
Risk

7/11/2019
04:45 PM

How to Catch a Phish: Where Employee Awareness Falls Short

Advanced phishing techniques and poor user behaviors that exacerbate the threat of successful attacks.

Teaching employees how to spot malicious emails is one of many steps toward keeping phishing attacks at bay. As attackers adopt more advanced techniques, it's imperative teams also learn how the behavior inside and outside their inboxes can put a business at risk.

For the fourth annual "Beyond the Phish" report, Proofpoint researchers pulled data from nearly 130 million responses submitted to its Security Education Platform between Jan. 1, 2018, and Feb. 28, 2019. It's tough to compare the newest 2019 results with previous years because this time employees were quizzed on a newly expanded range of more advanced cybersecurity topics.

Simulated phishing attacks are handy for evaluating a portion of users' weaknesses but don't fully reflect how well employees understand phishing. After all, you can't get a sense of someone's password hygiene, mobile device security, or confidential data security by seeing whether or not they fall for a fake phishing attack. Instead, they have to answer questions.

"We obviously do look at phishing but also take a broader look at the cybersecurity landscape and behaviors that influence cybersecurity posture," says Gretel Egan, security awareness and training strategist at Proofpoint. "Beyond email are behaviors and risk that influence cybersecurity for an organization."

This year, users answered 22% of questions incorrectly, on average, across 14 subjects – up from 19% in Proofpoint's 2018 analysis. Given the expansion of assessment programs and the addition of tougher questions, Egan says the uptick isn't a surprise. The drop in scores doesn't indicate a lack of awareness, she says; it's a sign some organizations are starting to challenge people.

"It points to the complexity of these topics and the nuances around phishing, around data protection, and around understanding some compliance directives related to cybersecurity," she explains. "It's bigger than one decision inside of an email."

Categories with the greatest percentage of wrong answers included "identifying phishing threats" (25%), "protecting data throughout its lifecycle" (25%), "compliance-related cybersecurity directives" (24%), and "protecting mobile devices and information" (24%). Those with the most correct answers? "avoiding ransomware attacks" (11%), "passwords and account authentication" (12%), and "unintentional and malicious insider threats" (13%).

Users struggled to answer questions about mobile device encryption, securing personally identifiable information (PII), technical safeguards in blocking social engineering attacks, distinguishing public from private data, and responding to a suspected physical security breach.

There was also good news, researchers found: Employees demonstrated mastery in questions on identifying potentially risky communication channels, physical security safeguards while traveling, recognizing ransomware and malicious pop-ups, and risks linked to Bluetooth pairing.

Egan describes how users' actions can unknowingly put their employers at risk and exacerbate the phishing threat. Some overshare information on social media, for example: A post saying "my boss is out of town this week" may seem benign but can be valuable intel for an attacker.

"We also see users struggling to understand how their actions on local devices can impact the security of corporate data and sometimes personal data," she continues. People have been educated on how to use devices from a functional standpoint but not a secure one. For example, letting family members use corporate devices and using the same device for personal and business matters are both common behaviors that can put sensitive information at risk.

Attackers Get Sophishticated
The need to educate employees on secure behavior grows stronger as cybercriminals adopt sophisticated phishing tactics, a trend researchers documented in INKY's "2019 Special Phishing Report."

"The evolution of attackers' techniques is really quite striking," says Inky CEO Dave Baggett.

"In terms of trends we see, we're seeing a ton of brand forgery emails whose goal is credential harvesting," he continues. Attackers often disguise emails as coming from legitimate Microsoft or Amazon accounts, trying to get users to enter credentials on a fake login page. With usernames and passwords, they attempt logging into banking websites or webmail accounts.

Many people are still under the impression phishing is intrinsically complicated, he adds, and it often isn't. In terms of a brand forgery, for example, "it's incredibly easy," Baggett says. More advanced actors know how secure email gateways (SEGs) work and how to bypass them.

One of these subtle tactics is "hidden text," a specific way for attackers to sneak malicious code into an email, Baggett says. Most email is now designed using HTML, which is complex and difficult to properly interpret, making it tough for software to determine what users will see. This gives attackers new opportunities to slip malicious content through security systems.

SEGs often look for specific brand names or text that could indicate an email is brand spoofing. Cybercriminals can bypass this by inserting random small, white-text letters between the letters or phrases that are visible to users. The gibberish is never seen by end users, but it breaks up the strings security systems scan for, letting phishing emails slip past SEGs and into unsuspecting users' inboxes.
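The defensive counterpart to the hidden-text trick is to scan the text a recipient would actually see rather than the raw HTML character stream. The following is an added example, not code from the article, INKY, or Proofpoint: a small Python analyzer (standard library only) that extracts user-visible text, separating out content hidden by inline styles, and compares brand-term matches on the naive concatenated text against matches on the visible text. The brand list, the "tiny or white text" heuristics and the sample messages are all constructed assumptions for illustration.

```python
import re
from html.parser import HTMLParser

# Brand names a gateway might watch for (constructed list for this example).
BRAND_TERMS = ("microsoft", "amazon")

# Elements whose text is never rendered at all.
_NON_RENDERED = ("style", "script", "head", "title")
# Tags that never have a closing tag, so they must not go on the element stack.
_VOID = ("br", "img", "hr", "input", "meta", "link", "area", "base", "col")


def style_hides_text(style: str) -> bool:
    """Heuristic: does this inline style make text invisible to a reader?

    Assumption: white text is treated as hidden because most mail clients
    render on a white background; a production tool would also resolve
    background colours and stylesheet rules.
    """
    s = style.lower()
    if re.search(r"display\s*:\s*none", s) or re.search(r"visibility\s*:\s*hidden", s):
        return True
    m = re.search(r"font-size\s*:\s*(\d+(?:\.\d+)?)\s*(px|pt)?", s)
    if m and float(m.group(1)) <= 2:  # 0-2px/pt is unreadable
        return True
    # Lookbehind keeps "background-color" from matching "color".
    if re.search(r"(?<![\w-])color\s*:\s*(#fff\b|#ffffff\b|white\b|rgb\(\s*255\s*,\s*255\s*,\s*255\s*\))", s):
        return True
    return False


class VisibleTextExtractor(HTMLParser):
    """Collects text chunks in document order, tagged hidden/visible."""

    def __init__(self):
        super().__init__()
        self.chunks = []        # list of (text, hidden: bool)
        self._stack = []        # (tag, hides) for open elements
        self._hidden_depth = 0  # > 0 while inside a hiding element
        self._skip_depth = 0    # > 0 while inside style/script/etc.

    def handle_starttag(self, tag, attrs):
        if tag in _VOID:
            return
        hides = style_hides_text(dict(attrs).get("style") or "")
        self._stack.append((tag, hides))
        if tag in _NON_RENDERED:
            self._skip_depth += 1
        if hides:
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        # Pop to the matching open tag, tolerating sloppy markup.
        while self._stack:
            t, hides = self._stack.pop()
            if t in _NON_RENDERED:
                self._skip_depth -= 1
            if hides:
                self._hidden_depth -= 1
            if t == tag:
                break

    def handle_data(self, data):
        if self._skip_depth:
            return  # CSS/JS is not "hidden text", it is simply not text
        self.chunks.append((data, self._hidden_depth > 0))


def _norm(text: str) -> str:
    return " ".join(text.lower().split())


def brand_hits(text: str) -> list:
    return sorted(term for term in BRAND_TERMS if term in text)


def analyze(html: str) -> dict:
    """Compare what a naive scanner sees with what the reader sees."""
    p = VisibleTextExtractor()
    p.feed(html)
    p.close()
    naive = _norm("".join(t for t, _ in p.chunks))
    visible = _norm("".join(t for t, hidden in p.chunks if not hidden))
    hidden_chars = sum(len(t.strip()) for t, hidden in p.chunks if hidden)
    naive_hits, visible_hits = brand_hits(naive), brand_hits(visible)
    # Brand terms the reader sees but a raw-text scan misses = evasion signal.
    evaded = sorted(set(visible_hits) - set(naive_hits))
    return {
        "naive_text": naive,
        "visible_text": visible,
        "naive_hits": naive_hits,
        "visible_hits": visible_hits,
        "evaded_terms": evaded,
        "hidden_chars": hidden_chars,
        "suspicious": bool(evaded) or hidden_chars > 0,
    }


# Constructed sample: the brand name is split by a 1px white span, plus a
# display:none filler block. Neither is part of any real campaign.
EVASIVE_HTML = """<html><body>
<p>Your <span>Mi</span><span style="font-size:1px;color:#ffffff">qxz</span><span>crosoft</span> account
needs verification. <a href="https://example.invalid/login">Sign in</a> now.</p>
<div style="display:none">lorem ipsum filler</div>
</body></html>"""

# Constructed benign message for comparison.
CLEAN_HTML = "<p>Your Microsoft account statement is attached.</p>"

if __name__ == "__main__":
    for label, doc in (("evasive", EVASIVE_HTML), ("clean", CLEAN_HTML)):
        r = analyze(doc)
        print(f"{label}: suspicious={r['suspicious']} naive={r['naive_hits']} "
              f"visible={r['visible_hits']} hidden_chars={r['hidden_chars']}")
```

The design point is that the brand-term check runs on the rendered view, so the padding letters simply disappear from the string being matched, and the presence of any hidden text (or of a brand term visible only after rendering) is itself a signal worth scoring. Whether white text counts as hidden depends on the background, which this heuristic assumes is white.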

Some attackers craft emails to appear more conversational and forgo attachments and links altogether in order to bypass SEGs. Security tools that rely on traditional spam-filtering techniques will likely let through a casual message from an attacker impersonating a CEO or vendor.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments

TK_M, User Rank: Apprentice, 7/19/2019 | 7:46:19 AM
Phishing simulation isn't enough
As much as I believed in phishing simulations, I have had a change of mind after years of seeing and doing phishing assessments myself - nothing changes, especially when only one user needs to fall victim to phishing. I'm more of the view that users need not worry about phishing - the person in HR is duty bound as her job to click links and open documents. It's infosec's job to sort out phishing on a technology level.