Building your Social Engineering
Awareness Program
Dave Keene
Wells Fargo
Information Security Engineer
May 7, 2015
Agenda
• Definition of Social Engineering and why it is effective
• Recent Examples
• Social Engineering Techniques
• Building Your Awareness Program
• Testing Your Awareness Program
• Remediation
Social Engineering Defined
• Social Engineering is the practical application of manipulation and deception against the human element
• Relies on instinctive trust in people, a trust that is a survival tactic as part of human evolution
  – Think about your youth, things you were taught
    ◦ Politeness
    ◦ Kindness
    ◦ Sense of community
Why does Social Engineering work?
• Techniques used leverage this ingrained vulnerability of trust
• In other words, this is a zero-day exploit with no patch on the horizon
• Like any other security risk, there are mitigating controls
Recent Examples of Social Engineering
• Hospital Sues Bank of America Over Million-Dollar Cyberheist – Krebs On Security
  – “A Bank of America employee, contacted the Chelan County Treasurer’s office later that morning and asked if a pending transfer request of $603,575.00 was authorized,” … an employee in the Chelan County Treasurer’s Office, responded immediately that the $603,575.00 transfer request was not authorized. Nonetheless, Bank of America processed the $603,575.00 transfer request and transferred the funds as directed by the hackers.”
• Anthem – Tom DeSot, Digital Defense
  – “It is highly possible that they are preparing for another attack, such as a social engineering or phishing attack, that may give them access to systems that they were unable to reach,”
Social Engineering Techniques
• Phishing
  – Using crafted emails to manipulate a person into doing something other than what they would normally do
• Voice Phishing (Vishing)
  – Traditional use of phone calls to convince a person to disclose information
• SMS Phishing (Smishing)
  – Text messages with links that lead to charges on the phone bill
Social Engineering Techniques
• Flyer drops
  – Flyers with enticing advertisements that lead people to manually enter a link into their browser
• Removable media drops
  – CDs/DVDs labeled with interesting possible contents, USB drives
  – The content includes malware, some of which can be made undetectable by anti-virus
Building Your Education Program
Create your policies and reporting processes
• Before instruction can begin, you must have basic policies in place for employees to understand
  – Acceptable Use Policy
  – Social Media Use Policy
• Employees need a way to report Social Engineering attempts
  – Phishing mailbox
  – Phone line or voicemail box
    ◦ Monitoring and response is key!
Building Your Education Program
Phishing Education
• Teach users how to spot a phishing email
• Unify communications and reduce the use of email blasts to all employees
Building Your Education Program
Vishing Education
• Educate users about voice calls
  – Phone numbers are easily spoofed
• Caller authentication
  – Programs that allow a challenge/response to ensure the caller is authentic
Building Your Education Program
Smishing Education
• Alert users to what smishing is, as it is not a commonly used term
• Disable short codes on company phones, or restrict short codes to require an additional PIN
Building Your Education Program
Flyer Drop Education
• Don’t keep a sterile work environment
• Don’t allow flyers with shortened links
• Have someone designated to check flyers for validity
Building Your Education Program
Media Drop Education
• Make users aware of the risk of enticing USB keys or other media that appears to have exciting/sensitive data
• Don’t allow unknown media into corporate computers, or at minimum don’t allow files to be executed
  – Restrict corporate systems to certain USB identifiers or to encrypted-only devices
  – Use endpoint protection
Testing Your Education Program
Phish your employees
• Use phishing software to phish employees
  – Vary the difficulty of spotting the phish, starting with the obvious and gradually removing the obvious phish identifiers
    ◦ The first phish contains gratuitous spelling mistakes, a sense of urgency, an invalid sender and/or receiver, bogus URLs, etc.
    ◦ Each level removes more of the phishing elements, making the phish harder to spot and reinforcing training
• While open source phishing software exists, larger organizations may need assistance from phishing service providers and/or development of tools to assist in phishing
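The "obvious phish identifiers" listed above, and the earlier "teach users how to spot a phishing email" slide, can be turned into a small checker. The following is an added example and not code from the deck or from any phishing tool: it scores a simulated message for the tells the slides name (spelling mistakes, urgency, invalid sender or receiver, bogus URLs), maps the count to a campaign level, and can show the same findings back to users as training feedback. The word lists, the organisation's domain `example.com`, the two sample messages and the level mapping are all assumptions.

```python
"""Score a simulated phishing email by the obvious tells the deck lists.

Added example, not code from the deck. The word lists, the organisation's
domain (example.com), the sample messages and the level mapping are assumptions.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed lists; a real program would use a spell checker and a larger phrase list.
URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours", "suspended", "verify now")
MISSPELLINGS = {"acount", "recieve", "securty", "verfy", "passsword"}
OUR_DOMAINS = ("example.com",)  # the organisation's own mail and web domains (assumption)
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed level-1 test message: every tell present.
LEVEL1_MESSAGE = """\
From: IT Helpdesk <helpdesk@example-support.net>
To: undisclosed-recipients:;
Subject: Acount suspended - verfy now

Your acount will be suspended within 24 hours unless you verfy your
passsword at http://example.com.secure-login.net/verify immediately.
Alternate link: http://198.51.100.7/login
"""

# Constructed level-6 test message: no obvious tells left.
LEVEL6_MESSAGE = """\
From: Payroll <payroll@example.com>
To: alice@example.com
Subject: Updated W-2 available

Your updated tax form is posted on the payroll portal:
https://payroll.example.com/forms
"""


def host_is_ours(host):
    return any(host == d or host.endswith("." + d) for d in OUR_DOMAINS)


def url_is_bogus(url):
    """Raw IP address, or our domain name embedded in a host we do not own."""
    host = (urlparse(url.rstrip(".,;)")).hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return any(d in host for d in OUR_DOMAINS) and not host_is_ours(host)


def phish_indicators(raw_message):
    """Return the set of obvious phishing tells present in a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    if not isinstance(body, str):      # multipart messages are out of scope here
        body = ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    found = set()

    if set(re.findall(r"[a-z']+", text)) & MISSPELLINGS:
        found.add("spelling")
    if any(p in text for p in URGENCY_PHRASES):
        found.add("urgency")

    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    if not host_is_ours(sender_domain):
        found.add("invalid_sender")
    if "@" not in msg.get("To", ""):   # no named recipient, e.g. undisclosed-recipients
        found.add("invalid_receiver")

    if any(url_is_bogus(u) for u in URL_RE.findall(body)):
        found.add("bogus_url")
    return found


def difficulty_level(raw_message):
    """Campaign level from the tell count: 1 = all five present, 6 = none left."""
    return 6 - len(phish_indicators(raw_message))


if __name__ == "__main__":
    for name, message in (("level-1", LEVEL1_MESSAGE), ("level-6", LEVEL6_MESSAGE)):
        print(name, difficulty_level(message), sorted(phish_indicators(message)))
```

Run it over each template before a campaign goes out to confirm the template sits at the level you intend, and feed `phish_indicators` to the landing page shown to users who click, so the feedback names the tells they missed.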
Testing Your Education Program
Vish your employees
• This may take more effort, as vishing is a live manipulation exercise
  – Find someone outside of the organization willing to assist
• Many security firms offer this service; it is a specialized skill, yet highly important to test because of its effectiveness
Testing Your Education Program
Test flyer and removable media drops
• Create internal tracking that can detect when users:
  – Enter the flyer URL
  – Execute removable media
• Engage your technical staff for assistance; there are tutorials on tracking with open source software for testing your program’s effectiveness
Remediate when training fails
• Don’t just track failure; make sure you notify employees if they put the company at risk
• Engage legal and HR for advice on repeat offenses
• Remember there is no perfect solution; there will still be a small percentage that fall for these every time
  – Investigate restricting these users due to repeat offenses
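The "internal tracking" the flyer and media drop slide asks for, and the repeat-offense handling on this slide, fit together in one small pipeline. The following is an added example, not code from the deck: it pulls the users who entered the flyer URL out of a web proxy log and the users who ran a program from removable media out of an endpoint log, then decides per user whether a first failure earns a notification or a repeat failure is escalated to HR and legal. Both log formats, the field names, the flyer URL `promo.example.com`, the sample lines and the previous-campaign results are constructed assumptions.

```python
"""Track which users fell for a simulated flyer drop or removable-media drop,
and decide remediation for repeat failures.

Added example, not from the deck. Log formats are assumptions: a web proxy log
with the authenticated user and requested URL, and an endpoint log of process
launches with the volume type. All sample lines are constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed proxy log: timestamp, user, method, URL, status
PROXY_LOG = """\
2015-05-07T09:12:01 alice GET http://promo.example.com/free-lunch/ 200
2015-05-07T09:12:05 alice GET http://intranet.example.com/home 200
2015-05-07T09:40:13 bob GET http://promo.example.com/free-lunch/ 200
2015-05-07T11:02:48 carol GET http://promo.example.com/free-lunch/?src=qr 200
"""

# Constructed endpoint log: key=value pairs per process launch
ENDPOINT_LOG = """\
2015-05-07T10:03:44 host=WS-17 user=bob image=E:\\bonus_list.exe volume=removable
2015-05-07T10:05:10 host=WS-03 user=dave image=C:\\Windows\\notepad.exe volume=fixed
2015-05-07T13:22:09 host=WS-22 user=erin image=F:\\Q2_salaries.xlsx.exe volume=removable
"""

# Constructed result of an earlier campaign, used by the repeat-offense logic.
PREVIOUS_CAMPAIGN = {"bob": {"flyer"}, "frank": {"media"}}

FLYER_URL_PREFIX = "http://promo.example.com/free-lunch/"  # URL printed on the test flyer
PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def flyer_visits(log_text, url_prefix=FLYER_URL_PREFIX):
    """Users who entered the flyer URL; a query string such as ?src=qr still counts."""
    users = set()
    for line in log_text.splitlines():
        m = PROXY_RE.match(line)
        if m and m.group(4).startswith(url_prefix):
            users.add(m.group(2))
    return users


def media_executions(log_text):
    """Users who launched a program from a removable volume."""
    users = set()
    for line in log_text.splitlines():
        fields = dict(KV_RE.findall(line))
        if fields.get("volume") == "removable" and fields.get("user"):
            users.add(fields["user"])
    return users


def campaign_failures(proxy_log, endpoint_log):
    """Map each user to the kinds of test they failed in this campaign."""
    failed = defaultdict(set)
    for user in flyer_visits(proxy_log):
        failed[user].add("flyer")
    for user in media_executions(endpoint_log):
        failed[user].add("media")
    return dict(failed)


def failure_rate(failures, headcount):
    """Share of tested employees who failed at least one drop."""
    return len(failures) / headcount


def remediation_actions(history, escalate_after=2):
    """history: per-campaign failure dicts, oldest first.

    A single failure earns a notification; escalate_after or more failed
    campaigns is a repeat offense that goes to HR and legal.
    """
    counts = Counter(user for campaign in history for user in campaign)
    return {u: ("escalate" if n >= escalate_after else "notify") for u, n in counts.items()}


if __name__ == "__main__":
    current = campaign_failures(PROXY_LOG, ENDPOINT_LOG)
    print("failure rate: %.0f%%" % (100 * failure_rate(current, 40)))
    for user, action in sorted(remediation_actions([PREVIOUS_CAMPAIGN, current]).items()):
        print(user, sorted(current.get(user, ())), action)
```

Keep the per-campaign failure dicts as the record you hand to HR and legal; the escalation threshold is a policy decision, so it is a parameter rather than a constant buried in the code.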
Summary
• Definition of Social Engineering and why it is effective
• Recent Examples
• Social Engineering Techniques
• Building Your Awareness Program
• Testing Your Awareness Program
• Remediation
Questions?
People are the weakest link in a security practice, but
properly trained can become the strongest asset in
protecting your company
Insert Sun Tzu quote here

Editor's Notes

  1. “A Bank of America employee, contacted the Chelan County Treasurer’s office later that morning and asked if a pending transfer request of $603,575.00 was authorized,” the complaint reads. “No funds had been transferred at the time of the phone call.  Theresa Pinneo, an employee in the Chelan County Treasurer’s Office, responded immediately that the $603,575.00 transfer request was not authorized. Nonetheless, Bank of America processed the $603,575.00 transfer request and transferred the funds as directed by the hackers.” “It is highly possible that they are preparing for another attack, such as a social engineering or phishing attack, that may give them access to systems that they were unable to reach,” said Tom DeSot, chief information officer of cybersecurity firm Digital Defense Inc. in San Antonio.
  2. FIX