Application: Designing an Awareness Training Plan
Imagine you are a mid-level manager in a busy company. One day, you have a few minutes between meetings and decide to answer e-mails. You notice that one of your e-mails is from your boss. The e-mail indicates that you and the other mid-level managers are to provide the name of a subordinate who is worthy of promotion (for a publicly posted job). The name must be submitted by clicking a link embedded in the e-mail. You click the link and enter a name. You are able to answer only a few more e-mails before rushing into your next meeting. A few days later, you are called into an office where your boss and the Chief Security Officer (CSO) are waiting for you. They have lots of questions for you—starting with why you have been accessing employee files. You have been socially engineered.
In the IT space, some fairly sophisticated technologies and controls exist for protecting IT assets. As you have learned in this course, the idea of an impregnable system is a myth. Determined attackers can always find a way in. Often, the quickest and easiest way to compromise systems is by tricking employees via social engineering—the ability to use social skills to gain access to a host, system, or sensitive information.
For this Assignment, design a presentation that consists of 6–12 slides for an awareness training plan that addresses social engineering threats stemming from employees using social networking sites in the workplace. Address how hackers might use personal information available on these sites (e.g., relationships, pictures, degrees, and travel information) to social engineer employees.