A Stronger Security Posture: Building Your Program

In the first part of this two-part blog series, we covered understanding your security posture, training your employees, and gaining knowledge of policies and procedures. This month, let’s look at creating a vulnerability management program and implementing a defensive strategy.

Vulnerability management program

The fact that you are reading this indicates that you probably have some background in information security and network security. Based on this, you’ve probably also seen common network vulnerability management programs. These programs include important topics such as updating asset inventory, frequent testing and scanning, and a reliable patch management program. When it comes to keeping your employees safe, the same ideas apply.

Asset Management

First, let’s be clear: employees are not “assets,” but we need to be aware of how employees interact with the world. Are they required to respond to emails? Are they required to click on links or open attachments? Do they take phone calls? By nature, people want to be helpful. This is exactly what a malicious actor seeks to take advantage of. Employees want to do the right thing, but they also want to do their job and achieve their goals. It is important that you find ways to reconcile those two goals.

Once you know which employees are responsible for which interactions, create specific guidelines and policies for them. For example, do they need to download files? If so, make sure they are using a computer with very limited network access and no other sensitive data. Educate employees about the risk of running macros or enabling any other executable code. This is in addition to other network protections that should already be in place.

If employees answer the phone to provide customer support, let them know what information they shouldn’t share. Questions may seem innocuous, such as “What kind of computer do you use? Is it Windows?” or a colleague asking for the WiFi name. Make sure your employees know how to properly verify all callers, and that they will be supported when they end calls that cannot be verified.

Frequent tests

Once you know which employees face which potential threats and you’ve provided training, it’s time to see what they’ve learned. At Social-Engineer, we encourage a positive testing environment. When we perform phishing engagements, we often inform people immediately that it is a phishing test and point out the different clues that should have been detected in the phishing email. We also have the IVES™ (Instant Vishing Education Service) option for our vishing engagements. If an employee reveals sensitive information during a phone call, they are immediately informed that it is a phishing test and given suggestions on what to look for.

Patch management

Performing these types of tests frequently allows you to get an idea of the vulnerabilities in your business. From this point you can directly address those vulnerabilities. If there are specific groups or departments that are at the bottom of the scale, that’s where you can best direct resources for training.

One group that we very often see struggling with testing is new hires. They’ll even say the magic words that social engineers love to hear: “I’m new here, so I don’t know what to do.” When a social engineer hears this, they will support and encourage the employee while trying to extract as much information as possible. If new hires consistently have the lowest success rates, this indicates that they may need more training during onboarding. There is a lot of information for newly hired employees to absorb, and information security must be an important part of it.

If your help desk is targeted with phone calls, help them understand the range of issues they can solve. If they help the general public, ask them to stick to the product issues people are calling about and not reveal any personal or corporate information. When an internal employee calls, make sure they go through a proper validation process. It can be as simple as a one-time password (OTP) that is only available internally. When the caller cannot be validated, end the call.


Reporting is an area of the vulnerability management program that employees often overlook. Employees should report both attempted and successful social engineering attacks. Management must be extremely supportive of employees who report these attacks, even when the attacks have been successful. It is easier to stop ten successful attacks that have been reported than one unreported attack. Make sure employees have an easy way to report phishing emails. Some clients make it as easy as a click of a button. You can also have an internal form or number that people can use if they get a vishing call. When a reported call is determined to be malicious, spread the word around the business. When employees are made aware of these attacks, ask them not to share this information with callers, as the caller will simply adjust their tactics.


A social engineering vulnerability management program follows the same steps as a network program. First, know what you need to protect. Second, put policies in place to protect it. Third, test frequently, update as necessary, and have a proper reporting methodology. When you stay on top of these stages in a positive and supportive environment, you add another layer of defense in depth.

*** This is a syndicated blog from the Security Bloggers Network of Social Engineer, LLC written by Social-Engineer. Read the original post at: https://www.social-engineer.com/stronger-security-posture-building-your-program/

Ryan H. Bowman