Yesterday at Black Hat, two of the presenters, Shawn Moyer and Nathan Hamiel, reportedly described an experiment showing how easily they got some prominent Chief Information Security Officers (CISOs) to fall for a social engineering scam run through social networking sites.
Here’s a short excerpt…
“A relatively simple ruse persuaded dozens of prominent security analysts to connect on their social networking Web pages with people who weren’t friends at all. They were fake profiles, purportedly of other well-known security pros. The scam was designed to expose the trust that even some of the most skeptical Internet users display on some of the most insecure sites on the Web.”
and another…
“Moyer and Hamiel said they did it three times, each time impersonating a different person. Each time they lured in more than 50 new friends within 24 hours. Some of those people were chief security officers for major corporations and defense industry workers, they said.”
More reason why everyone, including security pros, needs regular training and ongoing awareness communications to keep them from being drawn into social engineering tricks: a friend request that appears to come from a well-known colleague is exactly the kind of lure that skips past a skeptical reader's guard.
Everyone within a business needs to have social engineering training; all are potential targets.
Tags: awareness and training, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training, social engineering