Thursday 28 October 2010

Security awareness versus social engineering

The thumbnail shows the first of a series of 6 posters in November's security awareness module on social engineering. It's a particularly important topic for us because security awareness is by far the most important control against social engineering. Alert employees who appreciate the threat and know what to do if they feel they are being targeted stand a much better chance of resisting attacks than those who remain blissfully unaware throughout.

As always, the newsletter sets the scene for the topic and outlines the risks associated with exploiting people rather than technologies. 

The social engineering capture-the-flag competition at this year's DefCon hacker conference was a real eye-opener for many: we couldn't help but notice a number of prominent organizations hastily sending out warning notices to their employees ahead of the CTF competition, even though the rules of the game were strictly limited to keep the event ethical and educational. What's more, not all the competitors were experienced social engineers (many were beginners), yet ALL of the targets were successfully compromised. If management feels so worried about a mere game, how come they seem to be ignoring the real-world social engineering attacks from accomplished and determined social engineers who don't care about rules? How bizarre!
