SlideShare une entreprise Scribd logo

Social Engineering Audit & Security Awareness Program

CBIZ, Inc.
CBIZ, Inc.

The document provides information about a social engineering audit and security awareness presentation. It includes details about the presenters from CBIZ MHM, an accounting firm, learning objectives around social engineering and security awareness, and descriptions of different types of social engineering like phishing and pretexting. It also discusses what makes security awareness programs successful or fail, and how social engineering could be used internally by an audit department to test security controls.

BusinessTechnologie
1  sur  48
Télécharger pour lire hors ligne
Social Engineering Audit & Security Awareness Hacking the Human Kyle Konopasek, CIA CBIZ MHM, LLC – Kansas City
Tony Coble, CPA Managing Director – CBIZ MHM and Shareholder, MHM 11440 Tomahawk Creek Parkway Leawood, KS 66211  Direct: (913) 234-1031  Email: acoble@cbiz.com Presenters Kyle Konopasek, CIA, CICA Manager – CBIZ MHM, LLC 11440 Tomahawk Creek Parkway Leawood, KS 66211  Direct: (913) 234-1020  Email: kkonopasek@cbiz.com
About CBIZ and Mayer Hoffman McCann P.C. With offices in major cities throughout the United States, CBIZ is one of the nations leading providers of outsourced business services, including accounting and tax, internal audit, risk management, and a wide range of consulting services. CBIZ is strategically associated with Mayer Hoffman McCann P.C. (MHM). MHM is an independent public accounting firm with more than 280 shareholders in more than 35 offices. MHM specializes in attest services for mid-market and growing businesses, with a specialty practice devoted to financial institutions. Together, CBIZ and Mayer Hoffman McCann P.C. are one of the top accounting providers in the country.
Learning Objectives • Understand regulatory compliance issues • Learn exactly what social engineering is and the various types used. • Understand how to identify a social engineering attack. • Gain insight on methods to deter or mitigate social engineering risk.
SECURITY AWARENESS PROGRAM
• Security awareness reflects an organization’s mindset or attitude toward protecting the physical and intellectual assets of an organization. This attitude guides the approach used to protect those assets. In general, the approach is referred to as a security awareness program. What is security awareness?
• What elements reflect the overall strength of an organization’s security culture? – What causes a security awareness program to fail? – What comprises a successful security awareness program? • Even the best technical security efforts will fail if the organization has a weak security culture. Security awareness success
1) Not understanding what security awareness really is. – Major difference between security awareness and security training. • Watching an online video about security awareness is training. – The primary goal of security awareness is to change behavior. 2) Reliance on checking the box. – Satisfying compliance standards equate to strong security awareness or even that security exists. • Merely prove the minimum standards have been met. • Standards are vague and difficult to measure. – EXAMPLE: “A security awareness program must be in place.” Why do security awareness programs fail?
3) Failing to acknowledge that security awareness is a unique discipline. – Who is responsible for the function? – Does the person have the knowledge, skills, and abilities? – Does the person have soft skills such as strong communication and marketing ability? • Initial efforts to implement security awareness and to affect change over time require such skills. Why do security awareness programs fail?
4) Lack of engaging and appropriate materials. – Annual computer-based training is not enough. – It is critical that multiple versions or styles of security awareness materials be implemented. • Ensure the materials are appropriate to the organization based on industry and employee demographics. • Younger employees respond better to blogs and twitter feeds while older employees prefer traditional materials like posters and newsletters. Why do security awareness programs fail?
5) Not collecting metrics. – Without metrics, there is no way to determine if security awareness goals are being met. • Are we wasting money or providing value? • What is working and what is not? • Are our losses decreasing? – Collecting metrics on a regular basis allows for adjustments. – Measure the impact to the organization. Why do security awareness programs fail?
5) Not collecting metrics (continued). – Example metrics include: • Number of people who fall victim to a phishing attack. • Number of employees who follow security policies. • Number of employees securing desk environment at end of day. • Number of employees using strong passwords. • Number of employees who follow and enforce policies for restricted access to facilities. • Who has or has not completed annual security awareness training. • Types of reinforcement training, who is it communicated to, and how often. Why do security awareness programs fail?
6) Unreasonable expectations. – No security counter-measure will ever be successful at mitigating all incidents. 7) Relying upon a single training exercise. – Focusing on a single security weakness or threat approach when there are dozens leaves an organization open to attack to ignored approaches. Why do security awareness programs fail?
1) C-suite support. – Awareness program support from executive management leads to more freedom, increased budgets, and support from other departments. – Obtaining strong support from top level management is first priority. • Consider materials designed specifically for executives—newsletters and brief articles that highlight relevant news and information. Keys to security awareness success
2) Partnering with key departments. – Get other departments involved in the program that might provide additional resources toward program success. • Human resources, legal, compliance, marketing, etc. • Consider the needs of these other departments and incorporate into the overall security awareness approach. 3) Creativity – Small budgets for security awareness are common, however, creativity and enthusiasm can bridge the gap created by a small budget. Keys to security awareness success
4) Metrics. – Prove the security awareness program effort is successful—utilize metrics. 5) Explanation and transparency. – Focus and how to accomplish specific actions through clear explanation. – Instead of telling people to not do certain things, explain how they can do certain things safely. Keys to security awareness success
6) 90-day plans. – Many programs follow a one-year plan with one topic covered monthly. • Does not reinforce knowledge and does not permit feedback or consider ongoing events. – A 90-day plan is most effective as it permits re-evaluation of the program and its goals more regularly. • Focus on 3 topics simultaneously and reinforce during the 90 days. • Can be easily adjusted to address current and key issues. Keys to security awareness success
7) Multimodal awareness materials – Utilize multiple forms of security awareness materials. • Newsletters • Blogs • Newsfeeds • Phishing simulation • Games – Participative approaches have the most long-term success. Keys to security awareness success
8) Incentivized security awareness programs. – Develop “Incentivized Awareness Programs”. – Focus on creating a reward structure to incentivize people for exercising desired behaviors. – This technique switches the entire awareness paradigm by encouraging employees to elicit a natural and desired behavior rather than forcing them. Keys to security awareness success
SOCIAL ENGINEERING AUDIT
• Attacker uses human interaction to obtain or compromise information. • Attacker may appear unassuming or respectable. – Pretend to be a new employee, repair man, utility provider, etc. – May even offer credentials. What is social engineering?
• By asking questions, the attacker may piece enough information together to infiltrate an organization’s network. – May attempt to get information from many sources. What is social engineering?
• Quid Pro Quo – Something for something. • Phishing – Fraudulently obtaining private information. • Baiting – Real world Trojan horse. • Pretexting – Invented scenario. • Diversion Theft – Lying and convincing others of a false truth—a con. Types of social engineering
• Something for something – Call random phone numbers at an organization claiming to be from technical support. – Eventually you will reach someone with a legitimate problem. – Grateful you called them, they will follow your instructions. – The attacker will “help” the user, but will really have the victim type commands that will allow the attacker to install malware. Quid Pro Quo
• Fraudulently obtaining private information – Send an email that looks like it came from a legitimate business. – Request verification of information and warn of some consequence if not provided. – Usually contains a link to a fraudulent web page that looks legitimate. • Example: Update login information to new HR portal. – User gives information to the social engineer/attacker. Phishing
• Spear phishing – Specific phishing that include your name or demographic info. • Vishing – Phone phishing—may be a voice system asking for call back. Phishing - continued
• Real example – Obtain email address of many employees in target organization including key individual targets like Controller, Staff Accountant, Executive Assistant, etc. – Develop website to “change password” or “setup new account” for a human resources vacation request system. • Actual organization website is “Western States Credit Union” • Link to attacker’s website is “Western States Credlt Union” – Email website link to obtained email addresses. Phishing - continued
• Real world Trojan horse – Uses physical media. – Relies on greed and/or the curiosity of the target/victim. – Attacker leaves a malware infected CD or USB thumb drive in an obvious location so that it is easily found. – Attacker uses an intriguing or curious label to gain interest. • Example: “Employee Salaries and Bonuses 2014” – Curious employee uses the media and unknowingly installs malware. Baiting
• Invented scenario – Involves prior research and a setup used to establish legitimacy. • Give information that a user would normally not divulge. – This technique is used to impersonate and imitate authority. • Uses prepared answers to a target’s questions. • Other useful information is gathered for future attacks. • Example: “VP of Facilities” visiting a branch. Pretexting
• Real example – Telecom provider Pretexting - continued
• Real example – Pose as a major telecom provider. – Props: • rented white van with magnetic logo • logo polo shirts and hats • business cards • work order • ID badge. – Enter credit union branch and ask to inspect the “roving telecom adapter” because they have been recalled. Pretexting - continued
– Illegal examples from an auditing perspective • Law enforcement • Fire • Military/government official Pretexting - continued
• Con – Persuade deliver person that delivery has been requested elsewhere. • When delivery is redirected, attacker persuades delivery driver to unload near a desired address. • Example: Attacker parks a “security vehicle” in bank parking lot. Target attempts to deposit money in night drop or ATM but is told by attacker that it is out of order. Target then gives money to attacker for deposit and safekeeping. Diversion Theft
• Scavenging key bits of information from many documents put out in the trash. – Literally involves getting in a dumpster during off-peak hours and looking for information. – Janitorial crews could be involved. Are they bonded? • Document shredders are not always the answer – Vertical cut, cross cut, micro cut, and security cut. Dumpster diving
• Training – User awareness • User knows that giving out certain information is bad. • Policies – Employees are not allowed to divulge information. • Every organization must decide what information is sensitive and should not be shared. – Prevents employees from being socially pressured or tricked. – Polices MUST be enforced to be effective. How to prevent social engineering?
• Password management • Physical security • Network defenses may only repel attacks – Virus protection – Email attachment scanning – Firewalls, etc. • Security must be tested periodically. How to prevent social engineering?
• Third-party testing – Hire a third-party to attempt to attack targeted areas of the organization. – Have the third-party attempt to acquire information from employees using social engineering techniques. – Learning tool for the organization—not a punishment for employees. How to prevent social engineering?
• What is the overall risk appetite and risk tolerance levels of the audit/supervisory committee? – Board of Directors? – Executive management? • Do those charged with governance value testing the security of information through social engineering? – Are they afraid of what the results might reflect? • Social engineering testing may need to be “sold” for testing to have any value. – Consider elements of a security awareness program. Social engineering as an internal audit unit
• Risk assessment – Identify types of social engineering that may be most applicable to the organization. What are the weaknesses? – What types of attacks is management most concerned about? • Pretexting planning – What is the goal? – Identify the roles to be used and draft the pretexting script. • Who are we going to be? • What are we going to say? – Signed letter from executive management the social engineering testing. • “Get out of jail free” card. Social engineering as an internal audit unit
• Example authorization letter January 31, 2014 To whom it may concern, The internal audit department of XYZ Credit Union has authorization to perform a physical security assessment. As part of this security review the internal audit department may perform any of the following procedures during the following time period: February 16, 2014 through February 28, 2014. 1) Patrol the perimeter of any XYZ Credit Union (“XYZ”) branch during and after normal business hours. 2) Inspect the content of interior trash receptacles during business hours and exterior trash receptacles during or after business hours at any XYZ location. The content of any trash receptacle may be confiscated by internal audit personnel as testing evidence. 3) Attempt to gain access to restricted areas within XYZ headquarters or its branches during business hours by means of social engineering which may include:  Internal audit personnel disguise themselves as employees of XYZ and/or vendors.  Internal audit personnel may attempt to deceive XYZ employees in any manner which is legal and does not otherwise harm XYZ, its employees, or its members to adequately test the physical security access controls of branches and the willingness of XYZ employees to disseminate confidential information about the credit union. 4) Temporarily remove a sample of readily accessible material(s) which will be returned to the designated bank contact immediately after the testing for XYZ has concluded. If there are any questions about this assessment or how internal audit personnel should be dealt with, please contact one of the following individuals immediately. All authority granted by this letter expires promptly at 11:59PM on February 28, 2014. Social engineering as an internal audit unit
• Phishing planning – What is the goal? – What is the setup? • Document: – Test scenario (e.g. spear phishing to install malware) – Inherent risks to the scenario (e.g. embedded links in emails) – Character (e.g. Human Resources department of XYZ Credit Union) Social engineering as an internal audit unit
• Example phishing email Subject: Vacation Policy Attention, An important change has been made to our vacation policy; we have made the changes available for you to view on our new HR portal. Please let us know if you have any questions with the changes made to the vacation policy. www.xyzcu.com/HR Regards, XYZ Credit Union HR HR@xyzcucom Social engineering as an internal audit unit
• Reporting on social engineering test results – Be as detailed as possible when describing the scenarios/scripts and the results. – Do not implicate a single person—social engineering testing is a learning tool, not a punishment. • How this is handled may cause internal audit to be viewed poorly within the organization. – Consider a grading scale. • Many audit reports report findings as pass/fail. Social engineering results may be partly pass and partly fail. – Example: Allowed into telecom closet, but not behind the teller line. • Use a letter grading system for social engineering. – Clearly define what each aspect of the grading scale means. Social engineering as an internal audit unit
• Real example of a pretexting report finding. Condition On Monday, February 24, 2014, Internal Audit attempted to gain access to secured areas of five branches using social engineering physical penetration techniques while posing as employees of the XYZ Credit Union “Asset Management Division” who were onsite to inspect for asset management controls. At the Main and First and Second Street branches, credit union personnel gave disguised Internal Audit personnel access to all secured areas of the branch. During this visit, branch personnel never attempted to validate our identities by looking at driver’s licenses or whether or not we were supposed to be at the branch by calling responsible management to confirm the visit. At all times during the visit, branch personnel always displayed behavior that was consistent with “buying in” to the XZY Credit Union “Asset Management Division” script. At the Main Street branch, Internal Audit personnel witnessed a drawer at a teller station slightly open and containing what appeared to be a large sum of cash. The Internal Audit employee who witnessed the open drawer was directly behind the teller counter and in the exact position where a teller would stand while providing service to a customer. Finally, when requesting access to the telecom closet, branch personnel opened the fire extinguisher bay door located next to the telecom closet door to retrieve the key. The key was not there at the time; however, the action was an indication that the key may be stored in that location at times. At the Second Street branch, a teller was prepared to grant us access to secured areas of the bank because two key contacts in the branch were on the phone at the time. Just as we were about to get access, one of those persons got off the phone and that person followed procedure and ultimately ended our test and did not grant us access. Social engineering as an internal audit unit
• No matter how robust an organization’s: – Firewalls – Intrusion detection systems – Anti-virus/malware software – Other technological and physical safeguards • The human is always the weakest link when dealing with security and protecting valuable information. • Knowledge is power. – People sometimes want others to “know what they know” to demonstrate importance. Weakest Link?
• Good habits drive security culture and there are no technologies that will ever make up for poor security culture. • Social engineering audit is one method commonly used to assess the condition of the overall security culture. Key take away
Questions?

