Page 59 - Cyber Defense eMagazine September 2018
FIGURE 1. JETTON’S RAMPART DE TROIKA.
Awareness
Awareness is the first step in confronting social engineering threats. Here, a user is introduced to the tactics of the social engineer, such as vishing (telephone), phishing (email), and smishing (text message) exploits. Within this step, users must learn the value of the information they hold, as well as the sources of exploitation that social engineers draw on.
Training
Training is the next step. Once awareness is created, users learn what to do and what not to do. Users learn not only to protect their valuable company information but also to actively defend against a social engineer who has engaged them.
Training Musts:
Whether conducted in a classroom or online, training must be as hands-on and realistic as possible.

Training must be consistent, which means everyone at the company must receive the same information and guidance.

Regardless of whether training is internally or externally sourced, it must reinforce what the company values and deems important, while teaching users how they can avoid and/or mitigate social engineering techniques.

The training should cover, at a minimum: disclosure of personal information, policy review, effective destruction of old data, handling of credentials, challenging unknown individuals, physical security, and the techniques and motivations of the social engineer.

The standard should be no less than quarterly training, so that skills and vigilance do not diminish over time.