SlideShare ist ein Scribd-Unternehmen logo

Social Engineering Audit & Security Awareness

CBIZ, Inc.
CBIZ, Inc.

The document provides information about a social engineering audit and security awareness presentation. It includes details about the presenters from CBIZ MHM, an accounting firm, learning objectives around social engineering and security awareness, and descriptions of different types of social engineering like phishing and pretexting. It also discusses what makes security awareness programs successful or fail, and how social engineering could be used internally by an audit department to test security controls.

BusinessTechnologie
1 von 48
Downloaden Sie, um offline zu lesen
Social Engineering Audit & Security Awareness Hacking the Human Kyle Konopasek, CIA CBIZ MHM, LLC – Kansas City
Tony Coble, CPA Managing Director – CBIZ MHM and Shareholder, MHM 11440 Tomahawk Creek Parkway Leawood, KS 66211  Direct: (913) 234-1031  Email: acoble@cbiz.com Presenters Kyle Konopasek, CIA, CICA Manager – CBIZ MHM, LLC 11440 Tomahawk Creek Parkway Leawood, KS 66211  Direct: (913) 234-1020  Email: kkonopasek@cbiz.com
About CBIZ and Mayer Hoffman McCann P.C. With offices in major cities throughout the United States, CBIZ is one of the nations leading providers of outsourced business services, including accounting and tax, internal audit, risk management, and a wide range of consulting services. CBIZ is strategically associated with Mayer Hoffman McCann P.C. (MHM). MHM is an independent public accounting firm with more than 280 shareholders in more than 35 offices. MHM specializes in attest services for mid-market and growing businesses, with a specialty practice devoted to financial institutions. Together, CBIZ and Mayer Hoffman McCann P.C. are one of the top accounting providers in the country.
Learning Objectives • Understand regulatory compliance issues • Learn exactly what social engineering is and the various types used. • Understand how to identify a social engineering attack. • Gain insight on methods to deter or mitigate social engineering risk.
SECURITY AWARENESS PROGRAM
• Security awareness reflects an organization’s mindset or attitude toward protecting the physical and intellectual assets of an organization. This attitude guides the approach used to protect those assets. In general, the approach is referred to as a security awareness program. What is security awareness?
• What elements reflect the overall strength of an organization’s security culture? – What causes a security awareness program to fail? – What comprises a successful security awareness program? • Even the best technical security efforts will fail if the organization has a weak security culture. Security awareness success
1) Not understanding what security awareness really is. – Major difference between security awareness and security training. • Watching an online video about security awareness is training. – The primary goal of security awareness is to change behavior. 2) Reliance on checking the box. – Satisfying compliance standards equate to strong security awareness or even that security exists. • Merely prove the minimum standards have been met. • Standards are vague and difficult to measure. – EXAMPLE: “A security awareness program must be in place.” Why do security awareness programs fail?
3) Failing to acknowledge that security awareness is a unique discipline. – Who is responsible for the function? – Does the person have the knowledge, skills, and abilities? – Does the person have soft skills such as strong communication and marketing ability? • Initial efforts to implement security awareness and to affect change over time require such skills. Why do security awareness programs fail?
4) Lack of engaging and appropriate materials. – Annual computer-based training is not enough. – It is critical that multiple versions or styles of security awareness materials be implemented. • Ensure the materials are appropriate to the organization based on industry and employee demographics. • Younger employees respond better to blogs and twitter feeds while older employees prefer traditional materials like posters and newsletters. Why do security awareness programs fail?
5) Not collecting metrics. – Without metrics, there is no way to determine if security awareness goals are being met. • Are we wasting money or providing value? • What is working and what is not? • Are our losses decreasing? – Collecting metrics on a regular basis allows for adjustments. – Measure the impact to the organization. Why do security awareness programs fail?
5) Not collecting metrics (continued). – Example metrics include: • Number of people who fall victim to a phishing attack. • Number of employees who follow security policies. • Number of employees securing desk environment at end of day. • Number of employees using strong passwords. • Number of employees who follow and enforce policies for restricted access to facilities. • Who has or has not completed annual security awareness training. • Types of reinforcement training, who is it communicated to, and how often. Why do security awareness programs fail?
6) Unreasonable expectations. – No security counter-measure will ever be successful at mitigating all incidents. 7) Relying upon a single training exercise. – Focusing on a single security weakness or threat approach when there are dozens leaves an organization open to attack to ignored approaches. Why do security awareness programs fail?
1) C-suite support. – Awareness program support from executive management leads to more freedom, increased budgets, and support from other departments. – Obtaining strong support from top level management is first priority. • Consider materials designed specifically for executives—newsletters and brief articles that highlight relevant news and information. Keys to security awareness success
2) Partnering with key departments. – Get other departments involved in the program that might provide additional resources toward program success. • Human resources, legal, compliance, marketing, etc. • Consider the needs of these other departments and incorporate into the overall security awareness approach. 3) Creativity – Small budgets for security awareness are common, however, creativity and enthusiasm can bridge the gap created by a small budget. Keys to security awareness success
4) Metrics. – Prove the security awareness program effort is successful—utilize metrics. 5) Explanation and transparency. – Focus and how to accomplish specific actions through clear explanation. – Instead of telling people to not do certain things, explain how they can do certain things safely. Keys to security awareness success
6) 90-day plans. – Many programs follow a one-year plan with one topic covered monthly. • Does not reinforce knowledge and does not permit feedback or consider ongoing events. – A 90-day plan is most effective as it permits re-evaluation of the program and its goals more regularly. • Focus on 3 topics simultaneously and reinforce during the 90 days. • Can be easily adjusted to address current and key issues. Keys to security awareness success
7) Multimodal awareness materials – Utilize multiple forms of security awareness materials. • Newsletters • Blogs • Newsfeeds • Phishing simulation • Games – Participative approaches have the most long-term success. Keys to security awareness success
8) Incentivized security awareness programs. – Develop “Incentivized Awareness Programs”. – Focus on creating a reward structure to incentivize people for exercising desired behaviors. – This technique switches the entire awareness paradigm by encouraging employees to elicit a natural and desired behavior rather than forcing them. Keys to security awareness success
SOCIAL ENGINEERING AUDIT
• Attacker uses human interaction to obtain or compromise information. • Attacker may appear unassuming or respectable. – Pretend to be a new employee, repair man, utility provider, etc. – May even offer credentials. What is social engineering?
• By asking questions, the attacker may piece enough information together to infiltrate an organization’s network. – May attempt to get information from many sources. What is social engineering?
• Quid Pro Quo – Something for something. • Phishing – Fraudulently obtaining private information. • Baiting – Real world Trojan horse. • Pretexting – Invented scenario. • Diversion Theft – Lying and convincing others of a false truth—a con. Types of social engineering
• Something for something – Call random phone numbers at an organization claiming to be from technical support. – Eventually you will reach someone with a legitimate problem. – Grateful you called them, they will follow your instructions. – The attacker will “help” the user, but will really have the victim type commands that will allow the attacker to install malware. Quid Pro Quo
• Fraudulently obtaining private information – Send an email that looks like it came from a legitimate business. – Request verification of information and warn of some consequence if not provided. – Usually contains a link to a fraudulent web page that looks legitimate. • Example: Update login information to new HR portal. – User gives information to the social engineer/attacker. Phishing
• Spear phishing – Specific phishing that include your name or demographic info. • Vishing – Phone phishing—may be a voice system asking for call back. Phishing - continued
• Real example – Obtain email address of many employees in target organization including key individual targets like Controller, Staff Accountant, Executive Assistant, etc. – Develop website to “change password” or “setup new account” for a human resources vacation request system. • Actual organization website is “Western States Credit Union” • Link to attacker’s website is “Western States Credlt Union” – Email website link to obtained email addresses. Phishing - continued