Recommandé

Cyber Kill Chain Deck for General Audience
Cyber Kill Chain Deck for General AudienceCyber Kill Chain Deck for General Audience
Cyber Kill Chain Deck for General AudienceTom K
 
Social Engineering - Human aspects of industrial and economic espionage
Social Engineering - Human aspects of industrial and economic espionageSocial Engineering - Human aspects of industrial and economic espionage
Social Engineering - Human aspects of industrial and economic espionageMarin Ivezic
 
Social engineering attacks
Social engineering attacksSocial engineering attacks
Social engineering attacksRamiro Cid
 
Social engineering
Social engineeringSocial engineering
Social engineeringankushmohanty
 
Social Engineering Basics
Social Engineering BasicsSocial Engineering Basics
Social Engineering BasicsLuke Rusten
 
Cybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationCybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationTriCorps Technologies
 
Social Engineering
Social EngineeringSocial Engineering
Social EngineeringPaul Devassy, CPP
 
Cybersecurity Awareness Training
Cybersecurity Awareness TrainingCybersecurity Awareness Training
Cybersecurity Awareness TrainingDave Monahan
 

Recommandé

Cyber Kill Chain Deck for General Audience
Cyber Kill Chain Deck for General AudienceCyber Kill Chain Deck for General Audience
Cyber Kill Chain Deck for General AudienceTom K
 
Social Engineering - Human aspects of industrial and economic espionage
Social Engineering - Human aspects of industrial and economic espionageSocial Engineering - Human aspects of industrial and economic espionage
Social Engineering - Human aspects of industrial and economic espionageMarin Ivezic
 
Social engineering attacks
Social engineering attacksSocial engineering attacks
Social engineering attacksRamiro Cid
 
Social engineering
Social engineeringSocial engineering
Social engineeringankushmohanty
 
Social Engineering Basics
Social Engineering BasicsSocial Engineering Basics
Social Engineering BasicsLuke Rusten
 
Cybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationCybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationTriCorps Technologies
 
Social Engineering
Social EngineeringSocial Engineering
Social EngineeringPaul Devassy, CPP
 
Cybersecurity Awareness Training
Cybersecurity Awareness TrainingCybersecurity Awareness Training
Cybersecurity Awareness TrainingDave Monahan
 
Network Security
Network SecurityNetwork Security
Network SecurityMAJU
 
Presentation of Social Engineering - The Art of Human Hacking
Presentation of Social Engineering - The Art of Human HackingPresentation of Social Engineering - The Art of Human Hacking
Presentation of Social Engineering - The Art of Human Hackingmsaksida
 
Types of cyber attacks
Types of cyber attacksTypes of cyber attacks
Types of cyber attackskrishh sivakrishna
 
Social engineering
Social engineering Social engineering
Social engineering Abdelhamid Limami
 
