The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick [131]
• A description of how attackers use social engineering skills to deceive people.
• The methods used by social engineers to accomplish their objectives.
• How to recognize a possible social engineering attack.
• The procedure for handling a suspicious request.
• Where to report social engineering attempts or successful attacks.
• The importance of challenging anyone who makes a suspicious request, regardless of the person’s claimed position or importance.
• The fact that they should not implicitly trust others without proper verification, even though their impulse is to give others the benefit of the doubt.
• The importance of verifying the identity and authority of any person making a request for information or action. (See “Verification and Authorization Procedures,” Chapter 16, for ways to verify identity.)
• Procedures for protecting sensitive information, including familiarity with any data classification system.
• The location of the company’s security policies and procedures, and their importance to the protection of information and corporate information systems.
• A summary of key security policies and an explanation of their meaning. For example, every employee should be instructed in how to devise a difficult-to-guess password.
• The obligation of every employee to comply with the policies, and the consequences for noncompliance.
Social engineering by definition involves some kind of human interaction. An attacker will very frequently use a variety of communication methods and technologies in attempting to achieve his or her goal. For this reason, a well-rounded awareness program should attempt to cover some or all of the following:
• Security policies related to computer and voice mail passwords.
• The procedure for disclosing sensitive information or materials.
• Email usage policy, including the safeguards against malicious code such as viruses, worms, and Trojan horses.
• Physical security requirements such as wearing a badge.
• The responsibility to challenge people on the premises who aren’t wearing a badge.
• Best security practices for voice mail usage.
• How to determine the classification of information, and the proper safeguards for protecting sensitive information.
• Proper disposal of sensitive documents and computer media that contain, or have at any time in the past contained, confidential materials.
Also, if the company plans to use penetration testing to determine the effectiveness of defenses against social engineering attacks, employees should be put on notice of this practice in advance. Let employees know that at some time they may receive a phone call or other communication using an attacker’s techniques as part of such a test. Use the results of those tests not to punish, but to identify the areas where additional training is needed.
Details concerning all of the above items will be found in Chapter 16.
TESTING
Your company may want to test employees on their mastery of the information presented in the security awareness training, before allowing computer system access. If you design tests to be given online, many assessment design software programs allow you to readily analyze test results to determine areas of the training that need to be strengthened.
Your company may also consider providing a certificate testifying to the completion of the security training as a reward and employee motivator.
As a routine part of completing the program, it is recommended that each employee be asked to sign an agreement to abide by the security policies and principles taught in the program. Research suggests that a person who makes the commitment of signing such an agreement is more likely to make an effort to abide by the procedures.
ONGOING AWARENESS
Most people are aware that learning, even about important matters, tends to fade unless reinforced periodically. Because of the importance of keeping employees up to speed on the subject of defending against social engineering