March 2019 A GUIDE ON THE RISKS OF SOCIAL ENGINEERING ON AN ORGANISATION AND HOW TO MITIGATE AGAINST IT Created by: Sajid Raza Student at the University of South Wales Approved by: Emma Derbi Project Supervisor
DISCLAIMER ! The Contents of This Guide Is To Be Used For Educational Purposes Only And NOT For Any Illegal Activities.
Table of Contents Table of Figures....................................................................3 1. What is Social Engineering...............................................5 1.2. Biology of Social Engineering.................................6 2. Threats of Social Engineering on an Organisation.........................................................................8 3. Attack vectors used by cybercriminals in social engineering attacks.................................................................................16 4. Methods Used to Mitigate Against Social Engineering ............................................................................................32 5. Summary.........................................................................49 Page | 2
Table of Figures Figure 1 - Anatomy of head showing the amygdala..............................................................................7 Figure 2 - Cartoon (Stu, 2014)....................................................................................12 Figure 3 - Graph showing phishing, spoofing and social engineering losses (Ayers, 2018)....................................................................................13 Figure 4 - Four phases of a social engineering attack (J. Van de Merwe, 2017) .............................................................................................20 Figure 5 – Fake Facebook login page (Cluley, 2011)....................................................................................22 Figure 6 – Legitimate Facebook Login Page (Cluley, 2011)....................................................................................23 Figure 7 - Spear Phishing (Sonntag, 2018)....................................................................................24 Figure 8 - Phone Phishing Cartoon (Hydro, 2018)....................................................................................25 Page | 3
Figure 9 - Graph showing the top 10 reported scams of 2018 (SCAMWATCH, 2018)........................................................26 Figure 10 - Graph showing highest reported delivery methods of scams (SCAMWATCH,2018)..........................................27 Figure 11 - Graph showing infected hosts by country from stuxnet worm (Statista, 2010).............................................30 Figure 12 - Stuxnet delivery illustration (Noor, 2018)...................................................................................31 Figure 13 - No Dumpster Diving Allowed (Social-Engineer, 2018)...................................................................................34 Figure 14 - No Phishing Allowed (Dungay, 2017)...................................................................................36 Figure 15 - Impersonation Cartoon (Inc, 2016)...................................................................................39 Figure 16 - Shoulder Surfing (Reviews, 2019)...................................................................................41 Page | 4
1. What is Social Engineering? Social engineering is a form of techniques and methods used by cybercriminals and non-cybercriminals (Penetration Testers). These techniques and methods are used to extract sensitive information through the use of both influence and persuasion. This is used to deceive people by convincing them that the social engineer is someone that they are not. Resulting in the social engineer or attacker being able to take advantage of people to attain information with or without the use of technology. The main purpose of social engineering is the same as that of hacking through the use of technical methods. This is to gain unauthorised access to computer systems, to carry out identify theft, to gain information about a person/company or to disrupt a service/s. Social engineers will carry out attacks knowing that the victims are not aware of the importance of the information that they are handling or giving away. Page | 5
1.2. Biology of Social Engineering It has been said for many years that there is some form of physiological aspect when it comes to social engineering, such as amygdala hijacking (emotional hijack). The amygdala is a section of the brain located deep within the temporal lobe that is responsible for both the detection and the immediate response to fear, also known as the fight-or-flight response that would cause an individual to respond to threats. Add a headingWhen the amygdala senses any form of danger, it carries out a split-second decision and triggers the fight- or-flight response before it is overruled by another part of the brain called the cortex. Throughout this process, adrenaline is released, resulting in increase of blood pressure, heart rate and breathing. When this happens, it will become difficult to think clearly and to concentrate as the brain will release stress hormones. Page | 6
Amygdala Figure 1 - Anatomy of head showing the amygdala This is where an attacker can take advantage of the individual and manipulate them into releasing valuable information as they will be in that fight-or-flight state and will therefore make quicker decisions without clearly thinking about what they are doing. Page | 7