Cyber security
Cyber securityCyber security
Cyber securitySabir Raja
 
Security Awareness Training.pptx
Security Awareness Training.pptxSecurity Awareness Training.pptx
Security Awareness Training.pptxMohammedYaseen638128
 
Social Engineering - Are You Protecting Your Data Enough?
Social Engineering - Are You Protecting Your Data Enough?Social Engineering - Are You Protecting Your Data Enough?
Social Engineering - Are You Protecting Your Data Enough?JamRivera1
 
Spoofing
SpoofingSpoofing
SpoofingSanjeev
 
Man in the middle attack .pptx
Man in the middle attack .pptxMan in the middle attack .pptx
Man in the middle attack .pptxPradeepKumar728006
 
Social engineering presentation
Social engineering presentationSocial engineering presentation
Social engineering presentationpooja_doshi
 
Social Engineering
Social EngineeringSocial Engineering
Social EngineeringCyber Agency
 
End User Security Awareness Presentation
End User Security Awareness PresentationEnd User Security Awareness Presentation
End User Security Awareness PresentationCristian Mihai
 
Network security
Network securityNetwork security
Network securityquest university nawabshah
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security FundamentalsRahmat Suhatman
 
Social Engineering,social engeineering techniques,social engineering protecti...
Social Engineering,social engeineering techniques,social engineering protecti...Social Engineering,social engeineering techniques,social engineering protecti...
Social Engineering,social engeineering techniques,social engineering protecti...ABHAY PATHAK
 
Social engineering
Social engineeringSocial engineering
Social engineeringVishal Kumar
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
Anti phishing presentation
Anti phishing presentationAnti phishing presentation
Anti phishing presentationBokangMalunga
 
Cyber Crime and Security
Cyber Crime and SecurityCyber Crime and Security
Cyber Crime and SecurityDipesh Waghela
 
Phishing and prevention
Phishing and preventionPhishing and prevention
Phishing and preventionStephen Hasford
 
Raising information security awareness
Raising information security awarenessRaising information security awareness
Raising information security awarenessTerranovatraining
 
Engage! Creating a Meaningful Security Awareness Program
Engage! Creating a Meaningful Security Awareness ProgramEngage! Creating a Meaningful Security Awareness Program
Engage! Creating a Meaningful Security Awareness ProgramBen Woelk, CISSP, CPTC
 

Contenu connexe

Tendances

Network Security
Network SecurityNetwork Security
Network SecurityMAJU
 
Presentation of Social Engineering - The Art of Human Hacking
Presentation of Social Engineering - The Art of Human HackingPresentation of Social Engineering - The Art of Human Hacking
Presentation of Social Engineering - The Art of Human Hackingmsaksida
 
Cyber security
Cyber securityCyber security
Cyber securitySabir Raja
 
Social Engineering - Are You Protecting Your Data Enough?
Social Engineering - Are You Protecting Your Data Enough?Social Engineering - Are You Protecting Your Data Enough?
Social Engineering - Are You Protecting Your Data Enough?JamRivera1
 
Spoofing
SpoofingSpoofing
SpoofingSanjeev
 
Man in the middle attack .pptx
Man in the middle attack .pptxMan in the middle attack .pptx
Man in the middle attack .pptxPradeepKumar728006
 
Social engineering presentation
Social engineering presentationSocial engineering presentation
Social engineering presentationpooja_doshi
 
Social Engineering
Social EngineeringSocial Engineering
Social EngineeringCyber Agency
 
End User Security Awareness Presentation
End User Security Awareness PresentationEnd User Security Awareness Presentation
End User Security Awareness PresentationCristian Mihai
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security FundamentalsRahmat Suhatman
 
Social Engineering,social engeineering techniques,social engineering protecti...
Social Engineering,social engeineering techniques,social engineering protecti...Social Engineering,social engeineering techniques,social engineering protecti...
Social Engineering,social engeineering techniques,social engineering protecti...ABHAY PATHAK
 
Social engineering
Social engineeringSocial engineering
Social engineeringVishal Kumar
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
Anti phishing presentation
Anti phishing presentationAnti phishing presentation
Anti phishing presentationBokangMalunga
 
Cyber Crime and Security
Cyber Crime and SecurityCyber Crime and Security
Cyber Crime and SecurityDipesh Waghela
 

Tendances (20)

Network Security
Network SecurityNetwork Security
Network Security
 
Presentation of Social Engineering - The Art of Human Hacking
Presentation of Social Engineering - The Art of Human HackingPresentation of Social Engineering - The Art of Human Hacking
Presentation of Social Engineering - The Art of Human Hacking
 
Types of cyber attacks
Types of cyber attacksTypes of cyber attacks
Types of cyber attacks
 
Social engineering
Social engineering Social engineering
Social engineering
 
Cyber security
Cyber securityCyber security
Cyber security
 
Security Awareness Training.pptx
Security Awareness Training.pptxSecurity Awareness Training.pptx
Security Awareness Training.pptx
 
Social Engineering - Are You Protecting Your Data Enough?
Social Engineering - Are You Protecting Your Data Enough?Social Engineering - Are You Protecting Your Data Enough?
Social Engineering - Are You Protecting Your Data Enough?
 
Spoofing
SpoofingSpoofing
Spoofing
 
Man in the middle attack .pptx
Man in the middle attack .pptxMan in the middle attack .pptx
Man in the middle attack .pptx
 
Social engineering presentation
Social engineering presentationSocial engineering presentation
Social engineering presentation
 
Social Engineering
Social EngineeringSocial Engineering
Social Engineering
 
End User Security Awareness Presentation
End User Security Awareness PresentationEnd User Security Awareness Presentation
End User Security Awareness Presentation
 
Network security
Network securityNetwork security
Network security
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security Fundamentals
 
Social Engineering,social engeineering techniques,social engineering protecti...
Social Engineering,social engeineering techniques,social engineering protecti...Social Engineering,social engeineering techniques,social engineering protecti...
Social Engineering,social engeineering techniques,social engineering protecti...
 
Social engineering
Social engineeringSocial engineering
Social engineering
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
 
Anti phishing presentation
Anti phishing presentationAnti phishing presentation
Anti phishing presentation
 
Cyber Crime and Security
Cyber Crime and SecurityCyber Crime and Security
Cyber Crime and Security
 
Phishing and prevention
Phishing and preventionPhishing and prevention
Phishing and prevention
 

En vedette

Raising information security awareness
Raising information security awarenessRaising information security awareness
Raising information security awarenessTerranovatraining
 
Engage! Creating a Meaningful Security Awareness Program
Engage! Creating a Meaningful Security Awareness ProgramEngage! Creating a Meaningful Security Awareness Program
Engage! Creating a Meaningful Security Awareness ProgramBen Woelk, CISSP, CPTC
 
What is Social Engineering? An illustrated presentation.
What is Social Engineering? An illustrated presentation.What is Social Engineering? An illustrated presentation.
What is Social Engineering? An illustrated presentation.Pratum
 
Cyber security awareness for students
Cyber security awareness for studentsCyber security awareness for students
Cyber security awareness for studentsKandarp Shah
 
Social engineering tales
Social engineering tales Social engineering tales
Social engineering tales Ahmed Musaad
 
Social Engineering: "The Cyber-Con"
Social Engineering: "The Cyber-Con"Social Engineering: "The Cyber-Con"
Social Engineering: "The Cyber-Con"abercius24
 
Metodology Risk Assessment ISMS
Metodology Risk Assessment ISMSMetodology Risk Assessment ISMS
Metodology Risk Assessment ISMSblodotaji
 
Iso27001 Audit Services
Iso27001 Audit ServicesIso27001 Audit Services
Iso27001 Audit Servicestschraider
 
Why ISO-27001 is a better choice?
Why ISO-27001 is a better choice? Why ISO-27001 is a better choice?
Why ISO-27001 is a better choice? Patten John
 
CIS Audit Lecture # 1
CIS Audit Lecture # 1CIS Audit Lecture # 1
CIS Audit Lecture # 1Cheng Olayvar
 
Rothke Patchlink
Rothke PatchlinkRothke Patchlink
Rothke PatchlinkBen Rothke
 
Iso27001 Approach
Iso27001 ApproachIso27001 Approach
Iso27001 Approachtschraider
 
IS Audit and Internal Controls
IS Audit and Internal ControlsIS Audit and Internal Controls
IS Audit and Internal ControlsBharath Rao
 
Hacker tooltalk: Social Engineering Toolkit (SET)
Hacker tooltalk: Social Engineering Toolkit (SET)Hacker tooltalk: Social Engineering Toolkit (SET)
Hacker tooltalk: Social Engineering Toolkit (SET)Chris Hammond-Thrasher
 
Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeterBen Rothke
 
Security and Audit Report Sign-Off—Made Easy
Security and Audit Report Sign-Off—Made EasySecurity and Audit Report Sign-Off—Made Easy
Security and Audit Report Sign-Off—Made EasyHelpSystems
 
Security Audit Best-Practices
Security Audit Best-PracticesSecurity Audit Best-Practices
Security Audit Best-PracticesMarco Raposo
 

En vedette (20)

Raising information security awareness
Raising information security awarenessRaising information security awareness
Raising information security awareness
 
Engage! Creating a Meaningful Security Awareness Program
Engage! Creating a Meaningful Security Awareness ProgramEngage! Creating a Meaningful Security Awareness Program
Engage! Creating a Meaningful Security Awareness Program
 
What is Social Engineering? An illustrated presentation.
What is Social Engineering? An illustrated presentation.What is Social Engineering? An illustrated presentation.
What is Social Engineering? An illustrated presentation.
 
