Endpoint
3/22/2017
10:30 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Phishing Your Employees for Schooling & Security

Your education program isn't complete until you test your users with fake phishing emails.

Imagine this fictional scenario: A student, hoping to become a surgeon, attends hours of medical courses. She never misses a class, always listens, and takes copious notes. Finally, after receiving the years of training necessary, the student receives her medical degree having never taken a test. Would you let this surgeon operate on you?

I sure hope not! Testing is a crucial part of any form of education, for both teachers and students.

That's why I believe your phishing education program isn't complete until you phish your own company's tank. By that, I mean sending fake (but realistic) phishing emails to all your users to see if they fall for them. There are plenty of tools and services that can do this for you. To me, this is the real test of your phishing and user awareness security training.

I'm assuming those of you reading this already have a security education program that includes a phishing curriculum. Some information security experts don't believe user education works. I'm not one of them. There's significant evidence that the right kind of education does work. In fact, for phishing specifically, the Ponemen Institute found that user education had a staggering 50x return on investment. If you aren't already educating your users through training, that number alone should convince you to start. So, let's talk about how you can improve your general security education program, and why phishing your users is such a valuable piece of the puzzle.

  • Practical tests are the best measure of understanding. Most security awareness training I've seen ends with a basic multiple choice test. These tests are only a partial measurement of whether or not the pupil can put that knowledge to use in the real world. Take a driving test, for instance. Sure, there's a written test, but you wouldn't allow a teenager on the road until after he passed the practical one, too.
  • Practical assessment can reveal training gaps. By sending fake phishing emails, you can learn which ones your users fell for most often. Was there a certain type of email that contained a certain "lure" that tricked your employees? Perhaps that might be a missing piece you can add to your next phishing training, or a concept you haven't covered in enough detail.
  • They help employees recognize their own level of understanding. Your fake phishing emails should immediately inform the user when they clicked on a bad link. The goal isn't to shame the user — that's detrimental to education. Rather, the goal is to let the user know they missed something, so they realize that they have a gap in their practical understanding, and don't overestimate their preparedness.
  • They provide another training opportunity. The best training involves repetition. Besides informing a student they've made a mistake, fake phishing emails allow you to immediately share training with the user that specifically addresses the mistake they just made. For instance, say a user clicked a link that obviously went to a domain having nothing to do with the email. After informing the user of their mistake, your phishing link could forward the user to a training page specifically telling them what to look for in URLs. In fact, these fake phishing exercises provide an easy way to regularly reintroduce training materials to your users (at least the ones making mistakes), without having to repeat a training course.
  • Practical tests are more likely to change behaviors. The true measure of security education is if its recipients change their bad behaviors. One reason some security pundits complain that training is ineffective is because of a certain type of user that knows the right behavior but continues to do the wrong one when it's easier. Failing these internal phishing tests regularly should eventually get even the most stubborn users to change their behavior, simply because they know their boss might be watching.  
  • They help you measure the actual value of your training. I believe that security training is effective, but not all training is equal. Phishing your own tank measures your training's efficacy. Send out fake phishing emails before your trainings and record the results. Then send similar emails out after the training and compare the results. Give your organization at least two cycles of training to really understand the long-term trends. (Education takes some time!) However, if you aren't seeing a change in behavior, then perhaps you should cancel that particular training course and identify one that works better. In any case, you're not going to be able to calculate this risk vs. efficacy vs. cost equation unless you actually measure how well your users do against phishing emails — and the only way to do that is to phish your company's tank. 

[Learn more about using the science of habits to transform user behavior during Interop ITX, May 15-19, at the MGM Grand in Las Vegas. For more on other Interop security tracks, or to register click on the live links.]

Related Content:

Corey Nachreiner regularly contributes to security publications and speaks internationally at leading industry trade shows like RSA. He has written thousands of security alerts and educational articles and is the primary contributor to the WatchGuard Security Center blog, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
3/28/2017 | 7:42:11 PM
Re: Training is the Fiction
Certainly, if humans never change behaviors, then cybersecurity is doomed.

Getting people to change behavior can be hard.  But, often enough, it can be done.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
3/28/2017 | 7:41:01 PM
Re: Beyond Training: The second part of Anti-Phishing
I recently interviewed somebody who discussed this very point in terms of lingering cloud FUD -- and how that FUD has largely (not entirely, but largely) shifted from fears about actual infrastructure issues to fears about stupid users doing stupid things.

