wombatsecurity | November 12, 2013

Wombat Security Technologies Discusses Social Engineering “Capture the Flag” Results Proving Security Awareness and Training Neglect

DEF CON 21 SECTF report shows security education is sorely lacking, as companies are still highly vulnerable to social engineering

Pittsburgh, PA, November 12, 2013 – Wombat Security Technologies, a leading provider of cyber security awareness and training solutions and sponsor of the DEF CON 21 “Capture the Flag” social engineering contest (SECTF), today commented on report results which showed security education is still a missing element in many U.S. companies. The SECTF is conducted to raise awareness of the ongoing threat posed by social engineering and to provide a live demonstration of the techniques and tactics used by the malicious attacker.

"We sponsor the contest because we believe all companies should understand the threat posed by social engineers and create a plan of action for educating their employees to identify and avoid social engineering,” said Joe Ferrara, President and CEO of Wombat. “Technology solutions cannot prevent the sharing of data that occurred during this competition, only knowledgeable employees can defend against social engineering.”

Despite numerous high-profile security breaches in the commercial sector, the report highlights that the human layer in security still represents a large vulnerability. “Social engineering has played some role in nearly every major hack you have read about over the last few years, yet this year’s competition clearly illustrates how poorly prepared companies are to defend against socially engineered attacks,” said Chris Hadnagy, Chief Human Hacker, Social-Engineer, Inc. “While there continue to be improvements in the quality and preparation of the contestants, there have not been any significant improvements by companies to secure information available on the internet and educate and prepare employees against a disciplined social engineer.”

In response to the results, the report suggests three key risk mitigation recommendations.

  1. Corporate Information Handling and Social Media Policies – Companies should create clear guidelines about what is and is not allowed with regard to posting company information publicly, especially on social media sites.
  2. Consistent Real World Education – Businesses need to make security education a priority to ensure quality and relevance to the end user.
  3. Regular Risk Assessment and Employee Penetration Tests – Companies need to learn where their employee vulnerabilities exist so that they can remove sensitive public information and provide educational tools to prevent further data leakage.

Wombat can help companies mitigate risk with its suite of security education products, which leverage progressive training techniques to effectively improve human response against cyber-attacks by over 80%.

These results are achieved by implementing Wombat’s Continuous Training Methodology. Under this methodology, security officers use broad assessments and simulated attacks to assess user knowledge and susceptibility to attack. This assessment data is then used to prioritize critical training topics and assign interactive software training modules. Once this training is completed, the security officers assess employees again with simulated attacks. This continuous process assesses, trains, and assesses again to reinforce the education provided and keep the employees ever vigilant in their defense against cyber-attacks, such as social engineering.

To download a copy of the 2013 DEF CON SECTF report, please visit: /def-con-21-social-engineering-capture-the-flag-contest-results

About Wombat Security Technologies

Wombat Security Technologies helps organizations combat cyber security threats with uniquely effective software-based training solutions for employees. Wombat offers fully automated, highly scalable solutions, built on learning science principles. They offer mock attacks with brief embedded training, as well as a full complement of 10-minute software training modules. Wombat's training solutions have been shown to reduce employee susceptibility to attack by over 80%. Wombat is helping Fortune 1000 customers, large government agencies and small to medium businesses in segments such as finance, banking, higher education, retail, technology, energy, insurance, and consumer packaged goods strengthen their cyber security defenses. For more information visit www.wombatsecurity.com or contact Lorraine Kauffman-Hall at 704-882-0443 or lhall@attainmarketing.com.