If you follow the news on information security, you see superlative after superlative. Millions of passwords were stolen. Hundreds of thousands of cameras suddenly became tools for blackmail. Countless records were copied without authorization. Often, after a few paragraphs, you read about technical solutions that should put a stop to these break-ins. In the process, one forgets that nowadays hermetically locked doors can be easily opened just by a telephone call or an e-mail message. According to a publication of the British Federation of Small Businesses, almost 50% of attacks are social engineering attacks, which means attacks through social manipulation. Against these attacks, investments in technical defense measures remain completely ineffective.
Mere security awareness does not help anymore
In the past, approaches to defending against attacks on the human weak spot have focused on awareness trainings. But in our modern business world, awareness is not enough. The knowledge of the dangers of social engineering, aka social manipulation, is already available. Countermeasures must now become much more concrete. Employees must be able to understand, recognize and independently avert the methods of their adversaries. This competency cannot be achieved through security awareness alone. Let’s use the analogy of fire-fighting to underline this point:
The knowledge that a fire could break out in the workplace is of little help if nobody is able or allowed to use a fire extinguisher in the event of a crisis. All classic trainings on defending against social engineering only deal with the topic up to a certain point. Unfortunately, what has to be done after the source of the fire has been discovered is often not discussed at all. But exactly at this point, training has to become tangible, otherwise it does not contribute to the protection of a company.
Social engineering, the poor relation of information security
The serious implications of attacks against the psyche of employees are strongly underestimated. While technical solutions, due to their inscrutable complexity, seem to be highly effective, the study of habits, communication styles, absences, internal company celebrations, daily lunches or after-work activities seems almost banal. But each piece of seemingly banal information is a building block in the attacker’s plan. This is easier said than done, but you must build counter-measures as a complete campaign. Many companies have guidelines for dealing with strangers and sensitive information. Their IT departments are also in the know.
But one has to connect the individual parts into a network that protects the weak points of human communication in office life; otherwise even the best fire protection system will not suffice. Do not consider your personnel a potential risk, but a vital part of your security architecture. Everyone can fall victim to social engineering attacks; there is no shame in that. It is therefore crucial to offer your employees ways to report weaknesses anonymously. If everyone is to pull together, the threshold for co-operation must be as low as possible, especially when it comes to security.
Hands-on workshop with practical exercises, based on real-world examples
One of the focus points of the 10th DeepSec In-Depth Security Conference will be social engineering and how to defend yourself against it. The conference program includes not only lectures on the subject but also a training conducted by two experts in this field. In a two-day workshop, Cyni Winegard and Bethany Ward will present real-world scenarios and enact them with the participants. The course aims not only to create awareness, but to use practical examples and role playing so that participants gain experiences they can incorporate into their own habits. All examples will be tailored to the abilities of the participants – and to the weaknesses of their professional environment.
A defense has to acknowledge and withstand the abilities of your opponents. The workshop Penetration Testing Humans helps to create a real defense of the human psyche. The trainers bring their experience from many years of security tests and confront the participants with real dialogues and actions from successful attacks.
The complete program of the DeepSec Conference is available at
The workshops will be held on 8/9 November 2016.
The conference takes place on 10/11 November.
Workshop & Conference Venue: The Imperial Riding School Vienna – A Renaissance Hotel, Ungargasse 60, 1030 Vienna.