Vut2 Task 1

Submitted By saltywounds
To: Boss
From: Tiffany Valdes
Date: August 1, 2014
Subject: Recent Security Breach
Our company has recently been the victim of a social engineering attack that has resulted in a virus spreading through the corporate system. I believe this was accomplished by an advanced social engineering technique known as voice phishing or phishing, which usually utilizes email. An attacker contacted our offices in an attempt to gain sensitive data; this was done either by phone or email. However, since company email is not known to the public, it was more than likely done by phone. After contacting someone in our offices, the attacker convinced that person to divulge one of our supervisors’ email addresses.
After the attacker gained this knowledge, he or she had all the information needed to launch this attack. After creating a virus and injecting it into the email using a seemingly harmless-looking link (to our corporate website, no less), the attacker sent it to the supervisor’s email address. Once the supervisor opened the email and clicked on the link, a virus was unleashed on the computer and spread through our system. This virus is causing all of the devices on our network to run terribly slowly and has also recorded administrative usernames and passwords and passed this information on to the attacker. This information was used by the attacker to access confidential files on our system.
Furthermore, the email was sent from a fabricated address, so any attempt to reply to the email in order to trace it back to its owner and prosecute the offender would be unsuccessful.
Ultimately I have concluded the following has taken place:
· An attacker misled an employee and convinced him or her to release a supervisor’s email address.
· Using that address the attacker sent a malicious virus as an email attachment to said supervisor.
· After which the supervisor innocently clicked the link containing the virus.
· The virus then spread through our system accessing administrative usernames and passwords.
· The virus then somehow sent this information back to the attacker.
· The attacker then used this information to access sensitive files on our network.

Security Measures
After careful consideration, I recommend the following security measures be implemented to prevent this from happening in the future. As a company we must initiate company-wide security and awareness training for all of our employees; this will be paramount in preventing an attack such as this one in the future. This training must include how to handle situations that involve people trying to retrieve information about our company. Whether this is done by phone, email or in person, we need to train our employees to be on guard for this and educate them on how to properly handle these situations without divulging company information. We also need to include training on physical security; this will involve educating our employees to be mindful when they are entering and exiting the building or secure areas. We all need to be aware of our surroundings and make sure we are not allowing unauthorized access to our company. Additionally, we must instruct our employees not to click links or open attachments contained in emails unless they trust the source the email came from.
After properly training our staff, we must also install antivirus on all of the devices on the network. These must also be set to auto-update so that patches will be installed in a timely manner. This will also save the time of our I.T. department, as they would otherwise have to manually update each device every time a patch was released, wasting company resources. After cleaning these devices and installing the antivirus, we will force all users, up to and including all administrators and upper management, to change their passwords.
Lastly, we should audit our system in order to ensure our firewalls are properly configured and our users are granted privileges based on the rule of least privilege. Basically, this will ensure no user has more rights to the system than they need to perform their duties.

Testing the Vulnerabilities
Subsequently we would need to test the effectiveness of the training regularly and randomly. This will involve many different social engineering techniques; I would recommend hiring an outside firm to complete this task. This way we would have an impartial assessment of how our employees handle the situations they are tested with. We would require this firm to test our employees in the following ways:
For the security guards/janitors:
· These employees would be tested mostly on the physical security of the business; we need to ensure these individuals are not susceptible to allowing unauthorized individuals into the building. This would involve in-person social engineering techniques.
· Also we will ask them the following questions to determine if they would give out confidential information.
  o How often do you perform a security sweep?
  o What is the (insert department here) manager’s name, schedule, etc.?
  o Is this building monitored 24/7?
For any employee that answers phone calls:
· For these employees we will perform a social engineering attack similar in nature to the one that breached our system. These employees will be tested by someone calling in and asking for confidential information.
· These questions are a sampling of what should be asked:
  o What is the (insert department here) manager’s email address?
  o Pretend to be from the internal I.T. department and ask for usernames, passwords, etc.
For all employee email accounts:
· In this attack phishing will be used to test the employees.
· Send a fake email containing fake malicious code, looking like a harmless link or attachment.
· Send an email requesting confidential company information.
This outside company will also conduct the following in order to test to see if they can obtain any corporate information.
· Dumpster diving
· Shoulder surfing
· Tailgating
After completing all of these tests, we will have a better picture of where we stand, how effective our training is, and how we can improve upon our training techniques. As this will be an ongoing process, we must constantly learn and develop better techniques to protect our company.
