Penetration testing can often entail thousands of dollars' worth of industry-leading scanning and penetration testing tools. But, testing for social engineering -- a cruder and more inexpensive attack method -- should also be a part of any company's penetration testing repertoire. After all, while attempts to crack servers, passwords and network devices are frequently thwarted by sound security configurations, social engineering attacks often allow for access to sensitive company information.
Social engineering is difficult to defend against because it involves human beings, whose actions and behaviors are strongly influenced by their feelings and emotions, and by a desire to be helpful, often to a fault -- a vulnerability that is ingrained in human nature.
So how can the entrenched habits of employees be altered with a mere ten minutes of security awareness training?
While there is agreement that any sound information security program should address social engineering, a company's defenses should not end there.
We have found that almost every organization falls short in supplying its employees with the right tools to defend the company against social engineering attacks. It takes more than giving employees the information about the threat; they also need the resources to protect themselves and the company. A company needs to develop a defense strategy that includes policies, specific procedures, training and auditing.
Processes that can help your organization defend against social engineering include: methods of identifying callers and visitors; sign-in and escort procedures for visitors; emergency procedures for responding to hostile behavior; and, finally, training employees to politely say "no" to requests for information -- it is their responsibility both to the company and its customers.
After sufficient time developing processes, provide training and awareness for all employees so they are clear as to their responsibilities.
However, developing documented processes to defend against social engineering and training employees is not sufficient. Stopping there would omit one critical component of a good defense strategy: auditing. Through auditing, a company can effectively measure how well it has prepared its employees to defend against social engineering attacks.
Auditing should include methods that are commonly used by social engineers. Send a bogus email or make phone calls to a sample of your employees and request some piece of sensitive company information. Make an attempt to piggyback into restricted areas such as a server room or smooth-talk past the security guard. Security guards often work for a contract company, but it is vital that they not be left out of the awareness loop.
Monitor and tally the results of an audit and then provide feedback to the organization. If your company has an employee recognition or reward program, tie it into your audit results; take advantage of the opportunity to give your employees some praise.
If your employees know what social engineering is, you're halfway there. Now it is time to take the next step.
Sean Kelly and Michael Montagliano are CISSP certified technology consultants working for consilium1, based in Rochester, N.Y.