FBI/DHS hack shows need for role-based security awareness programs

When a hacker released the contact information of 9,000 DHS employees, it was the result of several awareness failings. The reality is that these are failed awareness programs that are typical of industry as a whole.

Summarizing the attack, a criminal apparently compromised the user ID and password of a random Department of Justice employee, reportedly through a spearphishing attack. The credentials did not, however, give the attacker the connectivity required, so the attacker most likely called a Department of Justice help desk number. The help desk gave the attacker credentials to some portal and/or VPN connection. From that point, the attacker was apparently able to access the unclassified Department of Justice network, which led to the compromise of FBI and DHS telephone directories and 200GB of unspecified data.

There were two apparent awareness failings. The first was likely the first employee clicking on a phishing message. The second was the help desk providing the attacker with credentials to access the network remotely. I am sure that some phishing vendors will claim that if there had been more simulated phishing messages, this would not have happened. Those claims would be foolish. The Department of Justice already engages in phishing simulations. The best they can do is reduce the number of incidents, not their inevitability.

However, there is nothing phishing simulations would do to stop the social engineering calls to the help desk. Here is probably the most important aspect: the susceptibility to phishing would have been irrelevant if the caller had not been given the credentials to access the network.
When you have an organization the size of the Department of Justice, it is inevitable that credentials will be compromised through phishing or social engineering. The only people who believe you can stop all attacks like that are fools or liars. Frankly, multi-factor authentication should have been in place, which would have prevented this attack. However, there was almost a form of multi-factor authentication in place, as the attacker needed additional credentials to access the network remotely.

Again, that layer failed as a result of poor processes and awareness, likely on the part of the help desk. Phishing simulations won’t mitigate that attack vector. Once-a-year videos designed for a mass population would not be specific enough for the responsibilities of help desk personnel. Even when you have once-a-month videos, organizations typically run a different topic each month of the year, and the once-a-year social engineering video, which averages under 3 minutes, is not going to have a significant impact against all of the possible ruses a help desk employee might encounter.

Yet, when you look at what appear to be industry-standard awareness programs, they rely on phishing simulations and monthly computer-based training (CBT) modules designed for the general population. More has to be done.

The standard model works if you are checking a box. It does not work when you want to prevent actual incidents.

To improve this situation, you need to understand that just as people have different job functions, they might need role-based awareness programs. You cannot provide the same awareness materials to help desk staff that you would to factory workers and expect the results to be acceptable from both groups.

While you don’t have to provide different training and awareness programs for every conceivable role, it is clear that some roles, such as help desk personnel, engineers, IT staff and customer service representatives, among other high-level categories, have specific awareness concerns.
To support role-based awareness, the appropriate policies and procedures must be in place. For example, when the criminal called the Department of Justice help desk for assistance with access, there should have been clear procedures in place to authenticate callers.

As I previously wrote, awareness programs should represent the Department of How, not the Department of No. When you tell people what not to do or, even worse, attempt to scare them, you are not instilling good behaviors; you are merely trying to scare people out of doing the wrong thing. Awareness is about creating the right security-related behaviors.

Instilling proper behaviors takes consistent education and reinforcement of all relevant topics. While phishing is a major attack vector for malicious actors, you cannot ignore all other awareness concerns, which is apparently what many organizations are doing. Additionally, you cannot rely on a 3-minute video on a topic, once a year at best, and assume that it will significantly improve employee behaviors related to that topic.

The goal of awareness is to cost-effectively reduce risk. This means that you save significantly more money through the incidents prevented, or more efficiently mitigated, than the cost you invest in the program. It also implies that you have to address all vulnerabilities created by user behaviors.

There is, of course, a need for phishing simulations and CBT as appropriate. However, by themselves they are no more effective than saying a network security program is satisfied by the presence of a firewall and anti-virus software.

As stated, focusing on the behaviors related to an individual’s role is what will enhance the effectiveness of awareness efforts. I fully understand that CBT and phishing simulations seem like a simple and easy solution to the problem. Unfortunately, the problem is not simple, and the solutions will not be simple either.

Ira Winkler, CISSP can be reached at his company’s website at www.securementem.com