A third of Fortune 500 execs fall for phishing attempts – Canadian Underwriter

Actual simulated phishing attack results show that C-level executives may be most likely to take the bait and fall for simple or sophisticated spear phishing attacks,…

See on www.canadianunderwriter.ca

Hacking Humans, Corporate Espionage and the Spies Among Us – Huffington Post


Ira Winkler: I see a lot of attention being paid to spear phishing and APT, which people equate specifically to China.

See on www.huffingtonpost.com

Don’t Let Non-IT Employees Do Pen Testing

An article in SC Magazine caught my eye today. It was on using social engineering techniques to reinforce the importance of security to employees. Article: SC Congress Canada: “Social engineer back” employees

“This could be interesting….” I thought to myself. And it was… And I was right there with them until I read this:

“…challenges with prizes, such as being the first employee to walk over to a co-worker’s unlocked computer to send an email from their account without them knowing.”

Seriously?

So let me get this straight. John Proctor of CGI Group is advocating that employees perform pen testing on each other and gain unauthorized access to email.

Again… Seriously?

It should be a violation of security policy, and perhaps state, federal and industry regulations (depending on the industry and the data), for an employee to leave a computer unattended. It is a vulnerability that can be exploited – obviously, not a good thing. In fact, I’ll go so far as to say it’s a stupid and lazy thing for someone to do.
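The technical control behind that policy is an enforced inactivity lock, so an unattended session locks itself instead of depending on the employee remembering to. The following PowerShell audit-and-enforce script is an added example written for this page; it is not code from the original post, from SC Magazine or from CGI Group. It assumes the documented Windows registry locations for the user screen-saver lock and the machine-wide "Interactive logon: Machine inactivity limit" policy, and a 10-minute maximum that is an assumed corporate value.

```powershell
# Added example (not from the original post): audit whether a Windows workstation
# locks itself after inactivity, and enforce the machine-wide limit if it does not.
# $MaxIdleSeconds is an assumed corporate maximum; adjust to your own policy.
$MaxIdleSeconds = 600

$UserDesktopKey   = 'HKCU:\Control Panel\Desktop'
$MachinePolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-ScreenLockSettings {
    # Read both the per-user screen-saver lock and the machine inactivity policy.
    # Missing values come back as $null and are coerced to 0 below.
    $desktop = Get-ItemProperty -Path $UserDesktopKey   -ErrorAction SilentlyContinue
    $policy  = Get-ItemProperty -Path $MachinePolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ScreenSaverActive  = [int]($desktop.ScreenSaveActive)      # 1 = screen saver enabled
        ScreenSaverSecure  = [int]($desktop.ScreenSaverIsSecure)   # 1 = password required on resume
        ScreenSaverTimeout = [int]($desktop.ScreenSaveTimeOut)     # seconds of idle before it starts
        MachineInactivity  = [int]($policy.InactivityTimeoutSecs)  # seconds; 0/absent = not set
    }
}

function Test-ScreenLockCompliant {
    param($Settings, [int]$MaxSeconds)
    # Compliant if EITHER the user-level secure screen saver OR the machine policy
    # locks the session within the allowed window. The machine policy is preferred
    # because a user cannot simply switch it off.
    $userOk = ($Settings.ScreenSaverActive -eq 1) -and
              ($Settings.ScreenSaverSecure -eq 1) -and
              ($Settings.ScreenSaverTimeout -gt 0) -and
              ($Settings.ScreenSaverTimeout -le $MaxSeconds)
    $machineOk = ($Settings.MachineInactivity -gt 0) -and
                 ($Settings.MachineInactivity -le $MaxSeconds)
    return ($userOk -or $machineOk)
}

function Set-MachineInactivityLimit {
    param([int]$Seconds)
    # Requires an elevated (administrator) session. In a domain this is normally
    # pushed by Group Policy; setting the value directly is the stand-alone equivalent.
    New-Item -Path $MachinePolicyKey -Force | Out-Null
    Set-ItemProperty -Path $MachinePolicyKey -Name 'InactivityTimeoutSecs' -Value $Seconds -Type DWord
}

$settings = Get-ScreenLockSettings
$settings | Format-List

if (Test-ScreenLockCompliant -Settings $settings -MaxSeconds $MaxIdleSeconds) {
    Write-Output "Compliant: session locks within $MaxIdleSeconds seconds of inactivity."
} else {
    Write-Output "NOT compliant: enforcing machine inactivity limit of $MaxIdleSeconds seconds."
    Set-MachineInactivityLimit -Seconds $MaxIdleSeconds
}
```

Run it as an audit under a normal user account (the enforcement step will fail without elevation, which is the point: the fix belongs to IT, not to whoever notices the unlocked screen). Logging the non-compliant result to a central inventory gives the security team the same information the "walk over to a co-worker's computer" contest was meant to surface, without anyone touching another person's session.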

But…

…To tell untrained employees to exploit vulnerabilities?

…To take that step from identification of a vulnerability to an actual data breach, if the employee does not have the same access as the victim? Or worse, what if they accidentally (or maliciously) send sensitive data outside the company?

That’s negligent at best and criminal at worst.

I’ve got an idea… Let’s leave pen testing to the professionals and not encourage employees to hack into coworkers’ computers, ok?