
Four Ways To Turn Insiders Into Assets

Stop thinking about employees as threats and train them to make your company harder to attack

Jayson Street has few problems walking into businesses and getting access to sensitive company data.

A vice president of information security for a bank by day, Street moonlights as a penetration tester at Stratagem 1 Solutions, a job at which he has yet to fail. At the CyberCrime Symposium in Portsmouth, N.H., earlier this month, Street illustrated the ways attackers gain physical and network access to corporate computers: tailgating to get into the building, custom USB drives that infect workers' systems, and phishing employees for their network credentials. He stresses that his success is due not to his skill at social-engineering workers, but to the employees' lack of preparedness for the strategies the bad guys use.

"This is stuff that anybody can do with any kind of skill level," Street said.

Companies need to stop solely focusing on preventing attacks and invest effort in detecting when attackers have breached their systems. A good way to do that is to train employees to better recognize threats and respond to potential security issues in the proper way, turning workers from liabilities into assets.

"A determined attacker is going to get into your network. Who is going to report it, how are they going to respond -- those are the questions that you need to ask," Street said. "It's time to think of your employees as the biggest human intrusion-detection system."

Companies looking to take advantage of that human IDS should start focusing on training their employees. Here are four steps to get you started.

1. Focus on changing user behavior
When it comes to training users, about 70 to 80 percent of companies are driven by compliance requirements and just want to get the box checked for training their employees, says Aaron Cohen, a managing partner at MAD Security, a security training firm.

Yet rather than buy a one-size-fits-all series of training videos, companies should focus on changing behaviors, Cohen says.

"The status quo doesn't work," he says. "People look at buying hundreds of firewalls, but not spending the appropriate amount of money training their employees or making sure their employees know how to protect their assets."

2. Test and retest
Videos may work for some employees, but testing their reaction to a simulated attack gives a company an idea of what would happen in a real one, while giving the worker valuable experience of what to expect in the future. Security training company PhishMe, for example, lets companies send their own employees phishing e-mails. Anyone who clicks the link in the e-mail is brought to a special site that educates them about what just happened.

"Immersing a user in that experience can help immensely," says Scott Greaux, vice president of product management for PhishMe. "Thirty seconds is enough time for someone to learn from a single event like that."

[Email scammers are increasingly using security as their chief weapon for fooling users into clicking on infected links and attachments. See Report: Four Out Of Five Phishing Attacks Use Security Scams.]

Both PhishMe and MAD Security have similar data on the improvement seen after regular education and training. At initial testing, about half of all employees will fall for a phishing attack targeted at the company. After a few training sessions, the number typically falls below 10 percent.

"Organizations that commit to the success of a security awareness program can see hard data on its success and a return on their investment," MAD Security's Cohen says.

3. Teach the individual
Periodic testing and video training are not the only ways to solve the training problem, Cohen says. The training should be tailored to the company and the individuals who work there.

For one client, for example, MAD Security decided to create a viral video of a cat being electrocuted by a USB memory stick, ending with the tagline, "USB devices can be dangerous."

"In an organization, the people in a military uniform learn very differently than those in accounting," Cohen says. "So you can't give everyone a one-size-fits-all type of training."

4. Even a failure can be a success
If an attacker fools an employee into clicking on a malicious link, submitting his credentials to a phishing site, or holding a door to allow him in the building, a properly trained employee can still act on his suspicions and correctly respond to the threat. An employee who reports any misgivings about an event can help a company respond in minutes or hours, before any damage has happened.

"You are reducing what your attack potential is, and users that are susceptible to social engineering will still know what to do to report a potential attacker," Greaux says. "We've seen companies where it's a three-month cycle to detect an attack through technology, where a properly trained employee who voices [his] suspicions can lead to detection in about 10 minutes."

Fostering an environment where employees can make mistakes and still use their training to help protect the company is critically important, he says.

11/29/2012 | 2:02:14 PM
re: Four Ways To Turn Insiders Into Assets
Great article, and very interesting perspectives! I personally enjoyed the statement about a failure that can be a success, and your opinion about teaching the individual: "The training should be tailored to the company and the individuals who work there". Thank you so much for sharing this article, and keep up the good work!
Deirdre Blake
11/21/2012 | 2:39:53 PM
re: Four Ways To Turn Insiders Into Assets
Wise advice.