Becoming a Coach
If you’ve ever volunteered to coach youth sports — especially T-ball — you’ve probably learned as much as the kids about how to teach and train someone to perform an activity. The first lesson of coaching: it involves repetition. When I helped coach T-ball, our first day of practice involved running to first base over and over and coaching kids to listen to the first base coach. We spent a lot of time on the fundamentals and basics of baseball. When all is said and done, the purpose of T-ball is to provide the kids with a basic knowledge of the game and awareness of what to do when the ball is hit.
The goal of security awareness training should be similar to coaching T-ball. We should understand that the audience is not full of security experts, and we need to provide basic knowledge and appropriate action to take when faced with an incident. We also need to repeatedly test the effectiveness of the training program. Unlike T-ball, however, we need to keep score, not to shame an employee but to measure our coaching. Verifying employees have retained this information and will deploy their training in the future is the key to a successful security awareness program.
Common Testing Methodologies
Administering a quiz after a training session is a common testing approach, but quizzes are ineffective if using a one-and-done approach. Remember, coaching is repetition. Random web-based quizzes throughout the year may provide a better measurement unless employees share answers.
Workplace Security Review
Employees can become desensitized to confidential information in the work area. A great way to test your clean desk policy and physical security policy is to observe your workplace. Take pictures of any security violations — it is the best form of evidence — and share the results of your physical checks during your next security awareness training session.
Dumpster diving can literally be a treasure trove of information for anyone who wants to create a highly successful social engineering campaign. A pair of latex gloves is always recommended for this test. One of the best (cleanest) methods to perform this test is to follow the cleaning crew around after business hours and observe what information is being disposed of as ordinary garbage (not in shred bins; that’s where you want employees to put confidential information).
Pretext Phone Calls
In larger organizations, pretext phone calls may be performed by an internal resource that isn’t well-known or by an outsourced auditor or consultant. The tester can perform the test via the phone (voice/text) or internet (email/chat) posing as a customer, vendor, or business partner who is requesting confidential information or login credentials. The tester needs to have a good cover story as to why the information is needed. Testers will often use popular spoofing tools to display local area codes, phone numbers, and alias names when impersonating a person or company.
We have all likely performed this test once in our life without realizing it. As an example, when I go to the gym, the attendant is supposed to swipe my card to grant and track my access. However, if I have my earbuds in and stare at my phone, I’m allowed to walk by unchallenged. I look like I belong at the gym; why inconvenience me? If a tester looks like they belong to your organization, will your staff challenge their identity?
Flash Drive Drop Attack Test
Another great test is to bait users with a “lost” USB (Universal Serial Bus) flash drive. How many employees will call IT? How many will plug the device into a company workstation? This test may be performed by capable IT Staff with help from the internet or performed by an outsourced auditor or consultant.
Phishing Attack Simulation
One of the best ways to determine if your employees are aware of the threat posed by a phishing attack is to perform a controlled test (simulated attack) of employee email. Test emails should provide clues covered in training that should tip the recipient of the deception. Directing the recipient to a website link will allow the tester to gather evidence of who opened the email and who followed the link. Such testing may be performed by skilled staff or by a third-party provider. It is recommended that testing be performed throughout the year to maintain employee awareness.
Share the test results with the management team by documenting your findings using generic terms such as passwords written down and stored within eyesight, confidential information stored in unlocked desk drawers after hours, etc. Avoid using names of employees in the written reports but be prepared to offer details when asked. Keeping in mind the goal is not to demean an employee but improve the organization’s security awareness. The risk of social engineering attacks cannot ever be 100% mitigated, but you should strive to improve the results (fewer violations) each year.
Employees should be informed that such testing may occur at random. The results of testing should be shared with employees to emphasize the fundamentals in the test that should have raised a red flag and the actions that users should have taken.
Security awareness and testing methodologies must continue to evolve with attack methods, and the best way to provide evidence of progress is to monitor performance through observation testing.
Shane Daniel, Senior Information Security Consultant, SBS CyberSecurity, LLC