Should I Test Employee Security Awareness?

Becoming a Coach

If you’ve ever volunteered to coach youth sports – especially T-ball – you’ve probably learned as much as the kids about how to teach and train someone to perform an activity. First lesson of T-ball: if you give a kid a bat, they will swing the bat no matter who or what is in the area. Second lesson: coaching is repetition. Back when I helped coach a T-ball team, our first day of practice involved running to first base and coaching kids to listen to the first base coach. We spent a lot of time on the fundamentals and basics of baseball. When all is said and done, the purpose of T-ball is to provide the kids with a basic knowledge of the game and awareness of what to do when the ball is hit (run to first base), and above all else: to have fun.

The goal of Security Awareness Training should be similar to coaching T-ball. As information security professionals, we should understand that the audience is not full of security experts, and we need to provide basic knowledge and appropriate action to take when faced with an incident, and we also need to repeatedly test the effectiveness of the training program. Unlike T-ball, however, we need to keep score; not to shame an employee but to measure our coaching.

Give a user technology, and you should expect they will misuse it – intentionally or unintentionally. Security Awareness Training should cover basic information security principles and response steps to social engineering and phishing - the two most common causes of data loss and breaches. Verifying employees have retained this information and will deploy their training in the future is the key to a successful Security Awareness Program.

Common Testing Methodologies

Quizzes

Administering a quiz after a Security Awareness Training session is a common testing approach, but quizzes are ineffective if using a one-and-done approach. Remember, coaching is repetition. Random web-based quizzes throughout the year may provide a better measurement, unless employees share answers. When asked which base to run to, a player can say “first base,” but the coaching can only be measured when the player is standing on first base. Yes, running from home plate to third base is common in T-ball. In audit lingo, this is known as verification by observation, the highest form of audit evidence.

Workplace Security Review

Employees can become desensitized to confidential information in the work area, especially when working with such information every day. A great way to test your clean desk policy and physical security policy is to observe your workplace. It is amazing the amount of information that can be obtained while walking around the workplace. Work area checks may be performed during or after business hours. Are desk drawers and filing cabinets with confidential information locked? Are sticky notes with confidential information in plain sight? Are passwords written down and stored under keyboards or behind monitors? Are desktops left logged on and unattended? Are vault combinations kept in unlocked desk drawers? Can you fish documents from a shred container? Take pictures of any security violations - it is the best form of evidence – and share the results of your physical checks during your next Security Awareness Training session.
 

Dumpster Diving

The old adage goes: “one man’s trash is another man’s treasure.” Dumpster diving can literally be a treasure trove of information for anyone that wants to create a highly successful social engineering campaign. Rather than wait for someone else to find all the information your employees are throwing away, you can perform your own Dumpster Diving tests at any time.
 

A pair of latex gloves is always recommended for this test. One of the best (cleanest) methods to perform this test is to follow the cleaning crew around after business hours and observe what information is being disposed of as ordinary garbage (not in shred bins; that’s where you want employees to put confidential information). Some of the most common ways employees inadvertently dispose of confidential information is via sticky notes or scratch paper with account numbers or social security numbers. Do you like jigsaw puzzles? You may find confidential information that has been hand-shredded (torn, not properly shredded). Does any of the information in the trash identify your organization, your customers, or your vendors? Even mail with customer return addresses can identify specific customers that an attacker can then research and use against your institution.

Pretext Phone Calls

In larger organizations, pretext phone calls may be performed by an internal resource that isn’t well-known or by an outsourced auditor or consultant. The tester can perform the test via the phone (voice/text) or Internet (email/chat). Posing as a customer, vendor or business partner who is requesting confidential information or login credentials. The tester needs to have a good cover story as to why the information or login credentials are needed. Testers will often use popular spoofing tools to display local area codes, phone numbers, and alias name when impersonating a person or company.
 

Do you have procedures for validating a customer’s identity? Do staff follow these procedures? Do you solely rely on caller ID technology for customer verification?

Physical Impersonation

We have all seen physical impersonation attacks in the movies; the correct uniform and identification badge allows easy access into a restricted area. In reality, we have all likely performed this test once in our life without realizing it. As an example, when I go to the gym, the attendant is supposed to swipe my card to grant and track my access. However, if I have my earbuds in and stare at my phone, I’m allowed to walk by unchallenged. I look like I belong at the gym; why inconvenience me?

You wouldn’t intentionally let just anyone into your facility and look the other way as they steal your confidential customer information, right? Be intentional about escorting unknown or unannounced guests around your premises and restrict access to non-customer areas of your business.

If a tester looks like they belong at your organization, will your staff challenge their identity? Do you have challenge procedures?

Flash Drive Drop Attack Test

Another great way to test your Security Awareness Training is to bait users with a “lost” USB (Universal Serial Bus) flash drive. A 2016 Black Hat experiment found that of nearly 300 dropped devices, 45% of the dropped drives were picked up and plugged into a device to see what the drive contained. Will your employees take the bait? How many employees will call IT? How many will plug the device into a company workstation? This test may be performed by capable IT Staff with help from the Internet or performed by an outsourced auditor or consultant.

Phishing Attack Simulation

One of the best ways to determine if your employees are aware of the threat posed by a phishing attack is to perform a controlled test (simulated attack) of employee email. Test emails should provide some clues covered in security awareness training that should tip the recipient of the deception. Directing the recipient to a website link will allow the tester to gather evidence of who opened the email and who followed the link. Such testing may be performed by skilled staff or by a third-party provider. It is recommended that testing be performed throughout the year to maintain employee awareness.

When it comes to Phishing email testing, remember three (3) things:

1. Phishing is the most common way attackers get into networks – it’s cheap, easy, and everyone uses email.
2. The goal is to educate and train your employees, not to be as deceptive as possible or to see how many clicks you can get.
3. If your people are your biggest security weakness, you should test your biggest security weakness most frequently, not least frequently.

Measuring Results

Share the results of testing with the management team by documenting your findings using generic terms such as passwords written down and stored within eyesight, confidential information stored in unlocked desk drawers after hours, etc. Avoid using names of employees in the written reports but be prepared to offer details when asked by management. Keeping in mind the goal is not to demean an employee but improve the organization’s security awareness. The risk of social engineering attacks cannot ever be 100% mitigated, but you should strive to improve the results (fewer violations) each year.

Employees should be informed that such testing may occur at random. Regardless of the method of testing, the results of testing should be shared with employees to emphasize the fundamentals in the test that should have raised a red flag and the actions that users should have taken. To measure the success and limitations of a security awareness training program, consider tracking the following:

• The number and type of security violation found during workplace reviews.
• The number of instances confidential information is found in trash containers.
• The number of employees that provided confidential information to testers via the phone or email.
• The number of employees did not provide confidential information to testers via the phone or email.
• The number of times physical impersonation testers were allowed access to restricted areas.
• The number of times testers are challenged during a physical impersonation test.
• Click rates for phishing tests.
• Number of employees that leak sensitive data (i.e. provide a user/password)
• Number of employees who reported a phishing email

Security awareness and testing methodologies must continue to evolve with attack methods, and the best way to provide evidence of progress is to monitor performance through observation testing