Blog: SANS Securing The Human: Category - Social Engineering


Trick for Rewarding Good Behavior

Just finished up the SANS MGT433 class this week at SANS 2014 in Orlando. One of the things I love most about teaching is that I always learn something new. One of the students had a great idea for rewarding good behavior. In general you want to avoid providing purely monetary awards for good behavior; you quickly run out of budget. Recognition is not only cheaper, but often more effective. For example, if someone receives a "Microsoft Tech Support" phone call and stops the attack cold, an organization's first response is often to reward the person with a gift card. Instead of providing just money, make a hero out of the person: post a story about what she did, how she figured out the attack and where she reported it. Not only are you publicly recognizing the individual for their great work, but you are also promoting and reinforcing the good behaviors that secure your organization.

One of our students took the idea one step further. Instead of just


New Security Awareness Poster - Don't Get Hooked

We are excited to announce the new security awareness poster "Don't Get Hacked". This poster is part of the SANS Winter 2014 poster series. If you are on the SANS mailing list and receive SANS course catalogs, you should receive a hard copy of this poster in the mail soon. You can also download a digital copy from our Poster Resources Section and print as many copies as you like.

The poster teaches people how to detect phishing emails by explaining and giving examples of the most common phishing indicators. The poster was developed as a community project. We would like to thank the following people for their invaluable expertise and


1st Three Key Security Awareness Topics

Earlier this week we discussed the importance of focusing your awareness training on a few, high-impact topics and then identified what we consider the top nine. Today we discuss the first three of those topics and why our Advisory Board selected them.

You Are A Target: If people do not understand they are a target, if they feel they are not at risk, they will never be engaged. Without engagement, your program will fail from the beginning. This topic ensures people understand they are a target, both at work and at home. They understand how bad guys can make money from them, use their computer to stage attacks against their employer, hacktivism,


Awareness Training for Those Marketing Folks

One of the challenges with awareness training is that no single set of training will address all of your organization's needs. While almost all employees share some common human risks (email, social media, passwords, etc.), there are specific roles that require additional or specialized training. One example is IT staff: because of their privileged access they require additional training, such as secure use of admin accounts, controls for making changes to systems, or how *not* to share sensitive information on public forums.

The more I work at this, the more I feel marketing needs to be added to that list of specialized roles. Think about it: these people are your public-facing communicators, and the last thing you need is for them to be sending marketing emails or posts that scream 'phish' to millions of your customers. Here are some common lessons for marketing that I think would be great.

  • EMAIL: Any URLs within a marketing email should be under the

Do Phishing Assessments Desensitize Employees?

A question I am commonly asked about phishing assessments is: do they desensitize employees? Do employees begin to treat phishing (both real attacks and simulated attacks) as a frivolous game, ultimately exposing the organization to more risk, not less?

Based on my experience I would have to say a resounding no. To be honest, if anything you have the exact opposite problem. If I see any issue, it is that some employees become overly concerned and overemphasize phishing risks. Following such training and assessments, security teams or the help desk will see an increase in phishing reports that turn out to be legitimate emails. In one case I know of, a senior executive sent out an email to the entire organization announcing an upcoming webcast that all employees were required to attend. Several employees forwarded this to the security team thinking it was a spear phishing attack. In fact, this is why I'm cautious about sending out spear phishing emails pretending to come from senior