthem – Tom DeSot, Digital Defense
– “It is highly possible that they are preparing for another attack, such as
a social engineering or phishing attack, that may give them access
to systems that they were unable to reach,”
6. Social Engineering Techniques
Phishing
– Using crafted emails to manipulate a person into doing something other than what they would normally do
Voice Phishing (Vishing)
– Traditional use of phone calls to convince a person to disclose information
SMS Phishing (Smishing)
– Text messages with links that lead to charges on the phone bill
7. Social Engineering Techniques
Flyer drops
– Flyers with enticing advertisements that lead people to manually enter a link into their browser
Removable media drops
– CDs/DVDs labeled with interesting possible contents, USB drives
– The content includes malware, some of which can be made undetectable by anti-virus
8. Building Your Education Program
Create your policies and reporting processes
Before instruction can begin, you must have basic policies in place for employees to understand
– Acceptable Use Policy
– Social Media Use Policy
Employees need a way to report Social Engineering attempts
– Phishing mailbox
– Phone line or voicemail box
• Monitoring and response is key!
9. Building Your Education Program
Phishing Education
Teach users how to spot a phishing email
Unify communications and reduce the use of email blasts to all employees
10. Building Your Education Program
Vishing Education
Educate users about voice calls
– Phone numbers are easily spoofed
Caller authentication
– Programs that allow a challenge/response to ensure the caller is authentic
11. Building Your Education Program
Smishing Education
Alert users to what smishing is, as it is not a commonly used term
Disable short codes on company phones, or restrict short codes to require an additional PIN
12. Building Your Education Program
Flyer Drop Education
Don’t keep a sterile work environment
Don’t allow flyers with shortened links
Have someone designated to check flyers for validity
13. Building Your Education Program
Media Drop Education
Make users aware of the risk of enticing USB keys or other media that appears to have exciting/sensitive data
Don’t allow unknown media into corporate computers, or at minimum don’t allow files on it to be executed
– Restrict corporate systems to approved USB device identifiers or to encrypted-only devices
– Use endpoint protection
14. Testing Your Education Program
Phish your employees
Use phishing software to phish employees
– Change the difficulty of spotting the phish, starting with obvious phishes and then gradually removing the obvious phish identifiers
• The first phish contains gratuitous spelling mistakes, a sense of urgency, an invalid sender and/or receiver, bogus URLs, etc.
• Each level reduces the phishing elements, making the phish harder to spot and reinforcing training
While there is open source phishing software, larger organizations may need assistance from phishing service providers and/or development of tools to assist in phishing
15. Testing Your Education Program
Vish your employees
This may take more effort, as vishing is a live manipulation exercise
– Find someone outside of the organization willing to assist
Many security firms offer this service; it is a specialized skill, yet highly important because of its effectiveness
16. Testing Your Education Program
Test flyer and removable media drops
Create internal tracking that can detect when users:
– Enter the flyer URL
– Execute removable media
Engage your technical staff for assistance; there are tutorials on tracking with open source software for testing your program’s effectiveness
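The internal tracking described above comes down to two log checks: which flyer tokens were typed into a browser, and which processes were launched from the dropped media. The script below is an added example rather than the deck's or any vendor's tooling; the token-to-location map, the access-log lines, the endpoint events and the E:/F: drive letters are all constructed assumptions.

```python
import re
from collections import defaultdict

# Hypothetical token-to-location map: every printed flyer carries its own token in
# the URL, so a hit in the web log can be traced to where that flyer was dropped.
FLYER_TOKENS = {"a1f9": "lobby", "b7c2": "cafeteria", "d4e8": "parking-garage"}

# Constructed access-log lines from the internal tracking site (not real traffic).
ACCESS_LOG = """\
10.20.1.15 - - [07/May/2015:09:14:02 -0500] "GET /win-a-tablet?t=a1f9 HTTP/1.1" 200 512
10.20.3.9 - - [07/May/2015:09:31:44 -0500] "GET /win-a-tablet?t=d4e8 HTTP/1.1" 200 512
10.20.1.15 - - [07/May/2015:09:40:10 -0500] "GET /win-a-tablet?t=a1f9 HTTP/1.1" 200 512
10.20.7.2 - - [07/May/2015:10:02:55 -0500] "GET /favicon.ico HTTP/1.1" 404 0
10.20.5.31 - - [07/May/2015:10:15:07 -0500] "GET /win-a-tablet?t=zzzz HTTP/1.1" 200 512
"""

# Constructed endpoint process-creation events in a simple key=value form
# (not a vendor format); the test media were mounted as E: and F: (assumption).
ENDPOINT_LOG = """\
2015-05-07T09:20:01 host=WS-114 user=jdoe event=ProcessCreate image=E:\\Payroll_2015.exe
2015-05-07T09:21:30 host=WS-114 user=jdoe event=ProcessCreate image=C:\\Windows\\explorer.exe
2015-05-07T11:05:12 host=WS-207 user=asmith event=ProcessCreate image=F:\\Resumes\\Resume.exe
"""
REMOVABLE_DRIVES = ("E:", "F:")
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<path>\S+)')

def flyer_hits(log_text):
    """Map each drop location to the sorted client IPs that followed its URL.
    Unknown tokens are grouped under 'unknown-token' so mistyped URLs stay visible."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        q = re.search(r"[?&]t=([0-9a-z]+)", m.group("path"))
        if not q:
            continue  # request without a tracking token, e.g. favicon.ico
        hits[FLYER_TOKENS.get(q.group(1), "unknown-token")].add(m.group("ip"))
    return {loc: sorted(ips) for loc, ips in hits.items()}

def media_executions(log_text):
    """Return (host, user, image) for every process launched from a test drive."""
    found = []
    for line in log_text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        image = fields.get("image", "")
        if fields.get("event") == "ProcessCreate" and image.upper().startswith(REMOVABLE_DRIVES):
            found.append((fields["host"], fields["user"], image))
    return found
```

Joining the client IP or host name to the DHCP or asset inventory gives the per-employee record the remediation step on the next slide relies on.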
17. Remediate when training fails
Don’t just track failure; make sure you notify employees if they put the company at risk
Engage legal and HR for advice on repeat offenses
Remember there is no perfect solution; there will still be a small percentage that fall for these every time
– Investigate restricting these users due to repeat offenses
18. Summary
Definition of Social Engineering and why it is effective
Recent Examples
Social Engineering Techniques
Building Your Awareness Program
Testing Your Awareness Program
Remediation
19. Questions?
People are the weakest link in a security practice, but properly trained they can become the strongest asset in protecting your company
Insert Sun Tzu quote here
Editor's Notes
“A Bank of America employee, contacted the Chelan County Treasurer’s office later that morning and asked if a pending transfer request of $603,575.00 was authorized,” the complaint reads. “No funds had been transferred at the time of the phone call. Theresa Pinneo, an employee in the Chelan County Treasurer’s Office, responded immediately that the $603,575.00 transfer request was not authorized. Nonetheless, Bank of America processed the $603,575.00 transfer request and transferred the funds as directed by the hackers.”
“It is highly possible that they are preparing for another attack, such as a social engineering or phishing attack, that may give them access to systems that they were unable to reach,” said Tom DeSot, chief information officer of cybersecurity firm Digital Defense Inc. in San Antonio.