
Archive for the ‘Spear Phishing’ Category

Do young employees present a phishing risk?

Tuesday, May 7th, 2013

Spring. For some it signals rejuvenation, rebirth, everything blooming… but for security administrators it can mean new security risk. Spring means that the next round of college seniors will be entering the workforce soon, which for phishers means a fresh group of targets. Hopefully their college educations have prepared them for the majority of challenges they will face, but when it comes to phishing that is unlikely. The types of phishing emails students and consumers receive are quite different from what employees receive, and without training, young employees can’t be expected to avoid tactics they haven’t seen.

[Image: Kansas State phishing email] This email sent to Kansas State students attempts to elicit login and password information.

In the higher-education arena, hackers want to infiltrate universities to steal credentials, gaining access to user accounts in order to send spam from them or to use university resources. (Here is a recap of the phishing problems higher education faces: http://blog.phishme.com/2012/05/educause-2012-spc-quick-review/ ) Take this recent attack on the University of Illinois as an example. Consequently, the most common phishing tactic college students face is a simple solicitation of login credentials in the body of the email. Kansas State provides examples of phishing attacks sent to its users (see the image above). Slightly more capable attackers may provide a URL taking recipients to a phony landing page that appears to be from the IT department.

University-focused spear phishing attacks typically don’t employ a high level of sophistication. Attackers are not packing malware or setting up masked command and control to go after students and faculty (at least not in the incidents that are publicized; that doesn’t mean there are no advanced threat actors targeting university grant-based R&D, hospitals, fundraising and endowment investments).

Enterprises face much more varied and dangerous risks, as cyber criminals, nation-states, and hacktivists are all targeting their intellectual property and sensitive information. In addition to data-entry tactics, employees at large organizations receive highly targeted and customized spear phishing emails containing malicious links and attachments. Adversaries use a variety of continually evolving social engineering techniques, such as conversational phishing, to trick recipients. A young employee who has never received a targeted phishing email may not realize how adversaries gather details to write emails tailored to the recipient and organization, nor understand the implications of clicking on a malicious link or attachment. They may think they know what spear phishing is based on university security awareness campaigns. Furthermore, this generation of new workers is extremely connected through social media, providing attackers with ample information to use in targeted emails.


New employees – whether young or experienced – may also think their role is not significant enough to merit receiving a targeted email, or that security isn’t their responsibility. Last fall, PhishMe commissioned a poll that revealed almost half of all respondents were more concerned about being phished at home than at work. There is definitely a prevailing notion in the workforce that security is the IT department’s concern, a view some in our industry recklessly share. As they begin their jobs, this year’s graduating seniors will undergo a great deal of training, both formal and informal, so why shouldn’t security be part of that?

This post isn’t intended to pick on graduating seniors, as they are no different than any new employee in many respects. For instance, if you are a defense contractor that is constantly bombarded with phishing emails, any new employee may require training, regardless of experience. This is why it’s important for security awareness to be a continuous process throughout the year. When security awareness is part of your organization’s culture, the security risk posed by new employees can be more easily mitigated.

One of the many pre-built training modules included in PhishMe focuses on educating new employees about the differences between the consumer focused phishing they are used to receiving, and the enterprise-focused spear phishes targeting employees. Typically this content is reserved for PhishMe customers, but we wanted to share an example in this case:


–Aaron @higbee

2-factor authentication wouldn’t have prevented the AP Twitter hack

Tuesday, April 23rd, 2013

When a hacked Twitter account spreads false news of an explosion at the White House and causes hysteria that spurs a 140 point drop in the stock market, it should encourage calls for Twitter to bolster its security measures, so it’s no surprise that many are clamoring for Twitter to offer 2-factor authentication. One problem with this – news outlets are reporting that hackers gained access to the AP’s account through a phishing attack. While 2-factor authentication makes it more difficult to phish an account, it will not prevent this type of attack from being successful (nor will a more complex or longer password for that matter).

If a user is tricked into revealing login credentials to a false landing page, 2-factor authentication will only limit the time the hacker has access to the account. Attackers would need to collect the 2nd factor of authentication, but the underlying tactics would remain the same. Even if a session cookie expires every few hours (which for Twitter would be days – not hours or minutes), then the attackers would still be able to cause the kind of mayhem we saw today. As we saw, it only took minutes for a tweet to make stock trading algorithms go bonkers. The following graphic provides a visual of the process a hacker would follow to get past 2-factor authentication (note that this isn’t how the AP was hacked, it’s how a hacker would attack Twitter if it had 2-factor authentication):
[Graphic: twitter-Replay]

For an organization like the AP, which likely has multiple users accessing its Twitter account, security measures would have to extend to whatever platform it uses to perform group tweeting. At PhishMe, we have struggled to find an effective way to share tweeting privileges, as Twitter itself doesn’t offer a way to do this; we’ve been forced to use third-party platforms. Any additional security Twitter implements won’t be very valuable for organizations if it doesn’t also roll out an ability to have multiple users tweet from an account.

This is not to say Twitter shouldn’t implement a more robust layer of authentication, but it raises the question of how far it should go. Twitter wasn’t designed for group use. If it adds layers of security, will it solve the group use problem?

The fact is, if the AP employees had recognized the phishing email, and never surrendered login information in the first place, this all may have been avoided. As long as users fall for these tactics, adversaries will develop tactics to trick users into leading them around technical security layers.

–Aaron @higbee

Defining a Sophisticated Attack

Monday, March 18th, 2013

What do nearly all of the recent high-profile data breaches have in common? They have all been traced to sophisticated threats and cyber criminals. While there are many disagreements in the security industry, after every significant breach nearly everyone agrees that it was sophisticated (Twitter, Apple, and the Department of Energy are some of the unfortunate organizations to be compromised by a sophisticated attack recently).

On the surface, it isn’t hard to see why. First, technology vendors need attackers to be super sophisticated, because simple tactics couldn’t circumvent their products, right? For victims of a breach, it is advantageous for it to seem as though it took a sophisticated actor to penetrate its network. And from the incident response standpoint, it behooves IR consultants to describe these breaches as ultra-sophisticated to help their customers save face.

All of this has created the impression that we are constantly under attack by some spooky, mysterious, sophisticated adversary. And while everyone seems to agree that the attacks are sophisticated, we still don’t have a real definition of what it actually means to be sophisticated.

The recent APT1 report from Mandiant® provided us with a wealth of information to process (discussed in our blog post here) and it could help us pin a definition on the elusive meaning of sophisticated.

According to the report, APT1 is a well-organized group that has most likely operated with significant financial backing from the Chinese government. The scale of APT1’s operations, Mandiant said, would require the backing of a sophisticated organization. Suffice it to say that being backed by the government of the most populous country in the world means there is a pretty high level of sophistication in the organization of APT1, but when it comes to their tactics, their level of sophistication is more cheap yellow mustard than Grey Poupon. (Anybody else notice that APT1 was using tools right out of Hacking Exposed books? You have to wonder…) Mandiant has been clear on this position: APT1 wasn’t the most capable in terms of technical showmanship. And they didn’t have to be.

First, as the Mandiant report noted, APT1 (and most cyber criminals and nation states) uses spear phishing as its preferred method of entry. Carrying out the phishing tactics described in the report doesn’t require a CS degree from MIT. Packed executable malware in zip files? Not Sriracha, but total Weak Sauce. Would anyone consider registering a free webmail account under the name of a company’s executive and sending out fake emails to be sophisticated? Furthermore, this has been a common tactic for years, so even if it were highly sophisticated, users should be made aware of it.

The conversational phishing tactics described in the APT1 report and in our previous blog posts are another effective, yet minimally sophisticated, tactic. Is it highly sophisticated to respond, “It’s legit” when a recipient questions the email’s authenticity? It would be pretty difficult to craft a more simplistic response than that. In this case, it’s not difficult to educate employees to verify an email via phone or in person, rather than through email, if they question its authenticity.

Phishing tactics are constantly evolving, but there are ever-present characteristics that identify them. A user base that questions unexpected emails, verifies suspicious emails through alternate means, is wary of attachments and links in emails, and knows to avoid giving out login credentials is going to be resilient to the attack vector preferred by the “sophisticated” adversaries we keep hearing about.

All phishing emails, regardless of the techniques they employ, are trying to exploit human nature, meaning that continually educating a user base to be vigilant can prevent a majority of attacks from succeeding. Technology may change, but human nature has remained constant. This is why so many phishing emails appeal to greed or fear.

So maybe phishing itself isn’t highly sophisticated, but shouldn’t anti-virus protect against the simple threats? Not necessarily. With the current state of AV, a hacker merely needs to mildly tweak their code packer to avoid detection. These aren’t ultra-complicated techniques, as AV will only protect you against yesterday’s threat.

One thing I have always wondered is why the “sophisticated” malware linked to a public breach isn’t released to the public. If this stuff is indeed so complex and difficult to defend against, shouldn’t we share it with the best and brightest in the industry, so they can analyze the malware? Could the payloads be less sophisticated than we’ve all been made to believe? It would be very instructive for the security community if we could have access to the malware and decide for ourselves what constitutes a sophisticated capability.

In summary, these sophisticated threats are sophisticated in the sense that they are highly organized and have significant resources at their disposal, but the tactics they employ to breach networks are not anything mysterious or too hard for us to defend against. Sure, a zero day exploit might be scary, but even the best zero day in an email or booby-trapped URL can be avoided by an educated user base.

I’m not sure how long organizations are going to be able to wave the “way-too-Sophisticated” flag and get a pass. Maybe one day we will have an open review and create a Sophistication Rating System.

I propose a Sophistication Rating System… the SRS

Scale from 1 to 10:

10: New, custom stuff with zero days
5-6: Average well-known Trojan packed with a new packing method
3: Just your average Zeus Trojan packed easily or with known packing tools
1: A simple unpacked Trojan…

I wasn’t sure if I even wanted to blog about this. Shouldn’t I just be grateful that these breached organizations are brave enough to publicly disclose? Am I nitpicking about the use of the word sophisticated or are others feeling the same way?

–Aaron Higbee @higbee

p.s. I’m a big fan of the Contagio Malware Dump. Thank you for the good work you do.

The Double Barrel: PhishMe trains users to avoid conversational phishing

Thursday, March 7th, 2013

“It’s legit,” an APT1 hacker wrote in response to a recipient who questioned the validity of a spear phishing email sent by the now notorious Chinese hacking group. This recipient had the awareness to initially question the authenticity of the phishing email, but when APT1 responded, it added an element of trustworthiness to its communication, one that could trip up even a savvy employee.

This is one of the tactics Mandiant® described in its report about APT1, and is something we at PhishMe® have observed as well from both our customers and our contacts in the industry. To address this issue, we rolled out the Double Barrel, a new scenario type that will simulate the conversational phishing techniques used by advanced adversaries like APT1. This has been in development for months, and it was a happy coincidence that we rolled this out the same week that Mandiant provided the world with a concrete example.

One important thing to note about this feature is that it is intended for our veteran customers who already have mature PhishMe programs in place. This is for a user base that is already resilient to basic phishing tactics. At PhishMe, we’re proud to not only provide our customers with new features, but to have a customer base mature enough to demand them. Just as the “P” in APT stands for persistent, our customers need to be persistent in training their user base, and the Double Barrel will allow our customers to enhance their already successful programs in a meaningful way that addresses a real world problem.

Just as the name suggests, the Double Barrel allows our customers to send not one but two phishing emails in each campaign. A Double Barrel scenario sends one benign email (the lure) that contains nothing harmful and doesn’t solicit any response from the recipient. It could be a friendly introduction such as, “Hello, we met at XX Conference last week, I have a report I’d like you to review, I will send it over shortly.” An hour or so later, the aforementioned report arrives, just as promised.


Double Barrel scenarios can be customized to swap delivery order (sending the lure after the malicious email), stagger the delay between emails, and flag one or both emails as “Urgent.”

As with all other PhishMe scenarios, Double Barrel features a bevy of content developed by our team and based on our real world experience.

– Aaron Higbee

How PhishMe addresses the top attack method cited in Mandiant’s APT1 report

Thursday, February 21st, 2013

There’s no shortage of interesting points to take away from the Mandiant® report about the Chinese hacking group APT1 released Tuesday, with many of Mandiant’s findings confirming the threat organized attacker teams pose to enterprises.

First and foremost, the report states, “the most commonly observed method of initial compromise is spear phishing.” This backs up our main message for organizations – to remain focused on the core problem of people being the main vulnerability. Organizations need to proactively address this by developing a user base that is resilient to spear phishing attacks. This doesn’t discount the importance of technology (see our blog post about the NY Times breach), but security behavior management can’t be ignored.

Prior to co-founding PhishMe®, I served as the Managing Director of Mandiant’s New York office; and our Executive Vice President, Jim Hansen, served as the Chief Operating Officer at Mandiant. The trends we observed during our time at Mandiant and in the field helped form the basis for PhishMe, and have positioned us to offer numerous features that address many of the tactics discussed in Mandiant’s report.

The report notes that spear phishing emails often deliver malware in the form of zip files attached to the email. This echoes the TrendMicro® report from late 2012, which concluded that 94% of targeted emails use malicious file attachments. Applying our experience in the field, PhishMe has provided our customers the ability to send employees mock phishing emails with zip attachments for years.


Another phishing tactic PhishMe simulates is luring users to enter sensitive data through seemingly genuine webpages. The bottom of page 48 of Mandiant’s report described an example of APT1 creating a false domain designed to mimic a Yahoo! site, with the goal of collecting user login credentials. Traditionally, this type of phishing has been more of a problem for colleges and universities, but clearly the use of stolen credentials is part of the APT game plan and remains a threat to enterprise security. It took our development team quite a bit of engineering to safely simulate this attack vector without executing code and while ensuring that we don’t collect the sensitive data.


While PhishMe has offered the above-mentioned features to our customers for some time, we continue to roll out new features based on patent-pending technologies to address tactics used by groups such as APT1. Page 29 of the Mandiant report cited an example of the recipient of a phishing email interacting with APT1 in a conversational manner, with the APT1 attackers establishing both authenticity and trustworthiness by sending a benign email encouraging the recipient to interact with another email containing the malware. PhishMe recently rolled out a feature, called Double Barrel, which allows our customers to immerse their employees in this experience; something we’ll discuss in greater detail in an upcoming blog post.

In describing the nature of phishing emails, Mandiant noted that they often contain information relevant to the recipient found via Internet searches, such as a name of a colleague (the report described an email sent to Mandiant employees under CEO Kevin Mandia’s name, but from a free webmail account, a tactic we discussed in a previous blog). TrendMicro’s report echoed this finding. With PhishMe’s new Highly Visible Target Identifier, customers can scour such data with the click of a few buttons to find which of their employees have highly visible online presences, and are thus more likely to be sent targeted phishing emails.


Mandiant’s report also described the high costs of launching a phishing campaign, noting that APT1 controlled a large infrastructure of physical systems and hundreds of domains. The large investment required to carry out attacks means that attackers are trying to maximize the use of those resources by sending large batches of emails rather than targeting 1 or 2 users. This is consistent with trends our customers have reported to us, and underscores the need to train your entire user base, as hundreds of employees may receive a phishing email at once.

Mandiant’s findings are fascinating, and can’t be addressed in one blog post. However, from the spear phishing standpoint, the report provides confirmation of what PhishMe has known for a while: APT will try to gain a foothold in enterprise systems through the employees. By focusing on improving employee resilience to spear phishing attacks, enterprises can greatly reduce susceptibility to a breach. In fact, attack detection windows can be reduced when trained employees call these attacks in. Our history in this space helped make PhishMe an industry-leading, world-class product; and we will continue to rely on our industry connections and reports from our customers to make sure we stay ahead of the curve.

–Rohyt Belani

The New York Times breached… a PhishMe Sales Pitch?

Friday, February 1st, 2013

Most of you are probably aware of the breach that occurred at the New York Times. Employee passwords and sensitive information related to an investigative news story covering the finances of Wen Jiabao, China’s Prime Minister, were compromised. The New York Times’ research helps give them a competitive advantage in their industry; it is their proprietary information. It is the equivalent to the theft of financial reports, blueprints and customer data.

The headlines roll in… The NYTimes breached by spear-phishing! Symantec AV fails to detect attackers! In an official press release, Symantec says, “Anti-virus software alone is not enough.” Later, the CEO of the incident response firm hired to respond to the NYTimes breach goes on Bloomberg TV to say that these attacks are rampant and that the group responsible for the breach has been active in nearly 100 other organizations. In that same interview he says that the attack (spear-phishing) is not unique.

This sounds like the type of story PhishMe would pounce on and twist into an obvious sales pitch, right? Security technology fails; spear phishing is “rampant”; ergo you need the PhishMe training method to change employee behavior regarding email safety.

Well, brace yourselves. Abandoning technical controls and substituting them with just awareness training isn’t our message. Organizations shouldn’t and can’t give up security technologies. In fact, based on some of the good work security technology vendors have been doing, we have witnessed firsthand spear phishers changing their methods to cope with the ever-improving technologies that are doing their best to prevent breaches. (More about this later.)

The NY Times had AV and it failed to prevent the breach.  Does this mean that technical controls are worthless? Absolutely not. Technical controls like anti-virus, firewalls and intrusion prevention/detection all help tune out the noise we see with known problems. If the network defender spends their entire day chasing down nuisance attacks by lesser adversaries, how can they begin to focus on the more sophisticated problems?

To be clear, the PhishMe message isn’t to abandon traditional network defense and security technology.  Our message is that even the best tech will have gaps, and the role your human assets play in defending the network cannot be dismissed.  An educated user base is the best choice you can make when it comes to filling these gaps. With consistent and relevant training, the vulnerabilities that technical controls cannot patch will be protected by another layer of security. The real problem is that too many programs are designed to only rely on technical controls and feed useless information to users. Holistic information security is a balance between technical controls (both tried and true and bleeding edge) and IT consumers who understand their role in security. The latter has either been neglected for too long or inundated with information that is too technical or focused on items that don’t matter.

Would the NY Times be making headlines today if one of their staffers reported suspicious email based on training they received? We’ll never know.

-Aaron Higbee

Planes, Trains, Automobiles and… Spear Phishing?

Tuesday, January 8th, 2013

With 2013 upon us, it will be a busy year at PhishMe, as we are already scheduled to appear at around 70 events. That means another year of heavy traveling for our sales and marketing team. While it’s definitely exciting to visit new places and introduce new people to PhishMe, as with anything else in life, there are risks involved. Does your organization have employees that travel frequently? If so, they are probably being targeted by phishers.

Employees that are constantly on-the-go receive a slew of emails confirming reservations and itineraries (we speak from experience), and are thus easy targets for phishers. For example, a busy employee has an upcoming flight and receives an email warning of a schedule change. A change could throw off the schedule for a critical meeting, so this email has appealed to emotion by threatening to disrupt important plans. From reading Twitter posts, the criminal knows what airline an employee is traveling on, and that the flight leaves early in the morning. From the airline’s website, the criminal can deduce the exact number of the flight the employee is taking. Perhaps this criminal even knows which conferences your employees are traveling to and which hotel chains your company uses, and can tweak an email to be very specific and accurate.

This threat is real, and major airlines have been warning customers. Delta Air Lines issued a warning to customers about a new phishing attack that claims the recipient has purchased a Delta ticket, a credit card has been charged, an invoice/receipt is attached to an email, or a website may offer free flights for following or liking an account.

US Airways has issued similar warnings, and American Airlines maintains a page with phishing warnings and tips for its customers, including examples of recent phishing emails (many of them appearing quite genuine) that customers had received. American’s page, in particular, offers a great resource, but is skimming that page as effective as an immersive training exercise delivered to your employees’ inboxes?

By implementing a PhishMe program at your organization, you’ll empower your employees to recognize the signs of a phishing email, giving them the knowledge to properly react to those emails without slowing down their travel schedule or compromising your organization’s network.

What Trend Micro’s research means for organizations

Thursday, November 29th, 2012

Trend Micro has just published research confirming what we at PhishMe already knew – spear phishing is the top threat to enterprise security. Trend Micro’s report estimates that spear phishing accounts for 91% of targeted attacks, making it the most prevalent method of introducing APT to corporate and government networks. Industry recognition of the severity of the dangers posed by spear phishing is always a positive development, but merely acknowledging the problem doesn’t provide a solution.

Fortunately, many of the underlying issues Trend Micro identifies are problems PhishMe is already helping our customers address.

One interesting point made in the report was that of the users Trend Micro monitored, nearly half of the recipients of spear phishing emails had email addresses easily accessible through Google. While it may be impossible to keep your employees’ email addresses secret, it’s not impossible to identify the most vulnerable users in your enterprise and deliver training targeted to them. PhishMe recently added a feature that allows administrators to search the Internet to find which users’ email addresses are easily discovered through a search engine, and develop a distribution list of those users. This allows our customers to pinpoint which of their users are most likely to receive a phishing email, and provide targeted training as appropriate.

The report also found that 94% of all targeted emails use malicious attachments, in a variety of file formats. PhishMe’s functionality allows customers to send users emails with attachments in formats such as .XLS, .DOC, and .ZIP. Trend Micro notes that, “Spear-phishing email attachments are difficult to spot from normal document attachments passed on from user to user each day in a corporate environment,” but using PhishMe allows enterprises to train users to recognize a bogus attachment, as well as raise general awareness about the threat of malicious attachments.

The reality of these findings is that technology alone won’t prevent spear phishing; it’s up to an organization to ensure its employees are prepared when a phishing email arrives.

Cyber Monday phishing scams could affect the workplace

Wednesday, November 21st, 2012

If you’re like me, then the idea of fighting the midnight crowds on Black Friday holds limited appeal, even if it means getting an 80% discount on a big screen TV. But thanks to Cyber Monday, people can get ridiculous deals without peeling themselves away from their computers – or offices.

The convenience of scoring a deal from your desk has made the Monday after Thanksgiving the biggest online shopping day of the year, with sales expected to top $2 billion. However, just because we no longer have to risk being trampled, shouted at, or otherwise sacrifice our dignity to get a hot deal, it doesn’t mean that Cyber Monday is entirely safe, and enterprise networks are not immune from the dangers.

Unlike Black Friday, Cyber Monday occurs during the workweek, which means much of the bargain hunting will occur during work hours, and across enterprise networks. These scams may be targeting consumers, but criminals are still trying to use them to gain access to corporate networks and the sensitive information they contain.

Cyber Monday’s proximity to the Thanksgiving holiday makes it even more dangerous for enterprises. Thanksgiving is one of the heaviest phishing days of the year, as phishers take advantage of understaffed operation centers to send out phishing attacks at a rate 336% greater than average, meaning that when employees are sifting through their emails on Cyber Monday, there’s a much greater chance a phish will be waiting for them.

If Black Friday has taught us anything, it’s that people will do crazy, unruly, outlandish, unspeakable things to score a sweet deal on a pair of Ugg boots or a set of new power tools. An online deal is no different, and many normally rational people will abandon caution when an email with a link to a deal for a $99 Xbox crosses their inbox.

The danger in online shopping is also no longer confined to computers. According to McAfee, Americans are using mobile devices for shopping in ever-increasing numbers, with 1 in 4 Americans planning to shop using a mobile phone or tablet this holiday season. With many organizations adopting Bring Your Own Device (BYOD) policies, mobile phishing scams pose a great risk to companies as well, as that text offering a coupon by clicking a link could open the door to the company’s network. In fact, the FBI issued a warning about mobile malware just a few weeks ago. Add to that the growing number of malicious links and scams being sent over social media, and employees are never far from a phishing scam.

In an ideal world, employees would never use a corporate machine or network to conduct personal shopping. In the real world, however, the best defense is an educated workforce that can properly recognize and react to a phishing scam. The good news is that whether it’s Cyber Monday or any other major event that attracts phishing scams, the same rules for staying safe apply. Will your workforce be ready?

Breaking the Myths of Social Engineering

Monday, October 1st, 2012

Last week, a Washington Post article by Robert O’Harrow offered an interesting look at the most common attack vector used by cybercriminals to penetrate enterprises today: spear phishing. While we applaud (loudly) the thrust of the article – that enterprises need to educate users on the dangers of spear phishing – there are some very real challenges in user education that the article does not address.

First, there is a very common misperception (promulgated by the article) that the only goal of spear phishing is to deliver a payload of malware to a specific employee of an organization. While malware delivery is still a frequent tactic in spear phishing campaigns, as we saw with the RSA breach and others, today’s spear phishers also continue to use low-tech social engineering to solicit user credentials through convincing imitations of their targets’ corporate web pages. This is what we call a data entry phishing attack: no malware is involved, only a link and a login form, so there is no attachment or executable for anti-malware controls to catch, which makes these attacks very difficult to detect.
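One practical way to screen for the data-entry phishing links described above is to look at each link in the message body rather than at attachments. The following is an added example, not code from this post or from PhishMe: it assumes the organization’s real domain is example.com, that the message body is available as HTML, and that a registered domain can be approximated by the last two labels (a simplification that is wrong for suffixes such as .co.uk). The sample email is constructed for the example. It flags three signs of a credential-harvesting link: visible link text that is itself a URL whose host differs from the real destination, the brand name embedded in a host the organization does not own, and a typosquatted lookalike of the corporate domain.

```python
"""Flag links in an e-mail body that look like data-entry (credential) phishing.

Added example, not PhishMe code. Assumes the organisation's real domain is
CORP_DOMAIN and that the e-mail body is available as HTML text.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

CORP_DOMAIN = "example.com"        # assumption: the organisation's real domain
BRAND = CORP_DOMAIN.split(".")[0]  # "example"


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def _host(url):
    """Hostname of a URL; bare hosts such as 'www.example.com' are accepted too."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def _edit_distance(a, b):
    """Levenshtein distance, used to spot typosquats such as exarnple.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_corp_host(host):
    return host == CORP_DOMAIN or host.endswith("." + CORP_DOMAIN)


def classify_link(href, text):
    """Return the reasons a link looks like credential phishing (empty if clean)."""
    reasons = []
    host = _host(href)
    if not host or is_corp_host(host):
        return reasons
    # 1. The visible text is a URL or hostname that does not match the real destination.
    looks_like_url = re.match(r"^(https?://|www\.)?[\w.-]+\.[a-z]{2,}", text, re.I)
    shown = _host(text) if looks_like_url else ""
    if shown and shown != host:
        reasons.append(f"display/href mismatch: shows {shown}, goes to {host}")
    # 2. Our brand name inside a host we do not own (sso.example.com.evil.net).
    if BRAND in host:
        reasons.append(f"brand name in non-corporate host {host}")
    # 3. A close typosquat of the registered domain (assumption: last two labels).
    registered = ".".join(host.split(".")[-2:])
    if registered != CORP_DOMAIN and _edit_distance(registered, CORP_DOMAIN) <= 2:
        reasons.append(f"lookalike domain {registered}")
    return reasons


def scan_email(html):
    """All suspicious links in a message body as (href, text, reasons) triples."""
    return [(href, text, classify_link(href, text))
            for href, text in extract_links(html)
            if classify_link(href, text)]


# Constructed sample: a quota-warning lure with two bad links and one genuine one.
SAMPLE_EMAIL = """<html><body>
<p>Your mailbox is over quota. Sign in to keep receiving mail:</p>
<a href="https://sso.example.com.account-verify.net/login">https://sso.example.com/login</a>
<p>Or use the <a href="http://exarnple.com/owa">Outlook Web App</a>.</p>
<p>Questions? See <a href="https://intranet.example.com/help">the help page</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL):
        print(href, "->", "; ".join(reasons))
```

Run against the sample message this reports the first link twice over (text/destination mismatch plus the brand name buried in a foreign host) and the second as a lookalike domain, while the genuine intranet link passes. These are heuristics, not proof: a legitimate partner site that mentions the brand will also trip check 2, so the output belongs in a review queue or a user-facing warning rather than an automatic block.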

Second, and even more importantly, there is a common misconception that simply making employees more aware of potential phishing attacks will lead to their prevention. In many enterprises, employees must complete annual security awareness programs, but they still go on to do all of the things they have been told not to do, including opening attachments from people they don’t know and clicking on links from untrusted sources. This type of passive awareness (a once-a-year security training seminar, a poster in the break room, a screensaver reminding employees to change their passwords) simply will not work. My company, PhishMe, has trained more than 3.5 million employees at universities, government agencies, and large enterprises, and we have found that many user awareness programs are largely ineffective in preventing spear phishing attacks. To be successful in user training, you have to be proactive and immerse employees in a true-to-life experience that will stick and actually change user behavior.

Penetration testing kits, which also are described at length in the article, do little to change this behavior. Pen testing, usually conducted by a benign white hat hacker, may expose vulnerabilities in enterprise infrastructure or demonstrate weaknesses in cyber defense. But most users never see the penetration test, nor are its results shared with them. Penetration tests are designed to help the IT organization find the flaws in its defenses; they do nothing to educate the end user. In fact, they can have the opposite effect, generating employee backlash and mistrust with no positive behavior change.

In the end, there is only one proven way to effect change in end user behavior: hit them with a benign version of the actual phishing attack that they might see in their email. If a user sees a particular attack and takes the wrong action by opening an attachment or clicking a link, there is no more effective way of teaching them a lesson than to warn them, on screen, that they have made a wrong move. It’s that very moment that makes the most impact.

We have found that immersing people in the experience through mock phishing exercises, and presenting immediate, bite-sized education to those who are susceptible, has had the desired effect of reducing employee vulnerability to these attacks. PhishMe’s training has proven to modify employee behavior over time and allows organizations not just to be aware of their employees’ behavior, but to help them take a safer and more positive course of action when it comes to phishing attacks.
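The mechanics behind the mock phishing exercise described in the last two paragraphs are simple enough to sketch. What follows is an added example, not PhishMe’s product code: it assumes a per-exercise secret held server side, an in-memory event store, and a hypothetical training host at training.example.com. Each recipient gets a link carrying an HMAC-signed token so that a click is attributed to the right person and a forwarded or tampered link cannot pollute the results; the landing page records the click and serves the on-screen lesson at that moment; credentials posted to the mock form are counted but their values are never stored; and the per-campaign metrics are the susceptibility rate (clicked or submitted) and the report rate that a program tracks over time.

```python
"""Minimal mock-phishing exercise back end: signed per-recipient links, a click
handler that serves just-in-time training, and campaign metrics.

Added example, not PhishMe's code. Assumes one secret per exercise, kept server
side, and an in-memory list of events.
"""
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

SECRET = b"rotate-me-per-exercise"   # assumption: generated fresh for each campaign
SIG_LEN = hashlib.sha256().digest_size

TRAINING_MESSAGE = ("This was a simulated phishing e-mail sent by your security team. "
                    "The link text did not match its destination; hover before you click.")


def make_token(campaign_id, recipient):
    """Encode campaign + recipient and sign with HMAC-SHA256 so the recipient
    cannot change who a click is attributed to."""
    payload = json.dumps({"c": campaign_id, "r": recipient},
                         separators=(",", ":")).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + sig).decode().rstrip("=")


def parse_token(token):
    """Return the signed payload, or None if the signature does not verify."""
    raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    payload, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(payload)


def make_link(campaign_id, recipient, base_url="https://training.example.com"):
    """The URL placed in the mock phishing e-mail (base_url is an assumption)."""
    return f"{base_url}/c/{make_token(campaign_id, recipient)}"


class Exercise:
    def __init__(self, campaign_id, recipients):
        self.campaign_id = campaign_id
        self.recipients = set(recipients)
        self.events = []  # (recipient, action, utc timestamp)

    def _recipient_for(self, token):
        data = parse_token(token)
        if data is None or data["c"] != self.campaign_id or data["r"] not in self.recipients:
            return None  # forged, foreign or stale token: record nothing
        return data["r"]

    def _record(self, recipient, action):
        self.events.append((recipient, action, datetime.now(timezone.utc)))

    def handle_click(self, token):
        """Landing page hit: log the click and show the lesson immediately."""
        recipient = self._recipient_for(token)
        if recipient is None:
            return {"status": 404}
        self._record(recipient, "clicked")
        return {"status": 200, "page": "training", "recipient": recipient,
                "message": TRAINING_MESSAGE}

    def handle_submit(self, token, form):
        """Mock login form posted: count it, keep field names only, never values."""
        recipient = self._recipient_for(token)
        if recipient is None:
            return {"status": 404}
        self._record(recipient, "submitted")
        return {"status": 200, "page": "training", "recipient": recipient,
                "fields": sorted(form), "message": TRAINING_MESSAGE}

    def handle_report(self, recipient):
        """Recipient forwarded the mail to the security team instead of clicking."""
        if recipient not in self.recipients:
            return False
        self._record(recipient, "reported")
        return True

    def metrics(self):
        fell = {r for r, a, _ in self.events if a in ("clicked", "submitted")}
        reported = {r for r, a, _ in self.events if a == "reported"}
        n = len(self.recipients)
        return {"susceptible": len(fell) / n, "reported": len(reported) / n}


if __name__ == "__main__":
    ex = Exercise("q4-2012", ["alice", "bob", "carol", "dave"])
    print(make_link("q4-2012", "alice"))
    ex.handle_click(make_token("q4-2012", "alice"))
    ex.handle_submit(make_token("q4-2012", "bob"), {"user": "bob", "pass": "x"})
    ex.handle_report("carol")
    print(ex.metrics())
```

Two design points matter in practice. The token carries no secret of its own, so a user who forwards the mail still produces a click attributed to the original recipient; that is the intended behavior, because it is the recipient’s mailbox that let the lure through. And the form handler deliberately discards submitted values: the exercise needs to know that someone typed a password into a lookalike page, never what the password was.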

The Washington Post article does a service to its audience by raising the importance of spear phishing and social engineering attacks. It rightly points out that humans are the weak spot in any enterprise defense, and that even the most well-schooled employees may be fooled by a new, convincing form of attack.

However, the Post article does not offer enough information on the tools and methods that can be used to prevent users from making these sorts of “human” mistakes. PhishMe’s methods have increased human resiliency by reducing the frequency with which employees fall prey to phishing attempts, from more than 75 percent to fewer than 5 percent in some cases. While the Post article seems to indicate that social engineering is a human flaw and cannot be stopped, PhishMe has proven, repeatedly, that the right type of training and behavior modification can make a huge impact on the incidence of phishing infections in the enterprise.

Yes, social engineering takes advantage of human flaws, and humans are invariably flawed. But the article fails to add that humans can learn not to behave in ways that put enterprise data at risk. The weak link in the chain can be significantly strengthened – effectively making the whole chain much stronger.