2. Threats of Social Engineering on an Organisation For many decades, social engineering has been a huge risk for all company’s worldwide in all industries from IT to Financial to even the Medical industry. Cyber security has evolved which therefore means software vulnerabilities are becoming far more infrequent than they once were. However, people are much more exposed to attacks today than ever before. If you were to ask people today what they believed were the most effective attacks, they would most likely say technical. However, this is not the case as social attacks have climbed the ranks and become the most effective and practiced attacks in today’s society. In an industry survey, social engineering topped the list of the 10 most popular hacking methods. Warwick (2016) also stated that “More than 70% of almost 500 IT security experts polled by European Security Technology firm Balabit said they considered insider threats more risky”. This statistic more than confirms the findings of the survey. Page | 8
In February 2016, a hacker with the Twitter handle ‘@DotGovs’ claimed to have downloaded the details of thousands of FBI and Department of Homeland Security employees from the Department of Justice (DoJ) database. The hacker then proceeded to post links to what was apparently over 9,000 Department of Homeland Security (DHS) employees and a directory of more than 22,000 FBI employees. Within this FBI list was names, job titles, phone numbers and emails of up to 1,300 intelligent analysts and almost 1800 special agents. The attacker stated that he had called a support desk and claimed to be a new employee to which he was given an access code. The hacker claimed that he had used credentials of a Gmail account that he had by then already hacked to gain access to a DoJ database and proceeded to download up to 200GB of files. The way in which he gained access to the Gmail account was supposedly through a phishing attack which will be discussed later. Page | 9
Social engineering refers to both the application and design of malicious techniques.These techniques are used by attackers to take advantage of human targets. Additionally, to gain information that would be of some importance to them. In a security context, social engineering’s main purpose is to manipulate and persuade victims into disclosing confidential data. Also, to carry out actions that would be in breach of security protocols without the victims having any idea of what they have done. CSO (2012) agree with this by stating that “Social engineering is the art of gaining access to buildings, systems or data by exploiting human psychology” instead of using technical methods such as a Denial of Service (DoS) attack for example. Page | 10
Davey Winder (2018) states that “a social engineer only needs to fool one person in your organisation to gain access to your networks and data”. Many IT professionals will agree today that most data breaches start with some form of social engineering. This goes to show how much of a threat social engineering Is. A company could have all the latest security products in place. However, all it would take is for an attacker to gain the trust of one employee in the company no matter how large or small and the whole company could be compromised. In concurrence with this is Kevin Mitnick (2002) who stated during an interview that “The biggest threat to the security of a company is not a computer virus, an unpatched hole in a key program or a badly installed firewall. In fact, the biggest threat could be you”. This shows that many professionals agree that social engineering is a serious threat to all companies no matter how big or small. Page | 11
Companies are spending billions every year to keep up to date with hardware and software to help protect against malicious attacks. However, as Radha Gulati states “All of this is of no use if end users do not follow good security practices” (Gulati, 2002). What both Kevin Mitnick and Radha Gulati stated is very true and It is important that companies realise that no matter how much money they put into their security, it is pointless if their employees are not aware of social engineering and are not properly trained. Figure 1 below is a cartoon that sums up what both Kevin and Radha are saying. Figure 2 - Cartoon (Stu, 2014) Page | 12
In the past few years social engineering attacks have been rising at a steady rate. Advisen data show that the losses from social engineering attacks sky-rocketed between 2015 and 2016 and then remained at an all- time high in 2017 as shown in figure 2 below. Figure 3 - Graph showing phishing, spoofing and social engineering losses (Ayers, 2018) Page | 13
This shows that social engineering attacks are becoming more and more frequent and losses to attacks are growing at a rapid pace annually. Supposedly 95% of successful cyberattacks are the result of a phishing scam. According to the Symantec 2017 Internet Security Threat Report, over 400 businesses are being targeted by spear-phishing scams every day. This shows why the above graph is displaying such a high number of losses in the past 2 years. In the 2017, Annual Cybercrime Report from Cybersecurity venture, they stated that the cost of cybercrime could rise drastically to 6 trillion USD annually by the year 2021 which would be double the amount in 2015. From looking at both pieces of research from the Symantec report to the Official Annual Cybercrime it is clear that the cost of Cybercrime is increasing at a severe rate. Although the statistics are based in the United States it shows the losses worldwide will be much greater. Page | 14
