As mentioned, user education can go a long way to keeping outsiders off the network, but it isn't a silver bullet.
In the past, prior to implementing the awareness program, Berlin's organization had to deal with various socially-based attacks. Yet, those were mostly random phone calls and faxes (fake domain renewal bills for example), so need for a scaled awareness program wasn't made abundantly clear until the company had a penetration test performed.
"We had a [penetration test] with some Phishing included, and that was what got them domain admin access. Right away, within fifteen minutes, somebody clicked and gave out their credentials, and they [the red team] were in from the outside."
It was an eye-opening experience. Other than the expected security training, related to HIPAA and other regulatory requirements, nobody in her organization had given a thought to implementing user awareness training against Phishing or similar attacks.
However, the main takeaway from that initial penetration test was that if the human element had been hardened, or at least better prepared, then the other defenses on the network would have had a better chance of keeping the attackers out.
Training out of thin air and OSINT:
For Berlin, the process of building an awareness program from scratch started with a series of conversations with her boss and the organization's education department.
The idea was to develop materials that would benefit any user. However, they had to keep the materials basic, so that the information was easily understood and the technical aspects were obtainable to anyone, no matter their personal skill set.
"[We used] things that would be really helpful for any end user, like 'Don't click on stuff' emails. We didn't get too far into it, but we used that and put it out there," Berlin explained.
After the material was shared during formal and informal staff meetings, it was time to test the employees and see what they've learned.
The first month her program ran, the targets were selected by way of available OSINT, or open source intelligence. By targeting company email addresses that were already publicly available, Berlin was starting with the same pool of potential victims that an actual criminal could, which helped her set the tone for the program's development.
Using the Social Engineer Toolkit, or SET, she created an initial campaign that consisted of an obviously suspicious email, and a simple link to a webpage she created to collect credentials.
"It was just a plain two, three line, HTML email. I wanted to try and make it as blatantly obvious that I wasn't a legitimate source. I wanted to see how good their [personal] filter was," Berlin, recalling the first email that was sent to users, explained.
Sign up for CIO Asia eNewsletters.