Social engineering contest sparks a reaction

News that DEFCON, a hacker conference, will include a Capture The Flag contest using social engineering techniques has sparked a fearful reaction from a US financial services industry regulator, warning their clients to be on their guard during the contest.

In fact, all organizations should must be constantly on their guard against social engineering attacks, contest or no contest.  If the contest serves to raise awareness of the widespread, easily exploited vulnerabilities created by naive and unattentive people, then I am all in favor of it.  Good on yer!  There should be one every month!  A big one, with headline coverage in all the news media!  With special prizes for the organizations that successfully resisted the social engineering attacks for a specified period!

Social engineering is of course one of the central issues in this month's NoticeBored security awareness materials on human factors in information security.  With people attacking people, it's self evidently about the human factors.

The announced contest is very restrained, with pre-set rules that limit the target organizations, the nature of the attacks and the types of information to be exploited.  Anyone who believes criminal hackers using social engineering techniques outside of the artificial contest situation would respect such arcane rules is deluded.  That's the real take-away lesson from this contest and the furore that surrounds it: if a bunch of social engineers really threatens your corporate information assets under the strict rules of the contest, then oh boy are you vulnerable to unethical attackers.

To give them their due, the FFIEC does advise clients to run security awareness and training activities:

"Financial institutions need to educate users regarding their security roles and responsibilities.  Training should support security awareness and strengthen compliance with security policies, standards, and procedures.  Ultimately, the behavior and priorities of senior management heavily influence the level of employee awareness and policy compliance, so training and the commitment to security should start with senior management.  Training materials for desktop and workstation users would typically review the acceptable-use policy and include issues like desktop security, log-on requirements, password administration guidelines, etc.  Training should also address social engineering and the policies and procedures that protect against social engineering attacks.  Many institutions integrate a signed security awareness agreement along with periodic training and refresher courses."

I'm relieved that they don't actually say "annual awareness training courses" there at the end, but unfortunately I'm sure that's how many of their more naive clients will interpret the advice.  Annual courses are patently NOT the way to raise security awareness.  They have never worked as intended, as anyone who has either run them or been forced to attend will surely agree.  The change to ongoing/rolling security awareness programs makes all the difference.  So if "periodic" actually meant "continuous", I'd support the FFIEC advice.

What do you make of the social engineering contest?  Do you think it helps or hurts the cause for better information security?  Comments are very welcome.

Regards,
Gary