The problem with awareness…

January 22, 2008

Andy blogged this morning about social engineering and trust. While I loved the post, and I think he made some good points about social engineering, something that he said struck me while reading:

The important thing is that we make our users aware of social engineering threats and at the very least teach them to not just blindly give out information. If they are unsure then they need to refer the person to management. Teach them to stop and think before acting.

This is an incredibly normal line of thinking, and it is the traditional way of dealing with social engineering. The issue with it is two-fold. First, even a half-way prepared social engineer will have built a frame strong enough to satisfy most of the simple checks that a normal user is going to make.

But the bigger issue is that, when we talk about things like “not blindly giving out information”, what we’re really saying is that we need to teach our users not to trust each other.

The problem with this is simple: an agile, responsive and successful business is built on a lack of boundaries and a healthy level of organizational trust. The kind of mistrust that most infosec people would intentionally engender in their users would cause significant inefficiencies within most organizations.

So, if we’re not teaching our users to withhold information, or to verify everything, what do I think we should be teaching them?

Instinct. Most of us in infosec have developed an instinct for when things “don’t smell right”: when an email just seems a little bit “phishy” (pun intended).

I believe that instinct can be taught (well, indoctrinated) into our users with about the same effort as it takes to teach them not to trust each other.


Comments

5 Responses to “The problem with awareness…”

  1. Social Engineering and Employee Engagement « melina murray on January 22nd, 2008 9:45 am

    [...] Engineering and Employee Engagement I was reading a post by Mike Murray today about Social Engineering and awareness in business. (full disclosure: Mike is my husband, in [...]

  2. spylogic.net on January 22nd, 2008 7:46 pm

    Awareness and Social Engineering…

    Good blog posts over at Episteme and Andy’s blog about employee awareness and social engineering. Teaching your employees not to trust people is a tall request that’s for sure! Most businesses……

  3. dtabone on January 28th, 2008 1:49 am

    Well said Mike — well said… a topic well covered by Bruce is also perception toward security. You could say that it ties in with instinct.

  4. » Social Engineering and Employee Engagement Melina Murray on January 29th, 2008 3:27 pm

    [...] was reading a post by Mike Murray today about Social Engineering and awareness in business. (full disclosure: Mike is my husband, in [...]

  5. Betting systems on July 9th, 2008 10:04 am

    Nice blog, I will come back here every day, greetings
