WEBVTT

00:00:00.930 --> 00:00:04.240
One of the most important topics to be covered in any security

00:00:04.240 --> 00:00:06.770
awareness program is social engineering.

00:00:08.250 --> 00:00:12.860
Social engineering can be defined as the manipulation of people

00:00:13.050 --> 00:00:15.880
to perform actions that they should not do.

00:00:17.830 --> 00:00:21.170
There are four main types of social engineering that we

00:00:21.170 --> 00:00:24.310
need to warn people about, intimidation,

00:00:24.840 --> 00:00:25.860
name dropping,

00:00:26.330 --> 00:00:29.370
appealing for assistance, and, of course, the

00:00:29.370 --> 00:00:32.500
technical type such as phishing attacks.

00:00:33.690 --> 00:00:37.560
The thing is that intimidation is where a person tries to threaten,

00:00:37.560 --> 00:00:42.930
I'll talk to your boss, I'll report you, and tries to convince someone

00:00:42.930 --> 00:00:45.270
to do something so they don't make a fuss.

00:00:46.460 --> 00:00:50.450
Name dropping is, oh, I was talking to, and they mentioned maybe a

00:00:50.450 --> 00:00:53.470
senior manager, and he said you could do this for me.

00:00:53.790 --> 00:00:58.230
Yeah, you bring in a little bit of flattery with it as well. And people think,

00:00:58.240 --> 00:01:03.100
oh, well, if he or she approved it. The next is, of course,

00:01:03.100 --> 00:01:05.349
appealing: I'm really having a problem with this.

00:01:05.349 --> 00:01:08.450
And could you help me get this done? And I need to get

00:01:08.450 --> 00:01:12.330
this for the boss right away. And maybe somebody provides

00:01:12.330 --> 00:01:13.780
access they shouldn't have had.

00:01:14.060 --> 00:01:18.030
And of course, we need to warn people about things like phishing attacks

00:01:18.030 --> 00:01:22.430
and how prevalent these are and how dangerous as well.

00:01:24.050 --> 00:01:28.340
Some of the symptoms that we can warn people to watch for that

00:01:28.340 --> 00:01:32.170
would probably indicate some type of social engineering is

00:01:32.170 --> 00:01:35.090
pressure. We need to do this right away.

00:01:35.100 --> 00:01:36.050
We can't wait.

00:01:36.590 --> 00:01:41.460
Or of course, there's this urgency here that requires someone to do

00:01:41.460 --> 00:01:44.720
something without checking or verifying with anybody else.

00:01:45.650 --> 00:01:49.300
The idea of flattery where someone turns and says yes,

00:01:49.300 --> 00:01:53.480
you're the best one, or I was told you could help with this. Or of

00:01:53.480 --> 00:01:56.130
course threats. I'll have your job for this.

00:01:56.740 --> 00:01:59.630
These are things that we need to warn people about.

00:01:59.640 --> 00:02:01.750
And when it comes to social engineering,

00:02:02.170 --> 00:02:09.610
the best thing is to give people an awareness of it so they know how to

00:02:09.610 --> 00:02:13.470
recognize it and then of course resist it as well.

00:02:14.220 --> 00:02:18.750
So preventing social engineering is a lot about developing a culture.

00:02:19.450 --> 00:02:21.080
It's okay to say no.

00:02:21.640 --> 00:02:24.550
If you've been told that this is how it's supposed to be done,

00:02:24.730 --> 00:02:27.470
even if someone tries to convince you no,

00:02:27.600 --> 00:02:28.230
no, no,

00:02:28.240 --> 00:02:32.290
I've been told that this is the way we do it, and

00:02:32.290 --> 00:02:33.700
I'm not allowed to change that.

00:02:33.900 --> 00:02:36.350
It's management that wrote this policy.

00:02:36.790 --> 00:02:42.470
I don't have the authority to overrule management. But this means that

00:02:42.470 --> 00:02:46.590
management has to support the employee who follows the policy.

00:02:47.240 --> 00:02:49.290
It could be that management comes and says,

00:02:49.290 --> 00:02:49.680
okay,

00:02:49.680 --> 00:02:52.280
we're going to grant an exception. But then they

00:02:52.280 --> 00:02:53.890
should turn to the employee and say,

00:02:53.900 --> 00:02:57.530
but you did the right thing in not just going along

00:02:57.530 --> 00:02:59.350
with what this person asked for.

00:03:00.340 --> 00:03:04.560
We often hear that, you know, the customer is always right. And in many cases,

00:03:04.560 --> 00:03:06.360
actually, the customer is wrong.

00:03:06.370 --> 00:03:14.410
So it's good for us to know that we, as employees, have the support of

00:03:14.410 --> 00:03:20.290
management at all times when we follow the policies. It is good to have the

00:03:20.290 --> 00:03:25.580
policy so people know, and it's not vague or misunderstood how to do

00:03:25.580 --> 00:03:28.900
something. And of course, have procedures.

00:03:29.120 --> 00:03:35.050
If somebody asks for something, maybe they say, well, name dropping,

00:03:35.240 --> 00:03:37.040
this person said you could help me.

00:03:37.130 --> 00:03:37.870
Okay, thanks.

00:03:37.870 --> 00:03:40.290
I'll go and independently verify that.

00:03:40.360 --> 00:03:41.900
Oh, they're not available today.

00:03:41.910 --> 00:03:43.740
Well, then I'm sorry I can't do it.

00:03:43.770 --> 00:03:48.550
If I can't independently verify that that person said it, it

00:03:48.550 --> 00:03:51.330
could well be that the reason I used that person's name is they

00:03:51.330 --> 00:03:53.120
know that person is not in that day.

00:03:53.840 --> 00:03:59.130
So it's good to have these policies, procedures, and certainly a

00:03:59.130 --> 00:04:02.440
culture that the employees know that if they follow the

00:04:02.440 --> 00:04:05.030
procedures, they won't get in trouble for that.
