In “The Importance of Security Awareness Training”, SANS says:
“One of the best ways to make sure company employees will not make costly errors in regard to information security is to institute company-wide security-awareness training initiatives that include, but are not limited to classroom style training sessions, security awareness website(s), helpful hints via e-mail, or even posters. These methods can help ensure employees have a solid understanding of company security policy, procedure and best practices.”
Jayson E. Street and I agree, and we add that demonstrating attacks can have a BIG impact on people’s comprehension of what’s at stake.
No one ever thinks: “it will happen to me”.
That’s why demonstrating human vulnerability within your own organization is so critical. When someone sees THEIR social media profile exposing corporate secrets, or THEIR personal laptop connected to a rogue access point, it hits home more than any “click-through-as-fast-as-possible online training” ever will.
Our class, “Achieving Security Awareness Through Social Engineering Attacks”, arms students with the knowledge of how an attacker views a company.
Humans are your best defense against security breaches but also your biggest weakness.
We start with gathering information about employees to create direct, targeted attacks. We aren’t talking about phishing like “419 scam” emails or “Download this file!” emails sent to 1000 employees. Attackers know how to use direct phone calls, image analysis, metadata searching, and other OSINT techniques to gather data before crafting a customized attack against a single person, who may hold the keys to the entire organization.
Beyond email and other targeted attacks, criminals will try to infiltrate an organization using tools like a Hak5 Pineapple or a USB thumb drive.
USB drop attacks are extremely prevalent, and the only defense is employees who are aware enough not to plug them in.
If an attacker has access to your physical system, they can perform a myriad of attacks, from plugging in key loggers to network intercepts to executing code on locked machines. A Bash Bunny can present itself to an operating system as a USB serial device, keyboard, or hard drive while executing code. That is very difficult to block at the OS level, but it is very easy to train users to keep visitors and others away from their devices.
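As an added example (not code from the original post or from the class), here is defender-side detection logic for the multi-role device profile just described: it reads Linux kernel USB enumeration messages and flags a single plugged-in device that exposes a keyboard/input interface together with mass storage or a serial port. The log lines are constructed, and the function names are my own.

```python
import re

# Constructed Linux kernel (dmesg) lines, modelled on the real message formats of the
# usbcore, usb-storage, cdc_acm and input subsystems. IDs and names are placeholders,
# not values from the page or from any real device.
SAMPLE_DMESG = """\
usb 1-1.2: New USB device found, idVendor=1234, idProduct=abcd
usb-storage 1-1.2:1.0: USB Mass Storage device detected
input: Placeholder Composite Device as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1.2/1-1.2:1.1/0003:1234:ABCD.0003/input/input12
cdc_acm 1-1.2:1.2: ttyACM0: USB ACM device
usb 1-1.3: New USB device found, idVendor=5678, idProduct=0001
input: Placeholder Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1.3/1-1.3:1.0/0003:5678:0001.0004/input/input13
usb 2-1: New USB device found, idVendor=9abc, idProduct=0002
usb-storage 2-1:1.0: USB Mass Storage device detected
"""

# Each pattern captures the bus-port path (e.g. "1-1.2") naming one physical device;
# the ":1.N" interface suffix is dropped so all interfaces of a device share one key.
PATTERNS = {
    "storage": re.compile(r"^usb-storage (\d+-[\d.]+):\d+\.\d+: USB Mass Storage device detected"),
    "serial": re.compile(r"^cdc_acm (\d+-[\d.]+):\d+\.\d+: ttyACM\d+: USB ACM device"),
    "input": re.compile(r"^input: .+ as /devices/\S*/(\d+-[\d.]+):\d+\.\d+/"),
}
IDS_RE = re.compile(r"^usb (\d+-[\d.]+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")

def usb_roles(log_text):
    """Map each USB device path to the roles it exposed, plus its vendor:product IDs."""
    roles, ids = {}, {}
    for line in log_text.splitlines():
        m = IDS_RE.match(line)
        if m:
            ids[m.group(1)] = f"{m.group(2)}:{m.group(3)}"
            continue
        for role, pattern in PATTERNS.items():
            m = pattern.match(line)
            if m:
                roles.setdefault(m.group(1), set()).add(role)
    return roles, ids

def suspicious_composite_devices(log_text):
    """Devices exposing an input (HID) interface together with storage or serial. A plain
    keyboard or thumb drive does not match; one device doing both fits the multi-role
    profile the post describes for a Bash Bunny-style tool."""
    roles, ids = usb_roles(log_text)
    return sorted(
        (dev, ids.get(dev, "unknown"), sorted(r))
        for dev, r in roles.items()
        if "input" in r and r & {"storage", "serial"}
    )
```

This is a heuristic: a device configured to present only a keyboard interface will not trip it, which is exactly why the post pairs technical controls with user training.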
In “Achieving Security Awareness Through Social Engineering Attacks”, we will show you how to perform reconnaissance on yourself, your employees, and your own organization. We will show you how to create a rogue WiFi access point and get people to connect (and perform attacks on devices after they are connected). We will show you how to perform physical attacks by simply plugging a configured Bash Bunny into a target machine. We will then show you how to build a security awareness program that actually demonstrates security threats rather than just talking about them. Engaging, interesting, and memorable “teachable moments” are far better for security awareness than anything that merely “checks a box” for compliance.
Join us at BlackHat USA to learn how to build or improve security awareness at your organization by thinking like an attacker.
Patch the human!
Additional Reading:
The importance of security awareness training for enterprise IT governance