Jane works in the accounting department of a medium-sized manufacturing company and had just completed her annual awareness training before heading home. She passed the phishing module with flying colors and felt ready for any email-based attack that might come her way. While retrieving her keys, she received a call on her mobile phone. A man with a British accent introduced himself as a lawyer in London. His firm was reviewing a pending international case against her company, he said, and needed some additional information to help defend it: specifically, the company's financial records and bank information for the past three years. The man confidently explained that they had already talked to her boss, who had approved the transfer of information; she just needed to email the documents to their account.

Fortunately, Jane's training went far beyond phishing, teaching her that many attacks arrive in other ways, including in person, on social media or, as in this case, over the phone. Something did not sound right. After hanging up, she immediately called her boss, who confirmed this was an attack. A highly motivated cyber criminal had singled out her company and conducted extensive research on LinkedIn and Twitter to learn everything possible about her department. They were then calling key financial staff to gain access to financial and other sensitive information. Because Jane reported the incident to the security team, an alert was sent to all employees and the attack was quickly stopped.

“Attacks on an organization’s sensitive information using social engineering are more targeted and more sophisticated than ever before,” noted Michael Alexander in his recent paper “Methods for Understanding and Reducing Social Engineering Attacks.” In the paper Mr. Alexander covers topics such as electronic access, baiting, pre-texting, tailgating, quid pro quo, social media and phishing. With every employee a target, it is myopic to focus solely on checking the phishing training box when there are so many other social engineering threat vectors hackers routinely exploit. Mr. Alexander outlines a personality-based approach to identifying priority vulnerabilities and training workers. His concept focuses on:

1. Plan the training - Establish goals and put quantifiable metrics next to them
2. Perform the personality testing - Select personality tests such as the OCEAN test based on organizational fit
3. Design, develop & implement the security awareness program and training - Tailor training to personality types

Mr. Alexander noted that:

End users are almost never trained to be wary of legitimate websites that everyone frequents such as Google or Amazon and how to tell the difference between the legitimate site and a spoofed one. But an attacker can spoof almost any site. Very few users are aware of this even though most of them go through “security awareness training” annually (Bullée, Montoya, Pieters, Junger, & Hartel, 2015). This is just one example of how, unless security awareness training becomes more sophisticated, organizations will remain vulnerable to attackers especially through social engineering. There are literally hundreds of other social engineering scenarios not mentioned.

Read the full white paper

Learn more about SANS security awareness training