Security Awareness For Dummies - Ira Winkler - Page 32

Distinguishing Social Engineering from Security Awareness


This section is personal for me. I started working in the awareness field as a result of performing social engineering simulations, after which companies invited me to come in and present awareness programs that told people exactly how I messed over the company — so that people would know what to look for in the future. I entertained people with my stories, which the Wall Street Journal described as “… alternating between hilarious and harrowing.” The stories were definitely memorable. When I later went back to my targets to measure improvements, however, the improvements were small at best.

Consider that just because you can stab a person doesn’t mean that you can perform the surgery to repair the damage you caused. It’s unfortunately easy to physically harm a person with a knife; it takes infinitely more knowledge and skills to use a knife to save the person’s life. It’s a completely different skillset. Having performed social engineering for decades, I can state that it’s easy to trick a user into giving up information. It’s infinitely harder to train an entire population of users not to divulge information on a consistent basis. It’s likewise a completely different skillset.

Social engineering is a broad term for nontechnical attacks that achieve, or support, access to or other targeting of computers or information. Phishing is the most common example, but dumpster diving, shoulder surfing, and telephone pretext calling are also common social engineering attacks. The most iconic attacks are those where someone calls up a user, pretends to be from technical support, and solicits the user’s password.

To be good at what they do, social engineers essentially know how to be good liars. They know how to perform transactional influence: they manipulate a user into performing a one-time act that the user should not otherwise do.

Social engineering requires a skillset that’s completely different from the one for awareness. A social engineer has to find one trick of influence at one given point in time to succeed. An awareness professional, however, has to create consistent behaviors on the part of users with whom they may never have a personal interaction. A social engineer might find holes that need to be fixed, but, to use an analogy, fixing one hole in a dam doesn’t strengthen the dam as a whole.

Providing information showing that the threat is possible makes the information a bit more memorable, so users can remember it for a few more weeks. This can be valuable in countering the Forgetting Curve, which is discussed in Chapter 3.

Though social engineers don’t necessarily have transferable skills for designing an awareness program, social engineering tests can be a useful way to gather metrics. Social engineering, when performed properly, can determine how people will actually perform when faced with a potential attack. However, don’t fall into the trap of believing that social engineers are competent awareness professionals by default. Awareness is much more than telling people what tricks not to fall for. It’s telling people how to behave properly on a consistent basis.
