The security community doesn't agree on the best way to counter social engineering attacks. Some experts say the answer is more user-awareness training. Others argue that awareness training has failed.
"I personally believe that training users in security is generally a waste of time and that the money can be spent better elsewhere," Bruce Schneier, chief security technology officer at BT, recently wrote on DarkReading.com. Users don't have a clear understanding of the threats, Schneier says. Instead of designing systems that force them to learn more complex ways of looking at their computers and the threats around them, we should design ones that conform to the way they currently view the threats, protecting them where they are.
It's a heated debate that can upset people on opposing sides. For instance, one RSA conference presenter conducted a class on "how to patch stupidity," Spitzner says. "He explained why people are stupid, how they're stupid and how to fix stupid. It was a very emotional talk for me, because how can you sit there and insult the very people who can end up helping us? That's something I'm desperately trying to change."
MAD Security's Murray offers another reason security pros have difficulty embracing the human element of defense: They're not people people. "Most of us were nerds. We got into hacking and all this geeky stuff because we didn't like people," he says. "We weren't captain of the football team or the popular kids in school, so we get really uncomfortable when someone says 'Security is a people problem. Go talk to your people.'"
Risk Mitigation And Early Detection
The truth is that no security tool, technical or otherwise, will eliminate 100% of the risks. But that doesn't diminish tools' power.
Cutting back on risk is a key goal of awareness training. Phishing susceptibility rates can fall to 8% from 58% through regular immersive training, whereby users are forced to deal with simulations of real threats, PhishMe's Belani says. With untrained employees, the attacker could send two emails and probably avoid detection, Belani says. "Now the attacker has to send more like 50 emails, and there's a chance that the technology will actually catch that," he says.
And with sophisticated spearphishing and scamming, the goal isn't prevention but early detection. "The faster you detect that really sophisticated attacker, the less time they have to really create a foothold and the more quickly you can get your organization into response mode and try to eradicate that infection," Murray says.
Take the executive conned by the fake email chain from four colleagues. The saving grace was that soon after the attack, he suspected something smelled rotten about the email thread and contacted his IT department.
Fostering such a mentality can turn those so-called stupid users into smart ones, Spitzner says. "These are scientists, doctors, lawyers, accountants, researchers. They're not stupid," he says. "It's just that we've never done a good job of educating them. When we teach them to detect and report, people become a detection system to improve organizational resilience."
Spitzner points to Mitre, a government contractor that develops the Common Vulnerabilities and Exposures list. Mitre has had great success with its own "human sensor awareness program." Employees now detect about 10% of the advanced attacks after they've slipped by technology defenses. That percentage may not seem like much, but considering that these are employees from all walks of life sniffing out attacks that most security technologies couldn't detect, it's a meaningful boost.
Companies don't always fully assess the effectiveness of their anti-phishing programs, Spitzner says. They look for a drop in the number of people who fall victim to phishing, but they don't count the dramatic increase in the number of phishing emails employees report.
Turning "clueless" employees into effective human sensors takes patience, creativity and consistent messaging, elements missing from most security training programs. Employees generally take such programs when they're hired and then annually thereafter to satisfy regulatory requirements. But without patience, creativity and consistent messaging, these programs will fail.
You want to take advantage of teachable moments when people have just been burned, Rohrbaugh says. "Those are the times when you can make an evangelist for the security department," he says.
But don't wait around for bad things to happen. Institute incremental training that teaches employees how to spot phishing messages, the fundamentals of handling data securely, the basics of good password hygiene, and enough background on threats to persuade them to pay attention.
"We learn best through immersion and experience," Belani says. "So let's immerse people in the experience but do it in a controlled manner. When we're sending them a simulated phish, it's not like, 'Ah, got you, stupid!' We tell them: Anyone can fall for this. We're here to handhold."
Whichever method you use, it should be bite-sized and regular enough to make a difference. One word of caution: Message users with warnings and simulated phish email too often, and you risk losing their interest. And whatever you do, make the message interesting.
The very term "security training" sets the tone for snooze-worthy content, Murray says. It's why both he and Belani advocate that we take a page from marketers.
"We're not training our users. We're marketing to them," Murray says. "Marketers attempt to change the behavior of users with respect to how they buy things. We are trying to get them to 'buy' security. … In this case, my product is: Don't click on that link."
At the end of the day, whether you call it security marketing, behavioral modification or security awareness training, the goal is the same: Find ways to help users stop being so easy to fool.