Welcome to NBlog, the NoticeBored blog

I may meander but I'm exploring, not lost

Oct 28, 2010

Security awareness versus social engineering


The thumbnail above shows the first of a series of 6 posters in November's NoticeBored security awareness module on social engineering.  It's a particularly important topic for us because security awareness is by far the most important control against social engineering.  Alert employees who appreciate the threat and know what to do if they feel they are being targeted stand a much better chance of resisting attacks than those who remain blissfully unaware throughout.

As always, the NoticeBored newsletter sets the scene for the topic and outlines the risks associated with exploiting people rather than technologies. 

The social engineering capture-the-flag competition at this year's DefCon hacker conference was a real eye-opener for many: we couldn't help but notice a number of prominent organizations hastily sending out warning notices to their employees ahead of the CTF competition, even though the rules of the game were strictly limited to keep the event ethical and educational.  What's more, not all the competitors were experienced social engineers - many were beginners - yet ALL of the targets were successfully compromised.  If management feels so worried about a mere game, how come they seem to be ignoring the real-world social engineering attacks from accomplished and determined social engineers who don't care about rules?  How bizarre!

If social engineering is of concern to your organization, please get in touch whether you would like to purchase just this awareness module, or perhaps take out a full subscription to the monthly NoticeBored service.  We'd love to help you deliver a best-in-class security awareness program.

Regards,
Gary