Optimizing your awareness campaign with social engineering
Security frameworks, notably the ISO 27002 standard, recommend raising user awareness of common security issues (even though the subject does not seem to be unanimously agreed upon within the community). But how do we do it?
Given the resurgence of more or less targeted attacks that send employees of a specific company emails encouraging them to click a malicious link or enter their credentials, social engineering tests help identify, with a real-life case, the user populations that need awareness training.
Methodology
- An email is sent to users informing them of an IT system outage and the need to fill out a form to ensure service restoration.
- The user clicks on the link and is presented with an authentication screen displaying their company's colors.
- If the user fills out and submits the form, a non-judgmental awareness page outlines the various points that might have raised their suspicions.
- The sending email address uses a non-existent domain name derived from the official domain name.
- The email should remain very generic (no logo, no forged signature…)
- The form is hosted on a domain external to the company.
- The form does not send data over a secure HTTPS channel.
Prerequisites
- Define the scenario and its limitations with human resources managers
- Taking the time to explain the approach to the trade unions may prove necessary depending on the company's context.
- A list of representative and well-distributed users must be identified (it is necessary to strictly adhere to this defined scope)
- Classifying these populations by occupation, location, age, etc., allows for more precise statistics.
- User support should be notified, as it's useful to have visibility into the number of users who have contacted them.
- Where possible, it is recommended to geographically distribute the representative panel of users in order to limit communication from one user to another, which could skew the tests.
Results
The following results are from a test carried out on a panel of 320 users out of a total of 1800. They are representative of what Intrinsec regularly observes during this type of service.
- 26% of employees gave their password
- 89% of them did so in less than a minute
- 90% of the results were obtained within the first 48 hours
- 46% of users clicked on the link received by email
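The indicators above (click rate, submission rate, speed of submission, share obtained within 48 hours, breakdown by population) can be computed from the campaign's event log. The following Python is an added illustration, not code from the original article or from Intrinsec; the CSV-style log format, the population labels and the sample values are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log for an awareness test (illustrative values, not real data).
# Columns: user id, population label (department, site, ...), event, ISO timestamp.
LOG = """\
u01,finance,sent,2024-03-04T09:00:00
u01,finance,click,2024-03-04T09:02:10
u01,finance,submit,2024-03-04T09:02:40
u02,finance,sent,2024-03-04T09:00:00
u02,finance,click,2024-03-04T09:30:00
u03,finance,sent,2024-03-04T09:00:00
u04,sales,sent,2024-03-04T09:00:00
u04,sales,click,2024-03-06T12:00:00
u04,sales,submit,2024-03-06T12:05:00
u05,sales,sent,2024-03-04T09:00:00
"""

def parse_log(text):
    """Return {user: {"population": str, "sent"/"click"/"submit": datetime}}."""
    users = {}
    for line in text.strip().splitlines():
        uid, pop, event, ts = line.split(",")
        rec = users.setdefault(uid, {"population": pop})
        rec[event] = datetime.fromisoformat(ts)
    return users

def campaign_metrics(users):
    """Click and submission rates, share of submissions made under a minute after
    the click, share obtained within 48 h of sending, and a per-population breakdown."""
    sent = len(users)
    clicked = [u for u in users.values() if "click" in u]
    submitted = [u for u in clicked if "submit" in u]
    fast = [u for u in submitted if u["submit"] - u["click"] < timedelta(minutes=1)]
    early = [u for u in submitted if u["submit"] - u["sent"] <= timedelta(hours=48)]
    per_pop = defaultdict(lambda: {"sent": 0, "click": 0, "submit": 0})
    for u in users.values():
        p = per_pop[u["population"]]
        p["sent"] += 1
        p["click"] += int("click" in u)
        p["submit"] += int("submit" in u)
    pct = lambda part, whole: round(100 * part / whole) if whole else 0
    return {
        "click_rate": pct(len(clicked), sent),
        "submit_rate": pct(len(submitted), sent),
        "submit_under_minute": pct(len(fast), len(submitted)),
        "submit_within_48h": pct(len(early), len(submitted)),
        "by_population": dict(per_pop),
    }
```

Comparing the per-population figures is what lets the campaign target the groups that need training first, as the prerequisites section suggests.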
Examples of information obtained:
- Evolution of the number of clicks and form submissions during the first 35 hours of testing.
- Reactions from the tested population.
Conclusion
While it is difficult to protect against this type of targeted attack, faster detection (via reporting to support for example) allows for a more effective response (changing user passwords, monitoring connections of compromised accounts, post-incident communications, etc.).
This type of test helps identify priority awareness campaigns and target populations. It can also be used to verify the effectiveness of a campaign. Finally, when conducted regularly, like a fire drill, it trains users to react appropriately.