• Real world Trojan horse – Uses physical media. – Relies on greed and/or the curiosity of the target/victim. – Attacker leaves a malware infected CD or USB thumb drive in an obvious location so that it is easily found. – Attacker uses an intriguing or curious label to gain interest. • Example: “Employee Salaries and Bonuses 2014” – Curious employee uses the media and unknowingly installs malware. Baiting
• Invented scenario – Involves prior research and a setup used to establish legitimacy. • Give information that a user would normally not divulge. – This technique is used to impersonate and imitate authority. • Uses prepared answers to a target’s questions. • Other useful information is gathered for future attacks. • Example: “VP of Facilities” visiting a branch. Pretexting
• Real example – Telecom provider Pretexting - continued
• Real example – Pose as a major telecom provider. – Props: • rented white van with magnetic logo • logo polo shirts and hats • business cards • work order • ID badge. – Enter credit union branch and ask to inspect the “roving telecom adapter” because they have been recalled. Pretexting - continued
– Illegal examples from an auditing perspective • Law enforcement • Fire • Military/government official Pretexting - continued
• Con – Persuade deliver person that delivery has been requested elsewhere. • When delivery is redirected, attacker persuades delivery driver to unload near a desired address. • Example: Attacker parks a “security vehicle” in bank parking lot. Target attempts to deposit money in night drop or ATM but is told by attacker that it is out of order. Target then gives money to attacker for deposit and safekeeping. Diversion Theft
• Scavenging key bits of information from many documents put out in the trash. – Literally involves getting in a dumpster during off-peak hours and looking for information. – Janitorial crews could be involved. Are they bonded? • Document shredders are not always the answer – Vertical cut, cross cut, micro cut, and security cut. Dumpster diving
• Training – User awareness • User knows that giving out certain information is bad. • Policies – Employees are not allowed to divulge information. • Every organization must decide what information is sensitive and should not be shared. – Prevents employees from being socially pressured or tricked. – Polices MUST be enforced to be effective. How to prevent social engineering?
• Password management • Physical security • Network defenses may only repel attacks – Virus protection – Email attachment scanning – Firewalls, etc. • Security must be tested periodically. How to prevent social engineering?
• Third-party testing – Hire a third-party to attempt to attack targeted areas of the organization. – Have the third-party attempt to acquire information from employees using social engineering techniques. – Learning tool for the organization—not a punishment for employees. How to prevent social engineering?
• What is the overall risk appetite and risk tolerance levels of the audit/supervisory committee? – Board of Directors? – Executive management? • Do those charged with governance value testing the security of information through social engineering? – Are they afraid of what the results might reflect? • Social engineering testing may need to be “sold” for testing to have any value. – Consider elements of a security awareness program. Social engineering as an internal audit unit
• Risk assessment – Identify types of social engineering that may be most applicable to the organization. What are the weaknesses? – What types of attacks is management most concerned about? • Pretexting planning – What is the goal? – Identify the roles to be used and draft the pretexting script. • Who are we going to be? • What are we going to say? – Signed letter from executive management the social engineering testing. • “Get out of jail free” card. Social engineering as an internal audit unit
• Example authorization letter January 31, 2014 To whom it may concern, The internal audit department of XYZ Credit Union has authorization to perform a physical security assessment. As part of this security review the internal audit department may perform any of the following procedures during the following time period: February 16, 2014 through February 28, 2014. 1) Patrol the perimeter of any XYZ Credit Union (“XYZ”) branch during and after normal business hours. 2) Inspect the content of interior trash receptacles during business hours and exterior trash receptacles during or after business hours at any XYZ location. The content of any trash receptacle may be confiscated by internal audit personnel as testing evidence. 3) Attempt to gain access to restricted areas within XYZ headquarters or its branches during business hours by means of social engineering which may include:  Internal audit personnel disguise themselves as employees of XYZ and/or vendors.  Internal audit personnel may attempt to deceive XYZ employees in any manner which is legal and does not otherwise harm XYZ, its employees, or its members to adequately test the physical security access controls of branches and the willingness of XYZ employees to disseminate confidential information about the credit union. 4) Temporarily remove a sample of readily accessible material(s) which will be returned to the designated bank contact immediately after the testing for XYZ has concluded. If there are any questions about this assessment or how internal audit personnel should be dealt with, please contact one of the following individuals immediately. All authority granted by this letter expires promptly at 11:59PM on February 28, 2014. Social engineering as an internal audit unit
• Phishing planning – What is the goal? – What is the setup? • Document: – Test scenario (e.g. spear phishing to install malware) – Inherent risks to the scenario (e.g. embedded links in emails) – Character (e.g. Human Resources department of XYZ Credit Union) Social engineering as an internal audit unit
• Example phishing email Subject: Vacation Policy Attention, An important change has been made to our vacation policy; we have made the changes available for you to view on our new HR portal. Please let us know if you have any questions with the changes made to the vacation policy. www.xyzcu.com/HR Regards, XYZ Credit Union HR HR@xyzcucom Social engineering as an internal audit unit
• Reporting on social engineering test results – Be as detailed as possible when describing the scenarios/scripts and the results. – Do not implicate a single person—social engineering testing is a learning tool, not a punishment. • How this is handled may cause internal audit to be viewed poorly within the organization. – Consider a grading scale. • Many audit reports report findings as pass/fail. Social engineering results may be partly pass and partly fail. – Example: Allowed into telecom closet, but not behind the teller line. • Use a letter grading system for social engineering. – Clearly define what each aspect of the grading scale means. Social engineering as an internal audit unit
• Real example of a pretexting report finding. Condition On Monday, February 24, 2014, Internal Audit attempted to gain access to secured areas of five branches using social engineering physical penetration techniques while posing as employees of the XYZ Credit Union “Asset Management Division” who were onsite to inspect for asset management controls. At the Main and First and Second Street branches, credit union personnel gave disguised Internal Audit personnel access to all secured areas of the branch. During this visit, branch personnel never attempted to validate our identities by looking at driver’s licenses or whether or not we were supposed to be at the branch by calling responsible management to confirm the visit. At all times during the visit, branch personnel always displayed behavior that was consistent with “buying in” to the XZY Credit Union “Asset Management Division” script. At the Main Street branch, Internal Audit personnel witnessed a drawer at a teller station slightly open and containing what appeared to be a large sum of cash. The Internal Audit employee who witnessed the open drawer was directly behind the teller counter and in the exact position where a teller would stand while providing service to a customer. Finally, when requesting access to the telecom closet, branch personnel opened the fire extinguisher bay door located next to the telecom closet door to retrieve the key. The key was not there at the time; however, the action was an indication that the key may be stored in that location at times. At the Second Street branch, a teller was prepared to grant us access to secured areas of the bank because two key contacts in the branch were on the phone at the time. Just as we were about to get access, one of those persons got off the phone and that person followed procedure and ultimately ended our test and did not grant us access. Social engineering as an internal audit unit
• No matter how robust an organization’s: – Firewalls – Intrusion detection systems – Anti-virus/malware software – Other technological and physical safeguards • The human is always the weakest link when dealing with security and protecting valuable information. • Knowledge is power. – People sometimes want others to “know what they know” to demonstrate importance. Weakest Link?
• Good habits drive security culture and there are no technologies that will ever make up for poor security culture. • Social engineering audit is one method commonly used to assess the condition of the overall security culture. Key take away
Questions?

