Get Your SIA Licence With Clinton Training Liverpool

Clinton Training is an established training provider of many years and a Business Excellence Award Winning company; we deliver a wide range of training courses in various subjects and qualification levels from entry level training courses to train the trainer courses.

Our teams of trainers have a wealth of knowledge and experience in their subjects and will deliver the training courses to you in an enjoyable and friendly way providing a positive learning experience.

Clinton Training receives a lot of repeat business and recommendations from learners who have already been on one of our training courses, and we have a wide range of clients from the corporate sector, commercial sector, retail & leisure sector and local authority who have completed staff training courses.

Our experienced friendly customer service team will be able to help you reserve a place on any of our training courses and answer any questions you may have.

If you require more information on our training needs analysis, our team will be able to assist you in identifying a suitable training program to meet your company needs and current legislation requirements.

Make Clinton Training, an Award Winning training company, your first choice for your training courses.

Trust nothing, question everything: Social engineering and the insider threat

Social engineering (in the context of information security): the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.

The greatest concern for the 580 information security professionals who responded to the 2017 Black Hat USA survey was the threat around phishing and social engineering (50%, up from 46% in 2016). Coupled with the fact that the same respondents felt the weakest link in defences was end users being easily fooled by social engineering attacks (38%, up from 28%), this should come as little surprise to security professionals.

But these figures may help them to gain that C-suite-level buy-in when trying to develop an efficient and, more importantly, relevant security education and awareness package for their organisation's personnel.

Social engineering became a familiar information security term to me when I was reading The Art of Deception by Kevin Mitnick. However, social engineering had been exploiting weaknesses in human nature for many years prior. In fact, the phrase "Trojan", which many security professionals identify as a nefarious way to disguise malware as legitimate software, was coined after one of the most famous social engineering attacks ever carried out: when the Greeks duped the Trojan people in order to enter the city of Troy. A large wooden horse was offered as a gift that the unsuspecting inhabitants too quickly accepted at face value, which as we know was to be their undoing.

Yet for all our familiarity over millennia with this type of attack, society is still so often helpless to combat it. Why? Well, the short answer is that people generally want to trust people. When provided with a little background or familiar information, or seeing the well-known logo of that large brand you have confidence in, people all too readily let their guard down and relax. It's at this point that you are more than likely to acquiesce to requests for personal or sensitive information, or to click on a link or change your password on that well-constructed, official-looking email or web page.

Meanwhile, the social engineer themselves can mount attacks that are low cost, low tech and easy to implement via mass mailing lists or, as we are now seeing (evidenced by Symantec research), a more targeted, spear-phishing style of attack.

The insider threat I see as incredibly relevant to social engineering. Should a disgruntled employee wish to conduct an internal engineering attack against the enterprise, then there is already an established level of trust with numerous familiar colleagues or employees in the wider organisation who see a company email address and are therefore more likely to click on the link that "John from HR" has sent to them. Alternatively, a member of staff is conned by an external source that has carried out a discovery exercise in order to conduct an attack against that specific employee or a more generic attack against any employee.

The remedy

So what is the remedy? How do we even attempt to change the mindset of employees? How do we begin to change our trusting human nature? I recall on a counter-intelligence course being told by the instructor to "trust nothing, question everything", and that has stuck with me over the few short years I have been employed in the information security field. I'm sure most security professionals are of the same mindset (although I'm also in no doubt that some would also be forgetful enough to click on the innocent-looking link at times).

But what about the average employee? The average everyday person? A couple of years ago a member of my extended family, of an older generation less exposed to technology, received a popup on their home computer telling them that their PC had been infected by malware. They were instructed to call a Microsoft number, which they dutifully did, and allowed some thoroughly pleasant, yet unknown chap to remote into their desktop. A thorough discussion on the risk of allowing someone to access your computer followed and they ensured that this would never happen again, now they had been forewarned.

Fast forward 18 months and they received a call from the nation's leading ISP (with whom they have no custom). The ISP required access to account details for their current ISP as "your computer has been infected by a virus" again. They duly provided said details as well as bank details so they could look into their account. A further strong word was quickly had and all account details were very quickly changed (followed by much tutting and shaking of the head).

