Endpoint
7/23/2013
10:04 PM
Tim Wilson
Tim Wilson
Commentary
50%
50%

Does User Awareness Help? Vendors Begin To Take Sides

Security vendors such as FireEye speak in favor of awareness training -- even without a dog in the fight

"When all you have is a hammer, everything looks like a nail," the old saying goes. In the past, this has been especially true in cybersecurity, where technology vendors have attempted to solve virtually every problem with the one thing they have: more technology. Got a virus? Antivirus software. Data leak? Data leak prevention. If you've got a security problem, there's an app (or an appliance) for that.

Most of these technologies overlook one of the weakest links in the security chain: the human end user. While technology continues to improve, little has been done to make the user smarter and more able to recognize potential threats. End-user awareness, though often talked about and nominally taught in most enterprises, has been largely ignored by most technology vendors -- except those that offer user training and awareness tools.

That's why I found it interesting this week that FireEye -- a vendor that specializes in technology -- stepped forward to partner with PhishMe to promote end-user awareness training.

PhishMe, which offers a service that simulates social-engineering attacks in order to help teach users what to look for, will work with FireEye, which offers technology for spotting targeted attacks and advanced persistent threats (APTs). The idea is to make users smarter in recognizing the signs of spearphishing and social engineering, which are usually the precursor to a more sophisticated attack.

"PhishMe and FireEye hope to create a new organization-wide mindset that cyber security impacts each employee, from the lowest level all the way to the C-level," Tuesday's press release said. "Both companies are committed to creating an open environment where employees are educated and aware of potential security threats, as well as the need for a robust security infrastructure."

This type of initiative is not new for PhishMe or for other vendors that offer end-user awareness-training tools, such as ProofPoint or Wombat. But it is new for technology vendors such as FireEye to make a strong commitment to end-user training.

"Ten or 12 months ago, you wouldn't have seen any technology vendors talking about the human element of security defense, but there's a shift going on," says Rohyt Belani, CEO of PhishMe. "Phishing is so often the start of a more sophisticated attack -- there is real movement towards dealing with it."

There are examples of other technology vendors making a strong commitment to end-user training: Microsoft and Motorola, for example, have programs devoted to it. But until recently, most security technology vendors have stayed fairly neutral in the debate as to whether end-user training is worth the effort.

In the near term, it's likely that end-user training will continue to have its detractors -- particularly penetration testers who know they can fool virtually any user into making a mistake. But if there is a strong push from technology vendors toward solving the human vulnerability, there is a good chance that the average user will be better able to sniff out the average social-engineering attack, and that seems a positive development for enterprise security.

There's still a lot of debate about the effectiveness of security-awareness training, and there are still a lot of enterprises whose training programs are extraordinarily bad. But if technology vendors continue to get on the bandwagon and get involved in end-user awareness, it could make a difference in the way such programs work -- and how they are perceived. The scales may have finally tipped in the direction of those who favor end-user training -- and want to see it done right.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: nice one
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-0845
Published: 2015-04-17
Format string vulnerability in Movable Type Pro, Open Source, and Advanced before 5.2.13 and Pro and Advanced 6.0.x before 6.0.8 allows remote attackers to execute arbitrary code via vectors related to localization of templates.

CVE-2015-1318
Published: 2015-04-17
The crash reporting feature in Apport 2.13 through 2.17.x before 2.17.1 allows local users to gain privileges via a crafted usr/share/apport/apport file in a namespace (container).

CVE-2015-1852
Published: 2015-04-17
The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 and python-keystoneclient before 1.4.0 disables certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-mid...

CVE-2015-1856
Published: 2015-04-17
OpenStack Object Storage (Swift) before 2.3.0, when allow_version is configured, allows remote authenticated users to delete the latest version of an object by leveraging listing access to the x-versions-location container.

CVE-2013-4866
Published: 2015-04-16
The LIXIL Corporation My SATIS Genius Toilet application for Android has a hardcoded Bluetooth PIN, which allows physically proximate attackers to trigger physical resource consumption (water or heat) or user discomfort.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.