Commentary
10/15/2018 10:30 AM
Asaf Cidon

4 Ways to Fight the Email Security Threat

It's time to reimagine employee training with fresh, more aggressive approaches that better treat email security as a fundamentally human problem.

Here we go again. On July 26, Sen. Claire McCaskill, D-Mo., said that Russians unsuccessfully tried to hack her Senate computer network.

McCaskill said the phishing attempt was similar to the one used successfully against John Podesta, Hillary Clinton's campaign chairman in the 2016 presidential election. In an indictment on July 13 by special counsel Robert S. Mueller III, several Russian government hackers were accused of sending emails that tricked Podesta and other Clinton staffers into clicking on links that enabled the attackers to obtain the victims’ login and password credentials.

Nearly three-quarters of phishing, malware, and ransomware attacks enter through email, according to a SANS Institute study. Many are phishing attacks in which seemingly legitimate messages fool victims into clicking on links or attachments that begin downloading malicious software and give the nefarious actors access to confidential information or disable the network entirely. In others, an attacker gains access to an email account and impersonates the owner to target employees who are in a position to share sensitive data or initiate wire transfers.

Organizations are nearly three times more likely to suffer a breach through these social attacks than via actual network vulnerabilities, according to Verizon's 2018 Data Breach Investigation Report.

The approaching midterm elections bring new attention to the need for campaign staffers and election officials around the country to be vigilant against these sneaky attacks. However, the hacking-by-email threat is significant for every government agency every day.

At a January conference of the Armed Forces Communications and Electronics Association, David Bennett, director of operations for the Defense Information Systems Agency, said 13 billion questionable messages flood Pentagon email inboxes every year before they are automatically scanned and deleted.

Most other government agencies also are aware of the threat and have deployed email security technologies to protect themselves. However, a major weakness remains: the human factor.

Thanks to growing cybersecurity awareness, 78% of people never click on a phishing attempt, according to the Verizon study. However, 4% can be expected to do so. Since a criminal needs success with only one victim to penetrate a network, that's a troubling number, and it makes employee behavior the clear top risk to email security.

A 2018 survey by my company and Dimensional Research of 630 email security pros around the world showed that poor employee behavior is a much greater cause for concern than whether organizations have the right defensive tools in place. Poor employee behavior was the top concern in the survey at 84%; inadequate tools came in at 16%.

There's also growing concern today that while email remains the primary vector through which malware gets delivered inside organizations, the threat appears to be moving toward collaboration platforms such as Slack or services such as Google Drive that allow for the sharing of files that previously would have been attached to an email or SMS.

And yet, while everyone thinks employee training is important, only 77% of the respondents to our survey have training programs in place at their organizations.

That's madness. It's time to reimagine employee training with fresh, more aggressive approaches that better treat email security as a fundamentally human problem rather than a technical one. Here are four ways in which such a program can be strengthened.

Highly personalized: The email security training programs at many organizations today, if they exist at all, are often generic and rote — say a fairly brief, one-size-fits-all online course administered by the HR department. Instead, programs should be customized to each employee's role, with content geared toward the individual's area of the business. For example, someone with financial responsibilities may have a target on their back for phishing scams in which a hacker poses as a legitimate individual and asks for payment. Training for everyone in such a role should specifically address this type of threat.

More personalization can go a long way toward educating each and every employee.

Carrots, not just sticks: It’s too easy for email security programs to be all about punishing or embarrassing those who fall prey to a scam. There's no reward for good behavior. Employees who, for example, proactively report suspicious correspondence to IT should be recognized in some way, whether in a complimentary memo to all staff or even a material award like a gift card.

Email security programs need to find ways to recognize those who didn't click on a malicious link. Positive reinforcement can be very effective.

Beyond classroom-style training: Stronger tactics are needed than routine, classroom-style courses (whether in person or online). More substantive training using real-world scenarios can be a powerful tool.

For example, agencies could stage a fire drill by having "white hat" specialists hack into the network and stage a simulated attack. In another drill, the account of a recognized senior official could be used to replicate an account takeover attack and gauge how workers respond.

These kinds of in-your-face approaches can help organizations and their employees learn more about their ability to fend off email-borne attacks than they would sitting in a classroom.

More accountability: Department and office-level leaders, not just the central HR or security team, should be held accountable for results of the email security training program. This helps instill a culture of "everyone owns email security" across the organization and also supports the notion that the programs should be tailored to each specific area of the business.

By following these four steps, government agencies and others can better meet the email security threat head-on.


Asaf Cidon is Vice President, Content Security Services, at Barracuda Networks. In this role, he is one of the leaders for Barracuda Sentinel, the company's AI solution for real-time spearphishing and cyber fraud defense. Barracuda Sentinel utilizes artificial ...

Comments
jhon91, User Rank: Apprentice
10/22/2018 | 11:24:55 AM
Re: Employees
good article
CallumLepide, User Rank: Apprentice
10/16/2018 | 6:31:06 AM
Employees
Cyber security training is so important, and many companies either overlook it or are using drastically outdated teachings. Employees are the biggest threat to businesses, either maliciously or accidentally. Through research and my own reading, I have found that over 70% of employees understand the risk of clicking on unknown email links, but will click them anyway!