Cyber security awareness for students
Cyber security awareness for studentsCyber security awareness for students
Cyber security awareness for students
 
CISSPills #3.02
CISSPills #3.02CISSPills #3.02
CISSPills #3.02
 
AIS Lecture 1
AIS Lecture 1AIS Lecture 1
AIS Lecture 1
 
Social engineering tales
Social engineering tales Social engineering tales
Social engineering tales
 
Social Engineering: "The Cyber-Con"
Social Engineering: "The Cyber-Con"Social Engineering: "The Cyber-Con"
Social Engineering: "The Cyber-Con"
 
Metodology Risk Assessment ISMS
Metodology Risk Assessment ISMSMetodology Risk Assessment ISMS
Metodology Risk Assessment ISMS
 
Iso27001 Audit Services
Iso27001 Audit ServicesIso27001 Audit Services
Iso27001 Audit Services
 
Why ISO-27001 is a better choice?
Why ISO-27001 is a better choice? Why ISO-27001 is a better choice?
Why ISO-27001 is a better choice?
 
CIS Audit Lecture # 1
CIS Audit Lecture # 1CIS Audit Lecture # 1
CIS Audit Lecture # 1
 
Rothke Patchlink
Rothke PatchlinkRothke Patchlink
Rothke Patchlink
 
Iso27001 Approach
Iso27001 ApproachIso27001 Approach
Iso27001 Approach
 
IS Audit and Internal Controls
IS Audit and Internal ControlsIS Audit and Internal Controls
IS Audit and Internal Controls
 
Hacker tooltalk: Social Engineering Toolkit (SET)
Hacker tooltalk: Social Engineering Toolkit (SET)Hacker tooltalk: Social Engineering Toolkit (SET)
Hacker tooltalk: Social Engineering Toolkit (SET)
 
Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeter
 
Security and Audit Report Sign-Off—Made Easy
Security and Audit Report Sign-Off—Made EasySecurity and Audit Report Sign-Off—Made Easy
Security and Audit Report Sign-Off—Made Easy
 
ISCA-CA Final
ISCA-CA FinalISCA-CA Final
ISCA-CA Final
 
Security Audit Best-Practices
Security Audit Best-PracticesSecurity Audit Best-Practices
Security Audit Best-Practices
 

Similaire à Social Engineering Audit & Security Awareness Program

Keeping an Eye On Risk - Current Concerns and Supervisory Oversight
Keeping an Eye On Risk - Current Concerns and Supervisory OversightKeeping an Eye On Risk - Current Concerns and Supervisory Oversight
Keeping an Eye On Risk - Current Concerns and Supervisory OversightCBIZ, Inc.
 
Cybersecurity Best Practices in Financial Services
Cybersecurity Best Practices in Financial ServicesCybersecurity Best Practices in Financial Services
Cybersecurity Best Practices in Financial ServicesJohn Rapa
 
Best Practices for Security Awareness and Training
Best Practices for Security Awareness and TrainingBest Practices for Security Awareness and Training
Best Practices for Security Awareness and TrainingKimberly Hood
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Stephen Cobb
 
Top_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptx
Top_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptxTop_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptx
Top_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptxinfosec train
 
Hacking the Human - How Secure Is Your Organization?
Hacking the Human - How Secure Is Your Organization?Hacking the Human - How Secure Is Your Organization?
Hacking the Human - How Secure Is Your Organization?CBIZ, Inc.
 
Banning Whining, Avoiding Cyber Wolves, and Creating Warrior
Banning Whining, Avoiding Cyber Wolves, and Creating WarriorBanning Whining, Avoiding Cyber Wolves, and Creating Warrior
Banning Whining, Avoiding Cyber Wolves, and Creating WarriorSandra (Sandy) Dunn
 
Information Security Awareness
Information Security Awareness Information Security Awareness
Information Security Awareness Net at Work
 
Post 11. Long term GoalThe Group’s goal is to offer attr
Post 11. Long term GoalThe Group’s goal is to offer attrPost 11. Long term GoalThe Group’s goal is to offer attr
Post 11. Long term GoalThe Group’s goal is to offer attranhcrowley
 
Building an effective Information Security Roadmap
Building an effective Information Security RoadmapBuilding an effective Information Security Roadmap
Building an effective Information Security RoadmapElliott Franklin
 
Information Assurance Guidelines For Commercial Buildings...
Information Assurance Guidelines For Commercial Buildings...Information Assurance Guidelines For Commercial Buildings...
Information Assurance Guidelines For Commercial Buildings...Laura Benitez
 
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...AIIM International
 
How to Mitigate Risk From Your Expanding Digital Presence
How to Mitigate Risk From Your Expanding Digital PresenceHow to Mitigate Risk From Your Expanding Digital Presence
How to Mitigate Risk From Your Expanding Digital PresenceSurfWatch Labs
 
Best practices to mitigate data breach risk
Best practices to mitigate data breach riskBest practices to mitigate data breach risk
Best practices to mitigate data breach riskLivingstone Advisory
 
Role of The Board In IT Governance & Cyber Security-Steve Howse
Role of The Board In IT Governance & Cyber Security-Steve HowseRole of The Board In IT Governance & Cyber Security-Steve Howse
Role of The Board In IT Governance & Cyber Security-Steve HowseCGTI
 
Fissea09 mgupta-day3-panel process-program-build-effective-training
Fissea09 mgupta-day3-panel process-program-build-effective-trainingFissea09 mgupta-day3-panel process-program-build-effective-training
Fissea09 mgupta-day3-panel process-program-build-effective-trainingSwati Gupta
 
Be More Secure than your Competition: MePush Cyber Security for Small Business
Be More Secure than your Competition: MePush Cyber Security for Small BusinessBe More Secure than your Competition: MePush Cyber Security for Small Business
Be More Secure than your Competition: MePush Cyber Security for Small BusinessArt Ocain
 
Jack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security MetricsJack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security Metricscentralohioissa
 
Information Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security MetricsInformation Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security MetricsJack Nichelson
 

Similaire à Social Engineering Audit & Security Awareness Program (20)

Keeping an Eye On Risk - Current Concerns and Supervisory Oversight
Keeping an Eye On Risk - Current Concerns and Supervisory OversightKeeping an Eye On Risk - Current Concerns and Supervisory Oversight
Keeping an Eye On Risk - Current Concerns and Supervisory Oversight
 
Cybersecurity Best Practices in Financial Services
Cybersecurity Best Practices in Financial ServicesCybersecurity Best Practices in Financial Services
Cybersecurity Best Practices in Financial Services
 
Best Practices for Security Awareness and Training
Best Practices for Security Awareness and TrainingBest Practices for Security Awareness and Training
Best Practices for Security Awareness and Training
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...
 
Top_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptx
Top_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptxTop_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptx
Top_10_Interview_Questions_That_You_Should_Know_as_an_Information.pptx
 
Hacking the Human - How Secure Is Your Organization?
Hacking the Human - How Secure Is Your Organization?Hacking the Human - How Secure Is Your Organization?
Hacking the Human - How Secure Is Your Organization?
 
Banning Whining, Avoiding Cyber Wolves, and Creating Warrior
Banning Whining, Avoiding Cyber Wolves, and Creating WarriorBanning Whining, Avoiding Cyber Wolves, and Creating Warrior
Banning Whining, Avoiding Cyber Wolves, and Creating Warrior
 
Information Security Awareness
Information Security Awareness Information Security Awareness
Information Security Awareness
 
Post 11. Long term GoalThe Group’s goal is to offer attr
Post 11. Long term GoalThe Group’s goal is to offer attrPost 11. Long term GoalThe Group’s goal is to offer attr
Post 11. Long term GoalThe Group’s goal is to offer attr
 
Building an effective Information Security Roadmap
Building an effective Information Security RoadmapBuilding an effective Information Security Roadmap
Building an effective Information Security Roadmap
 
Information Assurance Guidelines For Commercial Buildings...
Information Assurance Guidelines For Commercial Buildings...Information Assurance Guidelines For Commercial Buildings...
Information Assurance Guidelines For Commercial Buildings...
 
