Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Phishing Your Employees for Schooling & Security
Oldest First  |  Newest First  |  Threaded View
Page 1 / 2   >   >>
ALINDERHOLM670
ALINDERHOLM670,
User Rank: Apprentice
3/23/2017 | 11:23:30 PM
Positive feedback also
You only mentioned situations where people did the wrong thing by clicking the link. Something good needs to happen if the employee deletes the email, moves it to the company spam folder, forwards it to IT or does whatever the company policy is.
CNACHREINER981
CNACHREINER981,
User Rank: Author
3/23/2017 | 11:32:44 PM
Re: Positive feedback also
That is a very good and interesting point. I agree that it would be very cool for you employees to have "immediate" feedback when the delete a suspect email. Technical, I think it's harder to do. It's much easier to track when they click and interact on things in the email, since you can use HTML script without needing to interact with the email server or client. However, for the administrator to know when the user didn't interact with the email, but simply dragged it to the trash or deleted it would take more interaction with the email server and client itself (at least as far as I know). So I think the only reason you don't see this much is it would be a hard technical thing to do.

That said, the admin can easily keep track of all the folks that didn't click, and later send a follow up saying congratulations. It would be as immediate feedback as the click, but at least it would be the positive feedback, that I agree would be good to validate the behavior for your users. 

 

Great comment. 
DonT183
DonT183,
User Rank: Black Belt
3/24/2017 | 10:28:28 AM
Beyond Training: The second part of Anti-Phishing
Beyond expecting staff not to respond to Phishing we need to inspect that ability.  Learning approaches for Staff is an excellent idea.  Inspection needs to go further to advise human choice.  Know where your email came from and who sent it.  All email that did not come form a digitally signed email server should be flagged as from an untrusted email server.  All email that did not come digitally signed by the sender should be flagged as from an uncertian email sender.  Add this advice to trained staff and Phishing should get much harder to do.

 
DonT183
DonT183,
User Rank: Black Belt
3/24/2017 | 1:24:00 PM
Beyond Training: The second part of Anti-Phishing
Beyond expecting staff not to respond to Phishing we need to inspect that ability.  Learning approaches for Staff is an excellent idea.  Inspection needs to go further to advise human choice.  Know where your email came from and who sent it.  All email that did not come form a digitally signed email server should be flagged as from an untrusted email server.  All email that did not come digitally signed by the sender should be flagged as from an uncertian email sender.  Add this advice to trained staff and Phishing should get much harder to do.

 
CNACHREINER981
CNACHREINER981,
User Rank: Author
3/24/2017 | 1:28:36 PM
Re: Beyond Training: The second part of Anti-Phishing
Yes. The ideal combination is technologies that can block the obviously bad stuff, other technologies that can help "advise" human choice (as you suggest), and training and user awareness. I definitely agree you need technologies to just block as much as you can, irregardless of the human. I do feel that even the best technologies aren't infallible, so training is still important. I do really love the idea of emails being visually flagged then they fail certain checks that could make them "suspicious" this technology assist really could help the user in making a decision with even more info.
CNACHREINER981
CNACHREINER981,
User Rank: Author
3/24/2017 | 1:46:41 PM
Re: 192.168.0.1
Thank you! ^_^
orenfalkowitz
orenfalkowitz,
User Rank: Strategist
3/24/2017 | 1:46:48 PM
Training is the Fiction
Expecting users to be perfect isn't a solution, we don't have that expectation of surgeons nor would we expect them to have an equal level of training that they receive for cybersecurity. 

We know that training whether traffic school or sex education has a limited impact in changing outcomes. 

95% of data breaches begin with phishing. The solution is technology that preempts attacks and takes advantage of weaknesses in the attackers delivery of phishing campaigns, not solutions that react and don't change the rsults we're seeing today.

 

 

 

 
CNACHREINER981
CNACHREINER981,
User Rank: Author
3/24/2017 | 1:54:03 PM
Re: Training is the Fiction
I do not agree with this, and for almost the same reason you argue against user training.

I agree that users never are or will be perfect, and we can't expect them to be.... but the same can be said of technologies. I have not seen a technology that perfectly captures all the spear phishing and spam out there. Even the best products, which successfully stop or recognize 99% of the crap, still miss. More importantly, the adversary tunes to this and evades the technologies. 

Driving school doesn't stop all accidents, but you would have MANY more without it. 

To me, you need to combine technology and training to get the best statistical advantage. Neither will catch or stop everything, but combined, you'll statistically reduce misses and failures to a much smaller number. 

No solution is perfect. The real question is how you can minimize your incidents to the bare minumum. I argue that technology alone won't get you there, and I have seen other studies (some linked) showing training does lower incidents to. The best solution is a hybrid of the two, ignoring training will increase your incidents. 
orenfalkowitz
orenfalkowitz,
User Rank: Strategist
3/24/2017 | 2:01:11 PM
Re: Training is the Fiction
Humans do amazing things, changing their behavior isn't one of them and its not a strategy for cybersecurity. 

Cybersecurity isn't even in the top 100 of things we've already done, with less sophisticated tools, mind you, that are far harder. 
CNACHREINER981
CNACHREINER981,
User Rank: Author
3/24/2017 | 2:25:48 PM
Re: Training is the Fiction
That seems an overly cynical opinion to me. I absolutely agree that changing behavior is hard... and there are certainly many old adages about old dogs not learning new tricks, etc... but humans can and do change their behaviors. There is scientific evidence for it. Anyway, I think this is an interesting read:

http://www.cognitivepolicyworks.com/blog/2010/08/21/5-things-youll-need-to-know-to-change-human-behavior/
Page 1 / 2   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Incorporating a Prevention Mindset into Threat Detection and Response
Threat detection and response systems, by definition, are reactive because they have to wait for damage to be done before finding the attack. With a prevention-mindset, security teams can proactively anticipate the attacker's next move, rather than reacting to specific threats or trying to detect the latest techniques in real-time. The report covers areas enterprises should focus on: What positive response looks like. Improving security hygiene. Combining preventive actions with red team efforts.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-29376
PUBLISHED: 2022-05-23
Xampp for Windows v8.1.4 and below was discovered to contain insecure permissions for its install directory, allowing attackers to execute arbitrary code via overwriting binaries located in the directory.
CVE-2022-30015
PUBLISHED: 2022-05-23
In Simple Food Website 1.0, a moderation can put the Cross Site Scripting Payload in any of the fields on http://127.0.0.1:1234/food/admin/all_users.php like Full Username, etc .This causes stored xss.
CVE-2022-28999
PUBLISHED: 2022-05-23
Insecure permissions in the install directories and binaries of Dev-CPP v4.9.9.2 allows attackers to execute arbitrary code via overwriting the binary devcpp.exe.
CVE-2022-29002
PUBLISHED: 2022-05-23
A Cross-Site Request Forgery (CSRF) in XXL-Job v2.3.0 allows attackers to arbitrarily create administrator accounts via the component /gaia-job-admin/user/add.
CVE-2022-31489
PUBLISHED: 2022-05-23
Inout Blockchain AltExchanger 1.2.1 allows index.php/home/about inoutio_language cookie SQL injection.