NEWS FROM THE LAB - Monday, June 19, 2006

Candy From Strangers
Posted by Sean @ 13:45 GMT


Hypothetical One: There's a wallet lying on the ground outside of your office building. It almost certainly contains confidential information. Would you pick it up, open it, determine to whom it belongs, and take steps to return it to them? Many, if not most, people would probably try to be helpful in such a situation.

Hypothetical Two: There's an open box of chocolates lying on the ground outside of your office building. It appears to contain delicious treats. Do you put a piece in your mouth and taste? Most people would probably either ignore the box or put it in a nearby trashcan.

So why did people pick up a USB stick and then insert it into their computer during a security audit, as was written about here? Perhaps because USB sticks are so cool…

Or perhaps training often only includes what not to do (a list too long to ever be complete) rather than how to think about the computers within a secure environment. To the non-security-minded (regular people), inserting a USB stick is more likely akin to opening a wallet and examining the contents. There is little danger of physical harm. But if training included an analogy that such an action was more like putting a potentially bacteria-covered candy of unknown flavor into your mouth, well then, you'd probably think twice. You never know what you're going to get. Training needs to put people in the place of the computer, not just teach them what to do with it.

Social engineering, the bypassing of security systems via the manipulation of their human users, is a challenge for any security service provider. Documented examples of failures aren't difficult to find. If you, our weblog readers, have any success stories that you'd like to share with the rest, please submit them to the e-mail address listed at the top of our web page. Cheers.