The Art of Deception_ Controlling the Human Element of Security - Kevin D. Mitnick [130]
The emphasis of these sessions should be on conveying an appreciation of the harm that can be done to the company, and to employees individually, unless all employees follow good security work habits. More important than learning about specific security practices is the motivation that leads employees to accept personal responsibility for security.
In situations where some employees cannot readily attend classroom sessions, the company should consider developing awareness training using other forms of instruction, such as videos, computer-based training, online courses, or written materials.
After the initial short training session, longer sessions should be designed to educate employees about specific vulnerabilities and attack techniques relative to their position in the company. Refresher training should be required at least once a year. The nature of the threat and the methods used to exploit people are ever-changing, so the content of the program should be kept up to date. Moreover, people’s awareness and alertness diminish over time, so training must be repeated at reasonable intervals to reinforce security principles. Here again the emphasis needs to be as much on keeping employees convinced of the importance of security policies and motivated to adhere to them, as on exposing specific threats and social engineering methods.
Managers must allow reasonable time for their subordinates to become familiar with security policies and procedures, and to participate in the security awareness program. Employees should not be expected to study security policies or attend security classes on their own time. New employees should be given ample time to review security policies and published security practices prior to beginning their job responsibilities.
Employees who change positions within the organization to a job that involves access to sensitive information or computer systems should, of course, be required to complete a security training program tailored to their new responsibilities. For example, when a computer operator becomes a systems administrator, or a receptionist becomes an administrative assistant, new training is required.
Training Course Contents
When reduced to their fundamentals, all social engineering attacks have the same common element: deception. The victim is led to believe that the attacker is a fellow employee or some other person who is authorized to access sensitive information, or authorized to give the victim instructions that involve taking actions with a computer or computer-related equipment. Almost all of these attacks could be foiled if the targeted employee simply follows two steps:
• Verify the identity of the person making the request: Is the person making the request really who he claims to be?
• Verify whether the person is authorized: Does the person have the need to know, or is he otherwise authorized to make this request?
Note
Because security awareness and training are never perfect, use security technologies whenever possible to create a system of defense in depth. This means that the security measure is provided by the technology rather than by individual employees, for example, when the operating system is configured to prevent employees from downloading software from the Internet, or choosing a short, easily guessed password.
If awareness training sessions could change behavior so that each employee would always be consistent about testing any request against these criteria, the risk associated with social engineering attacks would be dramatically reduced.
A practical information security awareness and training program that addresses human behavior and social engineering aspects