Social Engineering: Awareness and Defence

Overview

In this course, managers and employees learn to understand, identify and respond to social engineering attacks. The program provides the knowledge necessary to recognize the most typical and frequently used types of attacks, and explains how to respond to them. During the course, attendees learn why security should supersede convenience at all times, and why policy needs to be diligently followed. Defence mechanisms and countermeasures are included in each section. We can tailor the course to meet specific requirements. No previous knowledge is required.


Target Audience

The program is beneficial to managers and employees working in companies and organizations of the public and the private sector.


Duration

Half day to 2 days. We tailor the program to meet specific requirements.


Instructor

Christina Lekati, psychologist, social engineering expert. To learn more about her you may visit: https://www.cyber-risk-gmbh.com/About_Christina_Lekati.html



Course Synopsis

Introduction.

1. Security is not a technical issue alone.

2. The importance of cultivating and maintaining security habits.

3. Non-technical means that protect your infrastructure.

4. Having multiple layers of security.


Social Engineering.

1. What is social engineering.

2. Why social engineering is a primary attack vector – and why it is likely you will encounter it, too.

3. How does social engineering work?

4. What do attackers prey upon?

5. The numbers game vs. highly tailored and targeted attacks.


Who is the attacker?

1. Possible adversaries: competitors, employees, individuals, small groups, insiders, service providers, criminal organizations, nation states.

2. Social engineering is a business, and a full-time profession.


The Social Engineering Kill-chain.

1. Reconnaissance: The research phase used to identify and select targets.

2. Targeting: Who is the most vulnerable person to attack? What is the biggest vulnerability of the target?

3. Pretexting: The attacker’s cover story.

4. Establishing trust with the target.

5. Manipulating, exploiting and victimizing.

6. Case studies.


Typical Social Engineering Attacks from a Distance.

1. Phishing Emails.

2. Spear Phishing.

3. Vishing.

4. Smishing.

5. Watering Holes.

6. Spoofing.

7. Baiting.

8. Whaling phishing.

9. Emotional triggers that will make you want to respond - but you shouldn’t.

10. Case studies.

11. Defence.


Is your social media content making you a target?

1. Social media is a primary source of information for attackers.

2. How your social media content can be used against you.

3. Cybersecurity hygiene advice for social media.

4. Attacks through social media.

5. Examples.

6. Defence.


In-Person attacks and manipulation techniques.

1. USB traps.

2. Emotional elicitation & exploitation.

3. Time pressure.

4. Authority.

5. Likeability.

6. Intimidation.

7. Reciprocity.

8. Impersonation.

9. Pity & Helpfulness.

10. Commitment & Consistency.

11. Reverse Social Engineering.

12. Examples & Case Studies.

13. Defence.


Physical security.

1. Why social engineers will try to enter your establishment.

2. What assets can be stolen or compromised?

3. Gaining unauthorized access to physical spaces.

4. Tailgating and bypassing physical security measures.

5. Locked does NOT mean secure - lockpicking capabilities.

6. Defence.


Identifying a social engineering attack.

1. Identifying manipulation and deceit.

2. Emotional triggers, emotional exploitation & what to do about it.

3. Verifying intentions - subtly.

4. Case studies.

5. Responding to and deterring a social engineering attack.


Policies & Procedures.

1. Convenience vs security.

2. What policies? What procedures? Why?

3. Using & applying policy to your advantage: escaping manipulation and uncomfortable situations.

4. Visitor policy best practices.

5. Disgruntled employees.

6. Best practices for third party vendors entering the establishment.


Developing information security habits.

1. Developing and internalizing everyday security habits.

2. Maintaining helpfulness without compromising security.

3. Establishing healthy boundaries in communication.


Concluding Remarks.

Our ultimate goal is to develop and strengthen an essential layer of organizational security, the human one (commonly called “the human firewall”), so that it supports and protects the assets of a company or organization.

Our Services

Cyber security is often boring for employees. We can make it exciting.


Online Training

Recorded on-demand training and live webinars.

In-house Training

Engaging training classes and workshops.

Social Engineering

Developing the human perimeter to deal with cyber threats.


For the Board

Short and comprehensive briefings for the board of directors.


Assessments

Open source intelligence (OSINT) reports and recommendations.


High Value Targets

They have the most skilled adversaries. We can help.


Which is the next step?

1. You contact us.

2. We meet and discuss.

3. Our proposal.

4. Changes and approval.

5. We deliver.


Cyber Risk GmbH, Cyber Risk Awareness and Training in Switzerland, Germany, Liechtenstein