When Will End Users Stop Being Fooled By Online Scams?

On a chaotic workday, a top executive scans hastily through dozens of emails that have arrived in the past 10 minutes. There is one from an IT staffer whose name he doesn't know -- he doesn’t know most of the people in IT -- and it states that he needs to do a password reset or he will lose access to his applications. Without thinking, he clicks on the link provided in the email -- and malware is introduced to the entire corporate network.

Every day, employees in enterprises large and small are faced with attacks similar to this one. Fake emails -- or website messages, phone calls, or texts -- that appear to be legitimate elude anti-spam software and Web content filters to arrive at the employee's desk. These fraudulent messages -- collectively known as social-engineering attacks -- are quickly becoming the entre of choice for cybercriminals, both for the most sophisticated attacks and for everyday spam.

"The social-engineering attacks out there have become more sophisticated than ever," says Dan Waddell, senior director of IT security at eGlobal Technology and a member of the board at (ISC)2, the world's largest association of security professionals. "Cold calls, social-engineering emails, Facebook attacks -- they're getting better all the time, and it's not unusual to see a major breach starting with a targeted spear-phishing attack."

Researchers confirm that phishing -- those fraudulent emails that deliver malware or lead users to the wrong websites -- is on the rise again. According to RSA's May 2012 Online Fraud Report (PDF), instances of phishing were up 86 percent in April, reaching their highest level since September 2011.

The driver behind this growth is simple: People are much easier to fool than computers. While software vulnerabilities or weaknesses in security systems are becoming more difficult for cybercriminals to find and exploit, a single gullible user can introduce a world of trouble into an organization with a single mouse click. Major breaches at RSA, Zappos.com, Sony, and many other organizations have been launched with a single successful targeting phishing attack.

"Social engineering has reached pandemic proportions, yet it’s one of the most ignored attack vectors in security strategies today," says Rohyt Belani, CEO of PhishMe, a service that enables companies to train and test their employees about phishing through simulated attacks. "Both cybercriminals and penetration testers are now saying the same thing: The human element is the weak point in any sort of cyberdefense."

"We have spent the past decade deploying a large number of security controls and investing in protecting servers and applications -- for right now, the user is the easiest target," says Mike Murray, managing partner at MAD Security, a security firm that focuses on modifying the behavior of end users to make client organizations more secure.

While software can be scanned for vulnerabilities, and cyberdefenses can be penetration tested, there are no technological ways to test and patch end users for security weaknesses, experts observe. For many enterprises, then, the question becomes: How can users become smarter and more savvy to potential social-engineering attacks? Is there a way to make a better user?

A growing number of security companies and consultancies are focusing on that very question. Chris Hadnagy, a professional social engineer who has spoken on the topic at the annual Black Hat USA conference, says that organizations need to move security awareness out of the classroom and into users' minds and desktops.

"Almost every company has a security awareness program, but we see more and more of them being compromised all the time, sometimes with the same exploits that have been used for years," says Hadnagy, who also helps run a social-engineering "capture the flag" contest at the Def Con conference every year.

"Why is security awareness training so ineffective? A lot of it is because the training programs themselves are ineffective," Hadnagy explains. "They're impersonal, boring videos or [computer-based training] given mandatorily in classrooms where people spend the whole time texting or IMing. The [employees] are not engaged. They’re not learning anything. And so they make the same mistakes over and over."

Tim Rohrbaugh, vice president of information security at identity theft protection company Intersections, agrees. "Despite a lot of talk about security and breaches, the typical user is as unaware and unconcerned as they’ve always been," he says. "There are user education programs, but the incentives aren't there to get users to really change their behavior. People are still not very good at filtering what’s real and what isn't."

While many security departments try to treat the human problem with technology -- through spam and content filters, as well as tools that simply prevent users from accessing data -- there is a growing wave of experts that are attacking the problem from a human perspective. The key, they say, is to change both the environment that employees work in -- their corporate culture -- and the way they learn about security.

"When we do social-engineering testing, one of the things we find is that employees behave better in companies that really care about security," Hadnagy says. "In a lot of cases, there is a direct correlation between the amount of money the organization spends on security and how their users fare in social-engineering tests. When the organization cares about security and is willing to invest in it, then their employees usually do, too."

