Endpoint
7/23/2013
10:04 PM
Tim Wilson
Tim Wilson
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Does User Awareness Help? Vendors Begin To Take Sides

Security vendors such as FireEye speak in favor of awareness training -- even without a dog in the fight

"When all you have is a hammer, everything looks like a nail," the old saying goes. In the past, this has been especially true in cybersecurity, where technology vendors have attempted to solve virtually every problem with the one thing they have: more technology. Got a virus? Antivirus software. Data leak? Data leak prevention. If you've got a security problem, there's an app (or an appliance) for that.

Most of these technologies overlook one of the weakest links in the security chain: the human end user. While technology continues to improve, little has been done to make the user smarter and more able to recognize potential threats. End-user awareness, though often talked about and nominally taught in most enterprises, has been largely ignored by most technology vendors -- except those that offer user training and awareness tools.

That's why I found it interesting this week that FireEye -- a vendor that specializes in technology -- stepped forward to partner with PhishMe to promote end-user awareness training.

PhishMe, which offers a service that simulates social-engineering attacks in order to help teach users what to look for, will work with FireEye, which offers technology for spotting targeted attacks and advanced persistent threats (APTs). The idea is to make users smarter in recognizing the signs of spearphishing and social engineering, which are usually the precursor to a more sophisticated attack.

"PhishMe and FireEye hope to create a new organization-wide mindset that cyber security impacts each employee, from the lowest level all the way to the C-level," Tuesday's press release said. "Both companies are committed to creating an open environment where employees are educated and aware of potential security threats, as well as the need for a robust security infrastructure."

This type of initiative is not new for PhishMe or for other vendors that offer end-user awareness-training tools, such as ProofPoint or Wombat. But it is new for technology vendors such as FireEye to make a strong commitment to end-user training.

"Ten or 12 months ago, you wouldn't have seen any technology vendors talking about the human element of security defense, but there's a shift going on," says Rohyt Belani, CEO of PhishMe. "Phishing is so often the start of a more sophisticated attack -- there is real movement towards dealing with it."

There are examples of other technology vendors making a strong commitment to end-user training: Microsoft and Motorola, for example, have programs devoted to it. But until recently, most security technology vendors have stayed fairly neutral in the debate as to whether end-user training is worth the effort.

In the near term, it's likely that end-user training will continue to have its detractors -- particularly penetration testers who know they can fool virtually any user into making a mistake. But if there is a strong push from technology vendors toward solving the human vulnerability, there is a good chance that the average user will be better able to sniff out the average social-engineering attack, and that seems a positive development for enterprise security.

There's still a lot of debate about the effectiveness of security-awareness training, and there are still a lot of enterprises whose training programs are extraordinarily bad. But if technology vendors continue to get on the bandwagon and get involved in end-user awareness, it could make a difference in the way such programs work -- and how they are perceived. The scales may have finally tipped in the direction of those who favor end-user training -- and want to see it done right.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2003-1598
Published: 2014-10-01
SQL injection vulnerability in log.header.php in WordPress 0.7 and earlier allows remote attackers to execute arbitrary SQL commands via the posts variable.

CVE-2011-4624
Published: 2014-10-01
Cross-site scripting (XSS) vulnerability in facebook.php in the GRAND FlAGallery plugin (flash-album-gallery) before 1.57 for WordPress allows remote attackers to inject arbitrary web script or HTML via the i parameter.

CVE-2012-0811
Published: 2014-10-01
Multiple SQL injection vulnerabilities in Postfix Admin (aka postfixadmin) before 2.3.5 allow remote authenticated users to execute arbitrary SQL commands via (1) the pw parameter to the pacrypt function, when mysql_encrypt is configured, or (2) unspecified vectors that are used in backup files gene...

CVE-2012-5485
Published: 2014-09-30
registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.

CVE-2012-5486
Published: 2014-09-30
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Chris Hadnagy, who hosts the annual Social Engineering Capture the Flag Contest at DEF CON, will discuss the latest trends attackers are using.