Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

10/15/2018
10:30 AM
Asaf Cidon
Asaf Cidon
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

4 Ways to Fight the Email Security Threat

It's time to reimagine employee training with fresh, more aggressive approaches that better treat email security as a fundamentally human problem.

Here we go again. On July 26, Sen. Claire McCaskill, D-Mo., said that Russians unsuccessfully tried to hack her Senate computer network.

McCaskill said the phishing attempt was similar to the one used successfully against John Podesta, Hillary Clinton's campaign chairman in the 2016 presidential election. In an indictment on July 13 by special counsel Robert S. Mueller III, several Russian government hackers were accused of sending emails that tricked Podesta and other Clinton staffers into clicking on links that enabled the attackers to obtain the victims’ login and password credentials.

Nearly three-quarters of phishing, malware, and ransomware attacks enter through email, according to a SANS Institute study. Many are phishing attacks in which seemingly legitimate messages fool victims into clicking on links or attachments that begin downloading malicious software and give the nefarious actors access to confidential information or disable the network entirely. In others, an attacker gains access to an email account and impersonates the owner to target employees who are in a position to share sensitive data or initiate wire transfers.

Organizations are nearly three times more likely to suffer a breach through these social attacks than via actual network vulnerabilities, according to Verizon's 2018 Data Breach Investigation Report.

The approaching midterm elections bring new attention to the need for campaign staffers and election officials around the country to be vigilant against these sneaky attacks. However, the hacking-by-email threat is significant for every government agency every day.

At a January conference of the Armed Forces Communications and Electronics Association, David Bennett, director of operations for the Defense Information Systems Agency, said 13 billion questionable messages flood Pentagon email inboxes every year before they are automatically scanned and deleted.

Most other government agencies also are aware of the threat and have deployed email security technologies to protect themselves. However, a major weakness remains: the human factor.

Thanks to growing cybersecurity awareness, 78% of people never click on a phishing attempt, according to the Verizon study. However, 4% can be expected to do so. Since a criminal needs success with only one victim to penetrate a network, that's a troubling number, and it makes employee behavior the clear top risk to email security.

A 2018 survey by my company and Dimensional Research of 630 email security pros around the world showed that poor employee behavior is a much greater cause for concern than whether organizations have the right defensive tools in place. Poor employee behavior was the top concern in the survey at 84%; inadequate tools came in at 16%.

There's also growing concern today that while email remains the primary vector through which malware gets delivered inside organizations, the threat appears to be moving toward collaboration platforms such as Slack or services such as Google Drive that allow for the sharing of files that previously would have been attached to an email or SMS.

And yet, while everyone thinks employee training is important, only 77% of the respondents to our survey have training programs in place at their organizations.

That's madness. It's time to reimagine employee training with fresh, more aggressive approaches that better treat email security as a fundamentally human problem rather than a technical one. Here are four ways in which such a program can be strengthened.

Highly personalized: The email security training programs at many organizations today, if they exist at all, are often generic and rote — say a fairly brief, one-size-fits-all online course administered by the HR department. Instead, programs should be customized to each employee's role, with content geared toward the individual's area of the business. For example, someone with financial responsibilities may have a target on their back for phishing scams in which a hacker poses as a legitimate individual and asks for payment. Training for everyone in such a role should specifically address this type of threat.

More personalization can go a long way toward educating each and every employee.

Carrots, not just sticks: It’s too easy for email security programs to be all about punishing or embarrassing those who fall prey to a scam. There's no reward for good behavior. Employees who, for example, proactively report suspicious correspondence to IT should be recognized in some way, whether in a complimentary memo to all staff or even a material award like a gift card.

Email security programs need to find ways to recognize those who didn't click on a malicious link. Positive reinforcement can be very effective.

Beyond classroom-style training: Stronger tactics are needed than routine, classroom-style courses (whether in person or online). More substantive training using real-world scenarios can be a powerful tool.

For example, agencies could stage a fire drill by having "white hat" specialists hack into the network and stage a simulated attack. In another drill, the account of a recognized senior official could be used to replicate an account takeover attack and gauge how workers respond.

These kinds of in-your-face approaches can help organizations and their employees learn more about their ability to fend off email-borne attacks than they would sitting in a classroom.

More accountability: Department and office-level leaders, not just the central HR or security team, should be held accountable for results of the email security training program. This helps instill a culture of "everyone owns email security" across the organization and also supports the notion that the programs should be tailored to each specific area of the business.

By following these four steps, government agencies and others can better meet the email security threat head-on.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

 

Asaf Cidon is Vice President, Content Security Services, at Barracuda Networks. In this role, he is one of the leaders for Barracuda Sentinel, the company's AI solution for real-time spearphishing and cyber fraud defense. Barracuda Sentinel utilizes artificial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jhon91
50%
50%
jhon91,
User Rank: Apprentice
10/22/2018 | 11:24:55 AM
Re: Employees
good article 
CallumLepide
50%
50%
CallumLepide,
User Rank: Apprentice
10/16/2018 | 6:31:06 AM
Employees
Cyber Security training is so important and many companies either overlook it or are using drastically outdated teachings. Employees are the biggest threat to businesses, either maliciously or accidentally. Through research and my own reading, I have found the over 70% of employees understand the risk of clicking on unknown email links, but will click them any way!
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32606
PUBLISHED: 2021-05-11
In the Linux kernel 5.11 through 5.12.2, isotp_setsockopt in net/can/isotp.c allows privilege escalation to root by leveraging a use-after-free. (This does not affect earlier versions that lack CAN ISOTP SF_BROADCAST support.)
CVE-2021-3504
PUBLISHED: 2021-05-11
A flaw was found in the hivex library in versions before 1.3.20. It is caused due to a lack of bounds check within the hivex_open function. An attacker could input a specially crafted Windows Registry (hive) file which would cause hivex to read memory beyond its normal bounds or cause the program to...
CVE-2021-20309
PUBLISHED: 2021-05-11
A flaw was found in ImageMagick in versions before 7.0.11 and before 6.9.12, where a division by zero in WaveImage() of MagickCore/visual-effects.c may trigger undefined behavior via a crafted image file submitted to an application using ImageMagick. The highest threat from this vulnerability is to ...
CVE-2021-20310
PUBLISHED: 2021-05-11
A flaw was found in ImageMagick in versions before 7.0.11, where a division by zero ConvertXYZToJzazbz() of MagickCore/colorspace.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. The highest threat from this...
CVE-2021-20311
PUBLISHED: 2021-05-11
A flaw was found in ImageMagick in versions before 7.0.11, where a division by zero in sRGBTransformImage() in the MagickCore/colorspace.c may trigger undefined behavior via a crafted image file that is submitted by an attacker processed by an application using ImageMagick. The highest threat from t...