Danny Ocean, played by George Clooney in Ocean's 11, shows the complexity, timing, and sometimes ease of leveraging social engineering for an attack. The film provides a compelling look into the art of deception and manipulation, showcasing strategies that are surprisingly relevant to cybersecurity training.
In "Ocean's Eleven," Danny Ocean and his team use sophisticated social engineering tactics to rob a casino. They employ pretexting when posing as technicians or officials to access restricted areas or gather critical information from unsuspecting employees. This mirrors real-world scenarios where attackers might pose as IT staff to ask for your password or as executives requesting urgent wire transfers.
The movie also demonstrates tailgating during the scene where characters bypass security checkpoints by closely following authorized personnel into restricted areas. This scene vividly illustrates the need for vigilance and strict access controls in sensitive environments.
Cybercrime tactics are evolving, moving beyond technical exploits to target the weakest link in security: people. That's why CIS Safeguard 14.2 emphasizes training your staff to detect social engineering attacks like phishing, pretexting, and baiting.
What is Social Engineering?
Social engineering manipulates individuals to divulge sensitive information or undertake actions that compromise security. These attacks often exploit emotions such as fear, urgency, greed, or the desire to assist.
Recognizing Social Engineering Red Flags
- Suspicious Emails: Unusual sender addresses, typos, unusual requests for information, or misleading links
- Urgent Requests: Pressure tactics to prompt immediate action without careful consideration
- Offers Too Good to be True: Unexpected prizes, offers, or warnings about account issues may be bait
- Impersonation: Attackers posing as IT support, bank representatives, or company executives
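The red flags above can be turned into a simple checklist that a mail filter, a help-desk triage tool, or a training exercise can apply to a reported message. The script below is an added example, not something from this post or from CIS; it uses only the Python standard library and scores a raw email for four of the indicators listed above: a Reply-To domain that differs from the sender domain (a common impersonation sign), link text that shows one host while the actual target is another, urgency language, and a request for credentials. The two sample messages and the keyword lists are constructed for illustration and are not real campaigns.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed keyword lists; a real deployment would tune these to its own mail traffic.
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "account will be suspended", "act now")
CREDENTIAL_TERMS = ("password", "verify your account", "confirm your login", "security code")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    """Domain part of an address, lower-cased; empty if no '@' present."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(url):
    """Host part of an http(s) URL, lower-cased; empty if the text is not a URL."""
    m = re.match(r"https?://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""


def red_flags(raw_message):
    """Return a list of human-readable red flags found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []

    # Impersonation check: replies silently routed to a domain other than the sender's.
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        flags.append("reply-to domain differs from sender domain")

    # Misleading-link check: visible URL text points at a different host than the href.
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    is_html = body_part is not None and body_part.get_content_type() == "text/html"
    if is_html:
        collector = _LinkCollector()
        collector.feed(body)
        for href, text in collector.links:
            shown = _host(text)
            if shown and shown != _host(href):
                flags.append("link text host differs from actual link target")
                break

    # Urgency and credential-request checks run over subject plus tag-stripped body text.
    text = re.sub(r"<[^>]+>", " ", body) if is_html else body
    haystack = (str(msg.get("Subject", "")) + " " + text).lower()
    if any(term in haystack for term in URGENCY_TERMS):
        flags.append("urgency / pressure language")
    if any(term in haystack for term in CREDENTIAL_TERMS):
        flags.append("asks for credentials or account verification")
    return flags


# Constructed sample messages (reserved .example names, not real domains).
PHISHING_SAMPLE = """\
From: "IT Support" <helpdesk@example-corp.com>
Reply-To: recovery@mail-secure-login.example
To: alice@example-corp.com
Subject: URGENT: password reset required
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account will be suspended within 24 hours unless you verify your password.</p>
<p><a href="http://login.example-corp.com.lookalike-host.example/reset">https://login.example-corp.com/reset</a></p>
</body></html>
"""

BENIGN_SAMPLE = """\
From: "Payroll Team" <payroll@example-corp.com>
To: alice@example-corp.com
Subject: March timesheet reminder
Content-Type: text/plain; charset=utf-8

Hi Alice, please submit your March timesheet by Friday. Thanks!
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, "->", red_flags(sample) or ["no red flags"])
```

Each flag maps to one bullet in the list above, which makes the output useful as a teaching aid: when a reported message scores several flags, the training feedback can point at exactly which indicator the employee should have noticed. Keyword matching alone is noisy, so treat the result as a prompt for a human look and a report, not as an automatic verdict.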
Transforming Training into a Defensive Strategy
- Real-world Examples: Illustrate concepts with recent phishing attacks or scams to enhance relevance
- Simulated Phishing Tests: Conduct safe simulations to help staff recognize red flags in a controlled environment
- Gamification: Engage employees with quizzes and incentives for identifying social engineering attempts
- Reporting Protocols: Clearly outline procedures for reporting any suspected attacks encountered by employees
Here’s a link to the Security Awareness Skills Training Policy Template provided free of charge from the fine folks at the Center for Internet Security: https://www.cisecurity.org/insights/white-papers/security-awareness-skills-training-policy-template-for-cis-control-14
Here are some details on this specific Control/Safeguard. If you want more info, DM me.
CIS Control 14 – Security Skills Awareness & Training
Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.
Implementation Group 1
CIS Safeguard 14.2 - Train Workforce Members to Recognize Social Engineering Attacks
Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.