Final- Example Security Awareness Training Plan

Company: Zill, Inc.

Method of Training: Speech and PowerPoint presentation, survey, follow-up emails, random social engineering and phishing tests.

Plan of Attack:

In my opinion, the greatest threat to our company’s cybersecurity is a lack of knowledge of best practices and proper Internet etiquette; to combat this, I have put together a security awareness training campaign to educate our employees on the dangers of social engineering and how they can defend against common cyberattacks. By researching the various methods cybercriminals use to hack, steal, or damage systems, logins, and both personal and company-specific data, I will demonstrate how each employee is on the front lines of an always-raging cyberwar. I will start my campaign with a detailed PowerPoint presentation that shines a light on the dark world of social engineering; in this presentation, I will begin by defining what social engineering is, then share its various methods of obtaining unauthorized data, and finally show how every employee can defend both themselves and Zill, Inc. from cyber-threats. The PowerPoint presentation will accompany a speech that describes what the plan is and why it is essential, sparks interest in the topic, and explains how each additional phase of the project will unfold in the coming days. In this scenario, I am presenting to a large group of individuals at once, possibly through a recorded or live presentation.

Attendance for the speech section of the presentation will be tracked by recording who viewed the video or who was physically in attendance. To ensure the participation of viewers throughout the entire video (and to discourage employees from logging in for a second without viewing the entire production), I will give notice at the beginning of the video of a short questionnaire to be completed at the end; it is merely an attempt to raise engagement, take a brief survey of employees’ skill levels, and let them rate the presentation (for future work). The completed questionnaires will be sent to the employees’ supervisors, who in turn will forward them to me; this creates a sense of urgency and a requirement to watch the video in its entirety, pay attention, and complete the survey.

At the end of the presentation, I will notify the audience of additional training videos and emails in the coming days, all with the purpose of educating Zill, Inc. employees on proper social engineering defenses and security awareness. I will also mention the test emails I will send to employees (at random), which contain nothing malicious but have obvious content that shouldn’t be downloaded (phishing examples). I will also inform them of random attempts to break common security procedures, such as phone calls trying to obtain information that should not be given out, attempts to access buildings and rooms I shouldn’t be able to access, and USB drives left around the office to see if anyone plugs one in. I will make clear that this is not a pass/fail experiment and that no risk comes to an employee who falls victim to one of my attempts to bypass security; it is merely an educational exercise.

Speech:

Social engineering, defined as the art of manipulating or influencing people to obtain their confidential information or bypass the controls that protect it, is one of the leading causes of the various types of cyberattacks. While it may seem, in the world we live in today, that technology plays such a significant role in our lives that we have little to no impact on the security of our company’s systems, this couldn’t be farther from the truth. The human element in cybersecurity is the building block of each additional layer in our security system. While it may seem that hackers, those individuals we often imagine as a sweaty teenager furiously typing away in their parents’ basement, are our greatest threat, the greatest threat we actually face is ourselves.

I will first outline the dangers of social engineering for the everyday citizen; this will then lead into the hazards that Zill Inc. faces. In the study “The public and cybersecurity practices and knowledge,” Lee Rainie explores how often the public is affected by cybercrime and how well it knows best-practice security procedures; this information was gathered through a survey. Of the participants, 64% reported that they had been impacted by some form of cyberattack, such as a hacked email or social media account, fraudulent credit/debit charges, or even a stolen tax refund (Rainie, 2017).

As we all know, most of the accounts we use online are protected by username and password authentication, but think for a second: how secure is your password? How do you remember the multitude of passwords we need on a daily basis? Per the participants in Rainie’s survey, the vast majority memorize them; while you may be thinking that this is a good thing, we should take a deeper look at this practice. While remembering a password is a great way to prevent hackers from being able to steal your login information, the fact that it can be easily remembered is a trait of a non-complicated password, one that would be easy to social engineer (by scanning through your social media posts, websites you work on or own, or search engine results). For example, let’s say your password is your pet’s name, your favorite vacation spot from your honeymoon, and your favorite flower. You may be thinking that this actually sounds pretty complicated, especially since some of the most common passwords in the world are 12345, password, 111111, and qwerty. Before you gain false confidence in the password you use, let me show you how a social engineer could crack yours with ease.

So, as I previously mentioned the contents of the example password, let’s first find the pet’s name. Using social media, I can probably easily find some posts the user made of their cat (probably more than there should be); in these images, how often do you think they used their cat’s name? Even if the user’s Facebook profile is set to private, how often do you think family members or friends might have taken a picture of the cat as well, with its name in the post? Next, we have the honeymoon vacation spot; this gives me several avenues of possible data retrieval, through both the user in question and their spouse. Furthermore, both the user’s and their spouse’s family members might have posted about their vacation in the Bahamas. But how would I find a date to look at, especially if they vacation often? I could merely use the Facebook user’s About info to see the date they got married, or, if the profile is set to private, search for marriage records on the Internet (which is quite simple). Then, by cross-referencing the marriage date with vacation posts, I can find the location the user used for the second section of the password. Finally, we need to figure out the user’s favorite type of flower. Let’s say that we can’t find this information on any of the user’s social media sites, blog posts, or anywhere on the Internet. Since I would at this point know where the user works (through Facebook, LinkedIn, Google search, or by performing a reverse image search on a photo of her at a company event), by some methods of both social media and influence, I could theoretically go to the user’s place of business, walk to the front desk, and, while dressing nicely and being friendly, strike up a conversation with the receptionist. Doing this on a Friday afternoon would work best, as generally, people are more friendly since they are looking forward to the weekend. I could use a well-researched pretext and say that the user had helped me jump-start my car; because of this random act of kindness, I wanted to send her flowers but didn’t know what she would like. There is a good chance (depending on company size, the length of time the user has been there, and the skill and memory of the receptionist) that she might remember flowers that the user’s spouse had sent. The information the receptionist would provide would be seemingly worthless in the eyes of cybersecurity; however, it would be the final piece of the puzzle I would need to compile a brute-force password attack using a random generator to attempt to guess the password. I realize this may have been a lengthy example, but this is what social engineering is: using the information you willingly post or discuss against you.

Going back to Rainie’s survey, 49% of participants wrote their passwords on a piece of paper, 24% saved them on a computer, and only 12% used a secure password management program (Rainie, 2017). You may be thinking, how can a cybercriminal hack paper, something that isn’t on the computer? I won’t get too detailed, but often I find that merely looking into the window of a business can produce an image of a poorly-placed Post-It note containing a password, and the same note can show up in a random social media post of an employee taking a selfie at their desk. The point is that these things happen, often without our knowledge. My mission is to combat this.

Social engineering attacks can come in many forms, such as an email from a friend or trusted source, baiting scenarios, a response to a question you never asked, and attempts to create distrust and conflict. If you receive an email from a coworker or business you often communicate with, ask yourself: how often do you verify that the email came from the correct email address? Criminals take advantage of spoofed email addresses and domains by sending emails with a headline such as: <Apple Support> Your Account will get deactivated Shortly. The message was sent from http://www.applle.com. At first glance, the email seems to originate from the correct Apple domain, and its contents are seemingly authentic. However, let’s take a second glance. If you notice, the email’s headline seems odd: Apple would never send an email in that format using < >, and “deactivated” isn’t capitalized (while everything else that should be capitalized is). Furthermore, do you think a company as large as Apple would use the phrase “will get deactivated”? An account can be deactivated or, possibly, become deactivated, sure, but “get deactivated” just doesn’t sound right. Next, let’s look at the web address it was sent from. Did you notice the second l? If you didn’t immediately recognize all these inconsistencies, you are not alone. Even the most capable cybersecurity professionals can fall victim to this type of phishing attack.
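The tells called out above (a sender domain one letter off from the real one, angle brackets in the headline, uneven capitalization, and odd urgency wording) can be turned into a simple triage check that a mail filter or a help-desk analyst could run over a reported message. The following is an added example written for this page, not code from the original post or from Zill, Inc.; the trusted-domain list, the urgency phrases, and the three sample messages are constructed for illustration.

```python
# Added example (not from the original post): triage a reported email against
# the phishing indicators described in the speech. TRUSTED_DOMAINS,
# URGENCY_PHRASES and the sample messages are constructed for this example.
from urllib.parse import urlparse

# Assumed allowlist of domains we actually do business with (constructed).
TRUSTED_DOMAINS = ("apple.com", "zill-inc.example")

# Wording the speech singles out as unlike a real vendor notice (constructed list).
URGENCY_PHRASES = ("will get deactivated", "will be deactivated", "act now",
                   "verify your account", "shortly", "immediately")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete
                           cur[j - 1] + 1,               # insert
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


def sender_domain(sender: str) -> str:
    """Extract the domain from 'user@host' or from a URL such as http://www.host."""
    s = sender.strip().lower()
    if "@" in s:
        host = s.rsplit("@", 1)[1]
    else:
        host = urlparse(s if "://" in s else "//" + s).hostname or s
    return host[4:] if host.startswith("www.") else host


def domain_findings(sender: str) -> list[str]:
    """Flag a sender domain that is a near-miss of a trusted one (e.g. applle.com)."""
    domain = sender_domain(sender)
    if domain in TRUSTED_DOMAINS:
        return []
    for trusted in TRUSTED_DOMAINS:
        distance = levenshtein(domain, trusted)
        if distance <= 2:  # one or two edits away from a real domain: typosquat territory
            return [f"sender domain {domain!r} is a lookalike of trusted "
                    f"{trusted!r} (edit distance {distance})"]
    return [f"sender domain {domain!r} is not on the trusted list"]


def subject_findings(subject: str) -> list[str]:
    """Apply the formatting tells described in the speech to a subject line."""
    findings = []
    if "<" in subject or ">" in subject:
        findings.append("angle brackets in the subject are unusual for a vendor notice")
    # Content words: letters only, at least four characters, punctuation stripped.
    words = [w.strip("<>,.:;!?\"'") for w in subject.split()]
    words = [w for w in words if len(w) >= 4 and w.isalpha()]
    capitalized = sum(1 for w in words if w[0].isupper())
    # Mostly Title Case but not entirely: the lowercase 'deactivated' tell.
    if words and capitalized < len(words) and capitalized / len(words) >= 0.6:
        findings.append("inconsistent capitalization: mostly Title Case with lowercase words mixed in")
    lowered = subject.lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        findings.append(f"urgency wording: {', '.join(hits)}")
    return findings


def triage(message: dict) -> list[str]:
    """Combine sender and subject checks; an empty list means nothing stood out."""
    return domain_findings(message["from"]) + subject_findings(message["subject"])


# Constructed sample messages: the speech's phishing example, a benign notice,
# and a sender that is simply unknown rather than a lookalike.
PHISH = {"from": "http://www.applle.com",
         "subject": "<Apple Support> Your Account will get deactivated Shortly"}
LEGIT = {"from": "noreply@apple.com", "subject": "Your receipt from Apple"}
UNKNOWN = {"from": "alerts@security-alerts.example", "subject": "Monthly newsletter"}

if __name__ == "__main__":
    for name, msg in (("PHISH", PHISH), ("LEGIT", LEGIT), ("UNKNOWN", UNKNOWN)):
        print(name, triage(msg) or ["no indicators"])
```

The capitalization and wording checks are heuristics and will miss or over-flag some subjects; the domain check is the robust part, which is why it distinguishes a lookalike (a candidate for blocking and a warning to the user) from a merely unknown sender.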

What are some common reasons the human element is the greatest threat to Zill Inc.’s security? Well, without seeming to degrade your skills in any way, I will quickly summarize some main character traits of someone who is more likely to be a security risk. A social engineer’s best friends in their attempts to bypass our security measures are improper Internet etiquette, laziness, fallibility, and a lack of education on cybersecurity principles. Those who post a picture before every bite of their food or tweet about a new show they are watching are potentially opening up avenues to information they would not wish to share (and much of this information can damage the company). Can I see a show of hands if you have ever taken one of those Facebook quizzes that ask several questions about yourself and then post the results to social media? Well, not to insult you, but those questions seem quite similar to password security questions, don’t they? Have you ever taken a picture or screenshot of your home computer’s screen? If I saw that, I would look for any visible icons showing me what (if any) antivirus software you use, which can help me build a situation-specific attack created just for you. How many of you feel comfortable with your knowledge of the security practices we follow at work? Do you know the type of encryption we use for emails? What about our regulations for two-factor authentication? Don’t let the many questions I have asked and the material I presented about how the human factor significantly lowers our defense against cyberattacks discourage you; this is merely a wake-up call on how you can stay one step ahead of the many threats out there actively looking for one small gap in security. So, the next time you post that selfie at lunch of you eating a bagel with the hashtag “Girl, I deserve this,” take a quick look at your surroundings for other material you are showing.

Survey:

1. Choose the answer that most represents you.
   • Security is a part of my daily routine at work, and I feel confident in my abilities.
   • Security is a part of my daily routine at work, but I don’t feel confident in my abilities.
   • Security isn’t a part of my daily routine at work due to a lack of knowledge on the subject.
   • Security isn’t a part of my daily routine at work due to a lack of instruction by the company and its managers.

2. Choose the answer that most represents you.
   • Following security policies at our company inhibits me from doing my job.
   • Following security policies at our company allows me to do my job better.

3. Our company’s customers should be confident in our level of security.
   • Strongly agree
   • Agree
   • Neither agree nor disagree
   • Disagree
   • Strongly disagree

4. I know where to access internal/external resources to benefit my security decisions.
   • Strongly agree
   • Agree
   • Neither agree nor disagree
   • Disagree
   • Strongly disagree

5. I have had proper security training at our company.
   • Strongly agree
   • Agree
   • Neither agree nor disagree
   • Disagree
   • Strongly disagree

6. I can and do apply the same security training I learn at my job in my personal life (at home).
   • Strongly agree
   • Agree
   • Neither agree nor disagree
   • Disagree
   • Strongly disagree

7. I am confident in who to talk to in my company to get security help.
   • Strongly agree
   • Agree
   • Neither agree nor disagree
   • Disagree
   • Strongly disagree

8. I am confident in who to inform in my company of a security concern.
   • Strongly agree
   • Agree
   • Neither agree nor disagree
   • Disagree
   • Strongly disagree

9. I am confident in my ability to recognize a security concern.
   • Strongly agree
   • Agree
   • Neither agree nor disagree
   • Disagree
   • Strongly disagree

10. I am confident in my ability to formally report a security concern.
   • Strongly agree
   • Agree
   • Neither agree nor disagree
   • Disagree
   • Strongly disagree

11. I feel relaxed reporting security concerns (even if unsure of their authenticity).
   • Strongly agree
   • Agree
   • Neither agree nor disagree
   • Disagree
   • Strongly disagree

12. Our company’s security policies are simple to follow.
   • Strongly agree
   • Agree
   • Neither agree nor disagree
   • Disagree
   • Strongly disagree

13. I am interested in improving my security knowledge and abilities.
   • Strongly agree
   • Agree
   • Neither agree nor disagree
   • Disagree
   • Strongly disagree

14. I am a frequent social media user (whether posting or viewing).
   • Strongly agree
   • Agree
   • Neither agree nor disagree
   • Disagree
   • Strongly disagree

15. I use the following type of password storage.
   • Memorize in my head
   • Write down on paper/Post-It note
   • Digitally save on computer/mobile device
   • Save in Internet browser (Chrome, Edge, etc.)
   • Use password management program
   • Other

16. I have been the victim of the following cyberattacks (can choose more than one).
   • Credit/debit card fraud
   • Email, social media, or other online account compromised
   • Social security number compromised
   • Fraudulent loan or credit line taken in my name
   • Received and opened malicious email, file, message, etc.
   • Other

17. I know our company’s privacy concerns with working from home, sharing account info, using personal devices at work (BYOD: Bring your own device), etc.
   • Strongly agree
   • Agree
   • Neither agree nor disagree
   • Disagree
   • Strongly disagree

18. I frequently receive information from the security team involving new threats, rising concerns, best practices, and general assistance.
   • Strongly agree
   • Agree
   • Neither agree nor disagree
   • Disagree
   • Strongly disagree

19. I feel that I learned how to improve my security awareness (both personal/business) by watching the video.
   • Strongly agree
   • Agree
   • Neither agree nor disagree
   • Disagree
   • Strongly disagree

20. I feel that I want to work on my security awareness (both personal/business) in the coming weeks using the material provided in the next phases of the security awareness campaign.
   • Strongly agree
   • Agree
   • Neither agree nor disagree
   • Disagree
   • Strongly disagree

References

Rainie, L. (2017, May 22). The public and cybersecurity practices and knowledge. Retrieved May 27, 2020, from https://www.pewresearch.org/internet/2017/05/22/the-public-and-cybersecurity-practices-and-knowledge/.

Hadnagy, C., & Wozniak, S. (2018). Social Engineering; The Science of Human Hacking (2nd ed.). Newark: John Wiley & Sons, Incorporated.