Designing an Awareness Training Plan for Social Engineering Threats from Employees Using Social Netw

The Weakest Link in Security: Users

Taak:

Application: Designing an Awareness Training Plan Imagine you are a mid-level manager in a busy company. One day, you have a few minutes between meetings and decide to answer e-mails. You notice that one of your e-mails is from your boss. The e-mail indicates you and the other mid-level managers are to provide the name of a subordinate that is worthy of promotion (for a publicly posted job). The name must be submitted by clicking a link embedded in the e-mail. You click the link and enter a name. You are able to answer only a few more e-mails before rushing into your next meeting. A few days later, you are called into an office where your boss and the Chief Security Officer (CSO) are waiting for you. They have lots of questions for you—starting with why you have been accessing employee files. You have been social engineered. In the IT space, some fairly sophisticated technologies and controls exist for protecting IT assets. As you have learned in this course, the idea of an impregnable system is a myth. Determined attackers can always find a way in. Often, the quickest and easiest way to compromise systems is by tricking employees via social engineering—the ability to use social skills to gain access to a host, system, or sensitive information. For this Assignment, design a presentation that consists of 6–12 slides for an awareness training plan that addresses social engineering threats stemming from employees using social networking sites in the workplace. Address how hackers might use personal information available on these sites (e.g., relationships, pictures, degrees, and travel information) to social engineer employees.

You have probably heard the familiar phrase that something “is only as strong as its weakest link.” Well, what if that “something” is security? What do you think its weakest link is? You may have come up with a wide variety of possible answers, such as legacy systems, mobile devices, or analog modems. Although all of these are definite candidates, the answer is users. They are the one vulnerability over which you have the least control.

Attackers have targeted users for years and have had great success exploiting this vulnerability. With lots of practice and access to the vast amounts of information about potential targets on the Internet, attackers have gotten really good at socially engineering users. Consequently, social engineering attacks are a major threat.

Whether it is a virus, malware, or a new social engineering technique, new threats emerge almost daily. It is seldom, however, that attackers radically change their methods. Unfortunately, this is one of those times with the emergence of advanced persistent threats (APTs). With naïve users and APTs, the perfect storm is lingering on the horizon. Fighting APTs requires a complete reexamination of how security hygiene practices and security policies are implemented. Organizations must prepare quickly before the storm hits.
This week, you will analyze techniques used by APTs, design countermeasures to defend against APTs, and design a training awareness plan to combat social engineering.