Tech Insight: Building The Right Defense Against Social Engineering

Defcon capture-the-flag contest shows humans are still the enterprise's weakest link
Defending against social engineering comes down to awareness and training: there is no patch you can push to make users aware. Enterprises should mandate training so that users understand the dangers posed by social engineering and can recognize an attempt when it comes.

The most effective training includes role-playing to demonstrate how social engineering attacks are carried out. The Social Engineering Framework has many good examples to draw from, and history has shown us plenty of skilled social engineers we can point to, including Frank Abagnale and Kevin Mitnick.

Modern-day experts, such as Chris Nickerson and Jayson Street, also serve as excellent examples. Nickerson starred in the TV show "Tiger Team," which followed his team through a series of technical and social engineering attacks to gain access to an exotic car dealership and custom jeweler.

Street's "Deceiving the Heavens to Cross the Sea: Using the 36 Stratagems for Social Engineering" provides numerous real-world examples of social engineering attacks -- all of which can be used to help educate your employees.

You can augment your training program by sending out newsletters with current examples of social engineering or recent phishing attempts in the news. Some IT organizations test their employees by conducting internal social engineering attacks against a different department each month. Employees who catch the attack receive a positive report to their supervisor, while those who are tricked receive additional training and awareness recommendations.

As technical defenses improve, social engineering attacks become more targeted and sophisticated. It is critical to educate users about the attacks likely to be used against them, and to instill in them a sense of responsibility: question strangers in the halls, and treat any phone call asking for a password as suspect.

As the Defcon contest showed, people are the No. 1 vulnerability in your network. Be sure you're taking the proper steps to "secure" them.