A vice president of information security for a bank by day, Street moonlights as a penetration tester at Stratagem 1 Solutions, a job at which he has yet to fail. At the CyberCrime Symposium in Portsmouth, N.H., earlier this month, Street illustrated the ways attackers gain physical and network access to corporate computers: tailgating to get into the building, handing out custom USB drives that infect workers' systems, and phishing employees for network credentials. He stresses that his success is not due to his skill at social-engineering workers, but to the employees' lack of preparedness for the strategies the bad guys use.
"This is stuff that anybody can do with any kind of skill level," Street said.
Companies need to stop solely focusing on preventing attacks and invest effort in detecting when attackers have breached their systems. A good way to do that is to train employees to better recognize threats and respond to potential security issues in the proper way, turning workers from liabilities into assets.
"A determined attacker is going to get into your network. Who is going to report it, how are they going to respond -- those are the questions that you need to ask," Street said. "It's time to think of your employees as the biggest human intrusion-detection system."
Companies looking to take advantage of that human IDS should start focusing on training their employees. Here are four steps to get you started.
1. Focus on changing user behavior
When it comes to training users, about 70 to 80 percent of companies are driven by compliance requirements and just want to get the box checked for training their employees, says Aaron Cohen, a managing partner at MAD Security, a security training firm.
Yet rather than buy a one-size-fits-all series of training videos, companies should focus on changing behaviors, Cohen says.
"The status quo doesn't work," he says. "People look at buying hundreds of firewalls, but not spending the appropriate amount of money training their employees or making sure their employees know how to protect their assets."
2. Test and retest
Videos may work for some employees, but testing how they react to a simulated attack gives a company an idea of what might happen in a real one while giving the worker valuable experience in what to expect in the future. Security training company PhishMe, for example, allows companies to send their employees phishing e-mails. Anyone who clicks on the e-mail link is brought to a special site that educates them.
"Immersing a user in that experience can help immensely," says Scott Greaux, vice president of product management for PhishMe. "Thirty seconds is enough time for someone to learn from a single event like that."
[Email scammers are increasingly using security as their chief weapon for fooling users into clicking on infected links and attachments. See Report: Four Out Of Five Phishing Attacks Use Security Scams.]
Both PhishMe and MAD Security have similar data on the improvement seen after regular education and training. At initial testing, about half of all employees will fall for a phishing attack targeted at the company. After a few training sessions, the number typically falls below 10 percent.
"Organizations that commit to the success of a security awareness program can see hard data on its success and a return on their investment," MAD Security's Cohen says.
3. Teach the individual
Periodic testing and video training are not the only ways to solve the training problem, Cohen says. The training should be tailored to the company and the individuals who work there.
For one client, for example, MAD Security decided to create a viral video of a cat being electrocuted by a USB memory stick, ending with the tagline, "USB devices can be dangerous."
"In an organization, the people in a military uniform learn very differently than those in accounting," Cohen says. "So you can't give everyone a one-size-fits-all type of training."
4. Even a failure can be a success
If an attacker fools an employee into clicking on a malicious link, submitting his credentials to a phishing site, or holding a door to allow him in the building, a properly trained employee can still act on his suspicions and correctly respond to the threat. An employee who reports any misgivings about an event can help a company respond in minutes or hours, before any damage has happened.
"You are reducing what your attack potential is, and users that are susceptible to social engineering will still know what to do to report a potential attacker," Greaux says. "We've seen companies where it's a three-month cycle to detect an attack through technology, where a properly trained employee who voices [his] suspicions can lead to detection in about 10 minutes."
Fostering an environment where employees can make mistakes and still use their training to help protect the company is critically important, he says.
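To make the numbers in steps 2 and 4 concrete, the following added example (not code from the article, PhishMe or MAD Security) scores one simulated phishing round the way the article describes it: click rate, report rate, the share of users who clicked but never reported, and the time from the first send to the first report. The event records, field names and thresholds are constructed assumptions.

```python
"""Score a simulated phishing round: who clicked, who reported, how fast.

Added example with constructed data; the recipient fields and the 10 percent
retest threshold are assumptions, not a vendor's real data model.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Recipient:
    user: str
    sent: datetime
    clicked: Optional[datetime] = None    # landed on the training page
    reported: Optional[datetime] = None   # told the security team about the mail


def round_metrics(recipients):
    """Return per-round rates; a click followed by a report still counts as a
    success (step 4), so the metric to drive down is the *silent* click rate."""
    n = len(recipients)
    clicked = [r for r in recipients if r.clicked]
    reported = [r for r in recipients if r.reported]
    silent = [r for r in clicked if not r.reported]        # clicked, never reported
    first_send = min(r.sent for r in recipients)
    first_report = min((r.reported for r in reported), default=None)
    minutes = ((first_report - first_send).total_seconds() / 60
               if first_report else None)
    return {
        "click_rate": len(clicked) / n,
        "report_rate": len(reported) / n,
        "silent_click_rate": len(silent) / n,
        "clicked_then_reported": sum(1 for r in clicked if r.reported),
        "minutes_to_first_report": minutes,
    }


def needs_retest(metrics, target_silent_rate=0.10):
    """Keep retesting (step 2) until silent clickers fall below the target."""
    return metrics["silent_click_rate"] >= target_silent_rate


# Constructed sample round: ten recipients, one send time for all of them.
T0 = datetime(2012, 11, 5, 9, 0)
SAMPLE_ROUND = [
    Recipient("alice", T0, clicked=T0 + timedelta(minutes=2),
              reported=T0 + timedelta(minutes=10)),        # clicked, then reported
    Recipient("bob", T0, clicked=T0 + timedelta(minutes=5)),   # clicked silently
    Recipient("carol", T0, reported=T0 + timedelta(minutes=3)),  # reported, no click
    Recipient("dave", T0, clicked=T0 + timedelta(minutes=7)),  # clicked silently
] + [Recipient(u, T0) for u in ("erin", "frank", "gina", "hal", "ivy", "jack")]

if __name__ == "__main__":
    m = round_metrics(SAMPLE_ROUND)
    print(m, "retest needed:", needs_retest(m))
```

Run across successive rounds, the same function shows whether the silent click rate is tracking toward the under-10-percent figure the article cites.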