Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Phishing Your Employees for Schooling & Security
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Joe Stanganelli
Joe Stanganelli,
User Rank: Ninja
3/28/2017 | 7:42:11 PM
Re: Training is the Fiction
Certainly, if humans never change behaviors, then cybersecurity is doomed.

Getting people to change behavior can be hard.  But, often enough, it can be done.
Joe Stanganelli
Joe Stanganelli,
User Rank: Ninja
3/28/2017 | 7:41:01 PM
Re: Beyond Training: The second part of Anti-Phishing
I recently interviewed somebody who discussed this very point in terms of lingering cloud FUD -- and how that FUD has largely (not entirely, but largely) shifted from fears about actual infrastructure issues to fears about stupid users doing stupid things.

But, of course, that can happen in any environment.
CNACHREINER981
CNACHREINER981,
User Rank: Author
3/24/2017 | 2:25:48 PM
Re: Training is the Fiction
That seems an overly cynical opinion to me. I absolutely agree that changing behavior is hard... and there are certainly many old adages about old dogs not learning new tricks, etc... but humans can and do change their behaviors. There is scientific evidence for it. Anyway, I think this is an interesting read:

http://www.cognitivepolicyworks.com/blog/2010/08/21/5-things-youll-need-to-know-to-change-human-behavior/
orenfalkowitz
orenfalkowitz,
User Rank: Strategist
3/24/2017 | 2:01:11 PM
Re: Training is the Fiction
Humans do amazing things, changing their behavior isn't one of them and its not a strategy for cybersecurity. 

Cybersecurity isn't even in the top 100 of things we've already done, with less sophisticated tools, mind you, that are far harder. 
CNACHREINER981
CNACHREINER981,
User Rank: Author
3/24/2017 | 1:54:03 PM
Re: Training is the Fiction
I do not agree with this, and for almost the same reason you argue against user training.

I agree that users never are or will be perfect, and we can't expect them to be.... but the same can be said of technologies. I have not seen a technology that perfectly captures all the spear phishing and spam out there. Even the best products, which successfully stop or recognize 99% of the crap, still miss. More importantly, the adversary tunes to this and evades the technologies. 

Driving school doesn't stop all accidents, but you would have MANY more without it. 

To me, you need to combine technology and training to get the best statistical advantage. Neither will catch or stop everything, but combined, you'll statistically reduce misses and failures to a much smaller number. 

No solution is perfect. The real question is how you can minimize your incidents to the bare minumum. I argue that technology alone won't get you there, and I have seen other studies (some linked) showing training does lower incidents to. The best solution is a hybrid of the two, ignoring training will increase your incidents. 
orenfalkowitz
orenfalkowitz,
User Rank: Strategist
3/24/2017 | 1:46:48 PM
Training is the Fiction
Expecting users to be perfect isn't a solution, we don't have that expectation of surgeons nor would we expect them to have an equal level of training that they receive for cybersecurity. 

We know that training whether traffic school or sex education has a limited impact in changing outcomes. 

95% of data breaches begin with phishing. The solution is technology that preempts attacks and takes advantage of weaknesses in the attackers delivery of phishing campaigns, not solutions that react and don't change the rsults we're seeing today.

 

 

 

 
CNACHREINER981
CNACHREINER981,
User Rank: Author
3/24/2017 | 1:46:41 PM
Re: 192.168.0.1
Thank you! ^_^
CNACHREINER981
CNACHREINER981,
User Rank: Author
3/24/2017 | 1:28:36 PM
Re: Beyond Training: The second part of Anti-Phishing
Yes. The ideal combination is technologies that can block the obviously bad stuff, other technologies that can help "advise" human choice (as you suggest), and training and user awareness. I definitely agree you need technologies to just block as much as you can, irregardless of the human. I do feel that even the best technologies aren't infallible, so training is still important. I do really love the idea of emails being visually flagged then they fail certain checks that could make them "suspicious" this technology assist really could help the user in making a decision with even more info.
DonT183
DonT183,
User Rank: Black Belt
3/24/2017 | 1:24:00 PM
Beyond Training: The second part of Anti-Phishing
Beyond expecting staff not to respond to Phishing we need to inspect that ability.  Learning approaches for Staff is an excellent idea.  Inspection needs to go further to advise human choice.  Know where your email came from and who sent it.  All email that did not come form a digitally signed email server should be flagged as from an untrusted email server.  All email that did not come digitally signed by the sender should be flagged as from an uncertian email sender.  Add this advice to trained staff and Phishing should get much harder to do.

 
DonT183
DonT183,
User Rank: Black Belt
3/24/2017 | 10:28:28 AM
Beyond Training: The second part of Anti-Phishing
Beyond expecting staff not to respond to Phishing we need to inspect that ability.  Learning approaches for Staff is an excellent idea.  Inspection needs to go further to advise human choice.  Know where your email came from and who sent it.  All email that did not come form a digitally signed email server should be flagged as from an untrusted email server.  All email that did not come digitally signed by the sender should be flagged as from an uncertian email sender.  Add this advice to trained staff and Phishing should get much harder to do.

 
Page 1 / 2   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Improving Enterprise Cybersecurity With XDR
Enterprises are looking at eXtended Detection and Response technologies to improve their abilities to detect, and respond to, threats. While endpoint detection and response is not new to enterprise security, organizations have to improve network visibility, expand data collection and expand threat hunting capabilites if they want their XDR deployments to succeed. This issue of Tech Insights also includes: a market overview for XDR from Omdia, questions to ask before deploying XDR, and an XDR primer.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-31884
PUBLISHED: 2022-06-28
Marval MSM v14.19.0.12476 has an Improper Access Control vulnerability which allows a low privilege user to delete other users API Keys including high privilege and the Administrator users API Keys.
CVE-2022-31887
PUBLISHED: 2022-06-28
Marval MSM v14.19.0.12476 has a 0-Click Account Takeover vulnerability which allows an attacker to change any user's password in the organization, this means that the user can also escalate achieve Privilege Escalation by changing the administrator password.
CVE-2020-19896
PUBLISHED: 2022-06-28
File inclusion vulnerability in Minicms v1.9 allows remote attackers to execute arbitary PHP code via post-edit.php.
CVE-2020-19897
PUBLISHED: 2022-06-28
A reflected Cross Site Scripting (XSS) in wuzhicms v4.1.0 allows remote attackers to execute arbitrary web script or HTML via the imgurl parameter.
CVE-2021-41559
PUBLISHED: 2022-06-28
Silverstripe silverstripe/framework 4.8.1 has a quadratic blowup in Convert::xml2array() that enables a remote attack via a crafted XML document.