Endpoint
7/23/2013
10:04 PM
Tim Wilson
Tim Wilson
Commentary
50%
50%

Does User Awareness Help? Vendors Begin To Take Sides

Security vendors such as FireEye speak in favor of awareness training -- even without a dog in the fight

"When all you have is a hammer, everything looks like a nail," the old saying goes. In the past, this has been especially true in cybersecurity, where technology vendors have attempted to solve virtually every problem with the one thing they have: more technology. Got a virus? Antivirus software. Data leak? Data leak prevention. If you've got a security problem, there's an app (or an appliance) for that.

Most of these technologies overlook one of the weakest links in the security chain: the human end user. While technology continues to improve, little has been done to make the user smarter and more able to recognize potential threats. End-user awareness, though often talked about and nominally taught in most enterprises, has been largely ignored by most technology vendors -- except those that offer user training and awareness tools.

That's why I found it interesting this week that FireEye -- a vendor that specializes in technology -- stepped forward to partner with PhishMe to promote end-user awareness training.

PhishMe, which offers a service that simulates social-engineering attacks in order to help teach users what to look for, will work with FireEye, which offers technology for spotting targeted attacks and advanced persistent threats (APTs). The idea is to make users smarter in recognizing the signs of spearphishing and social engineering, which are usually the precursor to a more sophisticated attack.

"PhishMe and FireEye hope to create a new organization-wide mindset that cyber security impacts each employee, from the lowest level all the way to the C-level," Tuesday's press release said. "Both companies are committed to creating an open environment where employees are educated and aware of potential security threats, as well as the need for a robust security infrastructure."

This type of initiative is not new for PhishMe or for other vendors that offer end-user awareness-training tools, such as ProofPoint or Wombat. But it is new for technology vendors such as FireEye to make a strong commitment to end-user training.

"Ten or 12 months ago, you wouldn't have seen any technology vendors talking about the human element of security defense, but there's a shift going on," says Rohyt Belani, CEO of PhishMe. "Phishing is so often the start of a more sophisticated attack -- there is real movement towards dealing with it."

There are examples of other technology vendors making a strong commitment to end-user training: Microsoft and Motorola, for example, have programs devoted to it. But until recently, most security technology vendors have stayed fairly neutral in the debate as to whether end-user training is worth the effort.

In the near term, it's likely that end-user training will continue to have its detractors -- particularly penetration testers who know they can fool virtually any user into making a mistake. But if there is a strong push from technology vendors toward solving the human vulnerability, there is a good chance that the average user will be better able to sniff out the average social-engineering attack, and that seems a positive development for enterprise security.

There's still a lot of debate about the effectiveness of security-awareness training, and there are still a lot of enterprises whose training programs are extraordinarily bad. But if technology vendors continue to get on the bandwagon and get involved in end-user awareness, it could make a difference in the way such programs work -- and how they are perceived. The scales may have finally tipped in the direction of those who favor end-user training -- and want to see it done right.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8142
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.