Next Page: Instilling a healthy suspicion of the unknown. Affecting change in corporate culture means more than putting up signs in the break rooms and holding classes once a year, experts say. There needs to be a healthy suspicion of the unknown -- whether it's email coming from an unknown user or a stranger tailgating his way through a locked door -- and that suspicion needs to be reinforced from the boardroom to the mailroom.

"Every organization has cultural norms, and if you hope to change the way users behave, you have to look closely at yours before you can hope to achieve anything," said Perry Carpenter, research director at Gartner’s secure business enablement group, in a session at last week's Gartner Security & Risk Management Summit in Washington, D.C. "By 2015, we predict that about a quarter of organizations will have people dedicated to using social networks and other means to do explicit culture management -- to drive cultural and behavioral change -- and this will be a key element in driving change in security behavior."

The key, experts say, is to make security awareness part of everyday business operations, rather than something that is done in a classroom. Just as employees are rewarded or punished for appropriate handling of company funds or personal files, they can also be indoctrinated into a corporate culture that rewards and punishes for appropriate use of computers and data.

Education and security awareness play a significant role in changing corporate culture, experts note, but most companies are misguided or sloppy in their training efforts. The first problem is sometimes the person who develops the training program.

"The problem with a lot of security awareness programs is that they’re developed by security professionals," Gartner’s Carpenter said. "[Security pros] say, 'Hey, I know everything about security. We would do better if everybody knew what I know and behaved like me.' But in the end, it's not what employees know that matters -- it's what they do. Any education program should focus not on increasing awareness, per se, but on changing the way employees behave."

Julie Peeler, foundation director at (ISC)2, agrees. "As security professionals, we eat, sleep, and breathe security, but users don't," she observes. "When we teach users and try to change their behavior, we often skip steps in our own minds because they seem obvious to us. But developing a good end user security program means looking at it from the user’s perspective."

"We fail repeatedly to work with our users to actually modify their behavior," Murray says. "We try to 'train' them by giving them information and hoping that it will change behavior -- unfortunately, humans don't work that way."

MAD Security works with companies to change not what users know, but what they do. "The issue isn’t how to get more people thinking about security -- it's about intervening in their behavior to ensure that they do the right things without thinking about security," Murray explains. "The problem is that we think that education and more knowledge will make behavior change, and it doesn't. We may know that McDonald's is going to make us fat, but that doesn't stop most people from super-sizing their meal."

Like MAD, both Hadnagy’s social-engineering testing and PhishMe’s phishing education service are designed to take security education out of the classroom and into everyday operations. Hadnagy performs actual social-engineering tests on corporate employees to see how they will behave -- and how likely they are to fall for a scam -- as a means of improving security awareness. PhishMe's service is even more rigorous. It enables companies to "phish themselves" on a regular basis, all year long, using the same scams and techniques that are being used by cybercriminals in the wild. In fact, corporations could use the PhishMe service to test employees on their ability to recognize infections arriving in zip-wrapped PDF files -- the exact method that was used in the attacks on defense contractors revealed by Digital Bond last week, Belani says.

"The important thing to recognize is that these scams can happen to anyone -- companies of any size, employees of any level," Belani says. "A lot of people don't think they will get phished -- a lot of people don't think they’ll be the one who gets mugged, either, until it happens. It's not about being stupid -- it happened to Steve Jobs. It has happened to a lot of very smart and savvy people. But people have to be educated about what the phishers are doing."

The key, says Andrew Jaquith, CTO at Perimeter E-Security, is to have a strategy for changing user behavior.

"The first part, of course, is perennial security awareness," Jaquith says. "Teach your employees what they need to know, what they need to look out for, what's good, what's bad. Phishing resistance is the second thing. So run your own fake email campaigns. Try and spoof yourself. You can use any of the marketing tools, like Constant Contact. We use something called Hubspot, really good for blasting things out for customer communication.

"You should also do it with your employees," Jaquith continues. "There are plenty of toolkits out there like PhishMe that allow you to try to build a phishing campaign. See who falls for it. How many help desk tickets do you get? The third thing is custodianship. You need to have reporting -- encouraging a culture where your employees report weaknesses and breaches to IT -- and you act on them."

Ericka Chickowski contributed to this story.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.