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
 
How to Mitigate Risk From Your Expanding Digital Presence
How to Mitigate Risk From Your Expanding Digital PresenceHow to Mitigate Risk From Your Expanding Digital Presence
How to Mitigate Risk From Your Expanding Digital Presence
 
Best practices to mitigate data breach risk
Best practices to mitigate data breach riskBest practices to mitigate data breach risk
Best practices to mitigate data breach risk
 
CISO's first 100 days
CISO's first 100 daysCISO's first 100 days
CISO's first 100 days
 
Role of The Board In IT Governance & Cyber Security-Steve Howse
Role of The Board In IT Governance & Cyber Security-Steve HowseRole of The Board In IT Governance & Cyber Security-Steve Howse
Role of The Board In IT Governance & Cyber Security-Steve Howse
 
Fissea09 mgupta-day3-panel process-program-build-effective-training
Fissea09 mgupta-day3-panel process-program-build-effective-trainingFissea09 mgupta-day3-panel process-program-build-effective-training
Fissea09 mgupta-day3-panel process-program-build-effective-training
 
Be More Secure than your Competition: MePush Cyber Security for Small Business
Be More Secure than your Competition: MePush Cyber Security for Small BusinessBe More Secure than your Competition: MePush Cyber Security for Small Business
Be More Secure than your Competition: MePush Cyber Security for Small Business
 
Jack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security MetricsJack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security Metrics
 
Information Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security MetricsInformation Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security Metrics
 

Plus de CBIZ, Inc.

BIZGrowth Strategies — Cybersecurity Special Edition 2023
BIZGrowth Strategies — Cybersecurity Special Edition 2023BIZGrowth Strategies — Cybersecurity Special Edition 2023
BIZGrowth Strategies — Cybersecurity Special Edition 2023CBIZ, Inc.
 
BIZGrowth Strategies - Back to Basics Special Edition
BIZGrowth Strategies - Back to Basics Special EditionBIZGrowth Strategies - Back to Basics Special Edition
BIZGrowth Strategies - Back to Basics Special EditionCBIZ, Inc.
 
The Advantage — Summer 2023
The Advantage — Summer 2023The Advantage — Summer 2023
The Advantage — Summer 2023CBIZ, Inc.
 
BIZGrowth Strategies - Workforce & Talent Optimization Special Edition
BIZGrowth Strategies - Workforce & Talent Optimization Special EditionBIZGrowth Strategies - Workforce & Talent Optimization Special Edition
BIZGrowth Strategies - Workforce & Talent Optimization Special EditionCBIZ, Inc.
 
BIZGrowth Newsletter - Economic Slowdown Solutions Special Edition
BIZGrowth Newsletter - Economic Slowdown Solutions Special EditionBIZGrowth Newsletter - Economic Slowdown Solutions Special Edition
BIZGrowth Newsletter - Economic Slowdown Solutions Special EditionCBIZ, Inc.
 
BIZGrowth Strategies - Cybersecurity Special Edition
BIZGrowth Strategies - Cybersecurity Special EditionBIZGrowth Strategies - Cybersecurity Special Edition
BIZGrowth Strategies - Cybersecurity Special EditionCBIZ, Inc.
 
Connections Help Law Practice Efficiently Obtain $5 Million Line of Credit
Connections Help Law Practice Efficiently Obtain $5 Million Line of CreditConnections Help Law Practice Efficiently Obtain $5 Million Line of Credit
Connections Help Law Practice Efficiently Obtain $5 Million Line of CreditCBIZ, Inc.
 
Custom Communication Plan & Active Enrollment Result in Increased Consumerism
Custom Communication Plan & Active Enrollment Result in Increased ConsumerismCustom Communication Plan & Active Enrollment Result in Increased Consumerism
Custom Communication Plan & Active Enrollment Result in Increased ConsumerismCBIZ, Inc.
 
Experienced Consulting Approach Leads Engineering Firm to the Right CFO
Experienced Consulting Approach Leads Engineering Firm to the Right CFOExperienced Consulting Approach Leads Engineering Firm to the Right CFO
Experienced Consulting Approach Leads Engineering Firm to the Right CFOCBIZ, Inc.
 
BIZGrowth Strategies - Summer 2022
BIZGrowth Strategies - Summer 2022BIZGrowth Strategies - Summer 2022
BIZGrowth Strategies - Summer 2022CBIZ, Inc.
 
Inflation, Interest Rates & the Disruption to CRE
Inflation, Interest Rates & the Disruption to CREInflation, Interest Rates & the Disruption to CRE
Inflation, Interest Rates & the Disruption to CRECBIZ, Inc.
 
CBIZ Quarterly Manufacturing and Distribution "Hot Topics" Newsletter (May-Ju...
CBIZ Quarterly Manufacturing and Distribution "Hot Topics" Newsletter (May-Ju...CBIZ Quarterly Manufacturing and Distribution "Hot Topics" Newsletter (May-Ju...
CBIZ Quarterly Manufacturing and Distribution "Hot Topics" Newsletter (May-Ju...CBIZ, Inc.
 
Rethinking Total Compensation to Retain Top Talent
Rethinking Total Compensation to Retain Top TalentRethinking Total Compensation to Retain Top Talent
Rethinking Total Compensation to Retain Top TalentCBIZ, Inc.
 
Common Labor Shortage Risks & Tips to Mitigate Your Exposures
Common Labor Shortage Risks & Tips to Mitigate Your ExposuresCommon Labor Shortage Risks & Tips to Mitigate Your Exposures
Common Labor Shortage Risks & Tips to Mitigate Your ExposuresCBIZ, Inc.
 
How the Great Resignation Affects the Tax Function
How the Great Resignation Affects the Tax FunctionHow the Great Resignation Affects the Tax Function
How the Great Resignation Affects the Tax FunctionCBIZ, Inc.
 
Using Technology to Secure Talent
Using Technology to Secure TalentUsing Technology to Secure Talent
Using Technology to Secure TalentCBIZ, Inc.
 
Experienced Consulting Approach Leads Engineering Firm to the Right CFO
Experienced Consulting Approach Leads Engineering Firm to the Right CFOExperienced Consulting Approach Leads Engineering Firm to the Right CFO
Experienced Consulting Approach Leads Engineering Firm to the Right CFOCBIZ, Inc.
 
BIZGrowth Strategies - The Great Resignation Special Edition
BIZGrowth Strategies - The Great Resignation Special EditionBIZGrowth Strategies - The Great Resignation Special Edition
BIZGrowth Strategies - The Great Resignation Special EditionCBIZ, Inc.
 
Tax incentive alert KS
Tax incentive alert KSTax incentive alert KS
Tax incentive alert KSCBIZ, Inc.
 
CBIZ Quarterly Commercial Real Estate "Hot Topics" Newsletter (Jan-Feb 2022)
CBIZ Quarterly Commercial Real Estate "Hot Topics" Newsletter (Jan-Feb 2022)CBIZ Quarterly Commercial Real Estate "Hot Topics" Newsletter (Jan-Feb 2022)
CBIZ Quarterly Commercial Real Estate "Hot Topics" Newsletter (Jan-Feb 2022)CBIZ, Inc.
 

Plus de CBIZ, Inc. (20)

BIZGrowth Strategies — Cybersecurity Special Edition 2023
BIZGrowth Strategies — Cybersecurity Special Edition 2023BIZGrowth Strategies — Cybersecurity Special Edition 2023
BIZGrowth Strategies — Cybersecurity Special Edition 2023
 
BIZGrowth Strategies - Back to Basics Special Edition
BIZGrowth Strategies - Back to Basics Special EditionBIZGrowth Strategies - Back to Basics Special Edition
BIZGrowth Strategies - Back to Basics Special Edition
 
The Advantage — Summer 2023
The Advantage — Summer 2023The Advantage — Summer 2023
The Advantage — Summer 2023
 
BIZGrowth Strategies - Workforce & Talent Optimization Special Edition
BIZGrowth Strategies - Workforce & Talent Optimization Special EditionBIZGrowth Strategies - Workforce & Talent Optimization Special Edition
BIZGrowth Strategies - Workforce & Talent Optimization Special Edition
 
BIZGrowth Newsletter - Economic Slowdown Solutions Special Edition
BIZGrowth Newsletter - Economic Slowdown Solutions Special EditionBIZGrowth Newsletter - Economic Slowdown Solutions Special Edition
BIZGrowth Newsletter - Economic Slowdown Solutions Special Edition
 
BIZGrowth Strategies - Cybersecurity Special Edition
BIZGrowth Strategies - Cybersecurity Special EditionBIZGrowth Strategies - Cybersecurity Special Edition
BIZGrowth Strategies - Cybersecurity Special Edition
 
Connections Help Law Practice Efficiently Obtain $5 Million Line of Credit
Connections Help Law Practice Efficiently Obtain $5 Million Line of CreditConnections Help Law Practice Efficiently Obtain $5 Million Line of Credit
Connections Help Law Practice Efficiently Obtain $5 Million Line of Credit
 
Custom Communication Plan & Active Enrollment Result in Increased Consumerism
Custom Communication Plan & Active Enrollment Result in Increased ConsumerismCustom Communication Plan & Active Enrollment Result in Increased Consumerism
Custom Communication Plan & Active Enrollment Result in Increased Consumerism
 
Experienced Consulting Approach Leads Engineering Firm to the Right CFO
Experienced Consulting Approach Leads Engineering Firm to the Right CFOExperienced Consulting Approach Leads Engineering Firm to the Right CFO
Experienced Consulting Approach Leads Engineering Firm to the Right CFO
 
BIZGrowth Strategies - Summer 2022
BIZGrowth Strategies - Summer 2022BIZGrowth Strategies - Summer 2022
BIZGrowth Strategies - Summer 2022
 
Inflation, Interest Rates & the Disruption to CRE
Inflation, Interest Rates & the Disruption to CREInflation, Interest Rates & the Disruption to CRE
Inflation, Interest Rates & the Disruption to CRE
 
CBIZ Quarterly Manufacturing and Distribution "Hot Topics" Newsletter (May-Ju...
CBIZ Quarterly Manufacturing and Distribution "Hot Topics" Newsletter (May-Ju...CBIZ Quarterly Manufacturing and Distribution "Hot Topics" Newsletter (May-Ju...
CBIZ Quarterly Manufacturing and Distribution "Hot Topics" Newsletter (May-Ju...
 
