Training for social engineering awareness and detection should address both technology and people processes.
Speaking at the B-Sides London conference, Gavin Ewan, regional sales manager EMEA at Xiphos Research Labs, followed his talk on social engineering from last year's B-Sides London with real-life examples of social engineering and advice on how to not become a victim.
Citing a late friend as an example, Ewan said that social engineering training is often "dominated by the need to study niche areas to understand attacks", adding that this approach "turns into circus monkeys".
He said that drilling down into information about people from social networks and official sites can lead to ransom situations and the collection of large amounts of data. He said: “People are not stupid or greedy; they are doing their job. In my view, 90 per cent of a social engineering attack is information gathering and the other ten per cent is the actual attack.”
Ewan highlighted both passive and aggressive defence methods. The passive measures were: use a strong spam filter; consider reducing internet and email access; and instruct staff not to open attachments or unsolicited emails.
The aggressive defence measures were: training staff to identify phishing or malicious websites; running attack role plays; testing the physical perimeter; and running spear phishing tests.
In regard to social engineering training, Ewan said: “You need a social engineering framework for mere mortals. Construct a process that is similar to sales, but for social engineering and know how real attacks work. Also build a social engineering framework that people can follow, and test it.
“We are also salespeople and you have got to sell to your colleagues as if you get it wrong, we're getting it wrong.”