Endpoint
7/23/2013
10:04 PM
Tim Wilson
Tim Wilson
Commentary
50%
50%

Does User Awareness Help? Vendors Begin To Take Sides

Security vendors such as FireEye speak in favor of awareness training -- even without a dog in the fight

"When all you have is a hammer, everything looks like a nail," the old saying goes. In the past, this has been especially true in cybersecurity, where technology vendors have attempted to solve virtually every problem with the one thing they have: more technology. Got a virus? Antivirus software. Data leak? Data leak prevention. If you've got a security problem, there's an app (or an appliance) for that.

Most of these technologies overlook one of the weakest links in the security chain: the human end user. While technology continues to improve, little has been done to make the user smarter and more able to recognize potential threats. End-user awareness, though often talked about and nominally taught in most enterprises, has been largely ignored by most technology vendors -- except those that offer user training and awareness tools.

That's why I found it interesting this week that FireEye -- a vendor that specializes in technology -- stepped forward to partner with PhishMe to promote end-user awareness training.

PhishMe, which offers a service that simulates social-engineering attacks in order to help teach users what to look for, will work with FireEye, which offers technology for spotting targeted attacks and advanced persistent threats (APTs). The idea is to make users smarter in recognizing the signs of spearphishing and social engineering, which are usually the precursor to a more sophisticated attack.

"PhishMe and FireEye hope to create a new organization-wide mindset that cyber security impacts each employee, from the lowest level all the way to the C-level," Tuesday's press release said. "Both companies are committed to creating an open environment where employees are educated and aware of potential security threats, as well as the need for a robust security infrastructure."

This type of initiative is not new for PhishMe or for other vendors that offer end-user awareness-training tools, such as ProofPoint or Wombat. But it is new for technology vendors such as FireEye to make a strong commitment to end-user training.

"Ten or 12 months ago, you wouldn't have seen any technology vendors talking about the human element of security defense, but there's a shift going on," says Rohyt Belani, CEO of PhishMe. "Phishing is so often the start of a more sophisticated attack -- there is real movement towards dealing with it."

There are examples of other technology vendors making a strong commitment to end-user training: Microsoft and Motorola, for example, have programs devoted to it. But until recently, most security technology vendors have stayed fairly neutral in the debate as to whether end-user training is worth the effort.

In the near term, it's likely that end-user training will continue to have its detractors -- particularly penetration testers who know they can fool virtually any user into making a mistake. But if there is a strong push from technology vendors toward solving the human vulnerability, there is a good chance that the average user will be better able to sniff out the average social-engineering attack, and that seems a positive development for enterprise security.

There's still a lot of debate about the effectiveness of security-awareness training, and there are still a lot of enterprises whose training programs are extraordinarily bad. But if technology vendors continue to get on the bandwagon and get involved in end-user awareness, it could make a difference in the way such programs work -- and how they are perceived. The scales may have finally tipped in the direction of those who favor end-user training -- and want to see it done right.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-2849
Published: 2015-07-07
SQL injection vulnerability in main.ant in the ANTlabs InnGate firmware on IG 3100, InnGate 3.01 E, InnGate 3.10 E, InnGate 3.10 M, SG 4, and SSG 4 devices, when https is used, allows remote attackers to execute arbitrary SQL commands via the ppli parameter.

CVE-2015-2850
Published: 2015-07-07
Cross-site scripting (XSS) vulnerability in index-login.ant in the ANTlabs InnGate firmware on IG 3100, InnGate 3.01 E, InnGate 3.10 E, InnGate 3.10 M, SG 4, and SSG 4 devices allows remote attackers to inject arbitrary web script or HTML via the msg parameter.

CVE-2015-3216
Published: 2015-07-07
Race condition in a certain Red Hat patch to the PRNG lock implementation in the ssleay_rand_bytes function in OpenSSL, as distributed in openssl-1.0.1e-25.el7 in Red Hat Enterprise Linux (RHEL) 7 and other products, allows remote attackers to cause a denial of service (application crash) by establi...

CVE-2014-3653
Published: 2015-07-06
Cross-site scripting (XSS) vulnerability in the template preview function in Foreman before 1.6.1 allows remote attackers to inject arbitrary web script or HTML via a crafted provisioning template.

CVE-2014-5406
Published: 2015-07-06
The Hospira LifeCare PCA Infusion System before 7.0 does not validate network traffic associated with sending a (1) drug library, (2) software update, or (3) configuration change, which allows remote attackers to modify settings or medication data via packets on the (a) TELNET, (b) HTTP, (c) HTTPS, ...

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report