In 2016, the number of internet users were around 3.4 billion and now in 2018 there is a little over 4 billion internet users which shows that there was a very large increase in internet users in the last 2 years. With this large of an increase in digital targets, there will be a definite increase in cybercrime as well. It is estimated that by the year 2022 the number of users will increase to 6 billion and 7.5 billion in the year 2030. It is no surprise that the next few years are going to see a considerable increase in losses from cybercrime and especially social engineering attacks. You can now go to the quiz menu and attempt 'Quiz 1: Threats of Social Engineering on an Organisation' and test yourself on what you have learnt in this chapter. Page | 15
3. Attack vectors used by cybercriminals in social engineering attacks Social engineering consists of many attacks used throughout different phases of an attack whether It’s during the research phase or the final play. Threat actors today are using social engineering methods to manipulate people into doing the work that at one point in time would have been carried out with some form of malicious code. Today’s attacker would much rather use social engineering to gain access to a network or to carry out some other form of malicious attack, this is because unlike more technical hacking methods, social engineering can be much easier, and the attacker would only need to exploit a single employee of a company to gain access to its whole network. Page | 16
According to a technical report written by Intel Security, there are two possible categories within social engineering, these are hunting and farming. Although not often practiced farming is a technique that can be used depending on the situation. “The attacker aims to establish a relationship with the victim in order to extract information for a longer period of time” (Raj Samani, 2015). During the farming process the potential victim could come to the realisation that they are being manipulated. At this point the attacker would switch to more criminal like tactics such as blackmail or bribery in order to keep the victim from talking. On the other side of the spectrum is hunting which unlike farming, the attacker will execute the attack with as little interaction with the potential target as possible. Any communication with the target would most likely be terminated once the attacker’s objective has been fulfilled. Page | 17
Hunting is the methodology most commonly used by cybercriminals in order to support their attacks. The objective of hunting is to try and extract as much information with as little contact as possible with the target. The most common attack vectors used with the hunting methodology is phishing, baiting and email hacking. Almost all social engineering attacks will consist of four distinct phases. These phases are research, hook, play and exit. The research phase can be thought of as the reconnaissance phase where the attacker will gather as much information as possible on the target person or organisation. During this phase, several techniques will be used to gather Open -Source Intelligence (OSINT) by the attacker. For example, Google, Whois, Maltego, Shodan, Social media and many other open source tools (Wordfence, 2018). Page | 18
The second phase of a social engineering attack is the hook phase. This is where an attacker will initiate contact with the target and try and gain control over the interaction. This will be done after they have carried out their reconnaissance from the research phase. In the hook phase the attacker will send a message or an email for example to the target which will contain a link that will act as the “hook”. If the target clicks on the link it will redirect them to where ever the attacker chooses. For example, a fake Facebook login page where the attacker will gain access to the targets log in details if they fall for it. When it comes to the play phase, Rahul Singh Patel (2013) states that it is where the attacker “aims to accomplish the purpose of the attack, which can be to extract information or to manipulate the target in order to compromise the system”. However, as stated in the ICANN Blog earlier the objective of the hook phase does sound like the play phase from Rahul Singh Patel. The hook phase and play phase can be mistaken for being the same stage as they are similar. Page | 19
The last of the four stages is the exit phase where the attacker will finalise the interaction with the victim of the attack and try to do so without causing suspicions. These four phases of a social engineering attack have been presented in a different way by J. Van de Merwe and F. Mouton (2017) as seen in figure 3 below. Figure 4 - Four phases of a social engineering attack (J. Van de Merwe, 2017) The phases above are basically the same research, hook, play and exit phases mentioned earlier but the names have been improved by Kevin Mitnick. He states that if in the last phase, the attacker has not extracted enough information from the victim, they can return to earlier phases until they have properly achieved their goal. Page | 20
