Social Engineering in the Enterprise

I was watching some of the Social Engineering Toolkit (SET) tutorials this weekend, and it really got me thinking. How many enterprises actually brief their employees on social engineering and how to avoid falling for it? This should be part of the security training programme in any large organisation, and yet this vital piece of security is so often overlooked or ignored.

I’ve often found that organisations will spend a fair chunk of their budget on the latest IT security measures, like web application firewalls, database proxies, etc., but neglect the easiest target of all: the staff.

If staff aren’t properly trained to recognise social engineering attacks, they won’t know how to respond, and that is a threat to your business. I’ve had countless e-mails sent to me by users over the years with comments like the following.

“I received this e-mail telling me to please change my password on Facebook. It looked a bit weird, but after I changed it, it didn’t seem to take effect. Should I be worried?”

Now, aside from the fact that the user is using their work e-mail address to sign up to a social networking site, this wreaks havoc on my mind for a few minutes, and then I realise that it’s not the user’s fault. It’s down to the organisation and its security team to educate users to pick up on things like this: a sender whose display name claims to be Facebook but whose address is not, urgent “change your password now” wording, and a link whose visible text does not match where it actually points.
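To make the indicators concrete, here is an added example (mine, not code from the original post or from SET) that checks a constructed copy of the kind of “change your Facebook password” lure described above for three tell-tale signs: a brand name in the sender’s display name that does not match the sender’s domain, urgency phrases in the subject or body, and anchor text that disagrees with the real link target or uses a lookalike host. All addresses and hosts in the sample are made up; the lure-phrase list and the “last two labels” domain heuristic are assumptions for illustration rather than a complete detector.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the lure in the user's e-mail above.
# None of the addresses or hosts are real.
SAMPLE_EMAIL = """From: "Facebook Security" <security@facebook-account-check.example>
To: alice@corp.example
Subject: Action required: change your Facebook password
Content-Type: text/html; charset=utf-8

<html><body>
<p>We detected unusual activity. Please change your password now:</p>
<p><a href="http://facebook.com.login-reset.example/reset">https://www.facebook.com/settings</a></p>
</body></html>
"""

TRUSTED_DOMAIN = "facebook.com"
# Assumed urgency phrases; a real awareness programme would tune this list.
LURE_WORDS = ("change your password", "verify your account",
              "action required", "unusual activity")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' heuristic (assumed; ignores public-suffix rules)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_indicators(raw_message, trusted_domain=TRUSTED_DOMAIN):
    """Return human-readable reasons the message looks like a phish (empty if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    brand = trusted_domain.split(".")[0]

    # 1. Sender: display name borrows the brand, but the address is another domain.
    from_hdr = msg["From"]
    if from_hdr is not None and from_hdr.addresses:
        addr = from_hdr.addresses[0]
        sender_domain = registrable_domain(addr.domain)
        if brand in addr.display_name.lower() and sender_domain != trusted_domain:
            findings.append(f"display name mentions {brand} but sender domain is {sender_domain}")

    # 2. Subject and body: classic urgency wording.
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    text = f"{msg['Subject'] or ''} {body}".lower()
    for phrase in LURE_WORDS:
        if phrase in text:
            findings.append(f"lure phrase: '{phrase}'")

    # 3. Links: visible text and real target disagree, or the host is a lookalike.
    parser = LinkExtractor()
    parser.feed(body)
    for href, visible in parser.links:
        target_host = urlparse(href).hostname or ""
        target_domain = registrable_domain(target_host)
        if visible.startswith(("http://", "https://")):
            shown_domain = registrable_domain(urlparse(visible).hostname or "")
            if shown_domain != target_domain:
                findings.append(f"link text shows {shown_domain} but points at {target_domain}")
        if brand in target_host and target_domain != trusted_domain:
            findings.append(f"lookalike host: {target_host}")
    return findings


if __name__ == "__main__":
    for reason in phishing_indicators(SAMPLE_EMAIL):
        print("-", reason)
```

Run against the sample it reports all three classes of indicator; against an ordinary internal e-mail with no links and no brand in the display name it reports nothing. Showing users the same three checks in words (who really sent this, is it rushing me, where does the link really go) is the training point the rest of this post is arguing for.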

As security professionals, every now and then we need to look at things from a different point of view. I know it’s all too easy to mutter the words “Stupid users” or “Really? What were they thinking?”, but unless we educate users, how can they help us to secure our organisations?

A step in the right direction would be to get some time reserved in your organisation’s induction programme for information security, and make sure that you cover social engineering in as much detail as the employees can handle.

If you don’t know where to start have a look at the guys are doing some amazing work.