Rethinking Total Compensation to Retain Top Talent
Rethinking Total Compensation to Retain Top TalentRethinking Total Compensation to Retain Top Talent
Rethinking Total Compensation to Retain Top Talent
 
Common Labor Shortage Risks & Tips to Mitigate Your Exposures
Common Labor Shortage Risks & Tips to Mitigate Your ExposuresCommon Labor Shortage Risks & Tips to Mitigate Your Exposures
Common Labor Shortage Risks & Tips to Mitigate Your Exposures
 
How the Great Resignation Affects the Tax Function
How the Great Resignation Affects the Tax FunctionHow the Great Resignation Affects the Tax Function
How the Great Resignation Affects the Tax Function
 
Using Technology to Secure Talent
Using Technology to Secure TalentUsing Technology to Secure Talent
Using Technology to Secure Talent
 
Experienced Consulting Approach Leads Engineering Firm to the Right CFO
Experienced Consulting Approach Leads Engineering Firm to the Right CFOExperienced Consulting Approach Leads Engineering Firm to the Right CFO
Experienced Consulting Approach Leads Engineering Firm to the Right CFO
 
BIZGrowth Strategies - The Great Resignation Special Edition
BIZGrowth Strategies - The Great Resignation Special EditionBIZGrowth Strategies - The Great Resignation Special Edition
BIZGrowth Strategies - The Great Resignation Special Edition
 
Tax incentive alert KS
Tax incentive alert KSTax incentive alert KS
Tax incentive alert KS
 
CBIZ Quarterly Commercial Real Estate "Hot Topics" Newsletter (Jan-Feb 2022)
CBIZ Quarterly Commercial Real Estate "Hot Topics" Newsletter (Jan-Feb 2022)CBIZ Quarterly Commercial Real Estate "Hot Topics" Newsletter (Jan-Feb 2022)
CBIZ Quarterly Commercial Real Estate "Hot Topics" Newsletter (Jan-Feb 2022)
 

Dernier

20200128 Ethical by Design - Whitepaper.pdf
20200128 Ethical by Design - Whitepaper.pdf20200128 Ethical by Design - Whitepaper.pdf
20200128 Ethical by Design - Whitepaper.pdfChris Skinner
 
business environment micro environment macro environment.pptx
business environment micro environment macro environment.pptxbusiness environment micro environment macro environment.pptx
business environment micro environment macro environment.pptxShruti Mittal
 
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptxThe-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptxmbikashkanyari
 
Technical Leaders - Working with the Management Team
Technical Leaders - Working with the Management TeamTechnical Leaders - Working with the Management Team
Technical Leaders - Working with the Management TeamArik Fletcher
 
APRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfAPRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfRbc Rbcua
 
Intermediate Accounting, Volume 2, 13th Canadian Edition by Donald E. Kieso t...
Intermediate Accounting, Volume 2, 13th Canadian Edition by Donald E. Kieso t...Intermediate Accounting, Volume 2, 13th Canadian Edition by Donald E. Kieso t...
Intermediate Accounting, Volume 2, 13th Canadian Edition by Donald E. Kieso t...ssuserf63bd7
 
1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdf1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdfShaun Heinrichs
 
Driving Business Impact for PMs with Jon Harmer
Driving Business Impact for PMs with Jon HarmerDriving Business Impact for PMs with Jon Harmer
Driving Business Impact for PMs with Jon HarmerAggregage
 
GUIDELINES ON USEFUL FORMS IN FREIGHT FORWARDING (F) Danny Diep Toh MBA.pdf
GUIDELINES ON USEFUL FORMS IN FREIGHT FORWARDING (F) Danny Diep Toh MBA.pdfGUIDELINES ON USEFUL FORMS IN FREIGHT FORWARDING (F) Danny Diep Toh MBA.pdf
GUIDELINES ON USEFUL FORMS IN FREIGHT FORWARDING (F) Danny Diep Toh MBA.pdfDanny Diep To
 
Jewish Resources in the Family Resource Centre
Jewish Resources in the Family Resource CentreJewish Resources in the Family Resource Centre
Jewish Resources in the Family Resource CentreNZSG
 
Appkodes Tinder Clone Script with Customisable Solutions.pptx
Appkodes Tinder Clone Script with Customisable Solutions.pptxAppkodes Tinder Clone Script with Customisable Solutions.pptx
Appkodes Tinder Clone Script with Customisable Solutions.pptxappkodes
 
Introducing the Analogic framework for business planning applications
Introducing the Analogic framework for business planning applicationsIntroducing the Analogic framework for business planning applications
Introducing the Analogic framework for business planning applicationsKnowledgeSeed
 
EUDR Info Meeting Ethiopian coffee exporters
EUDR Info Meeting Ethiopian coffee exportersEUDR Info Meeting Ethiopian coffee exporters
EUDR Info Meeting Ethiopian coffee exportersPeter Horsten
 
Unveiling the Soundscape Music for Psychedelic Experiences
Unveiling the Soundscape Music for Psychedelic ExperiencesUnveiling the Soundscape Music for Psychedelic Experiences
Unveiling the Soundscape Music for Psychedelic ExperiencesDoe Paoro
 
The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...
The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...
The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...Operational Excellence Consulting
 
20220816-EthicsGrade_Scorecard-JP_Morgan_Chase-Q2-63_57.pdf
20220816-EthicsGrade_Scorecard-JP_Morgan_Chase-Q2-63_57.pdf20220816-EthicsGrade_Scorecard-JP_Morgan_Chase-Q2-63_57.pdf
20220816-EthicsGrade_Scorecard-JP_Morgan_Chase-Q2-63_57.pdfChris Skinner
 
TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024Adnet Communications
 
Planetary and Vedic Yagyas Bring Positive Impacts in Life
Planetary and Vedic Yagyas Bring Positive Impacts in LifePlanetary and Vedic Yagyas Bring Positive Impacts in Life
Planetary and Vedic Yagyas Bring Positive Impacts in LifeBhavana Pujan Kendra
 
NAB Show Exhibitor List 2024 - Exhibitors Data
NAB Show Exhibitor List 2024 - Exhibitors DataNAB Show Exhibitor List 2024 - Exhibitors Data
NAB Show Exhibitor List 2024 - Exhibitors DataExhibitors Data
 

Dernier (20)

20200128 Ethical by Design - Whitepaper.pdf
20200128 Ethical by Design - Whitepaper.pdf20200128 Ethical by Design - Whitepaper.pdf
20200128 Ethical by Design - Whitepaper.pdf
 
business environment micro environment macro environment.pptx
business environment micro environment macro environment.pptxbusiness environment micro environment macro environment.pptx
business environment micro environment macro environment.pptx
 
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptxThe-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
 
Technical Leaders - Working with the Management Team
Technical Leaders - Working with the Management TeamTechnical Leaders - Working with the Management Team
Technical Leaders - Working with the Management Team
 
APRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfAPRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdf
 
Intermediate Accounting, Volume 2, 13th Canadian Edition by Donald E. Kieso t...
Intermediate Accounting, Volume 2, 13th Canadian Edition by Donald E. Kieso t...Intermediate Accounting, Volume 2, 13th Canadian Edition by Donald E. Kieso t...
Intermediate Accounting, Volume 2, 13th Canadian Edition by Donald E. Kieso t...
 