Some of the most popular social engineering attack vectors are phishing, Vishing, pretexting, Eavesdropping, Tailgating and baiting. There are many more techniques used by attackers, however the ones listed are the most popular. Phishing Is ranked number one by many professionals and companies worldwide as the most popular social engineering attack. This is because many of the successful social engineering attacks that have occurred in the past have contained a phishing attack in the attack methodology, resulting in the attacker gaining access to the target company’s network. Phishing attacks will use a combination of both social engineering and technology spoofing techniques. An attacker will attempt to contact a target posing as a different identity, maybe someone that the target knows (would be discovered during reconnaissance). In order to obtain valuable information about the person whether its log in credentials or a phone number etc. Page | 21
For example, an attacker would send the target an email containing a malicious link that once clicked would direct the target to a fake log in page such as Facebook. This is where the target would log in therefore not knowing they have just given their log in credentials to the attacker. Figure 4 below is an image of a fake Facebook login page where the victim would be sent to when clicking a malicious link for example. Figure 5 – Fake Facebook login page (Cluley, 2011) Page | 22
Figure 5 below is an image of the real Facebook login page. This shows how similar both a fake and legitimate login page can look and why it is so common for people to fall victim to the attack. Figure 6 – Legitimate Facebook Login Page (Cluley, 2011) Page | 23
There are many forms of phishing attacks for example spear phishing, phone phishing and clone phishing to name a few. A spear phishing attack would be an email scam that would be specifically targeted towards an individual, organisation or a business. Unlike a normal phishing attack where the attacker will have random targets, a spear phishing attack will be much more intricate and will go after a CEO of a company or high value targets. Figure 7 - Spear Phishing (Sonntag, 2018) Clone phishing is a phishing attack where the content and recipient from a legitimate, previously sent, email would be extracted by an attacker who would clone the email. The attacker would then be able to replace the real link or attachment with their own malicious version. They could then send the same email back to the recipient from a spoofed email address, resulting in the recipient believing it is a legitimate email that has come from the original sender. Page | 24
Phone phishing is similar to a regular phishing attack but is done by phone instead of email. An attacker will try to trick the target into believing that the message or the phone call is from a legitimate identity (friend or co- worker). They will try to manipulate the target into giving up passwords or any other personal information. The attacker may even trick the target into clicking a malicious link in a message for example resulting in the target downloading malware onto their mobile phone. Figure 8 - Phone Phishing Cartoon (Hydro, 2018) Page | 25
Figure 4 below is a graph presenting the top 10 reported scams of 2018 so far. As seen, phishing is unquestionably further than any other scam. The graph shows that there have been roughly 17,000 reports of phishing attacks. Figure 9 - Graph showing the top 10 reported scams of 2018 (SCAMWATCH, 2018) In relation to the graph above is an additional graph that shows the highest reported delivery methods of scams so far in 2018. By phone is currently the most reported delivery method with a little over 49,000 in first place and email in second with just over 28,000. In addition to this the losses are also displayed, and phone scams have caused just over $26 million in 2018 so far. Page | 26
Figure 10 - Graph showing highest reported delivery methods of scams (SCAMWATCH, 2018) Another popular social engineering strategy is tailgating where an attacker will follow someone with authorised access into a building, therefore using another person’s authorisation to gain access to somewhere they are not authorised to be. All an attacker would need to do is wait for someone with the proper authorisation to enter the building and then act as a legitimate person who has forgotten their ID. Most employees would let you in as they may be a in a rush or may not want to start some form of confrontation. Page | 27
One of the easiest ways in which an attacker can gain someone’s login credentials or any other vital information is to physically be behind the individual when they are logging in to their computer system, even if they are logging into Facebook on their mobile device. This process is called eavesdropping. As Chantler (2016), Roderic, Alan (2006) and Broadhurst stated “a social engineer may place themselves at a known ‘haunt’ for employees of a particular company, to be able to overhear ‘work chat’ over lunch”. Dumpster diving, aptly named, is the practice of searching through a company’s rubbish with the idea of finding any helpful information, for example employee records, graphs that may present important data or even receipts. In addition to this, occasionally an attacker can come across old computer equipment such as old hard drives, USB drives and other hardware which could be very useful to an attacker. Dumpster diving in addition to eavesdropping and tailgating can be utilised by an attacker during the reconnaissance stage as it offers them a very quick way to potentially gain valuable documents that could help later in the attack process. Page | 28