Empfohlen

Employee Security Training[1]@
Employee Security Training[1]@Employee Security Training[1]@
Employee Security Training[1]@
R_Yanus
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness Training
William Mann
 
Linux privilege escalation 101
Linux privilege escalation 101Linux privilege escalation 101
Linux privilege escalation 101
Rashid feroz
 
Information Security Awareness Training Open
Information Security Awareness Training OpenInformation Security Awareness Training Open
Information Security Awareness Training Open
Fred Beck MBA, CPA
 
Customer information security awareness training
Customer information security awareness trainingCustomer information security awareness training
Customer information security awareness training
AbdalrhmanTHassan
 
End-User Security Awareness
End-User Security AwarenessEnd-User Security Awareness
End-User Security Awareness
Surya Bathulapalli
 
Understanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for OrganizationUnderstanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for Organization
PECB
 
Social engineering hacking attack
Social engineering hacking attackSocial engineering hacking attack
Social engineering hacking attack
Pankaj Dubey
 

Empfohlen

Employee Security Training[1]@
Employee Security Training[1]@Employee Security Training[1]@
Employee Security Training[1]@
R_Yanus
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness Training
William Mann
 
Linux privilege escalation 101
Linux privilege escalation 101Linux privilege escalation 101
Linux privilege escalation 101
Rashid feroz
 
Information Security Awareness Training Open
Information Security Awareness Training OpenInformation Security Awareness Training Open
Information Security Awareness Training Open
Fred Beck MBA, CPA
 
Customer information security awareness training
Customer information security awareness trainingCustomer information security awareness training
Customer information security awareness training
AbdalrhmanTHassan
 
End-User Security Awareness
End-User Security AwarenessEnd-User Security Awareness
End-User Security Awareness
Surya Bathulapalli
 
Understanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for OrganizationUnderstanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for Organization
PECB
 
Social engineering hacking attack
Social engineering hacking attackSocial engineering hacking attack
Social engineering hacking attack
Pankaj Dubey
 
Phishing ppt
Phishing pptPhishing ppt
Phishing ppt
shindept123
 
NETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGNETWORK PENETRATION TESTING
NETWORK PENETRATION TESTING
Er Vivek Rana
 
NTXISSACSC4 - Layered Security / Defense in Depth
NTXISSACSC4 - Layered Security / Defense in DepthNTXISSACSC4 - Layered Security / Defense in Depth
NTXISSACSC4 - Layered Security / Defense in Depth
North Texas Chapter of the ISSA
 
Employee Security Awareness Training
Employee Security Awareness TrainingEmployee Security Awareness Training
Employee Security Awareness Training
Denis kisina
 
It security and awareness training 5 10-2018
It security and awareness training 5 10-2018It security and awareness training 5 10-2018
It security and awareness training 5 10-2018
jubke
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
Priyanka Aash
 
Hyphenet Security Awareness Training
Hyphenet Security Awareness TrainingHyphenet Security Awareness Training
Hyphenet Security Awareness Training
Jen Ruhman
 
Network security - Defense in Depth
Network security - Defense in DepthNetwork security - Defense in Depth
Network security - Defense in Depth
Dilum Bandara
 
Information Security Awareness
Information Security Awareness Information Security Awareness
Information Security Awareness
Net at Work
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness Training
Dmitriy Scherbina
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: Injection
Michael Hendrickx
 
Cybersecurity Awareness Training
Cybersecurity Awareness TrainingCybersecurity Awareness Training
Cybersecurity Awareness Training
Dave Monahan
 
14 tips to increase cybersecurity awareness
14 tips to increase cybersecurity awareness14 tips to increase cybersecurity awareness
14 tips to increase cybersecurity awareness
Michel Bitter
 
Presentation of Social Engineering - The Art of Human Hacking
Presentation of Social Engineering - The Art of Human HackingPresentation of Social Engineering - The Art of Human Hacking
Presentation of Social Engineering - The Art of Human Hacking
msaksida
 
Reconnaissance
ReconnaissanceReconnaissance
Reconnaissance
n|u - The Open Security Community
 
The Six Stages of Incident Response
The Six Stages of Incident Response The Six Stages of Incident Response
The Six Stages of Incident Response
Darren Pauli
 
Different Types of Phishing Attacks
Different Types of Phishing AttacksDifferent Types of Phishing Attacks
Different Types of Phishing Attacks
SysCloud
 
Employee Security Awareness Program
Employee Security Awareness ProgramEmployee Security Awareness Program
Employee Security Awareness Program
davidcurriecia
 
Phishing
PhishingPhishing
Phishing
guicelacatalina
 
Basic Security Training for End Users
Basic Security Training for End UsersBasic Security Training for End Users
Basic Security Training for End Users
Community IT Innovators
 
Raising information security awareness
Raising information security awarenessRaising information security awareness
Raising information security awareness
Terranovatraining
 
Engage! Creating a Meaningful Security Awareness Program
Engage! Creating a Meaningful Security Awareness ProgramEngage! Creating a Meaningful Security Awareness Program
Engage! Creating a Meaningful Security Awareness Program
Ben Woelk, CISSP, CPTC
 

Weitere ähnliche Inhalte

Was ist angesagt?

