Staff Training

The popular image of hacking centres around elaborate technical exploits enabling hackers to instantly enter systems. While it's true that many cyberattacks do involve sophisticated technical methods of breaching a system's defences, at least as dangerous an attack vector is manipulating the staff of an organisation into granting attackers access. Addressing this attack vector - social engineering - must be placed among the highest priorities for any organisation seeking to improve its security. Moreover, an increasing number of attacks today combine technical methods with social engineering.

Shellhex's Social Engineering service offers security testing for an organisation's susceptibility to social engineering, but what about remediation? A very simple, yet critical, means of protecting organisations from social engineering is simply to train staff to better notice social engineering attempts rather than fall for them.

An Example Attack Scenario

To illustrate that social engineering and technical exploitation are not exclusive of each other, consider the following scenario. An attacker researches an organisation and its leaders and uses that information to draft a highly convincing phishing email. The attacker then spoofs email credentials to make it appear that the message is coming from an executive within the organisation, and sends it to employees. An employee then clicks a link within the email, which takes them to a website the attacker has set up that steals a session token stored as a cookie on the employee's machine. Session management issues in the company's portal enable this session token to be used by the attacker to access the employee's user account, bypassing passwords and multi-factor authentication. Vulnerabilities in the company's software enable the attacker to obtain remote-code execution on the company's server running the portal, e.g. through PHP injection. The attacker then uses fairly standard methods to escalate privileges, bypassing user permissions on the server. This compromised system can then be used as a proxy for attacking other systems inside the organisation, bypassing firewalls since it is already within the company's network. Many steps in this hypothetical attack are purely technical in nature, and rested on vulnerabilities that could have been addressed at a technical level. However, the step where the attacker tricked an employee into clicking on a malicious link was nonetheless a critical step in the attack process.

Staff Training Beyond Social Engineering

While social engineering is one of the greatest dangers that staff training can help address, there are many others. Consider the following scenarios:

Pick your scenario:

An employee needs to set up an account on a new company service, and uses a weak password with no multi-factor authentication. An attacker is then able to use standard password-cracking tools to gain access to the user account. If the employee understood the importance of following company processes on passwords and authentication, this attack could have been prevented.

Recurring Training Workshops

Our Staff Training service is based around a model of multiple on-premises interactive workshops for training staff. We believe staff training is most effective when we can conduct simplified live demonstrations of the security risks bad practices can introduce, as this makes the dangers clearer to employees. We can offer a free consultation to discuss your organisation's needs and schedule, and then draft a list of dates to conduct workshops for your organisation. We are happy to offer a single workshop, a series of workshops, or a recurring programme of workshops. Each workshop is priced at £1,200 exclusive of VAT. We typically aim for each workshop to last 1-2 hours depending on the complexity of the topic, but are flexible with the schedule of your organisation and depth of coverage.