Vulnerabilities / Threats
01:00 AM
Connect Directly

Four Ways To Turn Insiders Into Assets

Stop thinking about employees as threats and train them to make your company harder to attack

Jayson Street has few problems walking into businesses and getting access to sensitive company data.

A vice president of information security for a bank by day, Street moonlights as a penetration tester at Stratagem 1 Solutions, a job at which he has yet to fail. At the CyberCrime Symposium in Portsmouth, N.H., earlier this month, Street illustrated all the ways that attackers can gain physical and network access to corporate computers, from tailgating to get physical access to custom USB drives to infect workers' systems, to phishing employees to gain network credentials. He stresses that his success is not due to his skill in social-engineering workers, but the employees' lack of preparedness to handle the strategies used by the bad guys.

"This is stuff that anybody can do with any kind of skill level," Street said.

Companies need to stop solely focusing on preventing attacks and invest effort in detecting when attackers have breached their systems. A good way to do that is to train employees to better recognize threats and respond to potential security issues in the proper way, turning workers from liabilities into assets.

"A determined attacker is going to get into your network. Who is going to report it, how are they going to respond -- those are the questions that you need to ask," Street said. "It's time to think of your employees as the biggest human intrusion-detection system."

Companies looking to take advantage of that human IDS should start focusing on training their employees. Here are four steps to get you started.

1. Focus on changing user behavior
When it comes to training users, about 70 to 80 percent of companies are driven by compliance requirements and just want to get the box checked for training their employees, says Aaron Cohen, a managing partner at MAD Security, a security training firm.

Yet rather than buy a one-size-fits-all series of training videos, companies should focus on changing behaviors, Cohen says.

"The status quo doesn't work," he says. "People look at buying hundreds of firewalls, but not spending the appropriate amount of money training their employees or making sure their employees know how to protect their assets."

2. Test and retest
Videos may work for some employees, but testing their reaction to an actual test can give a company an idea of what might happen while giving the worker valuable experience in what to expect in the future. Security training company PhishMe, for example, allows companies to send their employees phishing e-mails. Anyone who clicks on the e-mail link will be brought to a special site to educate them.

"Immersing a user in that experience can help immensely," says Scott Greaux, vice president of product management for PhishMe. "Thirty seconds is enough time for someone to learn from a single event like that."

[Email scammers are increasingly using security as their chief weapon for fooling users into clicking on infected links and attachments. See Report: Four Out Of Five Phishing Attacks Use Security Scams.]

Both PhishMe and MAD Security have similar data on the improvement seen after regular education and training. At initial testing, about half of all employees will fall for a phishing attack targeted at the company. After a few training sessions, the number typically falls below 10 percent.

"Organizations that commit to the success of a security awareness program can see hard data on its success and a return on their investment," MAD Security's Cohen says.

3. Teach the individual
Periodic testing and video training are not the only ways to solve the training problem, Cohen says. The training should be tailored to the company and the individuals who work there.

For one client, for example, MAD Security decided to create a viral video of a cat being electrocuted by a USB memory stick, ending with the tagline, "USB devices can be dangerous."

"In an organization, the people in a military uniform learn very differently than those in accounting," says Cohen says. "So you can't get everyone a one-size-fits-all type of training."

4. Even a failure can be a success
If an attacker fools an employee into clicking on a malicious link, submitting his credentials to a phishing site, or holding a door to allow him in the building, a properly trained employee can still act on his suspicions and correctly respond to the threat. An employee who reports any misgivings about an event can help a company respond in minutes or hours, before any damage has happened.

"You are reducing what your attack potential is, and users that are susceptible to social engineering will still know what to do to report a potential attacker," Greaux says. "We've seen companies where it's a three-month cycle to detect an attack through technology, where a properly trained employee who voices [his] suspicions can lead to detection in about 10 minutes."

Fostering an environment where employees can make mistakes and still use their training to help protect the company is critically important, he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
11/29/2012 | 2:02:14 PM
re: Four Ways To Turn Insiders Into Assets
Great article, and very interesting perspectives! I personally enjoyed the statement about a failure that can be a success, and your opinion about teaching the individual: GǣThe training should be tailored to the company and the individuals who work thereGǥ. Thank you so much for sharing this article, and keep up the good work!
Deirdre Blake
Deirdre Blake,
User Rank: Apprentice
11/21/2012 | 2:39:53 PM
re: Four Ways To Turn Insiders Into Assets
wise advice.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the security connected approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-10-25
The Payment for Webform module 7.x-1.x before 7.x-1.5 for Drupal does not restrict access by anonymous users, which allows remote anonymous users to use the payment of other anonymous users when submitting a form that requires payment.

Published: 2014-10-25
The slapper function in chkrootkit before 0.50 does not properly quote file paths, which allows local users to execute arbitrary code via a Trojan horse executable. NOTE: this is only a vulnerability when /tmp is not mounted with the noexec option.

Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "$(" command-substitution sequences, a different vulnerability than CVE-2014-1928....

Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "\" (backslash) characters to form multi-command sequences, a different vulner...

Published: 2014-10-25
python-gnupg 0.3.5 and 0.3.6 allows context-dependent attackers to have an unspecified impact via vectors related to "option injection through positional arguments." NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.