Archive

Posts Tagged ‘phishing’

If you want to beat the phishers, start with your users

April 17, 2013

Last month Bruce Schneier made an interesting comment:

I personally believe that training users in security is generally a waste of time and that the money can be spent better elsewhere… If four-fifths of company employees learn to choose better passwords, or not to click on dodgy links, one-fifth still get it wrong and the bad guys still get in.
On Security Awareness Training

My favourite riposte comes from Ira Winkler:

That argument basically says that if the bad guy gets in, all security countermeasures are irrelevant. By that measure, we should abandon security as a whole, since all countermeasures have and will fail.
Arguments Against Security Awareness Are Shortsighted

But Schneier has a point: training clearly isn’t working as well as it should, since (according to Trend Micro) more than 90% of successful APT attacks begin with a spear-phishing email that somebody fell for. But Winkler also has a point: all countermeasures, technical and human, have failed and will fail. Does that mean we should give up on security in general and awareness training in particular?

Clearly not. The solution is not to abandon what isn’t good enough, but to improve it until it is. The question then becomes: how do we make security training more effective? Since the majority of breaches start from a phishing or spear-phishing attack, phishing is where we should start. And if traditional awareness training isn’t working, perhaps we need something new.

a discussion about simulated attack training

Wombat Security Technologies thinks it has the answer: simulated attack training. In a nutshell, this involves phishing your own staff. It has two huge advantages. First, it teaches through experience rather than through lectures (and practical always sticks better than theoretical): if somebody falls for a phish and gets sent to a benign destination carrying a company ‘gotcha’ message, he or she won’t want it to happen again. Second, it is measurable: the company can track, campaign by campaign, whether its training scheme is working.

If 20% fall to the first phish (in practice the first figure is likely to be more than 80%) and then 25% fall to the next one, something is clearly wrong with the overall training package and it needs to be re-evaluated. More likely, however, the number of victims will steadily decrease over time. Repeat victims can then be pulled out for more targeted training; and serial repeat victims can be assigned the gardening detail.
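The measurement described above is easy to automate once the simulated campaigns report who clicked. The script below is an added example with constructed campaign data, not Wombat’s tooling or anything from its report: it computes the click rate per campaign, flags any campaign whose rate went up rather than down (the “20% then 25%” case), and lists the repeat clickers who need targeted training.

```python
"""Scoring a simulated-phishing programme: click rate per campaign,
whether the trend is heading the right way, and who keeps falling for it.
Added example with constructed data; not Wombat's tooling or report."""
from collections import defaultdict

# Constructed results: (campaign, user, clicked the simulated phish?)
RESULTS = [
    ("2013-01", "alice", True),  ("2013-01", "bob", True),  ("2013-01", "carol", True),
    ("2013-01", "dave", True),   ("2013-01", "erin", False),
    ("2013-02", "alice", True),  ("2013-02", "bob", True),  ("2013-02", "carol", False),
    ("2013-02", "dave", False),  ("2013-02", "erin", False),
    ("2013-03", "alice", True),  ("2013-03", "bob", False), ("2013-03", "carol", False),
    ("2013-03", "dave", True),   ("2013-03", "erin", False),
    ("2013-04", "alice", True),  ("2013-04", "bob", False), ("2013-04", "carol", False),
    ("2013-04", "dave", False),  ("2013-04", "erin", False),
]


def click_rates(results):
    """Fraction of targeted users who clicked, keyed by campaign, in campaign order."""
    targeted, clicked = defaultdict(int), defaultdict(int)
    for campaign, _user, did_click in results:
        targeted[campaign] += 1
        clicked[campaign] += did_click  # bool counts as 0 or 1
    return {c: clicked[c] / targeted[c] for c in sorted(targeted)}


def regressions(rates):
    """Campaigns whose click rate is higher than the previous campaign's.
    Any entry here is the 20%-then-25% case: the programme needs re-evaluating."""
    ordered = list(rates.items())
    return [later for (_, a), (later, b) in zip(ordered, ordered[1:]) if b > a]


def repeat_clickers(results, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns, worst first:
    candidates for targeted training."""
    counts = defaultdict(int)
    for _campaign, user, did_click in results:
        counts[user] += did_click
    return sorted(((u, n) for u, n in counts.items() if n >= min_clicks),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    rates = click_rates(RESULTS)
    for campaign, rate in rates.items():
        print(f"{campaign}: {rate:.0%} clicked")
    print("regressions:", regressions(rates) or "none")
    print("repeat clickers:", repeat_clickers(RESULTS))
```

With the constructed data the rate falls from 80% to 20% over four campaigns with no regression, and alice (four clicks) heads the repeat list. One caveat when reading real numbers: campaigns differ in difficulty, so a rise from one campaign to the next may reflect a more convincing lure rather than a failing programme; compare like with like before re-evaluating.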

Wombat has published a new report based on the practical experience of several CSOs from major companies: A Security Officer Debate: Are simulated phishing attacks an effective approach to security awareness and training? It is well worth reading to see how simulated attack training works in practice, and what steps you need to take to get it started.

PS. Note that these are CSOs. Schneier is a CTO.


see also: Joe User is the weakest link – a presentation at the Infosecurity Virtual Conference

Categories: All, Security Issues

Spear-phishing is the single biggest threat to cyber security today

December 7, 2012

Arguably, there is no security incident without end-user involvement, either by the user actively doing something he shouldn’t or passively not doing something he should. The criminals’ usual route is to socially engineer the target into doing something he shouldn’t (see The art of social engineering), like clicking a dubious link or opening a malicious attachment. This is basic phishing. The original mass phishing campaigns, sending the same email to hundreds of thousands of targets, give the criminals an ever lower return: users have become adept at spotting them. So today criminals are choosing higher-value targets and sending personalized emails to an individual or a small group of individuals. This is spear-phishing.

Spear-phishing malicious attachments: source Trend Micro

Criminals, whether individuals, organized criminal gangs or state-sponsored groups, are all selecting spear-phishing as the attack method of choice. A recent study by Trend Micro found that 91% of successful APT attacks start with a spear-phishing attack, and that 94% of those spear-phishing emails carry a malicious attachment. To put this into perspective, many (not all) security experts believe that any organization targeted by an APT will fall to it. The corollary, and one that I accept, is that anybody targeted by a well-crafted and well-researched spear attack will succumb to that attack, or the next one, or the one after that.

This is because there is no guaranteed defence against spear-phishing. It is man versus man, and technology alone won’t stop it. You can filter incoming emails, but you might miss one. You can filter the target URLs, provided you know about all of them, but that does nothing against the disguised malicious attachments that most spear-phishing emails carry.
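Since the attachment is the payload in the great majority of these emails, the cheap checks a mail gateway can still run are worth knowing. The script below is an added example, not any vendor’s filter: it parses a constructed message with Python’s standard email library and flags attachments that are disguised in the usual ways (an executable or script extension, a document-name.exe double extension, a right-to-left-override character in the filename, or a file named as a document whose first bytes are a Windows executable). It illustrates the post’s caveat as much as the technique: a file that passes all four tests can still be malicious.

```python
"""Checks for disguised attachments in an e-mail: executable or script
extensions, document-name.exe double extensions, right-to-left-override
filenames, and document names whose bytes are actually a Windows executable.
Added example with a constructed message; not any vendor's filter."""
import email
from email import policy
from email.message import EmailMessage

DANGEROUS_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "jar", "docm", "xlsm"}
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
RTLO = "\u202e"  # Unicode right-to-left override: "x\u202efdp.exe" displays as "xexe.pdf"


def sniff(data):
    """Very small content sniffer on leading magic bytes."""
    if data.startswith(b"MZ"):
        return "Windows executable"
    if data.startswith(b"%PDF"):
        return "PDF"
    if data.startswith(b"PK\x03\x04"):
        return "ZIP/OOXML"
    return "unknown"


def attachment_findings(raw_message):
    """Return [(filename, [reasons])] for attachments that look disguised."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        exts = name.lower().split(".")[1:]
        last = exts[-1] if exts else ""
        reasons = []
        if RTLO in name:
            reasons.append("right-to-left override in filename")
        if last in DANGEROUS_EXT:
            reasons.append(f"executable/script extension .{last}")
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXT:
            reasons.append("double extension")
        if last in DOCUMENT_EXT and sniff(data) == "Windows executable":
            reasons.append("named as a document but content is a Windows executable")
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample():
    """Constructed message with one clean and two disguised attachments."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "target@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ\x90\x00 constructed placeholder", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    msg.add_attachment(b"MZ\x90\x00 constructed placeholder", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in attachment_findings(build_sample()):
        print(f"{name}: {'; '.join(reasons)}")
```

Run on the constructed message it flags statement.pdf (an executable behind a document name) and invoice.pdf.exe (dangerous extension plus double extension) and passes invoice.pdf. A macro-laden .doc or a PDF carrying an exploit would pass too, which is the point of the paragraph above: filtering buys you something, not certainty.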

This all raises the question of why spear-phishing is so successful; and the answer is that the criminals do their homework. They treat the internet as their own big data playground, harvesting little snippets of information from different places and combining them into a remarkably detailed profile of each potential target. There are huge criminal databases of stolen data to draw on. Just this week it emerged that the Nationwide insurance group in the US had the personal details of 1.1 million Americans stolen, including “Social Security number, driver’s license number and/or date of birth and possibly marital status, gender, and occupation, and the name and address of their employer.” A couple of months ago, 3.6 million South Carolina taxpayers had their details stolen (itself via a spear-phishing attack) from the state Department of Revenue.

What they don’t already have they get from the social networks and indeed from the target’s own company website. Email address, personal interests, friends, position in the company, age and location can all be found. From this profile it becomes relatively easy to compose a compelling email that looks 100% genuine and irresistible.

Indeed, the very way in which we do computing makes phishing effective. A fascinating PhD thesis by Michele Daryanani (Desensitizing the User: A Study of the Efficacy of Warning Messages), made available this summer, draws a connection between hyperactive operating system warnings and the desensitizing of the user, including to phishing attacks.

So what can we do? The main defence is user education. There are specialist training companies; PhishMe in particular specialises in teaching people how to avoid being phished.

Metasploit: now with social engineering

Yesterday, Metasploit announced it is joining the battle with a new release, Metasploit Pro 4.5, introducing ‘advanced capabilities to simulate social engineering attacks’. HD Moore, the originator of Metasploit and chief security officer at Rapid7, describes it thus: “Many organizations already conduct end-user trainings and implement technical security controls to protect their data, but it’s hard to know how effective these measures are, or even if you’re focusing on the right things. Metasploit assesses the effectiveness of these measures, and provides metrics and management for each step in the chain of compromise to help you reduce your risk.” In other words, it allows you to test your own users and see which of them fall to phishing, and under what circumstances: spear-training against spear-phishing, as it were.

But I’d like to add my own recommendation: governments should understand that, more often than not, education is better than legislation. If governments spent a fraction of their security budgets, and a fraction of their energy, on educating users rather than legislating against choice, we would all be a lot safer. And happier.

Categories: All, Security Issues

Recent stories on Infosecurity, featuring Trend Micro, phishing for Apples, NullCrew and more…

September 19, 2012

A few of my recent stories on Infosecurity Magazine from the last couple of days…

Peter the Great beats Sun Tzu in cybercrime
Despite the hoohaa about the ‘Chinese cyberthreat’ (in reality, read east Asia), Russia’s Peter the Great (in reality, read east Europe) is beating Sun Tzu in modern cyber wargames. Eastern Europe has better cybercriminals than eastern Asia.

Beware of iPhone delivery phishes
iPhone pre-orders are now showing a 3-4 week shipping estimate. Since Apple announced that 2 million pre-orders were sold for the iPhone 5 in just 24 hours, delivery delays are not likely to disappear quickly.

NullCrew: the principled hacker group?
In a wide-ranging interview broadcast over online Spreaker radio but conducted probably via IRC, UK Anon Winston Smith has been talking to Null, the leader of the NullCrew hacking group.

Quantum Key Distribution takes to the air
An aircraft in flight has successfully transmitted quantum encryption keys to a ground station, bringing closer the time when satellites can be used to provide a theoretically (allegedly) secure communications network.

YouTube declines to remove Mohammad video clip
Asked by the White House to reconsider whether the infamous Mohammad video clip is in violation of its terms of service, Google has replied that it is not. Although it is blocking the clip in Egypt, Libya, Indonesia and India, this, says Google, is in keeping with local laws.

AlienVault doxes the man behind the PlugX RAT
AlienVault has been tracking the PlugX remote access trojan for some months, and following extensive detective work has now uncovered enough information to name the person behind it.