NTXISSACSC4 - Layered Security / Defense in Depth
NTXISSACSC4 - Layered Security / Defense in DepthNTXISSACSC4 - Layered Security / Defense in Depth
NTXISSACSC4 - Layered Security / Defense in Depth
North Texas Chapter of the ISSA
 

Was ist angesagt? (20)

Phishing ppt
Phishing pptPhishing ppt
Phishing ppt
 
NETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGNETWORK PENETRATION TESTING
NETWORK PENETRATION TESTING
 
NTXISSACSC4 - Layered Security / Defense in Depth
NTXISSACSC4 - Layered Security / Defense in DepthNTXISSACSC4 - Layered Security / Defense in Depth
NTXISSACSC4 - Layered Security / Defense in Depth
 
Employee Security Awareness Training
Employee Security Awareness TrainingEmployee Security Awareness Training
Employee Security Awareness Training
 
It security and awareness training 5 10-2018
It security and awareness training 5 10-2018It security and awareness training 5 10-2018
It security and awareness training 5 10-2018
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
 
Hyphenet Security Awareness Training
Hyphenet Security Awareness TrainingHyphenet Security Awareness Training
Hyphenet Security Awareness Training
 
Network security - Defense in Depth
Network security - Defense in DepthNetwork security - Defense in Depth
Network security - Defense in Depth
 
Information Security Awareness
Information Security Awareness Information Security Awareness
Information Security Awareness
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness Training
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: Injection
 
Cybersecurity Awareness Training
Cybersecurity Awareness TrainingCybersecurity Awareness Training
Cybersecurity Awareness Training
 
14 tips to increase cybersecurity awareness
14 tips to increase cybersecurity awareness14 tips to increase cybersecurity awareness
14 tips to increase cybersecurity awareness
 
Presentation of Social Engineering - The Art of Human Hacking
Presentation of Social Engineering - The Art of Human HackingPresentation of Social Engineering - The Art of Human Hacking
Presentation of Social Engineering - The Art of Human Hacking
 
Reconnaissance
ReconnaissanceReconnaissance
Reconnaissance
 
The Six Stages of Incident Response
The Six Stages of Incident Response The Six Stages of Incident Response
The Six Stages of Incident Response
 
Different Types of Phishing Attacks
Different Types of Phishing AttacksDifferent Types of Phishing Attacks
Different Types of Phishing Attacks
 
Employee Security Awareness Program
Employee Security Awareness ProgramEmployee Security Awareness Program
Employee Security Awareness Program
 
Phishing
PhishingPhishing
Phishing
 
Basic Security Training for End Users
Basic Security Training for End UsersBasic Security Training for End Users
Basic Security Training for End Users
 

Andere mochten auch

Iso27001 Audit Services
Iso27001 Audit ServicesIso27001 Audit Services
Iso27001 Audit Services
tschraider
 
CIS Audit Lecture # 1
CIS Audit Lecture # 1CIS Audit Lecture # 1
CIS Audit Lecture # 1
Cheng Olayvar
 
Iso27001 Approach
Iso27001 ApproachIso27001 Approach
Iso27001 Approach
tschraider
 

Andere mochten auch (20)

Raising information security awareness
Raising information security awarenessRaising information security awareness
Raising information security awareness
 
Engage! Creating a Meaningful Security Awareness Program
Engage! Creating a Meaningful Security Awareness ProgramEngage! Creating a Meaningful Security Awareness Program
Engage! Creating a Meaningful Security Awareness Program
 
What is Social Engineering? An illustrated presentation.
What is Social Engineering? An illustrated presentation.What is Social Engineering? An illustrated presentation.
What is Social Engineering? An illustrated presentation.
 
Cyber security awareness for students
Cyber security awareness for studentsCyber security awareness for students
Cyber security awareness for students
 
End User Security Awareness Presentation
End User Security Awareness PresentationEnd User Security Awareness Presentation
End User Security Awareness Presentation
 
Social engineering
Social engineering Social engineering
Social engineering
 
CISSPills #3.02
CISSPills #3.02CISSPills #3.02
CISSPills #3.02
 
Social Engineering Basics
Social Engineering BasicsSocial Engineering Basics
Social Engineering Basics
 
AIS Lecture 1
AIS Lecture 1AIS Lecture 1
AIS Lecture 1
 
Social engineering tales
Social engineering tales Social engineering tales
Social engineering tales
 
Social Engineering: "The Cyber-Con"
Social Engineering: "The Cyber-Con"Social Engineering: "The Cyber-Con"
Social Engineering: "The Cyber-Con"
 
Metodology Risk Assessment ISMS
Metodology Risk Assessment ISMSMetodology Risk Assessment ISMS
Metodology Risk Assessment ISMS
 
Iso27001 Audit Services
Iso27001 Audit ServicesIso27001 Audit Services
Iso27001 Audit Services
 
Why ISO-27001 is a better choice?
Why ISO-27001 is a better choice? Why ISO-27001 is a better choice?
Why ISO-27001 is a better choice?
 
CIS Audit Lecture # 1
CIS Audit Lecture # 1CIS Audit Lecture # 1
CIS Audit Lecture # 1
 
Rothke Patchlink
Rothke PatchlinkRothke Patchlink
Rothke Patchlink
 
Iso27001 Approach
Iso27001 ApproachIso27001 Approach
Iso27001 Approach
 
IS Audit and Internal Controls
IS Audit and Internal ControlsIS Audit and Internal Controls
IS Audit and Internal Controls
 
Hacker tooltalk: Social Engineering Toolkit (SET)
Hacker tooltalk: Social Engineering Toolkit (SET)Hacker tooltalk: Social Engineering Toolkit (SET)
Hacker tooltalk: Social Engineering Toolkit (SET)
 
Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeter
 

Ähnlich wie Social Engineering Audit & Security Awareness

Best Practices for Security Awareness and Training
Best Practices for Security Awareness and TrainingBest Practices for Security Awareness and Training
Best Practices for Security Awareness and Training
Kimberly Hood
 
Post 11. Long term GoalThe Group’s goal is to offer attr
Post 11. Long term GoalThe Group’s goal is to offer attrPost 11. Long term GoalThe Group’s goal is to offer attr
Post 11. Long term GoalThe Group’s goal is to offer attr
anhcrowley
 
Information Assurance Guidelines For Commercial Buildings...
Information Assurance Guidelines For Commercial Buildings...Information Assurance Guidelines For Commercial Buildings...
Information Assurance Guidelines For Commercial Buildings...
Laura Benitez
 
Fissea09 mgupta-day3-panel process-program-build-effective-training
Fissea09 mgupta-day3-panel process-program-build-effective-trainingFissea09 mgupta-day3-panel process-program-build-effective-training
Fissea09 mgupta-day3-panel process-program-build-effective-training
Swati Gupta
 

Ähnlich wie Social Engineering Audit & Security Awareness (20)

Keeping an Eye On Risk - Current Concerns and Supervisory Oversight
Keeping an Eye On Risk - Current Concerns and Supervisory OversightKeeping an Eye On Risk - Current Concerns and Supervisory Oversight
Keeping an Eye On Risk - Current Concerns and Supervisory Oversight
 
Cybersecurity Best Practices in Financial Services
Cybersecurity Best Practices in Financial ServicesCybersecurity Best Practices in Financial Services
Cybersecurity Best Practices in Financial Services
 
Best Practices for Security Awareness and Training
Best Practices for Security Awareness and TrainingBest Practices for Security Awareness and Training
Best Practices for Security Awareness and Training
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...
 