One of the most notorious malware attacks, Stuxnet considered to be the first cyberwarfare weapon, targeted an Iranian nuclear facility in 2010 with the intent to not only infect its computer systems, but to specifically target and physically destroy centrifuges used to produce enriched uranium that was used to power nuclear weapons and reactors. The reason this is mentioned is because the way in which Stuxnet was delivered was via a malicious USB stick. It is believed that an individual whose identity remains unknown walked into the nuclear facility and dropped a malicious USB device, this can be thought of as a road apple attack. This is because in the old days, if an individual saw an apple laying on the ground as they were walking down the street, their first intention would be to steel it. It Is the same concept as someone would see the USB and would want to take it for themselves. This same USB device was picked up by an employee and plugged into a computer system within the facility which is how the malware was installed. Page | 29
Through zero-day vulnerabilities the malware was able to compromise the Windows-based computer system and spread to others in the same network through remote messages and USB drives. As a result of this, the malware could spread to any other USB devices connected to the computer system. It was estimated that roughly 984 uranium enriching centrifuges were destroyed. Figure 11 - Graph showing infected hosts by country from stuxnet worm (Statista, 2010) Page | 30
Based on what has been said, it would be reasonable to say that the delivery process of the Stuxnet worm was a social engineering attack. This is because the delivery method relied heavily on an employee being tempted enough to pick up the malicious USB and plug it into a computer system within the facility. Stuxnet has been rumoured to have been created by both Israel and the United States in a bid to physically destroy Iran’s nuclear facility. This is an example of where social engineering plays an important part in an attack as serious and well thought out as Stuxnet. Figure 6 below is a graph showing the percentage of infected hosts by country. Figure 12 - Stuxnet delivery illustration (Noor, 2018) You can now go to the quiz menu and attempt 'Quiz 2: Attack vectors used by cybercriminals in social engineering attacks' and test yourself on what you have learnt in this chapter. Page | 31
4. Methods used to mitigate against social engineering If a social engineer wanted to gain access to your personal employee records for example, no technology would be able to stop them from doing so. This is where good employee training and awareness would come into play. According to Kevin Mitnick (2001), companies that conduct penetration tests report that there is a 100% success rate when attempting to break into computer systems using social engineering attack vectors. The best way to mitigate the threat of social engineering is to have a mix of both security technologies with security policies that will lay down some ground rules to educate and train employees. Having employees that are aware of social engineering and its risks will ensure that a company is well protected. Kevin Mitnick (2001) states that “Some authorities recommend that 40 percent of a company’s overall security budget be targeted to awareness training”. Page | 32
This is crucial as many companies will believe that wasting their budget on expensive technology and the newest security products will keep their company safe. However, without investing in proper awareness training they will always be a target to attackers and the likelihood of their companies being compromised will be much greater. Employees need to be more vigilant, if they are aware of social engineering methods then they might be able to realise when a suspected attacker is trying to manipulate them. As Christopher Hadnagy said, “Our first mitigation is security through education”. If an employee is not educated in the methods used by attackers, then there is no way they will be able to defend against them. This is important to understand from a defensive security point of view. Below is a list of common social engineering attacks and how to prevent against them. Page | 33
Dumpster Diving Prevention In order to prevent attackers from dumpster diving, it is imperative that all trash is properly secured and placed within monitored areas. Additionally, all important documents containing sensitive data should be shredded immediately once becoming obsolete. Old storage devices such as hard drives or USB’s need to be properly erased or destroyed. Motion-sensitive cameras and proper lighting can also scare attackers away as they will not want to risk getting caught. Especially if the attacker is a rogue employee who may not want to get caught, potentially resulting in them losing their job or worse. Figure 13 - No Dumpster Diving Allowed (Social-Engineer, 2018) Page | 34
