Endpoint
7/23/2013
10:04 PM
Tim Wilson
Tim Wilson
Commentary
50%
50%

Does User Awareness Help? Vendors Begin To Take Sides

Security vendors such as FireEye speak in favor of awareness training -- even without a dog in the fight

"When all you have is a hammer, everything looks like a nail," the old saying goes. In the past, this has been especially true in cybersecurity, where technology vendors have attempted to solve virtually every problem with the one thing they have: more technology. Got a virus? Antivirus software. Data leak? Data leak prevention. If you've got a security problem, there's an app (or an appliance) for that.

Most of these technologies overlook one of the weakest links in the security chain: the human end user. While technology continues to improve, little has been done to make the user smarter and more able to recognize potential threats. End-user awareness, though often talked about and nominally taught in most enterprises, has been largely ignored by most technology vendors -- except those that offer user training and awareness tools.

That's why I found it interesting this week that FireEye -- a vendor that specializes in technology -- stepped forward to partner with PhishMe to promote end-user awareness training.

PhishMe, which offers a service that simulates social-engineering attacks in order to help teach users what to look for, will work with FireEye, which offers technology for spotting targeted attacks and advanced persistent threats (APTs). The idea is to make users smarter in recognizing the signs of spearphishing and social engineering, which are usually the precursor to a more sophisticated attack.

"PhishMe and FireEye hope to create a new organization-wide mindset that cyber security impacts each employee, from the lowest level all the way to the C-level," Tuesday's press release said. "Both companies are committed to creating an open environment where employees are educated and aware of potential security threats, as well as the need for a robust security infrastructure."

This type of initiative is not new for PhishMe or for other vendors that offer end-user awareness-training tools, such as ProofPoint or Wombat. But it is new for technology vendors such as FireEye to make a strong commitment to end-user training.

"Ten or 12 months ago, you wouldn't have seen any technology vendors talking about the human element of security defense, but there's a shift going on," says Rohyt Belani, CEO of PhishMe. "Phishing is so often the start of a more sophisticated attack -- there is real movement towards dealing with it."

There are examples of other technology vendors making a strong commitment to end-user training: Microsoft and Motorola, for example, have programs devoted to it. But until recently, most security technology vendors have stayed fairly neutral in the debate as to whether end-user training is worth the effort.

In the near term, it's likely that end-user training will continue to have its detractors -- particularly penetration testers who know they can fool virtually any user into making a mistake. But if there is a strong push from technology vendors toward solving the human vulnerability, there is a good chance that the average user will be better able to sniff out the average social-engineering attack, and that seems a positive development for enterprise security.

There's still a lot of debate about the effectiveness of security-awareness training, and there are still a lot of enterprises whose training programs are extraordinarily bad. But if technology vendors continue to get on the bandwagon and get involved in end-user awareness, it could make a difference in the way such programs work -- and how they are perceived. The scales may have finally tipped in the direction of those who favor end-user training -- and want to see it done right.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7437
Published: 2015-03-29
Multiple integer overflows in potrace 1.11 allow remote attackers to cause a denial of service (crash) via large dimensions in a BMP image, which triggers a buffer overflow.

CVE-2013-7438
Published: 2015-03-29
Multiple buffer overflows in pbm212030 allow remote attackers to cause a denial of service (crash) or possible execute arbitrary code via a crafted PBM image, related to (1) stream line data, which triggers a heap-based buffer overflow, or (2) vectors related to an "internal intermediate heap-based ...

CVE-2014-5427
Published: 2015-03-29
Johnson Controls Metasys 4.1 through 6.5, as used in Application and Data Server (ADS), Extended Application and Data Server (aka ADX), LonWorks Control Server 85 LCS8520, Network Automation Engine (NAE) 55xx-x, Network Integration Engine (NIE) 5xxx-x, and NxE8500, allows remote attackers to read pa...

CVE-2014-5428
Published: 2015-03-29
Unrestricted file upload vulnerability in unspecified web services in Johnson Controls Metasys 4.1 through 6.5, as used in Application and Data Server (ADS), Extended Application and Data Server (aka ADX), LonWorks Control Server 85 LCS8520, Network Automation Engine (NAE) 55xx-x, Network Integratio...

CVE-2014-9205
Published: 2015-03-29
Stack-based buffer overflow in the PmBase64Decode function in an unspecified demonstration application in MICROSYS PROMOTIC stable before 8.2.19 and PROMOTIC development before 8.3.2 allows remote attackers to execute arbitrary code by providing a large amount of data.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.