The problem with Security Awareness programs is that it is hard to prove their successes. As with all security countermeasures, success is usually that nothing happens. Ideally, success also means that there is a report of the attempted attack, however that is rarely the case. With technical countermeasures however, logs are usually maintained that allow people to point to all of the prevented attacks.
More important, when there are acknowledged Security Awareness success stories, it is rare for organizations to share those stories, even internally. As principles in a company devoted to the human aspects of security and Security Awareness, we see Security Awareness success stories on a daily basis, however we cannot disclose those stories without permission.
So it was a pleasant surprise when we saw the CSO Salted Hash column, Inside an Attack by the Syrian Electronic Army, which highlights a major Security Awareness success story. The article highlights how the Security Awareness guidance we provided allowed IDG Enterprises, the parent company of CSO and Computerworld, among other major technology publications, to completely repel an attack by the Syrian Electronic Army (SEA).
As background, the SEA took issue with a presentation that Ira gave at the RSA Conference that detailed the SEA, their attacks, our experiences helping companies respond to their attacks, and methods to prevent similar attacks. The SEA responded by hacking the RSA Conference website, and we detailed exactly how that was accomplished. In response, the SEA hacked the Twitter feeds of the Wall Street Journal and Buzzfeed in an attempt to insult Ira. Ira prepared an article for Computerworld that analyzed the sequence of events. However, based on our experiences and working with the FBI on past attacks, we warned Computerworld to expect a focused attack from the SEA and detailed the expected methods that they would use, as well as guidance on how to prevent the expected attack.
In response, Computerworld's team worked with the appropriate people to ensure that the technical precautions were taken, as well as creating a proactive awareness program warning the appropriate IDG employees of the imminent attack. Details were provided regarding what employees should be on the lookout for, and special effort was made to ensure that the people with critical access were warned about what to expect.
As expected, spearphishing messages began to arrive the day the article went live on the website. The messages were in the format expected. Recipients of the message appropriately reported them. When the emails failed, the SEA apparently resorted to social engineering attacks, which were likewise unsuccessful and properly reported. This is critical as it demonstrates that when people are made aware of the likelihood of one attack, they are aware of the prospects for other forms of attack.
The reason this worked is that a "good" awareness program was implemented. It was not a generic video with no reinforcement. The information provided all of the critical elements of good awareness materials: 1) Awareness of what the issue is, 2) Definitive and relevant actions to take in response to the issue, and 3) Motivation to take the proper action.
Admittedly, the IDG team already has a general awareness to be on the lookout for spearphishing messages. That itself is a Security Awareness success. However it just becomes obvious when you are under attack.
The reality is that there are Security Awareness success stories every second of the day. They just do not get noted. Every time a person does not click on a phishing message, every time they avoid a malicious website, every time they lock their door or computer monitor, every time they refuse to enter private information for questionable purposes, it is a Security Awareness success story. It is however much more notable when you realize that you are under attack from an intent adversary.
The fact that we were able to predict exactly how and when the SEA would attack was a clear benefit. However, I was still pleasantly surprised to learn that nobody fell victim to the attacks. As previously implied, all security countermeasures will fail at some point in time, and it is impossible to create perfect security. This is why everyone should practice defense in depth.
While there are many characteristics of a successful awareness campaign, what made the IDG's awareness program effective in this case was:
- The guidance was clear as to what people should watch out for.
- The guidance was relevant to current and future circumstances, and stated why it was relevant.
- There was clear motivation as it was obvious what a failure would mean to the individual and the organization.
- People were informed exactly how to report attacks.
- Once an attack was detected, the organization was informed about the attacks.
- The organization helped people by taking the appropriate actions to block access to the dangerous websites, deleting unopened messages, and informing people about the details of the ongoing attacks. The latter provided additional motivation for people to behave more securely in general, which lead to the reporting of the social engineering attacks.
I assume that prior to the publication of this article, IDG would have sent out reminder messages to remind people about the past guidance, and tell them to be on the look out for other attacks that use similar strategies. This should produce similar results, i.e., repelling all attacks, but even if it doesn't, any damage should be proactively mitigated with defense in depth.
When you have a good Security Awareness program, you will have a lot of success stories, as not only will many incidents be prevented, you will know about them. It is frankly refreshing to be able to highlight a success story that we were involved in. However, make sure that you don't forget to acknowledge and highlight the small success stories that help you prevent the proverbial death by 1,000 cuts.
Ira Winkler, CISSP and Samantha Manke can be contacted at www.securementem.com.