Phishing Prevention To protect against phishing emails, an individual should: - Not open emails in spam folders or emails whose recipients you do not know. Avoid emails that want you to give up or confirm personal or financial information. Some phishing emails will try to get the victim to react quickly. - Not open attachments in emails of unknown origin. - Use a reputable and trustworthy anti virus software such as Kaspersky or Symantec. - Carry out regular backups to external hard drives or to the cloud. Once properly backed up, external storage devices should be disconnected as ransom ware is capable of encrypting backups drives. Page | 35
- Do not pay ransom. The reason for this is because criminals are using blackmail as they know that people will pay it. Victims don’t want to lose all the files on their computer systems which could be personal to them. It is common for these criminals to even when payed, still not give the victims data back. It would be better to file a police report as they will be able to guide you in what to do next. Figure 14 - No Phishing Allowed (Dungay, 2017) Page | 36
To protect against phishing as a company, the following should be taken into consideration: - Companies should train employees annually or every few months. All employees such as IT staff, managers, end-users, help desk and assistants should be made aware of the latest social engineering attacks whether they have a background in IT or not. - Employing penetration testers to conduct a social engineering test that would help keep employees alert and would result in them evading attacks. - Be cautious of emails that come from unrecognised senders especially if they are asking for financial or personal information. Page | 37
Tailgating Prevention In order to prevent tail gating a number of measures can be implemented, for example: - Employing security guards would be very beneficial because they could verify that employees are really employees by checking badges or ID’s etc. - Implement biometrics such as finger prints, facial or voice recognition, palm recognition. This would make it extremely difficult for an attacker to tailgate and get into a building. - Visitor badges to ensure any guests are well documented. - Pin numbers can be implemented into the regular card readers. Page | 38
Impersonation and persuasion Prevention Train employees/help desk to never give out passwords or other confidential information by phone. Train them to take a break if something doesn't feel right. For example, if an individual comes in and requests confidential information or seems to be acting suspicious, the employee should take a step back and think about what to do next instead of just blindly following the potential attackers requests. Figure 15 - Impersonation Cartoon (Inc, 2016) Page | 39
Impersonation on help desk calls Prevention All employees should be assigned a PIN specific to help desk support so that when they do call the help desk, they can confirm that they are a legitimate employee. Additionally, all employees with desk support related roles should be appropriately trained to deal with social engineering. This can be done by running live scenarios to see how those employees respond to suspected attackers. They could then be taught based upon their reactions, for example what they could have done better in the situations to avoid giving the possible attacker any valuable information. Page | 40
Shoulder Surfing Prevention Not typing in passwords with anyone else present is the best tip for protecting against shoulder surfing. To protect against shoulder surfing on mobile phones you can tilt you screen making it difficult for people to see. Also, you can type in a password or any other sensitive information while standing against a wall if using a mobile phone. If using a computer system, privacy filter screens can be used to make it difficult for shoulder surfers to read any sensitive data on your computer screens. Figure 16 - Shoulder Surfing (Reviews, 2019) Page | 41
Stealing Sensitive Documents Mark documents as confidential & require those documents to be locked. If paper files are needed, they should be shredded as soon as they become antiquated. Anything from receipts to personal records should be shredded as that type of information can be extremely useful to an attacker. Some good rules to follow in order to protect against social engineering are to: · Educate yourself. · Be aware of the information that is being released by you or your employees/colleagues. · Figure out which of your assets would be most valuable to an attacker. · Create and implement a good policy that employees can follow. Page | 42
A number of sources agree that implementing these rules would be very beneficial to both individuals and companies. For example, an article on tripwire included 5 tips to improve defences against social engineering, these 5 tips were education, awareness, policies and constant software and hardware updates. These tips are almost exactly the same as the rules stated above. It is evident that by following them, an individual or company can absolutely diminish the risk of being socially engineered as they will know what attack vectors can be used against them and what to do if they are attacked etc. In addition to the above methods there are also security policies that a company can implement. For example, SANS has created a bundle of policies and guidelines called “The Social Engineering Awareness Policy” that they have written for companies who would like to implement it. These policies and guidelines lay a good, strong foundation for a company that wants to protect against social engineering attacks. Page | 43
