(OUO)-Independent Evaluation of NRC’s Potential Compromise of Systems (Social Engineering)
Report Information
Recommendations
1. Verify or update training for all staff to include awareness for:
   A. Observing the incoming caller ID.
   B. Questioning the caller’s intent (e.g., why they are asking for personal information, such as PIV card information).
2. Inform NRC staff that they will be tested periodically for their awareness.
3. Within the next year, perform follow-on telephone tests to gauge the efficacy of the updated training.
4. Verify or update training for all staff to include awareness and a response protocol for:
   A. Common email “red flag” issues, such as misspellings in messages from domains outside the .gov environment.
   B. Emails that ask for personal information, such as a username or password.
   C. Unsolicited emails from unknown senders that include embedded links.
5. Verify or update training on social engineering techniques, including:
   A. Influencing techniques.
   B. Emails that attempt to trigger an immediate response.
   C. Emails that attempt to project power or authority.
   D. Emails from “like” groups (e.g., a common user group, car club, church, etc.).