Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
Phishing Your Employees for Schooling & Security
Threaded  |  Newest First  |  Oldest First
ALINDERHOLM670
ALINDERHOLM670,
 User Rank: Apprentice
3/23/2017 | 11:23:30 PM
Positive feedback also
You only mentioned situations where people did the wrong thing by clicking the link. Something good needs to happen if the employee deletes the email, moves it to the company spam folder, forwards it to IT or does whatever the company policy is.
CNACHREINER981
CNACHREINER981,
 User Rank: Author
3/23/2017 | 11:32:44 PM
Re: Positive feedback also
That is a very good and interesting point. I agree that it would be very cool for you employees to have "immediate" feedback when the delete a suspect email. Technical, I think it's harder to do. It's much easier to track when they click and interact on things in the email, since you can use HTML script without needing to interact with the email server or client. However, for the administrator to know when the user didn't interact with the email, but simply dragged it to the trash or deleted it would take more interaction with the email server and client itself (at least as far as I know). So I think the only reason you don't see this much is it would be a hard technical thing to do.

That said, the admin can easily keep track of all the folks that didn't click, and later send a follow up saying congratulations. It would be as immediate feedback as the click, but at least it would be the positive feedback, that I agree would be good to validate the behavior for your users. 

 

Great comment. 
DonT183
DonT183,
 User Rank: Black Belt
3/24/2017 | 10:28:28 AM
Beyond Training: The second part of Anti-Phishing
Beyond expecting staff not to respond to Phishing we need to inspect that ability.  Learning approaches for Staff is an excellent idea.  Inspection needs to go further to advise human choice.  Know where your email came from and who sent it.  All email that did not come form a digitally signed email server should be flagged as from an untrusted email server.  All email that did not come digitally signed by the sender should be flagged as from an uncertian email sender.  Add this advice to trained staff and Phishing should get much harder to do.

 
CNACHREINER981
CNACHREINER981,
 User Rank: Author
3/24/2017 | 1:28:36 PM
Re: Beyond Training: The second part of Anti-Phishing
Yes. The ideal combination is technologies that can block the obviously bad stuff, other technologies that can help "advise" human choice (as you suggest), and training and user awareness. I definitely agree you need technologies to just block as much as you can, irregardless of the human. I do feel that even the best technologies aren't infallible, so training is still important. I do really love the idea of emails being visually flagged then they fail certain checks that could make them "suspicious" this technology assist really could help the user in making a decision with even more info.
Joe Stanganelli
Joe Stanganelli,
 User Rank: Ninja
3/28/2017 | 7:41:01 PM
Re: Beyond Training: The second part of Anti-Phishing
I recently interviewed somebody who discussed this very point in terms of lingering cloud FUD -- and how that FUD has largely (not entirely, but largely) shifted from fears about actual infrastructure issues to fears about stupid users doing stupid things.

But, of course, that can happen in any environment.
DonT183
DonT183,
 User Rank: Black Belt
3/24/2017 | 1:24:00 PM
Beyond Training: The second part of Anti-Phishing
Beyond expecting staff not to respond to Phishing we need to inspect that ability.  Learning approaches for Staff is an excellent idea.  Inspection needs to go further to advise human choice.  Know where your email came from and who sent it.  All email that did not come form a digitally signed email server should be flagged as from an untrusted email server.  All email that did not come digitally signed by the sender should be flagged as from an uncertian email sender.  Add this advice to trained staff and Phishing should get much harder to do.

 
CNACHREINER981
CNACHREINER981,
 User Rank: Author
3/24/2017 | 1:46:41 PM
Re: 192.168.0.1
Thank you! ^_^
orenfalkowitz
orenfalkowitz,
 User Rank: Strategist
3/24/2017 | 1:46:48 PM
Training is the Fiction
Expecting users to be perfect isn't a solution, we don't have that expectation of surgeons nor would we expect them to have an equal level of training that they receive for cybersecurity. 

We know that training whether traffic school or sex education has a limited impact in changing outcomes. 

95% of data breaches begin with phishing. The solution is technology that preempts attacks and takes advantage of weaknesses in the attackers delivery of phishing campaigns, not solutions that react and don't change the rsults we're seeing today.

 

 

 

 
CNACHREINER981
CNACHREINER981,
 User Rank: Author
3/24/2017 | 1:54:03 PM
Re: Training is the Fiction
I do not agree with this, and for almost the same reason you argue against user training.

I agree that users never are or will be perfect, and we can't expect them to be.... but the same can be said of technologies. I have not seen a technology that perfectly captures all the spear phishing and spam out there. Even the best products, which successfully stop or recognize 99% of the crap, still miss. More importantly, the adversary tunes to this and evades the technologies. 

Driving school doesn't stop all accidents, but you would have MANY more without it. 

To me, you need to combine technology and training to get the best statistical advantage. Neither will catch or stop everything, but combined, you'll statistically reduce misses and failures to a much smaller number. 

No solution is perfect. The real question is how you can minimize your incidents to the bare minumum. I argue that technology alone won't get you there, and I have seen other studies (some linked) showing training does lower incidents to. The best solution is a hybrid of the two, ignoring training will increase your incidents. 
orenfalkowitz
orenfalkowitz,
 User Rank: Strategist
3/24/2017 | 2:01:11 PM
Re: Training is the Fiction
Humans do amazing things, changing their behavior isn't one of them and its not a strategy for cybersecurity. 

Cybersecurity isn't even in the top 100 of things we've already done, with less sophisticated tools, mind you, that are far harder. 
CNACHREINER981
CNACHREINER981,
 User Rank: Author
3/24/2017 | 2:25:48 PM
Re: Training is the Fiction
That seems an overly cynical opinion to me. I absolutely agree that changing behavior is hard... and there are certainly many old adages about old dogs not learning new tricks, etc... but humans can and do change their behaviors. There is scientific evidence for it. Anyway, I think this is an interesting read:

http://www.cognitivepolicyworks.com/blog/2010/08/21/5-things-youll-need-to-know-to-change-human-behavior/
Joe Stanganelli
Joe Stanganelli,
 User Rank: Ninja
3/28/2017 | 7:42:11 PM
Re: Training is the Fiction
Certainly, if humans never change behaviors, then cybersecurity is doomed.

Getting people to change behavior can be hard.  But, often enough, it can be done.


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-1142
PUBLISHED: 2023-03-27
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use URL decoding to retrieve system files, credentials, and bypass authentication resulting in privilege escalation.
CVE-2023-1143
PUBLISHED: 2023-03-27
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use Lua scripts, which could allow an attacker to remotely execute arbitrary code.
CVE-2023-1144
PUBLISHED: 2023-03-27
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contains an improper access control vulnerability in which an attacker can use the Device-Gateway service and bypass authorization, which could result in privilege escalation.
CVE-2023-1145
PUBLISHED: 2023-03-27
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a deserialization vulnerability targeting the Device-DataCollect service, which could allow deserialization of requests prior to authentication, resulting in remote code execution.
CVE-2023-1655
PUBLISHED: 2023-03-27
Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.4.0.