
Defense Against Social Engineering

Hackers are not always the technological geniuses that the media tells us they are. However, even the greenest script kiddie can be an outstanding social engineer.

We must be prepared to defend against this non-technical but insidious attack, one which plays upon our workers' sincere desire to get the job done and help others to do the same.

A really competent social engineer can make a target trust him or her to such an extent that the worker casually gives out sensitive internal information. It may not be a significant disclosure in and of itself, but the information gleaned by such manipulation can easily be combined with other small bits to produce a detailed and dangerous roadmap to our organizational treasures.

We have to teach our staff how to be helpful without giving away the store, to serve their legitimate customers without being or even appearing to be paranoid.

This class presents multiple scenarios and role-playing exercises to help us fully comprehend the threat and construct a realistic defensive program.

You Will Learn How To:
  • Identify key indicators in a social engineering attack
  • Differentiate types of social engineering manipulations
  • Predict the target areas in your organization where a social engineering attack may occur
  • Choose appropriate methods for defending against this type of manipulation
  • Build a training and awareness program that effectively addresses the issues and threats

You Will Leave With:
  • A solid understanding of your organization's vulnerability to social engineering attacks
  • An appreciation of how social engineers prey on human characteristics, why the approach tends to work so well, and why defense is so hard to teach
  • Multiple techniques for incorporating effective social engineering defense into your organization's security program

Day 1

AN ISSUE OF TRUST — Find out why social engineering works so well, and why it is so hard to defend against. Analyze how all of us — not just hackers — are sometimes guilty of this type of manipulation, and why, in spite of that, we also are all subject to being successfully manipulated.

TYPES AND THREATS OF SOCIAL ENGINEERING — Examine the methods used by unauthorized people to gain information they're not supposed to have. Codify different types of social engineering attacks, common targets for the cons and the information they are after. Gauge the effect on organizations of successful, or even partially successful, social engineering episodes.

RECOGNIZING AN ATTACK — Learn techniques for differentiating between a legitimate request for help and a probe for information. Analyze characteristics that can point to a manipulation or ease your mind about a real request.

RESPONDING TO A SOCIAL ENGINEERING ATTACK — You know someone unauthorized is trying to get information, or worse, has gotten it. What do you do now? How do you limit the damage? How do you close the holes? Learn what factors would make you consider calling the authorities and what they would ask you to provide as evidence.

Day 2

TRAINING OBJECTIVES — How should the subjects of social engineering attacks change their ways to augment the security of the organization, while still remaining helpful and cooperative? Determine what behavioral changes we are seeking. Learn how to frame our desired changes so that they fit the organizational culture. Look at ways to sell this internally as part of our training and awareness program.

DEFENSIVE TECHNIQUES — Learn what we can do in defense, and how to convey the message to our employees. Discover methods for handling inquiries that are helpful and professional, but that verify the requester's identity before disseminating potentially valuable or damaging information. See how emphasizing a "trust but verify" mentality can significantly reduce the risk.

TRAINING METHODOLOGIES — Analyze in detail a wide range of techniques for making defense against social engineering a normal part of the organizational culture. See how formal courses, briefings, bulletins, training videos, role-playing sessions, case studies, penetration tests and possibly other methods might work at your shop.

CASE STUDIES AND ROLE PLAYING — Throughout both days of this course, attendees will participate in multiple exercises. We will analyze real and hypothetical scenarios, with attendees playing the parts of perpetrator and intended victim.