Social engineering is all about blending in, getting potential victims to not notice and just go along with a situation without challenge. That’s a situation that the UK Ministry of Defence (MoD) is looking to change.
In a session at the Black Hat USA 2022 security conference, Simon Pavitt, head cyber awareness, behaviours and culture at the UK MMoD, and Stephen Dewsnip, behavioural scientist at Atkins outlined what the so-called fail-to challenge vulnerability is all about and what can be done to mitigate the risk.
Pavitt explained that fail-to-challenge occurs when an employee potentially notices something, someone out of place or an employee doing an action that they should not be doing, and then does nothing about it.
“There are only a few things that we really need people to do and that’s if they see something risky and identify it , they can try and intervene and if they can’t, they need to communicate the issue to someone who’s more equipped than they they are,” Pavitt said. “We need people to challenge and report.”
Doing the Right Thing Requires Training
As part of a UK Government effort, Dewsnip said that there was an initiative to try and reduce the prevalence of people taking portable electronic devices into certain protected areas.
Dewsnip noted that while UK government staff knew what the policy was, few people were willing to stand up to it and point out offenders, telling them they can’t bring their smartphone into a given area. He commented that by default few individuals want to go to their colleagues and tell them that the thing that they’re doing is risky for their organization.
That said, the same approach of failing to challenge would never work with actual technology.
“Imagine a firewall that was afraid to query a request because it felt self conscious or was scared about being judged, would it be much use as a form of protection?” Dewsnip said. “The human network is exactly the same, we have to empower our people to feel confident and able to challenge, because that’s what keeps an organization safe.”
The UK MoD has developed a set of training exercises to help individual properly challenge those that are not acting within the bounds of security policies. To date, the initiative has engaged with over 850 people across multiple sites across the UK. According to Pavitt, the outcomes thus far have been overwhelmingly positive.