This story reconciles with another finding of Black Hat USA's survey, in that the most significant threat to consumers is that there is a lack of security awareness about phishing and other social engineering attacks (56%).

Any security education and awareness package should be geared for relevance to the individual. It's all very well and good showing the impact to the company itself, but if you can also make it about the staff member and how it will impact their lifestyle, you can bet your mortgage they will probably sit up and take notice. Refresh and revise these packages constantly, including stories from the media that drive home the personal impact on the everyday person. I believe that making training about your staff and arming them with knowledge on how to avoid being targeted by social engineering, both personally and while employed on company business, can only promote a positive culture among staff. It should also empower them to be more mindful when opening that email, or fielding that unsolicited phone call.

Also, these training packages should be conducted frequently but not at great length. This remind-and-revise approach will hopefully keep the topic in their mind; look at my relative's forgetfulness as evidence that once a year or fewer is insufficient to achieve this. I have stated in a previous article that there is nothing more soul-destroying for the presenter or attendee than an hour or two sat in a room with someone droning on, repeating the same content time after time.

Now is the time for companies to bear the aforementioned statistics in mind and be more proactive in combating the social engineering problem. Seize the opportunity to empower your staff with the knowledge on how to trust nothing, question everything.

How to protect your business from cyber-attack: The insurance claims perspective

The Petya-Wannacry ransomware crippled parts of the NHS and a number of major companies across the world. Nearer home, Saint Gobain and its subsidiary Glass Solutions, a major supplier to the insurance industry, suffered information downtime, supply chain disruption and a ‘ 220m dent in first-half year sales as a result of a cyber-attack. It is reasonable to suppose that insurers undertook robust enquiries into the IT security of all their approved suppliers.

According to a recently published article, just 2% of UK businesses think that a large-scale attack will affect their operations for more than 10 days. In reality, a separate report reveals that actual recovery time could take months or years. One of the main problems highlighted is that companies are using older versions of systems that are either not supported or not regularly updated with patches to secure against vulnerabilities that have been identified.

Lack of resource

It is these vulnerabilities, which it could be argued have been caused by a lack of resource and investment in IT, that the criminal's malware exploits. In view of the complexities of the insurance industry's requirements, new IT platforms are a significant multimillion pound investment involving many years of planning to implement. Hence, insurers are justifiably starting to lose sleep over an issue that will simply not go away.

Many insurers have a long way to go to catch up with their suppliers. At Auger, for example, we recognised this some time ago, and as one of the insurance industry's leading drainage and water claims specialists, we have ensured we are protected in terms of IT security. Migrating to a private cloud-based platform that is centrally managed vastly reduces the risk of falling victim to attacks such as Petya.

Using desktop terminals which simply connect to a network and don't even have an operating system eliminates the need to maintain security on a PC, allowing the focus to be primarily on the network. Centrally managed networks enable IT service providers to deploy updates in a simple and efficient manner and remove the risk of individual devices being overlooked.

Having robust systems with regular backups, honeytraps and penetration tests is only one part of the solution. It is essential to look at non-technical points of failure as well. What processes are in place to install updates? Do you have clearly defined roles and responsibilities for testing and launching enhancements? Does every member of staff understand their responsibility for protecting the network? We all need to be vigilant, and we need to commit to investing not just in technology but in training for everyone.

Unknown senders

We've undertaken training with all of our staff to understand basic information security principles, the risk of opening emails with links and attachments from unknown senders and, more recently, phishing attacks (malicious and often targeted attacks to obtain sensitive information via electronic communication). The idea that IT is solely responsible for cyber-security is a myth.

Every one of us has a role to play. The other concern for insurers is the approved supplier's delivery model. Although many insurers and adjusters look at the governance surrounding sub-contractors, few have fully considered the implications of the IT platforms and security of smaller local or regional suppliers employed by the main contractor.

Unfortunately, it is most unlikely that this is the last we'll hear about cyber-security in the insurance industry.