Top_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptx
Top_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptxTop_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptx
Top_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptx
 
Hacking the Human - How Secure Is Your Organization?
Hacking the Human - How Secure Is Your Organization?Hacking the Human - How Secure Is Your Organization?
Hacking the Human - How Secure Is Your Organization?
 
Banning Whining, Avoiding Cyber Wolves, and Creating Warrior
Banning Whining, Avoiding Cyber Wolves, and Creating WarriorBanning Whining, Avoiding Cyber Wolves, and Creating Warrior
Banning Whining, Avoiding Cyber Wolves, and Creating Warrior
 
Post 11. Long term GoalThe Group’s goal is to offer attr
Post 11. Long term GoalThe Group’s goal is to offer attrPost 11. Long term GoalThe Group’s goal is to offer attr
Post 11. Long term GoalThe Group’s goal is to offer attr
 
Building an effective Information Security Roadmap
Building an effective Information Security RoadmapBuilding an effective Information Security Roadmap
Building an effective Information Security Roadmap
 
Information Assurance Guidelines For Commercial Buildings...
Information Assurance Guidelines For Commercial Buildings...Information Assurance Guidelines For Commercial Buildings...
Information Assurance Guidelines For Commercial Buildings...
 
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
 
How to Mitigate Risk From Your Expanding Digital Presence
How to Mitigate Risk From Your Expanding Digital PresenceHow to Mitigate Risk From Your Expanding Digital Presence
How to Mitigate Risk From Your Expanding Digital Presence
 
Best practices to mitigate data breach risk
Best practices to mitigate data breach riskBest practices to mitigate data breach risk
Best practices to mitigate data breach risk
 
CISO's first 100 days
CISO's first 100 daysCISO's first 100 days
CISO's first 100 days
 
Role of The Board In IT Governance & Cyber Security-Steve Howse
Role of The Board In IT Governance & Cyber Security-Steve HowseRole of The Board In IT Governance & Cyber Security-Steve Howse
Role of The Board In IT Governance & Cyber Security-Steve Howse
 
Fissea09 mgupta-day3-panel process-program-build-effective-training
Fissea09 mgupta-day3-panel process-program-build-effective-trainingFissea09 mgupta-day3-panel process-program-build-effective-training
Fissea09 mgupta-day3-panel process-program-build-effective-training
 
Be More Secure than your Competition: MePush Cyber Security for Small Business
Be More Secure than your Competition: MePush Cyber Security for Small BusinessBe More Secure than your Competition: MePush Cyber Security for Small Business
Be More Secure than your Competition: MePush Cyber Security for Small Business
 
Jack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security MetricsJack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security Metrics
 
Information Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security MetricsInformation Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security Metrics
 
5 Steps to Creating an Ethical Work Culture
5 Steps to Creating an Ethical Work Culture5 Steps to Creating an Ethical Work Culture
5 Steps to Creating an Ethical Work Culture
 

Mehr von CBIZ, Inc.

BIZGrowth Strategies — Cybersecurity Special Edition 2023
BIZGrowth Strategies — Cybersecurity Special Edition 2023BIZGrowth Strategies — Cybersecurity Special Edition 2023
BIZGrowth Strategies — Cybersecurity Special Edition 2023
CBIZ, Inc.
 
BIZGrowth Strategies - Back to Basics Special Edition
BIZGrowth Strategies - Back to Basics Special EditionBIZGrowth Strategies - Back to Basics Special Edition
BIZGrowth Strategies - Back to Basics Special Edition
CBIZ, Inc.
 
BIZGrowth Strategies - Workforce & Talent Optimization Special Edition
BIZGrowth Strategies - Workforce & Talent Optimization Special EditionBIZGrowth Strategies - Workforce & Talent Optimization Special Edition
BIZGrowth Strategies - Workforce & Talent Optimization Special Edition
CBIZ, Inc.
 

Mehr von CBIZ, Inc. (20)

BIZGrowth Strategies — Cybersecurity Special Edition 2023
BIZGrowth Strategies — Cybersecurity Special Edition 2023BIZGrowth Strategies — Cybersecurity Special Edition 2023
BIZGrowth Strategies — Cybersecurity Special Edition 2023
 
BIZGrowth Strategies - Back to Basics Special Edition
BIZGrowth Strategies - Back to Basics Special EditionBIZGrowth Strategies - Back to Basics Special Edition
BIZGrowth Strategies - Back to Basics Special Edition
 
The Advantage — Summer 2023
The Advantage — Summer 2023The Advantage — Summer 2023
The Advantage — Summer 2023
 
BIZGrowth Strategies - Workforce & Talent Optimization Special Edition
BIZGrowth Strategies - Workforce & Talent Optimization Special EditionBIZGrowth Strategies - Workforce & Talent Optimization Special Edition
BIZGrowth Strategies - Workforce & Talent Optimization Special Edition
 
BIZGrowth Newsletter - Economic Slowdown Solutions Special Edition
BIZGrowth Newsletter - Economic Slowdown Solutions Special EditionBIZGrowth Newsletter - Economic Slowdown Solutions Special Edition
BIZGrowth Newsletter - Economic Slowdown Solutions Special Edition
 
BIZGrowth Strategies - Cybersecurity Special Edition
BIZGrowth Strategies - Cybersecurity Special EditionBIZGrowth Strategies - Cybersecurity Special Edition
BIZGrowth Strategies - Cybersecurity Special Edition
 
Connections Help Law Practice Efficiently Obtain $5 Million Line of Credit
Connections Help Law Practice Efficiently Obtain $5 Million Line of CreditConnections Help Law Practice Efficiently Obtain $5 Million Line of Credit
Connections Help Law Practice Efficiently Obtain $5 Million Line of Credit
 
Custom Communication Plan & Active Enrollment Result in Increased Consumerism
Custom Communication Plan & Active Enrollment Result in Increased ConsumerismCustom Communication Plan & Active Enrollment Result in Increased Consumerism
Custom Communication Plan & Active Enrollment Result in Increased Consumerism
 
Experienced Consulting Approach Leads Engineering Firm to the Right CFO
Experienced Consulting Approach Leads Engineering Firm to the Right CFOExperienced Consulting Approach Leads Engineering Firm to the Right CFO
Experienced Consulting Approach Leads Engineering Firm to the Right CFO
 
BIZGrowth Strategies - Summer 2022
BIZGrowth Strategies - Summer 2022BIZGrowth Strategies - Summer 2022
BIZGrowth Strategies - Summer 2022
 
Inflation, Interest Rates & the Disruption to CRE
Inflation, Interest Rates & the Disruption to CREInflation, Interest Rates & the Disruption to CRE
Inflation, Interest Rates & the Disruption to CRE
 
CBIZ Quarterly Manufacturing and Distribution "Hot Topics" Newsletter (May-Ju...
CBIZ Quarterly Manufacturing and Distribution "Hot Topics" Newsletter (May-Ju...CBIZ Quarterly Manufacturing and Distribution "Hot Topics" Newsletter (May-Ju...
CBIZ Quarterly Manufacturing and Distribution "Hot Topics" Newsletter (May-Ju...
 