But, of course, that can happen in any environment.
CNACHREINER981
50%
50%
CNACHREINER981,
User Rank: Author
3/24/2017 | 2:25:48 PM
Re: Training is the Fiction
That seems an overly cynical opinion to me. I absolutely agree that changing behavior is hard... and there are certainly many old adages about old dogs not learning new tricks, etc... but humans can and do change their behaviors. There is scientific evidence for it. Anyway, I think this is an interesting read:

http://www.cognitivepolicyworks.com/blog/2010/08/21/5-things-youll-need-to-know-to-change-human-behavior/
orenfalkowitz
100%
0%
orenfalkowitz,
User Rank: Strategist
3/24/2017 | 2:01:11 PM
Re: Training is the Fiction
Humans do amazing things, changing their behavior isn't one of them and its not a strategy for cybersecurity. 

Cybersecurity isn't even in the top 100 of things we've already done, with less sophisticated tools, mind you, that are far harder. 
CNACHREINER981
50%
50%
CNACHREINER981,
User Rank: Author
3/24/2017 | 1:54:03 PM
Re: Training is the Fiction
I do not agree with this, and for almost the same reason you argue against user training.

I agree that users never are or will be perfect, and we can't expect them to be.... but the same can be said of technologies. I have not seen a technology that perfectly captures all the spear phishing and spam out there. Even the best products, which successfully stop or recognize 99% of the crap, still miss. More importantly, the adversary tunes to this and evades the technologies. 

Driving school doesn't stop all accidents, but you would have MANY more without it. 

To me, you need to combine technology and training to get the best statistical advantage. Neither will catch or stop everything, but combined, you'll statistically reduce misses and failures to a much smaller number. 

No solution is perfect. The real question is how you can minimize your incidents to the bare minumum. I argue that technology alone won't get you there, and I have seen other studies (some linked) showing training does lower incidents to. The best solution is a hybrid of the two, ignoring training will increase your incidents. 
orenfalkowitz
100%
0%
orenfalkowitz,
User Rank: Strategist
3/24/2017 | 1:46:48 PM
Training is the Fiction
Expecting users to be perfect isn't a solution, we don't have that expectation of surgeons nor would we expect them to have an equal level of training that they receive for cybersecurity. 

We know that training whether traffic school or sex education has a limited impact in changing outcomes. 

95% of data breaches begin with phishing. The solution is technology that preempts attacks and takes advantage of weaknesses in the attackers delivery of phishing campaigns, not solutions that react and don't change the rsults we're seeing today.

 

 

 

 
CNACHREINER981
50%
50%
CNACHREINER981,
User Rank: Author
3/24/2017 | 1:46:41 PM
Re: 192.168.0.1
Thank you! ^_^
CNACHREINER981
50%
50%
CNACHREINER981,
User Rank: Author
3/24/2017 | 1:28:36 PM
Re: Beyond Training: The second part of Anti-Phishing
Yes. The ideal combination is technologies that can block the obviously bad stuff, other technologies that can help "advise" human choice (as you suggest), and training and user awareness. I definitely agree you need technologies to just block as much as you can, irregardless of the human. I do feel that even the best technologies aren't infallible, so training is still important. I do really love the idea of emails being visually flagged then they fail certain checks that could make them "suspicious" this technology assist really could help the user in making a decision with even more info.
DonT183
50%
50%
DonT183,
User Rank: Apprentice
3/24/2017 | 1:24:00 PM
Beyond Training: The second part of Anti-Phishing
Beyond expecting staff not to respond to Phishing we need to inspect that ability.  Learning approaches for Staff is an excellent idea.  Inspection needs to go further to advise human choice.  Know where your email came from and who sent it.  All email that did not come form a digitally signed email server should be flagged as from an untrusted email server.  All email that did not come digitally signed by the sender should be flagged as from an uncertian email sender.  Add this advice to trained staff and Phishing should get much harder to do.

 
Shantaram
50%
50%
Shantaram,
User Rank: Ninja
3/24/2017 | 12:13:41 PM
Re: 192.168.0.1
Thanks, article is very detailed and intersting written!
Page 1 / 2   >   >>
Printers: The Weak Link in Enterprise Security
Kelly Sheridan, Associate Editor, Dark Reading,  10/16/2017
20 Questions to Ask Yourself before Giving a Security Conference Talk
Joshua Goldfarb, Co-founder & Chief Product Officer, IDDRA,  10/16/2017
Why Security Leaders Can't Afford to Be Just 'Left-Brained'
Bill Bradley, SVP, Cyber Engineering and Technical Services, CenturyLink,  10/17/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.