Threat Intelligence
1/9/2017
11:00 AM
Eyal Benishti
Eyal Benishti
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

The Limitations Of Phishing Education

Human nature means that education will only go so far. Technology needs to take up the slack.

In the past 12 months, millions of organizations, spanning all industries and sizes, became targets of cyberattacks. According to a recent report, 400,000 phishing sites were detected per month in 2016, and the Anti-Phishing Working Group concluded that phishing attacks reached an "all-time high" in the second quarter. Not only are attacks proliferating, but the perpetrators have evolved into professional cybercriminals with plenty of time and resources. For these reasons, it's unrealistic to entrust the workforce with the massive responsibility of stopping phishing.

While this many sound ironic coming from someone involved in phishing mitigation, I recognize that phishing education has proved beneficial only to a certain extent. The reality is that the imperfection of humans makes it all but impossible for us to teach everyone how to spot and avoid phishing — and if phishing efforts aren't detected and eliminated fast enough, someone eventually will click, and then it's game over.

When it comes to employee expectations, the digital-native millennial generation, now the largest workforce demographic, is perhaps the most careless when it comes to cybersecurity, opting for expedience over security. Other workforce demographics, such as Generation X and baby boomers, are forced to learn new "detective" skills for identifying and reporting suspicious emails, despite being unfamiliar with technically advanced processes.

Frankly, it's very hard to change behavior. In fact, it's proven that users, regardless of training and awareness, will still click on phishing links or download attachments because of a variety of factors, including curiosity, greediness, distraction, well-crafted impersonations, and/or simply failing to learn from past mistakes. For example:

  • A culture of distraction: People are easily distracted by their daily tasks, especially under stressful environments, making them likely to click on a malicious link or download a suspicious file. According to a study from Microsoft, people generally lose concentration after eight seconds, a shorter attention span than a goldfish. With an abundance of smart devices available, and an increasingly digital lifestyle, it's easy to see how so many stimuli could make it difficult to identify a suspicious email, particularly if the email intentionally includes multiple streams of media for the purpose of distracting the receiver.
  • Spearphishing can be almost undetectable: Some attacks are just so good that it's impossible to spot them by the naked eye. What happened to Snapchat and the Clinton campaign are two examples of how sophisticated phishing attacks can trick employees through highly targeted campaigns that impersonate internal executives or well-recognized vendors. Seagate also fell victim to a similar phishing scam, and its staff has since filed a lawsuit against the company after personal information was exposed. Phishing attacks have become so realistic that even the most cyber-aware recipient can be fooled into providing sensitive information. 
  • Curiosity is king:  Sometimes, curiosity is stronger than the sense of security, especially when it comes to an employer's computer. According to a recent study by FAU researchers in Germany, 56% of email recipients clicked on a link from an unknown sender despite knowing the risks. Why? Most reasoned that they were curious about the content of the photos or the identity of the sender. According FAU, curiosity and interest are natural human traits and, with the right timing and context, people will click on a link despite their security awareness.

Though employee training will always play a role in phishing mitigation, and it should, recent events prove it's not effective on its own. With increasingly clever and deceptive scams, matched with the massive amount of phishing emails sent daily, employees don't stand a chance in successfully defeating the phishing epidemic on their own.

Instead, organizations should turn to next-generation technologies to fill the gap and empower employees. While some argue encryption, multifactor authentication, and database security can be effective in deterring phishers, they're outdated techniques with risks and shortcomings. Today, forward-thinking organizations are implementing newer strategies to aid in phishing support such as sender reputation and email verification programs, including DomainKeys Identified Mail, Sender Policy Framework, and Domain Message Authentication & Reporting Conformance. They're not perfect, however. they won't identify suspicious links and attachments or stop a determined attacker who buys a domain and installs Domain Name System records to tell servers which IP address each domain is associated with.

In the future, the use of artificial intelligence and machine learning to identify phishing emails, learn from reported attacks, and create real-time signatures will help companies prepare for and prevent attacks that have been attempted around the world, without the need for human interaction.  

Related Content:

Eyal Benishti has spent more than a decade in the information security industry, with a focus on software R&D for startups and enterprises. Before establishing IRONSCALES, he served as security researcher and malware analyst at Radware, where he filed two patents in the ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
technicalaccademy
50%
50%
technicalaccademy,
User Rank: Apprentice
3/23/2017 | 1:36:35 AM
office
Thanks for sharing the limitations of phishing education.it is very helpful to me.once again thanks
5 Reasons the Cybersecurity Labor Shortfall Won't End Soon
Steve Morgan, Founder & CEO, Cybersecurity Ventures,  12/11/2017
BlueBorne Attack Highlights Flaws in Linux, IoT Security
Kelly Sheridan, Associate Editor, Dark Reading,  12/14/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.