Dark Reading is part of the Informa Tech Division of Informa PLC


11/20/2012
01:00 AM

Four Ways To Turn Insiders Into Assets

Stop thinking about employees as threats and train them to make your company harder to attack

Jayson Street has few problems walking into businesses and getting access to sensitive company data.

A vice president of information security for a bank by day, Street moonlights as a penetration tester at Stratagem 1 Solutions, a job at which he has yet to fail. At the CyberCrime Symposium in Portsmouth, N.H., earlier this month, Street illustrated the many ways attackers can gain physical and network access to corporate computers: tailgating to get into the building, custom USB drives that infect workers' systems, and phishing employees to harvest network credentials. He stresses that his success is due not to his skill in social-engineering workers, but to the employees' lack of preparedness for the tactics the bad guys use.

"This is stuff that anybody can do with any kind of skill level," Street said.

Companies need to stop solely focusing on preventing attacks and invest effort in detecting when attackers have breached their systems. A good way to do that is to train employees to better recognize threats and respond to potential security issues in the proper way, turning workers from liabilities into assets.

"A determined attacker is going to get into your network. Who is going to report it, how are they going to respond -- those are the questions that you need to ask," Street said. "It's time to think of your employees as the biggest human intrusion-detection system."

Companies looking to take advantage of that human IDS should start focusing on training their employees. Here are four steps to get you started.

1. Focus on changing user behavior
When it comes to training users, about 70 to 80 percent of companies are driven by compliance requirements and just want to get the box checked for training their employees, says Aaron Cohen, a managing partner at MAD Security, a security training firm.

Yet rather than buy a one-size-fits-all series of training videos, companies should focus on changing behaviors, Cohen says.

"The status quo doesn't work," he says. "People look at buying hundreds of firewalls, but not spending the appropriate amount of money training their employees or making sure their employees know how to protect their assets."

2. Test and retest
Videos may work for some employees, but testing their reaction to a simulated attack gives a company an idea of what would happen in a real one, while giving the worker valuable experience in what to expect in the future. Security training company PhishMe, for example, lets companies send their own employees simulated phishing e-mails. Anyone who clicks the link in the e-mail is taken to a special site that explains what just happened and how to recognize it next time.

"Immersing a user in that experience can help immensely," says Scott Greaux, vice president of product management for PhishMe. "Thirty seconds is enough time for someone to learn from a single event like that."

[Email scammers are increasingly using security as their chief weapon for fooling users into clicking on infected links and attachments. See Report: Four Out Of Five Phishing Attacks Use Security Scams.]

Both PhishMe and MAD Security have similar data on the improvement seen after regular education and training. At initial testing, about half of all employees will fall for a phishing attack targeted at the company. After a few training sessions, the number typically falls below 10 percent.

"Organizations that commit to the success of a security awareness program can see hard data on its success and a return on their investment," MAD Security's Cohen says.

3. Teach the individual
Periodic testing and video training are not the only ways to solve the training problem, Cohen says. The training should be tailored to the company and the individuals who work there.

For one client, for example, MAD Security decided to create a viral video of a cat being electrocuted by a USB memory stick, ending with the tagline, "USB devices can be dangerous."

"In an organization, the people in a military uniform learn very differently than those in accounting," Cohen says. "So you can't get everyone a one-size-fits-all type of training."

4. Even a failure can be a success
If an attacker fools an employee into clicking on a malicious link, submitting his credentials to a phishing site, or holding a door to allow him in the building, a properly trained employee can still act on his suspicions and correctly respond to the threat. An employee who reports any misgivings about an event can help a company respond in minutes or hours, before any damage has happened.

"You are reducing what your attack potential is, and users that are susceptible to social engineering will still know what to do to report a potential attacker," Greaux says. "We've seen companies where it's a three-month cycle to detect an attack through technology, where a properly trained employee who voices [his] suspicions can lead to detection in about 10 minutes."

Fostering an environment where employees can make mistakes and still use their training to help protect the company is critically important, he says.

Comments
MROBINSON000, 11/29/2012 | 2:02:14 PM
re: Four Ways To Turn Insiders Into Assets
Great article, and very interesting perspectives! I personally enjoyed the statement about a failure that can be a success, and your opinion about teaching the individual: "The training should be tailored to the company and the individuals who work there". Thank you so much for sharing this article, and keep up the good work!
Deirdre Blake, 11/21/2012 | 2:39:53 PM
re: Four Ways To Turn Insiders Into Assets
Wise advice.