Executive Management Need Social Engineering Training


Every day, security managers and their departments face a steady stream of risks: spam e-mail that an employee inadvertently answers, scams that ask for money to be wired to some account, and overseas lawyers and princes who want to share their wealth. Spear phishing is also rampant, with messages from seemingly trusted sources such as banks, or from lawyers who have found a long-lost distant relative and want to hand over the inheritance you so richly deserve. Against all of this, effective training programs that make employees aware of these dangers have become more important. Jayson Street, a security consultant and Chief Information Officer of Stratagem 1 Solutions, believes the largest social engineering threat lies with the top executives and senior management of an organization, and that they are the individuals who need the most training. Street frequently runs penetration tests and advises clients on his findings. Because executives and senior management have access to very sensitive and confidential information, they are prime targets for cyber criminals. The need for strong security has to be understood from the very bottom of an enterprise or organization right up to its top layers. Street says, "We need to have executive buy-in of these risks. Executives need to understand what can happen and how to avoid it."

Street believes executives are vulnerable because they hold the most important and demanding positions in an organization, and they may feel exempt from the rules and compliance controls that security personnel have put in place. "They are the ones who expect they don't need the firewall blocks as much, or that they can go to the websites others can't. They don't want to be filtered, logged or monitored, so they don't want to go through the web proxies that also protect them from compromise." The underlying problem is that senior management and executives have no more security knowledge or awareness than the average employee, yet they are exposed to the same variety of social engineering scams. And because they are executives and senior management, a social engineer is more likely to tailor the attack to them personally, sending e-mails, spam and attachments that appear to come from a legitimate source but are in fact malware.

If an executive or senior manager infects their computer by opening a malicious attachment, they will wonder why security did not protect them. "When an executive is compromised and causes a loss for the company, he is not going to say 'oops, my bad.' He is going to say 'why didn't you protect me from myself?'" During penetration tests for a couple of hotels, Street gained access to their server room by sending hotel employees a fake e-mail in which he claimed to be the chief executive officer of their tech support supplier. "Afterward, I asked them 'why did you let me in?' And they said 'this is how the owner does things. He sends e-mails like this all the time!'" The point is that senior management and executives do not realize their own habits create serious security risks, because they assume their security team is better informed and will always cover for them.

Chief information officers are prime victims for social engineers because they are the people who adopt the newest technology first. "Who is going to be using the newest iPhone before it's approved in the company? Who will have the iPad working on the internal network, getting their e-mail? It's going to be those executives. They are getting laptops that aren't standard. They want the ultralight or the one that can do a certain thing." Because these devices are new, they have not been properly approved or vetted for security risks, and they have not been securely configured for the network. The situation is compounded when executive management assumes the information-technology department has already put the proper security in place when in fact it has not. "They might actually think because it's newer it's more secure, which it's not. And then they still want to log their laptop into their home network and then the trust model changes completely."

The cyber criminal looks for the easiest way in. Because the network administrator probably has restrictions and monitoring in place at the office, the path of least resistance runs through the executive's spouse or children on social networks such as Facebook. Family members often use the same home computers that the executive shares once at home. "Why not compromise the wife's computer system and then, when the executive brings his laptop home, he is now on the internal network. The home network is more of a private network, which is more trusted. And that means the firewall lets more stuff in. It makes more sense to compromise the executive that way." Social engineering and security awareness must therefore extend to all family members, because they too can become unwitting participants or victims. "If you've got millions of dollars at stake, and you are doing corporate espionage and want to steal secrets or money, you don't go after your target only, you go after everyone in your target's network, too."

CISSP training brings new awareness of social engineering and information security. With growing concern over information theft and the global climate, everyone within an organization benefits from solid, high-quality certification training in data security. K Alliance is a premier source of information security certification training.

About Us: Expert Training offers a variety of training courses, including enterprise learning systems, business soft skills, IT certification training, and many online training courses. Employees need to be well informed and well trained in order to perform at a high level, and Expert Training provides the courses necessary to accomplish that. Windows 7 training courses make it easy for employees to make the transition from Windows XP to Microsoft's latest operating system. Come to Expert Training and discover how our professional training courses can assist your organization.