A security awareness success story

The problem with Security Awareness programs is that it is hard to prove their successes. As with all security countermeasures, success is usually that nothing happens. Ideally, success also means that there is a report of the attempted attack; however, that is rarely the case. With technical countermeasures, however, logs are usually maintained that allow people to point to all of the prevented attacks.

More important, when there are acknowledged Security Awareness success stories, it is rare for organizations to share those stories, even internally. As principals in a company devoted to the human aspects of security and Security Awareness, we see Security Awareness success stories on a daily basis; however, we cannot disclose those stories without permission.

So it was a pleasant surprise when we saw the CSO Salted Hash column, Inside an Attack by the Syrian Electronic Army, which highlights a major Security Awareness success story. The article highlights how the Security Awareness guidance we provided allowed IDG Enterprises, the parent company of CSO and Computerworld, among other major technology publications, to completely repel an attack by the Syrian Electronic Army (SEA).

As background, the SEA took issue with a presentation that Ira gave at the RSA Conference that detailed the SEA, their attacks, our experiences helping companies respond to their attacks, and methods to prevent similar attacks. The SEA responded by hacking the RSA Conference website, and we detailed exactly how that was accomplished. In response, the SEA hacked the Twitter feeds of the Wall Street Journal and Buzzfeed in an attempt to insult Ira. Ira prepared an article for Computerworld that analyzed the sequence of events. However, based on our experiences and working with the FBI on past attacks, we warned Computerworld to expect a focused attack from the SEA and detailed the expected methods that they would use, as well as guidance on how to prevent the expected attack.

In response, Computerworld's team worked with the appropriate people to ensure that the technical precautions were taken, as well as creating a proactive awareness program warning the appropriate IDG employees of the imminent attack. Details were provided regarding what employees should be on the lookout for, and special effort was made to ensure that the people with critical access were warned about what to expect.

As expected, spearphishing messages began to arrive the day the article went live on the website. The messages were in the format expected. Recipients of the messages appropriately reported them. When the emails failed, the SEA apparently resorted to social engineering attacks, which were likewise unsuccessful and properly reported. This is critical as it demonstrates that when people are made aware of the likelihood of one attack, they are aware of the prospects for other forms of attack.

The reason this worked is that a "good" awareness program was implemented. It was not a generic video with no reinforcement. The information provided all of the critical elements of good awareness materials: 1) Awareness of what the issue is, 2) Definitive and relevant actions to take in response to the issue, and 3) Motivation to take the proper action.

Admittedly, the IDG team already has a general awareness to be on the lookout for spearphishing messages. That itself is a Security Awareness success. However, it just becomes obvious when you are under attack.

The reality is that there are Security Awareness success stories every second of the day. They just do not get noted. Every time a person does not click on a phishing message, every time they avoid a malicious website, every time they lock their door or computer monitor, every time they refuse to enter private information for questionable purposes, it is a Security Awareness success story. It is, however, much more notable when you realize that you are under attack from an intent adversary.

The fact that we were able to predict exactly how and when the SEA would attack was a clear benefit. However, I was still pleasantly surprised to learn that nobody fell victim to the attacks. As previously implied, all security countermeasures will fail at some point in time, and it is impossible to create perfect security. This is why everyone should practice defense in depth.

While there are many characteristics of a successful awareness campaign, what made IDG's awareness program effective in this case was:

  • The guidance was clear as to what people should watch out for.
  • The guidance was relevant to current and future circumstances, and stated why it was relevant.
  • There was clear motivation as it was obvious what a failure would mean to the individual and the organization.
  • People were informed exactly how to report attacks.
  • Once an attack was detected, the organization was informed about the attacks.
  • The organization helped people by taking the appropriate actions to block access to the dangerous websites, deleting unopened messages, and informing people about the details of the ongoing attacks. The latter provided additional motivation for people to behave more securely in general, which led to the reporting of the social engineering attacks.

I assume that prior to the publication of this article, IDG would have sent out reminder messages to remind people about the past guidance, and tell them to be on the lookout for other attacks that use similar strategies. This should produce similar results, i.e., repelling all attacks, but even if it doesn't, any damage should be proactively mitigated with defense in depth.

When you have a good Security Awareness program, you will have a lot of success stories, as not only will many incidents be prevented, you will know about them. It is frankly refreshing to be able to highlight a success story that we were involved in. However, make sure that you don't forget to acknowledge and highlight the small success stories that help you prevent the proverbial death by 1,000 cuts.

Ira Winkler, CISSP and Samantha Manke can be contacted at www.securementem.com.
