Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Phishing Your Employees for Schooling & Security
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
3/28/2017 | 7:42:11 PM
Re: Training is the Fiction
Certainly, if humans never change behaviors, then cybersecurity is doomed.

Getting people to change behavior can be hard.  But, often enough, it can be done.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
3/28/2017 | 7:41:01 PM
Re: Beyond Training: The second part of Anti-Phishing
I recently interviewed somebody who discussed this very point in terms of lingering cloud FUD -- and how that FUD has largely (not entirely, but largely) shifted from fears about actual infrastructure issues to fears about stupid users doing stupid things.

But, of course, that can happen in any environment.
CNACHREINER981
50%
50%
CNACHREINER981,
User Rank: Author
3/24/2017 | 2:25:48 PM
Re: Training is the Fiction
That seems an overly cynical opinion to me. I absolutely agree that changing behavior is hard... and there are certainly many old adages about old dogs not learning new tricks, etc... but humans can and do change their behaviors. There is scientific evidence for it. Anyway, I think this is an interesting read:

http://www.cognitivepolicyworks.com/blog/2010/08/21/5-things-youll-need-to-know-to-change-human-behavior/
orenfalkowitz
100%
0%
orenfalkowitz,
User Rank: Strategist
3/24/2017 | 2:01:11 PM
Re: Training is the Fiction
Humans do amazing things, changing their behavior isn't one of them and its not a strategy for cybersecurity. 

Cybersecurity isn't even in the top 100 of things we've already done, with less sophisticated tools, mind you, that are far harder. 
CNACHREINER981
50%
50%
CNACHREINER981,
User Rank: Author
3/24/2017 | 1:54:03 PM
Re: Training is the Fiction
I do not agree with this, and for almost the same reason you argue against user training.

I agree that users never are or will be perfect, and we can't expect them to be.... but the same can be said of technologies. I have not seen a technology that perfectly captures all the spear phishing and spam out there. Even the best products, which successfully stop or recognize 99% of the crap, still miss. More importantly, the adversary tunes to this and evades the technologies. 

Driving school doesn't stop all accidents, but you would have MANY more without it. 

To me, you need to combine technology and training to get the best statistical advantage. Neither will catch or stop everything, but combined, you'll statistically reduce misses and failures to a much smaller number. 

No solution is perfect. The real question is how you can minimize your incidents to the bare minumum. I argue that technology alone won't get you there, and I have seen other studies (some linked) showing training does lower incidents to. The best solution is a hybrid of the two, ignoring training will increase your incidents. 
orenfalkowitz
100%
0%
orenfalkowitz,
User Rank: Strategist
3/24/2017 | 1:46:48 PM
Training is the Fiction
Expecting users to be perfect isn't a solution, we don't have that expectation of surgeons nor would we expect them to have an equal level of training that they receive for cybersecurity. 

We know that training whether traffic school or sex education has a limited impact in changing outcomes. 

95% of data breaches begin with phishing. The solution is technology that preempts attacks and takes advantage of weaknesses in the attackers delivery of phishing campaigns, not solutions that react and don't change the rsults we're seeing today.

 

 

 

 
CNACHREINER981
50%
50%
CNACHREINER981,
User Rank: Author
3/24/2017 | 1:46:41 PM
Re: 192.168.0.1
Thank you! ^_^
CNACHREINER981
50%
50%
CNACHREINER981,
User Rank: Author
3/24/2017 | 1:28:36 PM
Re: Beyond Training: The second part of Anti-Phishing
Yes. The ideal combination is technologies that can block the obviously bad stuff, other technologies that can help "advise" human choice (as you suggest), and training and user awareness. I definitely agree you need technologies to just block as much as you can, irregardless of the human. I do feel that even the best technologies aren't infallible, so training is still important. I do really love the idea of emails being visually flagged then they fail certain checks that could make them "suspicious" this technology assist really could help the user in making a decision with even more info.
DonT183
50%
50%
DonT183,
User Rank: Black Belt
3/24/2017 | 1:24:00 PM
Beyond Training: The second part of Anti-Phishing
Beyond expecting staff not to respond to Phishing we need to inspect that ability.  Learning approaches for Staff is an excellent idea.  Inspection needs to go further to advise human choice.  Know where your email came from and who sent it.  All email that did not come form a digitally signed email server should be flagged as from an untrusted email server.  All email that did not come digitally signed by the sender should be flagged as from an uncertian email sender.  Add this advice to trained staff and Phishing should get much harder to do.

 
Shantaram
50%
50%
Shantaram,
User Rank: Ninja
3/24/2017 | 12:13:41 PM
Re: 192.168.0.1
Thanks, article is very detailed and intersting written!
Page 1 / 2   >   >>


7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16029
PUBLISHED: 2020-01-26
A vulnerability in the application programming interface (API) of Cisco Smart Software Manager On-Prem could allow an unauthenticated, remote attacker to change user account information which can prevent users from logging in, resulting in a denial of service (DoS) condition of the web interface. Th...
CVE-2020-3115
PUBLISHED: 2020-01-26
A vulnerability in the CLI of the Cisco SD-WAN Solution vManage software could allow an authenticated, local attacker to elevate privileges to root-level privileges on the underlying operating system. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerabi...
CVE-2020-3121
PUBLISHED: 2020-01-26
A vulnerability in the web-based management interface of Cisco Small Business Smart and Managed Switches could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. The vulnerability is due to insufficient validation of user-supplie...
CVE-2020-3129
PUBLISHED: 2020-01-26
A vulnerability in the web-based management interface of Cisco Unity Connection Software could allow an authenticated, remote attacker to perform a stored cross-site scripting (XSS) attack. The vulnerability is due to insufficient input validation by the web-based management interface. An attacker c...
CVE-2020-3131
PUBLISHED: 2020-01-26
[CVE-2020-3131_su] A vulnerability in the Cisco Webex Teams client for Windows could allow an authenticated, remote attacker to cause the client to crash, resulting in a denial of service (DoS) condition. The attacker needs a valid developer account to exploit this vulnerability. The vulnerability i...