Rethinking Total Compensation to Retain Top Talent
Rethinking Total Compensation to Retain Top TalentRethinking Total Compensation to Retain Top Talent
Rethinking Total Compensation to Retain Top Talent
 
Common Labor Shortage Risks & Tips to Mitigate Your Exposures
Common Labor Shortage Risks & Tips to Mitigate Your ExposuresCommon Labor Shortage Risks & Tips to Mitigate Your Exposures
Common Labor Shortage Risks & Tips to Mitigate Your Exposures
 
How the Great Resignation Affects the Tax Function
How the Great Resignation Affects the Tax FunctionHow the Great Resignation Affects the Tax Function
How the Great Resignation Affects the Tax Function
 
Using Technology to Secure Talent
Using Technology to Secure TalentUsing Technology to Secure Talent
Using Technology to Secure Talent
 
Experienced Consulting Approach Leads Engineering Firm to the Right CFO
Experienced Consulting Approach Leads Engineering Firm to the Right CFOExperienced Consulting Approach Leads Engineering Firm to the Right CFO
Experienced Consulting Approach Leads Engineering Firm to the Right CFO
 
BIZGrowth Strategies - The Great Resignation Special Edition
BIZGrowth Strategies - The Great Resignation Special EditionBIZGrowth Strategies - The Great Resignation Special Edition
BIZGrowth Strategies - The Great Resignation Special Edition
 
Tax incentive alert KS
Tax incentive alert KSTax incentive alert KS
Tax incentive alert KS
 
CBIZ Quarterly Commercial Real Estate "Hot Topics" Newsletter (Jan-Feb 2022)
CBIZ Quarterly Commercial Real Estate "Hot Topics" Newsletter (Jan-Feb 2022)CBIZ Quarterly Commercial Real Estate "Hot Topics" Newsletter (Jan-Feb 2022)
CBIZ Quarterly Commercial Real Estate "Hot Topics" Newsletter (Jan-Feb 2022)
 

Kürzlich hochgeladen

Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
amitlee9823
 
Call Girls In Majnu Ka Tilla 959961~3876 Shot 2000 Night 8000
Call Girls In Majnu Ka Tilla 959961~3876 Shot 2000 Night 8000Call Girls In Majnu Ka Tilla 959961~3876 Shot 2000 Night 8000
Call Girls In Majnu Ka Tilla 959961~3876 Shot 2000 Night 8000
dlhescort
 
Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
amitlee9823
 
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
dollysharma2066
 
Uneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration PresentationUneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration Presentation
uneakwhite
 
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesMysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Dipal Arora
 
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
Sheetaleventcompany
 
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort ServiceEluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
Damini Dixit
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
dollysharma2066
 

Kürzlich hochgeladen (20)

Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
 
PHX May 2024 Corporate Presentation Final
PHX May 2024 Corporate Presentation FinalPHX May 2024 Corporate Presentation Final
PHX May 2024 Corporate Presentation Final
 
Call Girls In Majnu Ka Tilla 959961~3876 Shot 2000 Night 8000
Call Girls In Majnu Ka Tilla 959961~3876 Shot 2000 Night 8000Call Girls In Majnu Ka Tilla 959961~3876 Shot 2000 Night 8000
Call Girls In Majnu Ka Tilla 959961~3876 Shot 2000 Night 8000
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
 
Katrina Personal Brand Project and portfolio 1
Katrina Personal Brand Project and portfolio 1Katrina Personal Brand Project and portfolio 1
Katrina Personal Brand Project and portfolio 1
 
Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876
Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876
Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876
 
Phases of Negotiation .pptx
Phases of Negotiation .pptx Phases of Negotiation .pptx
Phases of Negotiation .pptx
 
Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
 
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
 
How to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityHow to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League City
 
Falcon's Invoice Discounting: Your Path to Prosperity
Falcon's Invoice Discounting: Your Path to ProsperityFalcon's Invoice Discounting: Your Path to Prosperity
Falcon's Invoice Discounting: Your Path to Prosperity
 
Uneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration PresentationUneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration Presentation
 
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesMysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
 
Famous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st CenturyFamous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st Century
 
Marel Q1 2024 Investor Presentation from May 8, 2024
Marel Q1 2024 Investor Presentation from May 8, 2024Marel Q1 2024 Investor Presentation from May 8, 2024
Marel Q1 2024 Investor Presentation from May 8, 2024
 
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
 
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort ServiceEluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
 
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdfDr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
 
It will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 MayIt will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 May
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
 

