You have heard all the stories. Social engineers (SEs) being held at gunpoint, nearly driving off cliffs, jumping into garbage chutes, or walking through front doors. (If you haven’t heard these stories, I highly recommend you read Chris Hadnagy’s newest book.) You’ve heard of SEs bypassing security in both the most exciting and the most simple ways. But what happens after the social engineering engagement? What is done about the vulnerabilities discovered? What happens if that vulnerability was a person? For the purpose of enlightening our readers, here is a peek into the aftermath of a social engineering engagement.
Before completely diving into this topic, it is important to understand that, as the professionals hired to do these jobs, we only have a limited view of what really happens after our job is done. What we can speak on is what we encourage our clients to do and our viewpoint of these “best practices.”
Many answers to vulnerabilities are straightforward. For example, in the case of the garbage chute, the facility now (hopefully) locks the doors behind their garbage cans. Of course, this may only be a slight speed bump to an SE that carries and knows how to use a lock picking kit. Either way, physical security improvements can bolster the security of a building in ways that will discourage many malicious parties from even attempting to act. Indeed, many vulnerabilities fall into this category.
As you may know, SEs look to human vulnerabilities in order to bypass what they cannot with a lock picking set or other tools. This brings up a two-part question: how can companies strengthen their human wall of security? And what happens to the employees who fall for these SE tactics?
Let’s start by looking into the first part of that question. How can companies strengthen their human wall of security? The best practice we have found to be effective is, simply, training. Proper training, when combined with reporting protocols and a corporate culture that encourages learning on all levels, is going to be the best defense for your company.
What Happens to the Employees Who Fall for These SE Tactics?
This brings us to the second part of our question: what happens to the employees who fall for these SE tactics? Here at Social-Engineer, LLC, we strongly encourage our clients not to punish their employees for failing a training test. Why? The purpose of training is for an employee to learn. Part of any learning experience generally involves failing (or falling short) in some aspect or another, and then improving bit by bit. If everyone were perfect at everything, there would be no room for learning or training. This holds true for social engineering engagements, whether that be phishing, vishing, or onsite engagements.
Let’s take this to an extreme and say there was a company that decided to fire every employee that failed a phishing test. What would happen to that company? Likely, it would lose a huge percentage of its workforce and instill a culture of fear within the company. Additionally, it would now need to replace that removed workforce with brand new people who are just as vulnerable as, or more vulnerable than, the last batch. We strongly believe that fear like this should not be used to motivate or train. It isn’t effective or healthy. For this reason, we have conversations with all our clients about this situation to show that it is better to train and retest than to terminate and re-hire.
It is absolutely possible to train employees to be more secure without using negative tactics. It is even possible to leave them feeling better for having met you during these engagements.
Employee Vulnerabilities – Opportunities to Teach
Failing a training exercise is generally not a negative in our view. If the hypothetical company above decides to train, rather than fire, the employees who fail these tests, what would happen to that company? It will increase the employees’ awareness of social engineering tactics and only aid them in being more secure and alert to these attacks in the future. This is the outcome we work with our clients to reach.
When the Risk Is Too High
Not everything is always so black and white. Occasionally there will be engagements in which an employee’s actions put themselves, others, and the company itself at a very high risk. To illustrate, imagine Social-Engineer, LLC is hired to break into a client facility during night hours. Upon gaining entry to the building, the SEs find a security guard sleeping at their desk. This allows the SEs free access to the facility, which contains the Network Operations Center.
Step out of the SE’s perspective for a moment. What if this scenario were real, and happening with real, malicious attackers? What would happen to that security guard? At the very worst, physical harm may come to them. At the very least, they would likely lose their job. In this scenario, the sleeping guard is putting the company and themselves at a very high risk of both possible compromise and possible physical harm, and some significant action must be taken. When it comes down to it, it is up to the client how to handle these rare, but serious, incidents.
Leaving People Feeling Better for Having Met You
Our overall goal is to train the client’s employees how to handle social engineering attacks safely and securely. By working with clients through our phishing, vishing, onsite engagements, network penetration testing, and other trainings, we have seen our clients’ social engineering risk factor drop significantly.
As a company, we strongly believe and teach that this can be done while leaving people feeling better for having met you. Sticking to our Social Engineering Code of Ethics and using tactics such as validation and rapport building, rather than intense fear or greed, ensures that the training they get is both beneficial and, hopefully, leaves them feeling better for having met us. If you would like to speak to one of our experts about partnering with us, please contact us here.