1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdf1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdf
 
Driving Business Impact for PMs with Jon Harmer
Driving Business Impact for PMs with Jon HarmerDriving Business Impact for PMs with Jon Harmer
Driving Business Impact for PMs with Jon Harmer
 
GUIDELINES ON USEFUL FORMS IN FREIGHT FORWARDING (F) Danny Diep Toh MBA.pdf
GUIDELINES ON USEFUL FORMS IN FREIGHT FORWARDING (F) Danny Diep Toh MBA.pdfGUIDELINES ON USEFUL FORMS IN FREIGHT FORWARDING (F) Danny Diep Toh MBA.pdf
GUIDELINES ON USEFUL FORMS IN FREIGHT FORWARDING (F) Danny Diep Toh MBA.pdf
 
Jewish Resources in the Family Resource Centre
Jewish Resources in the Family Resource CentreJewish Resources in the Family Resource Centre
Jewish Resources in the Family Resource Centre
 
Appkodes Tinder Clone Script with Customisable Solutions.pptx
Appkodes Tinder Clone Script with Customisable Solutions.pptxAppkodes Tinder Clone Script with Customisable Solutions.pptx
Appkodes Tinder Clone Script with Customisable Solutions.pptx
 
Introducing the Analogic framework for business planning applications
Introducing the Analogic framework for business planning applicationsIntroducing the Analogic framework for business planning applications
Introducing the Analogic framework for business planning applications
 
EUDR Info Meeting Ethiopian coffee exporters
EUDR Info Meeting Ethiopian coffee exportersEUDR Info Meeting Ethiopian coffee exporters
EUDR Info Meeting Ethiopian coffee exporters
 
Unveiling the Soundscape Music for Psychedelic Experiences
Unveiling the Soundscape Music for Psychedelic ExperiencesUnveiling the Soundscape Music for Psychedelic Experiences
Unveiling the Soundscape Music for Psychedelic Experiences
 
The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...
The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...
The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...
 
The Bizz Quiz-E-Summit-E-Cell-IITPatna.pptx
The Bizz Quiz-E-Summit-E-Cell-IITPatna.pptxThe Bizz Quiz-E-Summit-E-Cell-IITPatna.pptx
The Bizz Quiz-E-Summit-E-Cell-IITPatna.pptx
 
20220816-EthicsGrade_Scorecard-JP_Morgan_Chase-Q2-63_57.pdf
20220816-EthicsGrade_Scorecard-JP_Morgan_Chase-Q2-63_57.pdf20220816-EthicsGrade_Scorecard-JP_Morgan_Chase-Q2-63_57.pdf
20220816-EthicsGrade_Scorecard-JP_Morgan_Chase-Q2-63_57.pdf
 
TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024
 
Planetary and Vedic Yagyas Bring Positive Impacts in Life
Planetary and Vedic Yagyas Bring Positive Impacts in LifePlanetary and Vedic Yagyas Bring Positive Impacts in Life
Planetary and Vedic Yagyas Bring Positive Impacts in Life
 
NAB Show Exhibitor List 2024 - Exhibitors Data
NAB Show Exhibitor List 2024 - Exhibitors DataNAB Show Exhibitor List 2024 - Exhibitors Data
NAB Show Exhibitor List 2024 - Exhibitors Data
 