Social Engineering Audit & Security Awareness

  • 1. Social Engineering Audit & Security Awareness Hacking the Human Kyle Konopasek, CIA CBIZ MHM, LLC – Kansas City
  • 2. Tony Coble, CPA Managing Director – CBIZ MHM and Shareholder, MHM 11440 Tomahawk Creek Parkway Leawood, KS 66211  Direct: (913) 234-1031  Email: acoble@cbiz.com Presenters Kyle Konopasek, CIA, CICA Manager – CBIZ MHM, LLC 11440 Tomahawk Creek Parkway Leawood, KS 66211  Direct: (913) 234-1020  Email: kkonopasek@cbiz.com
  • 3. About CBIZ and Mayer Hoffman McCann P.C. With offices in major cities throughout the United States, CBIZ is one of the nations leading providers of outsourced business services, including accounting and tax, internal audit, risk management, and a wide range of consulting services. CBIZ is strategically associated with Mayer Hoffman McCann P.C. (MHM). MHM is an independent public accounting firm with more than 280 shareholders in more than 35 offices. MHM specializes in attest services for mid-market and growing businesses, with a specialty practice devoted to financial institutions. Together, CBIZ and Mayer Hoffman McCann P.C. are one of the top accounting providers in the country.
  • 4. Learning Objectives • Understand regulatory compliance issues • Learn exactly what social engineering is and the various types used. • Understand how to identify a social engineering attack. • Gain insight on methods to deter or mitigate social engineering risk.
  • 6. • Security awareness reflects an organization’s mindset or attitude toward protecting the physical and intellectual assets of an organization. This attitude guides the approach used to protect those assets. In general, the approach is referred to as a security awareness program. What is security awareness?
  • 7. • What elements reflect the overall strength of an organization’s security culture? – What causes a security awareness program to fail? – What comprises a successful security awareness program? • Even the best technical security efforts will fail if the organization has a weak security culture. Security awareness success
  • 8. 1) Not understanding what security awareness really is. – Major difference between security awareness and security training. • Watching an online video about security awareness is training. – The primary goal of security awareness is to change behavior. 2) Reliance on checking the box. – Satisfying compliance standards equate to strong security awareness or even that security exists. • Merely prove the minimum standards have been met. • Standards are vague and difficult to measure. – EXAMPLE: “A security awareness program must be in place.” Why do security awareness programs fail?
  • 9. 3) Failing to acknowledge that security awareness is a unique discipline. – Who is responsible for the function? – Does the person have the knowledge, skills, and abilities? – Does the person have soft skills such as strong communication and marketing ability? • Initial efforts to implement security awareness and to affect change over time require such skills. Why do security awareness programs fail?
  • 10. 4) Lack of engaging and appropriate materials. – Annual computer-based training is not enough. – It is critical that multiple versions or styles of security awareness materials be implemented. • Ensure the materials are appropriate to the organization based on industry and employee demographics. • Younger employees respond better to blogs and twitter feeds while older employees prefer traditional materials like posters and newsletters. Why do security awareness programs fail?
  • 11. 5) Not collecting metrics. – Without metrics, there is no way to determine if security awareness goals are being met. • Are we wasting money or providing value? • What is working and what is not? • Are our losses decreasing? – Collecting metrics on a regular basis allows for adjustments. – Measure the impact to the organization. Why do security awareness programs fail?
  • 12. 5) Not collecting metrics (continued). – Example metrics include: • Number of people who fall victim to a phishing attack. • Number of employees who follow security policies. • Number of employees securing desk environment at end of day. • Number of employees using strong passwords. • Number of employees who follow and enforce policies for restricted access to facilities. • Who has or has not completed annual security awareness training. • Types of reinforcement training, who is it communicated to, and how often. Why do security awareness programs fail?
  • 13. 6) Unreasonable expectations. – No security counter-measure will ever be successful at mitigating all incidents. 7) Relying upon a single training exercise. – Focusing on a single security weakness or threat approach when there are dozens leaves an organization open to attack to ignored approaches. Why do security awareness programs fail?
  • 14. 1) C-suite support. – Awareness program support from executive management leads to more freedom, increased budgets, and support from other departments. – Obtaining strong support from top level management is first priority. • Consider materials designed specifically for executives—newsletters and brief articles that highlight relevant news and information. Keys to security awareness success
  • 15. 2) Partnering with key departments. – Get other departments involved in the program that might provide additional resources toward program success. • Human resources, legal, compliance, marketing, etc. • Consider the needs of these other departments and incorporate into the overall security awareness approach. 3) Creativity – Small budgets for security awareness are common, however, creativity and enthusiasm can bridge the gap created by a small budget. Keys to security awareness success
  • 16. 4) Metrics. – Prove the security awareness program effort is successful—utilize metrics. 5) Explanation and transparency. – Focus and how to accomplish specific actions through clear explanation. – Instead of telling people to not do certain things, explain how they can do certain things safely. Keys to security awareness success
  • 17. 6) 90-day plans. – Many programs follow a one-year plan with one topic covered monthly. • Does not reinforce knowledge and does not permit feedback or consider ongoing events. – A 90-day plan is most effective as it permits re-evaluation of the program and its goals more regularly. • Focus on 3 topics simultaneously and reinforce during the 90 days. • Can be easily adjusted to address current and key issues. Keys to security awareness success
  • 18. 7) Multimodal awareness materials – Utilize multiple forms of security awareness materials. • Newsletters • Blogs • Newsfeeds • Phishing simulation • Games – Participative approaches have the most long-term success. Keys to security awareness success
  • 19. 8) Incentivized security awareness programs. – Develop “Incentivized Awareness Programs”. – Focus on creating a reward structure to incentivize people for exercising desired behaviors. – This technique switches the entire awareness paradigm by encouraging employees to elicit a natural and desired behavior rather than forcing them. Keys to security awareness success
  • 21.
  • 22. • Attacker uses human interaction to obtain or compromise information. • Attacker may appear unassuming or respectable. – Pretend to be a new employee, repair man, utility provider, etc. – May even offer credentials. What is social engineering?
  • 23. • By asking questions, the attacker may piece enough information together to infiltrate an organization’s network. – May attempt to get information from many sources. What is social engineering?
  • 24. • Quid Pro Quo – Something for something. • Phishing – Fraudulently obtaining private information. • Baiting – Real world Trojan horse. • Pretexting – Invented scenario. • Diversion Theft – Lying and convincing others of a false truth—a con. Types of social engineering
  • 25. • Something for something – Call random phone numbers at an organization claiming to be from technical support. – Eventually you will reach someone with a legitimate problem. – Grateful you called them, they will follow your instructions. – The attacker will “help” the user, but will really have the victim type commands that will allow the attacker to install malware. Quid Pro Quo
  • 26. • Fraudulently obtaining private information – Send an email that looks like it came from a legitimate business. – Request verification of information and warn of some consequence if not provided. – Usually contains a link to a fraudulent web page that looks legitimate. • Example: Update login information to new HR portal. – User gives information to the social engineer/attacker. Phishing
  • 27. • Spear phishing – Specific phishing that include your name or demographic info. • Vishing – Phone phishing—may be a voice system asking for call back. Phishing - continued
  • 28. • Real example – Obtain email address of many employees in target organization including key individual targets like Controller, Staff Accountant, Executive Assistant, etc. – Develop website to “change password” or “setup new account” for a human resources vacation request system. • Actual organization website is “Western States Credit Union” • Link to attacker’s website is “Western States Credlt Union” – Email website link to obtained email addresses. Phishing - continued
