Testing A Security Awareness Program

The following is my outline on how to test a Security Awareness Program. I have also included parts of what I would share in that program regarding physical and cyber security best practices.

Quick Overview of Program

Physical Security Lessons/Best Practices

  1. Do not keep doors propped open at any time.
  2. Be aware of who you are holding the door open for.
  3. Do not leave computers unlocked and unattended at any time.

Cyber Security Lessons/Best Practices

  1. Do not share passwords with anyone.
  2. Do not click on links in emails that look suspicious.
  3. Create passwords that are longer in length and include numbers and symbols.

Overview of Test

I will test the effectiveness of the security awareness training XYZ Company has offered its employees in two separate phases. Phase one is aimed at testing the lessons the employees learned from the Physical Security Training, and Phase two is aimed at testing the Cyber Security lessons they learned. These tests will happen at least one month apart, each on a random day, in order to catch employees off guard. The tests are not aimed at tricking the employees, but rather at gauging their honest responses to the situations they will be placed in.

Phase 1

During Phase One of the test, certain employees will be sent a phishing email and members of management will be sent a spear-phishing email.

The employees selected for the phishing email will be chosen at random from various departments. No more than 2 employees per department will be selected, so that the email feels like a one-off to each recipient. This also protects the integrity of the test: if too many people in the same department receive the same email, they are more likely to warn each other and skew the results.

In similar fashion, random members of the executive team will be selected to receive a spear-phishing email. The email will be spoofed to appear to come from the CEO and will make a specific request that the executive send him proprietary information or assets belonging to the department that executive leads.

Example of Phishing Email to Select Employees

Subject Line:

We could not deliver your parcel, #00556030

Body of Email:

Greetings, 

We were unable to deliver your parcel, ##00556028. Please click the link below to confirm the missing details needed for this delivery. 

LINK SHOWN HERE

Best, 

The UPS TEaM

Example of Spear-Phishing to CFO

Subject Line:

Need Your Immediate Assistance!

Body of Email:

[Name of CFO], 

Got off the phone with our legal team. They just informed me about an incoming lawsuit and need to look over my financial records to prepare a defense. Can you hurry and upload my statement of earnings to this link? 

LINK SHOWN HERE

They need it ASAP and I am currently stuck in traffic. Do it now and I will come and answer your questions when I get in. 

Thanks, 

John 

Methods Behind Phishing/Spear-Phishing Emails

The regular phishing email is crafted to mimic a popular UPS-themed email that is currently circulating on the internet. Working with the Threat Intelligence team, this email template was purposely chosen to help prepare employees for the phishing attempts most likely to reach them today. The parcel number in the email body was deliberately made different from the one in the subject line. The link was also made short. Lastly, an informal email signature with a lowercase “a” in it was left in deliberately. These are the clues that the employees will hopefully use to determine that the email they received is a phishing email.
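To make the planted clues concrete, here is an added example of my own (not code from the original outline) that checks the two sample emails above for exactly those clues: the reference number in the body not matching the subject line, a shortened link, and a signature word with odd capitalisation such as “TEaM”. It also flags urgency language, a heuristic the outline does not list but which the CEO email triggers. The URLs, the shortener host list and the urgency phrases are constructed assumptions; the outline itself only shows “LINK SHOWN HERE”.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages modelled on the two simulated emails in the
# outline. The URLs are placeholders standing in for the shortened links.
UPS_PHISH = {
    "subject": "We could not deliver your parcel, #00556030",
    "body": (
        "Greetings,\n\n"
        "We were unable to deliver your parcel, ##00556028. Please click the link "
        "below to confirm the missing details needed for this delivery.\n\n"
        "https://short.example/p7Qx2\n\n"
        "Best,\n\nThe UPS TEaM\n"
    ),
}

CEO_SPEAR_PHISH = {
    "subject": "Need Your Immediate Assistance!",
    "body": (
        "[Name of CFO],\n\n"
        "Got off the phone with our legal team. They just informed me about an "
        "incoming lawsuit and need to look over my financial records to prepare "
        "a defense. Can you hurry and upload my statement of earnings to this link?\n\n"
        "https://short.example/u9Lm4\n\n"
        "They need it ASAP and I am currently stuck in traffic. Do it now and I "
        "will come and answer your questions when I get in.\n\n"
        "Thanks,\n\nJohn\n"
    ),
}

# Assumed shortener hosts; "short.example" is a constructed placeholder.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "short.example"}

# Assumed urgency phrases: pressure to act right now is a common pretext cue.
URGENCY_CUES = ("asap", "hurry", "immediate", "do it now", "urgent")

NUMBER_RE = re.compile(r"#+\s*(\d{5,})")          # "#00556030" or "##00556028"
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def reference_numbers(text):
    """Return the set of parcel/reference numbers written as #123456."""
    return set(NUMBER_RE.findall(text))


def shortened_links(text):
    """Return every link in the text whose host is a known URL shortener."""
    return [url for url in URL_RE.findall(text)
            if (urlparse(url).hostname or "").lower() in SHORTENER_HOSTS]


def odd_case_words(text):
    """Words with mixed case that are neither Capitalised nor ALL CAPS, e.g. 'TEaM'."""
    return [w for w in re.findall(r"[A-Za-z]{3,}", text)
            if not (w.isupper() or w.islower() or w == w.capitalize())]


def urgency_hits(text):
    """Return the urgency phrases present in the text, in cue-list order."""
    low = text.lower()
    return [cue for cue in URGENCY_CUES if cue in low]


def phishing_clues(message):
    """Map each planted clue found in the message to the evidence for it."""
    subject, body = message["subject"], message["body"]
    clues = {}
    subj_nums, body_nums = reference_numbers(subject), reference_numbers(body)
    if subj_nums and body_nums and subj_nums != body_nums:
        clues["reference_mismatch"] = sorted(subj_nums | body_nums)
    if links := shortened_links(body):
        clues["shortened_link"] = links
    if odd := odd_case_words(body):
        clues["odd_case_signature"] = odd
    if urgent := urgency_hits(subject + " " + body):
        clues["urgency_language"] = urgent
    return clues


if __name__ == "__main__":
    for name, msg in (("UPS phish", UPS_PHISH), ("CEO spear-phish", CEO_SPEAR_PHISH)):
        print(name, "->", phishing_clues(msg))
```

Running the UPS sample reports all three clues the outline planted, while the CEO sample reports only the shortened link and the urgency language, which matches the outline's point that the spear-phish leaves fewer obvious tells. The same function is a useful pre-send check for whoever builds the test emails: it confirms the planted clues are actually present before the message goes out.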

The spear-phishing email is crafted to be more difficult to detect, reflecting the level of sophistication attackers use when targeting executive team members. This email uses an unlikely scenario to bait the executive into uploading information to a link. Here too, the link was made short. Hopefully, the executive team will notice the informal nature of the email and question the demands made in it.

Phase 2

During Phase 2 of the test, a person unknown to the employees is sent to the company with a laptop to try to gain physical access to the facilities and to proprietary data. The person is well groomed and dressed in strict business casual attire. This person is instructed to carry out three specific tasks, listed below along with the instructions for each:

  1. Gain access to the employee-restricted area.
     - Trail an employee as he/she is walking in.
     - Politely ask an employee to let you in because it is your “first week” and you “forgot your badge”.
  2. Gain access to an employee’s computer.
     - Walk up to an employee, claim to be from IT, and ask whether you can check something on his computer.
     - As you leave, let the employee know that you still need to run tests and will need his password later. Record whether he agrees to send it to you.
  3. Walk around the facility and count the number of computers that are left unlocked and unattended.

Methods Behind Intruder Test

This test evaluates the employees' habits and how those habits affect security measures. Specifically, I am looking at the tendency to let anyone in behind them at a door and the frequency with which laptops are left unlocked and unattended. Their knowledge of security best practices is also tested by asking them whether they will share their passwords and whether they would hand over their laptop to a complete stranger without asking questions.

Lessons to Be Learned

I hope that the lessons learned from these tests coincide with the ones from the security awareness training outlined above. These tests are meant to be a real-world example of the threats that each employee can face day to day. I also hope that the tests reinforce for employees the importance of information security and highlight the fact that anyone can be a victim of an attack.

Benefits to the Security Governance

These tests will help employees start thinking about security as part of their everyday operations. The employees who fail will hopefully be inspired to start taking security personally. This will make enforcing security policies, and communicating their importance around the organization, much easier. Targeting executives will show that all members of the organization are vulnerable, which will hopefully encourage our executives to adopt a top-down approach to information security awareness. If employees see that management is starting to take security seriously, they will be more inclined to do so themselves.