Think about the last security awareness training that you were forced to sit through by your employer. Do you remember anything specific from it? Neither can I. Why is that? Personally I believe it is because most of our awareness training is boring and isn’t written in a way that’s interesting at all. They dump tons of information at us, but don’t tell any kind of a story. People like and remember stories. Typical training misses this entirely and wastes a great opportunity to get its message out by sharing real stories that are being shared online.
A few weeks ago I was asked for my opinion on defending against social engineering attacks by Katherine Teitler of the MIS Training Institute for a blog post. Her question was what would I recommend to my clients to decrease the chances of a successful social engineering attack? My first comment was that the problem people face is that they are generally trusting and don’t really understand what a bad guys are trying to do. Because of that, they are more likely to become victims. My second comment was that we should share stories that are freely and publicly available to make people aware of what’s happening. So how about some examples?
First, let’s check out this video of a detective from the Victoria Texas Police Department talking to a scammer who is pretending to be the IRS. Sgt. Chris Guerra received a phone call from an automated dialer that is pretending to be from the IRS and is threatening him with legal action due to tax evasion. Sgt. Guerra decided to seize on this as a way to teach folks and made the Youtube video of an entertaining and educational conversation with a scammer from Pakistan. Go ahead and watch the video and enjoy. Can you imagine the impact of that video being included in your next training session? People would be talking about it for days and sharing it with friends and family because it was so wild sounding.
How about another example? About five years ago a coworker and I were assigned to do a physical penetration test of a company’s office. The client knew that we were going to be successful and that they weren’t going to like the results. But they wanted to use this as information for their awareness training and they wanted it to be personal to the company. My coworker pretended to be an inspector hired by the owner of the building to ensure fire detection systems were still in order, that emergency exits were accessible and some other stuff. The receptionist wouldn’t let him walk in to look around on his own, but instead called someone who had some responsibility for the layout of the office. This person accepted the story he was told and then proceeded to give my coworker a guided tour of the office! The internal security team watched as the tour occurred and about died when they realized what was happening!
The information that he gathered up was used later by me to walk into the office while wearing a fake, but official looking employee badge and steal a laptop from a desk in the middle of the work space. Fast forward a year and a half or so. We were called back to do an onsite web app penetration test. We would sign in every day and get escorted back to our workspace. We were watched constantly by everyone at the office. They remembered that someone had gotten away with stealing a laptop during an assessment and were working hard to make sure it didn’t happen again. They remembered the story and it changed the organization’s awareness.
That’s the goal of security awareness training! Sure, it needs to cover policy items and procedures for notification, but it also needs to change the employees’ awareness of what can happen and what bad guys are willing to do. So tell a story. Go online and find examples of recent scams and tell the story from the perspective of a victim. Ask your employees to put themselves into the shoes of the victim and imagine this happening to them. That’s much more powerful than a dry dump of facts in a canned video. At least for portions of the training (if not all of it) ditch the crappy corporate language and tell a real and interesting story. Then you’ll start to see people change and become truly aware of what bad guys are trying to do. Then you will be accomplishing your goal of security awareness.
Interested in Web App Penetration Testing?
We are launching a new online course in web application penetration testing called Breaking Web Application Security. The course will be released in September 2017 and will be hands on, practical assessment training. If you would like to hear about webinars related to the course and updates about its release, please sign up to our mailing list so we can let you know. Thanks!