  • 29. • Real world Trojan horse – Uses physical media. – Relies on greed and/or the curiosity of the target/victim. – Attacker leaves a malware infected CD or USB thumb drive in an obvious location so that it is easily found. – Attacker uses an intriguing or curious label to gain interest. • Example: “Employee Salaries and Bonuses 2014” – Curious employee uses the media and unknowingly installs malware. Baiting
  • 30. • Invented scenario – Involves prior research and a setup used to establish legitimacy. • Give information that a user would normally not divulge. – This technique is used to impersonate and imitate authority. • Uses prepared answers to a target’s questions. • Other useful information is gathered for future attacks. • Example: “VP of Facilities” visiting a branch. Pretexting
  • 31. • Real example – Telecom provider Pretexting - continued
  • 32. • Real example – Pose as a major telecom provider. – Props: • rented white van with magnetic logo • logo polo shirts and hats • business cards • work order • ID badge. – Enter credit union branch and ask to inspect the “roving telecom adapter” because they have been recalled. Pretexting - continued
  • 33. – Illegal examples from an auditing perspective • Law enforcement • Fire • Military/government official Pretexting - continued
  • 34. • Con – Persuade deliver person that delivery has been requested elsewhere. • When delivery is redirected, attacker persuades delivery driver to unload near a desired address. • Example: Attacker parks a “security vehicle” in bank parking lot. Target attempts to deposit money in night drop or ATM but is told by attacker that it is out of order. Target then gives money to attacker for deposit and safekeeping. Diversion Theft
  • 35. • Scavenging key bits of information from many documents put out in the trash. – Literally involves getting in a dumpster during off-peak hours and looking for information. – Janitorial crews could be involved. Are they bonded? • Document shredders are not always the answer – Vertical cut, cross cut, micro cut, and security cut. Dumpster diving
  • 36. • Training – User awareness • User knows that giving out certain information is bad. • Policies – Employees are not allowed to divulge information. • Every organization must decide what information is sensitive and should not be shared. – Prevents employees from being socially pressured or tricked. – Polices MUST be enforced to be effective. How to prevent social engineering?
  • 37. • Password management • Physical security • Network defenses may only repel attacks – Virus protection – Email attachment scanning – Firewalls, etc. • Security must be tested periodically. How to prevent social engineering?
  • 38. • Third-party testing – Hire a third-party to attempt to attack targeted areas of the organization. – Have the third-party attempt to acquire information from employees using social engineering techniques. – Learning tool for the organization—not a punishment for employees. How to prevent social engineering?
  • 39. • What is the overall risk appetite and risk tolerance levels of the audit/supervisory committee? – Board of Directors? – Executive management? • Do those charged with governance value testing the security of information through social engineering? – Are they afraid of what the results might reflect? • Social engineering testing may need to be “sold” for testing to have any value. – Consider elements of a security awareness program. Social engineering as an internal audit unit
  • 40. • Risk assessment – Identify types of social engineering that may be most applicable to the organization. What are the weaknesses? – What types of attacks is management most concerned about? • Pretexting planning – What is the goal? – Identify the roles to be used and draft the pretexting script. • Who are we going to be? • What are we going to say? – Signed letter from executive management the social engineering testing. • “Get out of jail free” card. Social engineering as an internal audit unit
  • 41. • Example authorization letter January 31, 2014 To whom it may concern, The internal audit department of XYZ Credit Union has authorization to perform a physical security assessment. As part of this security review the internal audit department may perform any of the following procedures during the following time period: February 16, 2014 through February 28, 2014. 1) Patrol the perimeter of any XYZ Credit Union (“XYZ”) branch during and after normal business hours. 2) Inspect the content of interior trash receptacles during business hours and exterior trash receptacles during or after business hours at any XYZ location. The content of any trash receptacle may be confiscated by internal audit personnel as testing evidence. 3) Attempt to gain access to restricted areas within XYZ headquarters or its branches during business hours by means of social engineering which may include:  Internal audit personnel disguise themselves as employees of XYZ and/or vendors.  Internal audit personnel may attempt to deceive XYZ employees in any manner which is legal and does not otherwise harm XYZ, its employees, or its members to adequately test the physical security access controls of branches and the willingness of XYZ employees to disseminate confidential information about the credit union. 4) Temporarily remove a sample of readily accessible material(s) which will be returned to the designated bank contact immediately after the testing for XYZ has concluded. If there are any questions about this assessment or how internal audit personnel should be dealt with, please contact one of the following individuals immediately. All authority granted by this letter expires promptly at 11:59PM on February 28, 2014. Social engineering as an internal audit unit
  • 42. • Phishing planning – What is the goal? – What is the setup? • Document: – Test scenario (e.g. spear phishing to install malware) – Inherent risks to the scenario (e.g. embedded links in emails) – Character (e.g. Human Resources department of XYZ Credit Union) Social engineering as an internal audit unit
  • 43. • Example phishing email Subject: Vacation Policy Attention, An important change has been made to our vacation policy; we have made the changes available for you to view on our new HR portal. Please let us know if you have any questions with the changes made to the vacation policy. www.xyzcu.com/HR Regards, XYZ Credit Union HR HR@xyzcucom Social engineering as an internal audit unit
  • 44. • Reporting on social engineering test results – Be as detailed as possible when describing the scenarios/scripts and the results. – Do not implicate a single person—social engineering testing is a learning tool, not a punishment. • How this is handled may cause internal audit to be viewed poorly within the organization. – Consider a grading scale. • Many audit reports report findings as pass/fail. Social engineering results may be partly pass and partly fail. – Example: Allowed into telecom closet, but not behind the teller line. • Use a letter grading system for social engineering. – Clearly define what each aspect of the grading scale means. Social engineering as an internal audit unit
  • 45. • Real example of a pretexting report finding. Condition On Monday, February 24, 2014, Internal Audit attempted to gain access to secured areas of five branches using social engineering physical penetration techniques while posing as employees of the XYZ Credit Union “Asset Management Division” who were onsite to inspect for asset management controls. At the Main and First and Second Street branches, credit union personnel gave disguised Internal Audit personnel access to all secured areas of the branch. During this visit, branch personnel never attempted to validate our identities by looking at driver’s licenses or whether or not we were supposed to be at the branch by calling responsible management to confirm the visit. At all times during the visit, branch personnel always displayed behavior that was consistent with “buying in” to the XZY Credit Union “Asset Management Division” script. At the Main Street branch, Internal Audit personnel witnessed a drawer at a teller station slightly open and containing what appeared to be a large sum of cash. The Internal Audit employee who witnessed the open drawer was directly behind the teller counter and in the exact position where a teller would stand while providing service to a customer. Finally, when requesting access to the telecom closet, branch personnel opened the fire extinguisher bay door located next to the telecom closet door to retrieve the key. The key was not there at the time; however, the action was an indication that the key may be stored in that location at times. At the Second Street branch, a teller was prepared to grant us access to secured areas of the bank because two key contacts in the branch were on the phone at the time. Just as we were about to get access, one of those persons got off the phone and that person followed procedure and ultimately ended our test and did not grant us access. Social engineering as an internal audit unit
  • 46. • No matter how robust an organization’s: – Firewalls – Intrusion detection systems – Anti-virus/malware software – Other technological and physical safeguards • The human is always the weakest link when dealing with security and protecting valuable information. • Knowledge is power. – People sometimes want others to “know what they know” to demonstrate importance. Weakest Link?
  • 47. • Good habits drive security culture and there are no technologies that will ever make up for poor security culture. • Social engineering audit is one method commonly used to assess the condition of the overall security culture. Key take away