Social Engineering Audit & Security Awareness Program

  • 1. Social Engineering Audit & Security Awareness Hacking the Human Kyle Konopasek, CIA CBIZ MHM, LLC – Kansas City
  • 2. Tony Coble, CPA Managing Director – CBIZ MHM and Shareholder, MHM 11440 Tomahawk Creek Parkway Leawood, KS 66211  Direct: (913) 234-1031  Email: acoble@cbiz.com Presenters Kyle Konopasek, CIA, CICA Manager – CBIZ MHM, LLC 11440 Tomahawk Creek Parkway Leawood, KS 66211  Direct: (913) 234-1020  Email: kkonopasek@cbiz.com
  • 3. About CBIZ and Mayer Hoffman McCann P.C. With offices in major cities throughout the United States, CBIZ is one of the nations leading providers of outsourced business services, including accounting and tax, internal audit, risk management, and a wide range of consulting services. CBIZ is strategically associated with Mayer Hoffman McCann P.C. (MHM). MHM is an independent public accounting firm with more than 280 shareholders in more than 35 offices. MHM specializes in attest services for mid-market and growing businesses, with a specialty practice devoted to financial institutions. Together, CBIZ and Mayer Hoffman McCann P.C. are one of the top accounting providers in the country.
  • 4. Learning Objectives • Understand regulatory compliance issues • Learn exactly what social engineering is and the various types used. • Understand how to identify a social engineering attack. • Gain insight on methods to deter or mitigate social engineering risk.
  • 6. • Security awareness reflects an organization’s mindset or attitude toward protecting the physical and intellectual assets of an organization. This attitude guides the approach used to protect those assets. In general, the approach is referred to as a security awareness program. What is security awareness?
  • 7. • What elements reflect the overall strength of an organization’s security culture? – What causes a security awareness program to fail? – What comprises a successful security awareness program? • Even the best technical security efforts will fail if the organization has a weak security culture. Security awareness success
  • 8. 1) Not understanding what security awareness really is. – Major difference between security awareness and security training. • Watching an online video about security awareness is training. – The primary goal of security awareness is to change behavior. 2) Reliance on checking the box. – Satisfying compliance standards equate to strong security awareness or even that security exists. • Merely prove the minimum standards have been met. • Standards are vague and difficult to measure. – EXAMPLE: “A security awareness program must be in place.” Why do security awareness programs fail?
  • 9. 3) Failing to acknowledge that security awareness is a unique discipline. – Who is responsible for the function? – Does the person have the knowledge, skills, and abilities? – Does the person have soft skills such as strong communication and marketing ability? • Initial efforts to implement security awareness and to affect change over time require such skills. Why do security awareness programs fail?
  • 10. 4) Lack of engaging and appropriate materials. – Annual computer-based training is not enough. – It is critical that multiple versions or styles of security awareness materials be implemented. • Ensure the materials are appropriate to the organization based on industry and employee demographics. • Younger employees respond better to blogs and twitter feeds while older employees prefer traditional materials like posters and newsletters. Why do security awareness programs fail?
  • 11. 5) Not collecting metrics. – Without metrics, there is no way to determine if security awareness goals are being met. • Are we wasting money or providing value? • What is working and what is not? • Are our losses decreasing? – Collecting metrics on a regular basis allows for adjustments. – Measure the impact to the organization. Why do security awareness programs fail?
  • 12. 5) Not collecting metrics (continued). – Example metrics include: • Number of people who fall victim to a phishing attack. • Number of employees who follow security policies. • Number of employees securing desk environment at end of day. • Number of employees using strong passwords. • Number of employees who follow and enforce policies for restricted access to facilities. • Who has or has not completed annual security awareness training. • Types of reinforcement training, who is it communicated to, and how often. Why do security awareness programs fail?
  • 13. 6) Unreasonable expectations. – No security counter-measure will ever be successful at mitigating all incidents. 7) Relying upon a single training exercise. – Focusing on a single security weakness or threat approach when there are dozens leaves an organization open to attack to ignored approaches. Why do security awareness programs fail?
  • 14. 1) C-suite support. – Awareness program support from executive management leads to more freedom, increased budgets, and support from other departments. – Obtaining strong support from top level management is first priority. • Consider materials designed specifically for executives—newsletters and brief articles that highlight relevant news and information. Keys to security awareness success
  • 15. 2) Partnering with key departments. – Get other departments involved in the program that might provide additional resources toward program success. • Human resources, legal, compliance, marketing, etc. • Consider the needs of these other departments and incorporate into the overall security awareness approach. 3) Creativity – Small budgets for security awareness are common, however, creativity and enthusiasm can bridge the gap created by a small budget. Keys to security awareness success
  • 16. 4) Metrics. – Prove the security awareness program effort is successful—utilize metrics. 5) Explanation and transparency. – Focus and how to accomplish specific actions through clear explanation. – Instead of telling people to not do certain things, explain how they can do certain things safely. Keys to security awareness success
  • 17. 6) 90-day plans. – Many programs follow a one-year plan with one topic covered monthly. • Does not reinforce knowledge and does not permit feedback or consider ongoing events. – A 90-day plan is most effective as it permits re-evaluation of the program and its goals more regularly. • Focus on 3 topics simultaneously and reinforce during the 90 days. • Can be easily adjusted to address current and key issues. Keys to security awareness success
  • 18. 7) Multimodal awareness materials – Utilize multiple forms of security awareness materials. • Newsletters • Blogs • Newsfeeds • Phishing simulation • Games – Participative approaches have the most long-term success. Keys to security awareness success
  • 19. 8) Incentivized security awareness programs. – Develop “Incentivized Awareness Programs”. – Focus on creating a reward structure to incentivize people for exercising desired behaviors. – This technique switches the entire awareness paradigm by encouraging employees to elicit a natural and desired behavior rather than forcing them. Keys to security awareness success
  • 21.
  • 22. • Attacker uses human interaction to obtain or compromise information. • Attacker may appear unassuming or respectable. – Pretend to be a new employee, repair man, utility provider, etc. – May even offer credentials. What is social engineering?
  • 23. • By asking questions, the attacker may piece enough information together to infiltrate an organization’s network. – May attempt to get information from many sources. What is social engineering?
  • 24. • Quid Pro Quo – Something for something. • Phishing – Fraudulently obtaining private information. • Baiting – Real world Trojan horse. • Pretexting – Invented scenario. • Diversion Theft – Lying and convincing others of a false truth—a con. Types of social engineering
  • 25. • Something for something – Call random phone numbers at an organization claiming to be from technical support. – Eventually you will reach someone with a legitimate problem. – Grateful you called them, they will follow your instructions. – The attacker will “help” the user, but will really have the victim type commands that will allow the attacker to install malware. Quid Pro Quo
  • 26. • Fraudulently obtaining private information – Send an email that looks like it came from a legitimate business. – Request verification of information and warn of some consequence if not provided. – Usually contains a link to a fraudulent web page that looks legitimate. • Example: Update login information to new HR portal. – User gives information to the social engineer/attacker. Phishing
  • 27. • Spear phishing – Specific phishing that include your name or demographic info. • Vishing – Phone phishing—may be a voice system asking for call back. Phishing - continued
  • 28. • Real example – Obtain email address of many employees in target organization including key individual targets like Controller, Staff Accountant, Executive Assistant, etc. – Develop website to “change password” or “setup new account” for a human resources vacation request system. • Actual organization website is “Western States Credit Union” • Link to attacker’s website is “Western States Credlt Union” – Email website link to obtained email addresses. Phishing - continued
  • 29. • Real world Trojan horse – Uses physical media. – Relies on greed and/or the curiosity of the target/victim. – Attacker leaves a malware infected CD or USB thumb drive in an obvious location so that it is easily found. – Attacker uses an intriguing or curious label to gain interest. • Example: “Employee Salaries and Bonuses 2014” – Curious employee uses the media and unknowingly installs malware. Baiting
  • 30. • Invented scenario – Involves prior research and a setup used to establish legitimacy. • Give information that a user would normally not divulge. – This technique is used to impersonate and imitate authority. • Uses prepared answers to a target’s questions. • Other useful information is gathered for future attacks. • Example: “VP of Facilities” visiting a branch. Pretexting
  • 31. • Real example – Telecom provider Pretexting - continued
  • 32. • Real example – Pose as a major telecom provider. – Props: • rented white van with magnetic logo • logo polo shirts and hats • business cards • work order • ID badge. – Enter credit union branch and ask to inspect the “roving telecom adapter” because they have been recalled. Pretexting - continued
  • 33. – Illegal examples from an auditing perspective • Law enforcement • Fire • Military/government official Pretexting - continued
  • 34. • Con – Persuade deliver person that delivery has been requested elsewhere. • When delivery is redirected, attacker persuades delivery driver to unload near a desired address. • Example: Attacker parks a “security vehicle” in bank parking lot. Target attempts to deposit money in night drop or ATM but is told by attacker that it is out of order. Target then gives money to attacker for deposit and safekeeping. Diversion Theft
  • 35. • Scavenging key bits of information from many documents put out in the trash. – Literally involves getting in a dumpster during off-peak hours and looking for information. – Janitorial crews could be involved. Are they bonded? • Document shredders are not always the answer – Vertical cut, cross cut, micro cut, and security cut. Dumpster diving
  • 36. • Training – User awareness • User knows that giving out certain information is bad. • Policies – Employees are not allowed to divulge information. • Every organization must decide what information is sensitive and should not be shared. – Prevents employees from being socially pressured or tricked. – Polices MUST be enforced to be effective. How to prevent social engineering?
  • 37. • Password management • Physical security • Network defenses may only repel attacks – Virus protection – Email attachment scanning – Firewalls, etc. • Security must be tested periodically. How to prevent social engineering?
  • 38. • Third-party testing – Hire a third-party to attempt to attack targeted areas of the organization. – Have the third-party attempt to acquire information from employees using social engineering techniques. – Learning tool for the organization—not a punishment for employees. How to prevent social engineering?
  • 39. • What is the overall risk appetite and risk tolerance levels of the audit/supervisory committee? – Board of Directors? – Executive management? • Do those charged with governance value testing the security of information through social engineering? – Are they afraid of what the results might reflect? • Social engineering testing may need to be “sold” for testing to have any value. – Consider elements of a security awareness program. Social engineering as an internal audit unit
  • 40. • Risk assessment – Identify types of social engineering that may be most applicable to the organization. What are the weaknesses? – What types of attacks is management most concerned about? • Pretexting planning – What is the goal? – Identify the roles to be used and draft the pretexting script. • Who are we going to be? • What are we going to say? – Signed letter from executive management the social engineering testing. • “Get out of jail free” card. Social engineering as an internal audit unit
  • 41. • Example authorization letter January 31, 2014 To whom it may concern, The internal audit department of XYZ Credit Union has authorization to perform a physical security assessment. As part of this security review the internal audit department may perform any of the following procedures during the following time period: February 16, 2014 through February 28, 2014. 1) Patrol the perimeter of any XYZ Credit Union (“XYZ”) branch during and after normal business hours. 2) Inspect the content of interior trash receptacles during business hours and exterior trash receptacles during or after business hours at any XYZ location. The content of any trash receptacle may be confiscated by internal audit personnel as testing evidence. 3) Attempt to gain access to restricted areas within XYZ headquarters or its branches during business hours by means of social engineering which may include:  Internal audit personnel disguise themselves as employees of XYZ and/or vendors.  Internal audit personnel may attempt to deceive XYZ employees in any manner which is legal and does not otherwise harm XYZ, its employees, or its members to adequately test the physical security access controls of branches and the willingness of XYZ employees to disseminate confidential information about the credit union. 4) Temporarily remove a sample of readily accessible material(s) which will be returned to the designated bank contact immediately after the testing for XYZ has concluded. If there are any questions about this assessment or how internal audit personnel should be dealt with, please contact one of the following individuals immediately. All authority granted by this letter expires promptly at 11:59PM on February 28, 2014. Social engineering as an internal audit unit
  • 42. • Phishing planning – What is the goal? – What is the setup? • Document: – Test scenario (e.g. spear phishing to install malware) – Inherent risks to the scenario (e.g. embedded links in emails) – Character (e.g. Human Resources department of XYZ Credit Union) Social engineering as an internal audit unit
  • 43. • Example phishing email Subject: Vacation Policy Attention, An important change has been made to our vacation policy; we have made the changes available for you to view on our new HR portal. Please let us know if you have any questions with the changes made to the vacation policy. www.xyzcu.com/HR Regards, XYZ Credit Union HR HR@xyzcucom Social engineering as an internal audit unit
  • 44. • Reporting on social engineering test results – Be as detailed as possible when describing the scenarios/scripts and the results. – Do not implicate a single person—social engineering testing is a learning tool, not a punishment. • How this is handled may cause internal audit to be viewed poorly within the organization. – Consider a grading scale. • Many audit reports report findings as pass/fail. Social engineering results may be partly pass and partly fail. – Example: Allowed into telecom closet, but not behind the teller line. • Use a letter grading system for social engineering. – Clearly define what each aspect of the grading scale means. Social engineering as an internal audit unit
  • 45. • Real example of a pretexting report finding. Condition On Monday, February 24, 2014, Internal Audit attempted to gain access to secured areas of five branches using social engineering physical penetration techniques while posing as employees of the XYZ Credit Union “Asset Management Division” who were onsite to inspect for asset management controls. At the Main and First and Second Street branches, credit union personnel gave disguised Internal Audit personnel access to all secured areas of the branch. During this visit, branch personnel never attempted to validate our identities by looking at driver’s licenses or whether or not we were supposed to be at the branch by calling responsible management to confirm the visit. At all times during the visit, branch personnel always displayed behavior that was consistent with “buying in” to the XZY Credit Union “Asset Management Division” script. At the Main Street branch, Internal Audit personnel witnessed a drawer at a teller station slightly open and containing what appeared to be a large sum of cash. The Internal Audit employee who witnessed the open drawer was directly behind the teller counter and in the exact position where a teller would stand while providing service to a customer. Finally, when requesting access to the telecom closet, branch personnel opened the fire extinguisher bay door located next to the telecom closet door to retrieve the key. The key was not there at the time; however, the action was an indication that the key may be stored in that location at times. At the Second Street branch, a teller was prepared to grant us access to secured areas of the bank because two key contacts in the branch were on the phone at the time. Just as we were about to get access, one of those persons got off the phone and that person followed procedure and ultimately ended our test and did not grant us access. Social engineering as an internal audit unit
  • 46. • No matter how robust an organization’s: – Firewalls – Intrusion detection systems – Anti-virus/malware software – Other technological and physical safeguards • The human is always the weakest link when dealing with security and protecting valuable information. • Knowledge is power. – People sometimes want others to “know what they know” to demonstrate importance. Weakest Link?
  • 47. • Good habits drive security culture and there are no technologies that will ever make up for poor security culture. • Social engineering audit is one method commonly used to assess the condition of the overall security culture. Key take away