SANS states that the 2 main purposes of these policies are “To make employees aware that (a) fraudulent social engineering attacks occur, and (b) there are procedures that employees can use to detect attacks” meaning that employees need to be vigilant of social engineering attacks and need to know or be aware of the techniques that attackers are using. Page | 44
Additionally, they need to know who to contact in case of an attack. The second purpose is to develop detailed procedures for employees to follow in order for them to make the best choices. For example, if a suspected attacker is trying to extract sensitive information from the employee at the help desk whether in person of over the phone. In this situation, the employee would need to be able to make choices that would not result in the sensitive data being handed over to the possible target. It is important that any awareness program/policy that is being developed is tailored towards all employee groups within a company. For example, managers, IT support, security guards, computer users and assistants etc. Each employee role should be given different training because a security guard for example would be dealing with people entering and leaving their building all day long. Therefore, they need to make sure that they are not allowing random people into the building without properly verifying that they are a legitimate employee of the company. Page | 45
Whereas on the other hand, someone working at the support desk may be dealing with people over the phone and would need to be able to tell when someone is acting suspicious or trying to manipulate them into giving up sensitive information. Kevin Mitnick (2002) says that the best designed information policies should be able to not only inform the learners but should also capture their attention and make them want to learn. The training process should be both interactive and engaging for the learner, resulting in them remembering what they have learnt. Page | 46
Christopher Hadnagy (2002) said that many Fortune 500 companies spent millions on security training, education and services, however they all had very bad security awareness. The reason why was because the security awareness was not personal to the employees and therefore, they did not care as much. This demonstrates that personally tailored awareness training and policies are a deciding factor in making employees feel like they are really helping and making a change. There are many ways in which awareness training could be made more interactive and engaging, for example demonstrating social engineering methods by using role play to get employees more involved. Another way would be to reward employees for carrying out good security practices such as logging out of their computers when they are done using them. An unannounced inspection could be done by a senior member of the company. They could leave a piece of candy at their desk for example which would make the employee feel good about keeping safe and having good security awareness. Page | 47
In a SANS article, it states that gamifying security awareness allows employees to have fun and to be competitive with colleagues while learning. Implementing a leader board where all employees can gain points by taking part in quizzes, passing phishing tests/assessments, employees can earn physical or online badges for completing a certain level or course. Additionally, having challenges where different employee groups or departments can take part in teams and challenge each other. Employees may be trying to beat each other and get to the top of the leader board, however, the whole time they will be increasing their security awareness and taking part in a game and having fun at the same time. You can now go to the quiz menu and attempt 'Quiz 3: Methods used to mitigate against social engineering' and test yourself on what you have learnt in this chapter. Page | 48
5. Summary To summarise, social engineering is a rising threat to both individuals and companies alike, causing losses in the hundreds of millions annually, potentially increasing to billions with the rapidly increasing rate of internet users and the Internet of Things growing larger every day. Attacks like Stuxnet are a thing of the past and in today’s digital age social engineering attacks are becoming increasingly more advanced and sophisticated. It is only a matter of time before the next big attack happens. Stuxnet proves that with the help of social engineering, attacks can no longer only damage a computer system, or a network but can cause physical disasters which could result in loss of life. It is increasingly more important that people are aware of social engineering, including how they can mitigate against it and reduce the risks of themselves or their company’s falling victims to attacks. The research that has been carried out throughout this literature review will provide a good foundation for the next stage of the project. Page | 49
Search
