Lesson 5.2: Security Awareness Training

1. Learning Objectives

By the end of this lesson, you will be able to:

  • Define Social Engineering and identify its common forms (Phishing, Vishing, Pretexting, Tailgating).
  • Design a “Culture of Challenge” where employees feel safe stopping strangers.
  • Explain the risks associated with “Found Media” (USB drops).
  • Develop a training schedule that moves beyond “Death by PowerPoint.”

2. Social Engineering: Hacking the Human

Social engineering is the art of manipulating people into giving up confidential information or access.

A. Tailgating (The Physical Hack)

  • The Tactic: An attacker walks confidently behind an employee, perhaps carrying a box or pretending to be on a call. They rely on the employee’s natural desire to be polite.
  • The Counter-measure: “One Badge, One Entry.”
    • Training Slogan: “Politeness stops at the door.” Teach staff that closing the door in someone’s face is not rude; it is a requirement of their job.

B. Pretexting (The Story)

  • The Tactic: The attacker creates a scenario to steal credentials.
    • Example: An attacker dresses as a pest control worker. “I’m here for the rat problem in the server room. The manager sent me.”
  • The Counter-measure: Verify, then Trust. Call the manager to confirm before letting them in.

3. The “See Something, Say Something” Culture

Training is useless if staff are afraid to speak up.

  • The Problem: Junior employees are often afraid to challenge someone who looks important (a person in a suit) or aggressive.
  • The Solution: The “Challenge” Protocol.
    • Teach the script: “Excuse me, I don’t see your badge. Can I help you find the reception?”
    • This is a polite but firm way to confront a stranger.
    • Reward Reporting: If an employee challenges a stranger (even if it turns out to be the CEO), they should be praised, not punished.

4. “Found Media” Attacks (USB Drops)

  • The Scenario: An attacker drops a USB drive labeled “Payroll 2026” or “Layoff Plan” in the employee parking lot or lobby.
  • The Instinct: Curiosity. The employee picks it up and plugs it into a work computer to see what’s on it.
  • The Result: The USB installs malware immediately.
  • The Training: “If you didn’t buy it, don’t plug it.” Treat found USBs like biological waste—take them straight to the Security Team, never to a PC.

5. Training Methods: Beyond PowerPoint

People forget 90% of what they hear in a lecture within a week. To change behavior, training must be active.

A. Phishing Simulations

Send fake phishing emails to staff.

  • If they click: They get a pop-up training window explaining what they missed.
  • If they report it: They get a positive score.
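As an added illustration (not part of the original lesson), this is the kind of scoring logic a simulation platform applies to the click/report outcomes above. The events and user names are constructed for the example; no real mail or campaign system is involved.

```python
from collections import defaultdict

# Constructed events from one simulated campaign (hypothetical users).
# Each tuple is (recipient, action) in the order the platform recorded it.
EVENTS = [
    ("alice", "delivered"), ("alice", "reported"),
    ("bob", "delivered"), ("bob", "clicked"), ("bob", "reported"),
    ("carol", "delivered"), ("carol", "clicked"),
    ("carol", "submitted_credentials"),
    ("dave", "delivered"),
]

def classify(events):
    """Reduce raw events to a single outcome label per recipient."""
    flags = defaultdict(lambda: {"clicked": False, "submitted": False, "reported": False})
    for user, action in events:
        f = flags[user]
        if action == "clicked":
            f["clicked"] = True
        elif action == "submitted_credentials":
            f["clicked"] = True      # a submission implies the page was opened
            f["submitted"] = True
        elif action == "reported":
            f["reported"] = True
    outcomes = {}
    for user, f in flags.items():
        if f["submitted"]:
            outcomes[user] = "submitted"            # worst case: credentials given
        elif f["clicked"] and f["reported"]:
            outcomes[user] = "clicked_then_reported"  # fell for it, but self-reported
        elif f["clicked"]:
            outcomes[user] = "clicked"
        elif f["reported"]:
            outcomes[user] = "reported"             # the behaviour the lesson rewards
        else:
            outcomes[user] = "ignored"
    return outcomes

def campaign_metrics(events):
    """Campaign-level numbers plus the lists a trainer acts on."""
    outcomes = classify(events)
    n = len(outcomes)
    clicked = [u for u, o in outcomes.items() if o in ("clicked", "clicked_then_reported", "submitted")]
    reported = [u for u, o in outcomes.items() if o in ("reported", "clicked_then_reported")]
    return {
        "delivered": n,
        "click_rate": round(len(clicked) / n, 2),
        "report_rate": round(len(reported) / n, 2),
        "training_queue": sorted(clicked),  # recipients who saw the pop-up training window
        "praise": sorted(u for u, o in outcomes.items() if o == "reported"),
        "credential_submitters": sorted(u for u, o in outcomes.items() if o == "submitted"),
    }
```

Tracking the "clicked then reported" bucket separately matters: those people still need the training window, but their self-report is the behaviour the "See Something, Say Something" culture is trying to build, so it should not be scored as a pure failure.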

B. Physical Red Teaming (The “Pen Test”)

Hire a professional (or use the internal security team) to try to break the rules.

  • Attempt to tailgate.
  • Attempt to talk their way past the receptionist.
  • Drop dummy USB drives to see who plugs them in.
  • Debrief: Share the results (anonymously) in the next town hall to show how easy it was.

6. Practical Application: The “Coffee Shop” Test

Scenario: You observe two employees at a local coffee shop wearing their company badges and discussing a client’s server migration loudly.

The Risk:

  1. Badge Visibility: Wearing a badge in public tells criminals exactly where you work and what your role is (e.g., “Network Admin”). It also shows them what a genuine badge looks like, which makes a convincing fake easier to produce.
  2. OpSec (Operational Security): Discussing sensitive projects in public allows eavesdropping.

The Rule: “Badges off when you leave the turnstile.”