Vulnerabilities / Threats
01:00 AM

Four Ways To Turn Insiders Into Assets

Stop thinking about employees as threats and train them to make your company harder to attack

Jayson Street has few problems walking into businesses and getting access to sensitive company data.

A vice president of information security for a bank by day, Street moonlights as a penetration tester at Stratagem 1 Solutions, a job at which he has yet to fail. At the CyberCrime Symposium in Portsmouth, N.H., earlier this month, Street illustrated all the ways that attackers can gain physical and network access to corporate computers, from tailgating to get physical access to custom USB drives to infect workers' systems, to phishing employees to gain network credentials. He stresses that his success is not due to his skill in social-engineering workers, but the employees' lack of preparedness to handle the strategies used by the bad guys.

"This is stuff that anybody can do with any kind of skill level," Street said.

Companies need to stop solely focusing on preventing attacks and invest effort in detecting when attackers have breached their systems. A good way to do that is to train employees to better recognize threats and respond to potential security issues in the proper way, turning workers from liabilities into assets.

"A determined attacker is going to get into your network. Who is going to report it, how are they going to respond -- those are the questions that you need to ask," Street said. "It's time to think of your employees as the biggest human intrusion-detection system."

Companies looking to take advantage of that human IDS should start focusing on training their employees. Here are four steps to get you started.

1. Focus on changing user behavior
When it comes to training users, about 70 to 80 percent of companies are driven by compliance requirements and just want to get the box checked for training their employees, says Aaron Cohen, a managing partner at MAD Security, a security training firm.

Yet rather than buy a one-size-fits-all series of training videos, companies should focus on changing behaviors, Cohen says.

"The status quo doesn't work," he says. "People look at buying hundreds of firewalls, but not spending the appropriate amount of money training their employees or making sure their employees know how to protect their assets."

2. Test and retest
Videos may work for some employees, but testing their reaction to an actual test can give a company an idea of what might happen while giving the worker valuable experience in what to expect in the future. Security training company PhishMe, for example, allows companies to send their employees phishing e-mails. Anyone who clicks on the e-mail link will be brought to a special site to educate them.

"Immersing a user in that experience can help immensely," says Scott Greaux, vice president of product management for PhishMe. "Thirty seconds is enough time for someone to learn from a single event like that."

[Email scammers are increasingly using security as their chief weapon for fooling users into clicking on infected links and attachments. See Report: Four Out Of Five Phishing Attacks Use Security Scams.]

Both PhishMe and MAD Security have similar data on the improvement seen after regular education and training. At initial testing, about half of all employees will fall for a phishing attack targeted at the company. After a few training sessions, the number typically falls below 10 percent.

"Organizations that commit to the success of a security awareness program can see hard data on its success and a return on their investment," MAD Security's Cohen says.

3. Teach the individual
Periodic testing and video training are not the only ways to solve the training problem, Cohen says. The training should be tailored to the company and the individuals who work there.

For one client, for example, MAD Security decided to create a viral video of a cat being electrocuted by a USB memory stick, ending with the tagline, "USB devices can be dangerous."

"In an organization, the people in a military uniform learn very differently than those in accounting," says Cohen says. "So you can't get everyone a one-size-fits-all type of training."

4. Even a failure can be a success
If an attacker fools an employee into clicking on a malicious link, submitting his credentials to a phishing site, or holding a door to allow him in the building, a properly trained employee can still act on his suspicions and correctly respond to the threat. An employee who reports any misgivings about an event can help a company respond in minutes or hours, before any damage has happened.

"You are reducing what your attack potential is, and users that are susceptible to social engineering will still know what to do to report a potential attacker," Greaux says. "We've seen companies where it's a three-month cycle to detect an attack through technology, where a properly trained employee who voices [his] suspicions can lead to detection in about 10 minutes."

Fostering an environment where employees can make mistakes and still use their training to help protect the company is critically important, he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
11/29/2012 | 2:02:14 PM
re: Four Ways To Turn Insiders Into Assets
Great article, and very interesting perspectives! I personally enjoyed the statement about a failure that can be a success, and your opinion about teaching the individual: GǣThe training should be tailored to the company and the individuals who work thereGǥ. Thank you so much for sharing this article, and keep up the good work!
Deirdre Blake
Deirdre Blake,
User Rank: Apprentice
11/21/2012 | 2:39:53 PM
re: Four Ways To Turn Insiders Into Assets
wise advice.
Register for Dark Reading Newsletters
White Papers
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-07-01
Open redirect vulnerability in nokia-mapsplaces.php in the Nokia Maps & Places plugin 1.6.6 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the href parameter to page/place.html. NOTE: this was originally reported as cross-sit...

Published: 2015-07-01
Absolute path traversal vulnerability in htdocs/libraries/image-editor/image-edit.php in ImpressCMS before 1.3.6 allows remote attackers to delete arbitrary files via a full pathname in the image_path parameter in a cancel action.

Published: 2015-07-01
Heap-based buffer overflow in libwmf allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted BMP image.

Published: 2015-07-01
unattended-upgrades before 0.86.1 does not properly authenticate packages when the (1) force-confold or (2) force-confnew dpkg options are enabled in the DPkg::Options::* apt configuration, which allows remote man-in-the-middle attackers to upload and execute arbitrary packages via unspecified vecto...

Published: 2015-07-01
IBM PowerVC Standard Edition through does not require authentication for access to the Python interpreter with nova credentials, which allows KVM guest OS users to discover certain PowerVC credentials and bypass intended access restrictions via unspecified Python code.

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report