Implementing a security awareness program seems rather straightforward, until you actually start to implement one - factoring in things like resources and the people (users) to be trained. At that point, it can seem complicated, costly, and unnecessary. However, the process doesn't have to be a logistical and expensive nightmare, and it's certainly worth it in the long run.
Organizations both large and small have implemented awareness programs for next to nothing, and while they're not perfect, many of them are able to show measurable results. The key to these successes however, is based on understanding what it is that the organization is actually trying to accomplish.
While doing topical research for this story, CSO discovered a common thought among the experts and executives that were consulted, including some who spoke to us during two regional security conferences this summer (B-Sides Detroit and CircleCityCon).
Often, executives view security and business as two separate items, and while this point-of-view is changing, it takes effort to get some executives to commit to security and make it part of the business overall.
When this happens, tangible security needs such as license renewals, support and service contracts, firewalls and other appliances all of those are things that executives understand. However, awareness training, to the executives at least, seems like an extended version of general security training, and there just isn't money for something like that.
At the same time, there's also a shakeup happening - thanks to a seemingly endless stream of data breaches this year that have placed several large companies in the headlines. The result of this shakeup is fear, and sometimes fear has a way of producing the budget needed to strengthen security. In some circles, this additional funding opens the door to the development of security awareness programs.
Is awareness training really needed?
Security awareness training is something that can cause a good deal of debate among experts. Some agree that it's needed; others will call it a waste of time and resources.
Dave Aitel, in a column for CSO, expressed an opinion that such training wasn't needed:
"Instead of spending time, money and human resources on trying to teach employees to be secure, companies should focus on securing the environment and segmenting the network. It's a much better corporate IT philosophy that employees should be able to click on any link, open any attachment, without risk of harming the organization.
"Because they're going to do so anyway, so you might as well plan for it. It's the job of the CSO, CISO, or IT security manager to make sure that threats are stopped before reaching an employee--and if these measures fail, that the network is properly segmented to limit the infection's spread."
However, the other side to that argument comes from Ira Winkler:
"The question to ask is whether the losses prevented by awareness training are more than the cost of the awareness program. So for example, as every successful phishing attack has a cost associated with it, if you are reducing phishing attacks by 50 percent, you are mitigating 50 percent of the potential losses...
"The original opinion also says that a sophisticated security awareness program can prevent 90-95 percent of attacks. A 90-percent-plus reduction of loss will always be a good return on security investment, especially when the cost of typical security awareness programs is minimal?"
Awareness programs are not a replacement for solid security infrastructure and policies. Nor are they a replacement for response and incident handling. They can't be. The only thing awareness does is increase the odds of recovery, and increase response times should an incident occur.
While training employees to act as monitors for Phishing attacks or emails with malicious attachments is helpful, that doesn't mean such campaigns won't be successful. However it does mean that the security team may know about the problem sooner, and that could be the difference between preventing a disaster - or suffering through one.
One of the main steps to building a good security awareness program is to separate it from security training. Security awareness is not the same as security training when it comes to employees.
Security training serves to offer a structured set of rules, which is what most auditors will look for when assessing compliance. Security awareness, on the other hand, aims to modify behavior. If done right, the company's employees will become an extension of the existing security program. However, while security training can be done annually, awareness programs are a continuous process.
A living proof of concept:
Amanda Berlin works in security for a medium-sized healthcare organization in the Midwest. Over the last few months, she has created an effective awareness program almost out of thin air.
Her organization didn't have the resources to pay for external awareness development and training, but it was needed, so they had to go it alone. It's taken some time, but her efforts have resulted in a program that benefits the company, keeps the staff engaged in security related topics, and has little to no impact to the bottom line.
"So we knew the weakest element in our security were people," Berlin said in an interview with CSO.
"That's probably the weakest part of any organization. You can have IDS / IPS, massive email filtering, but stuff is still going to get through and [criminals] are still going pretext."
As mentioned, user education can go a long way to keeping outsiders off the network, but it isn't a silver bullet.
In the past, prior to implementing the awareness program, Berlin's organization had to deal with various socially-based attacks. Yet, those were mostly random phone calls and faxes (fake domain renewal bills for example), so need for a scaled awareness program wasn't made abundantly clear until the company had a penetration test performed.
"We had a [penetration test] with some Phishing included, and that was what got them domain admin access. Right away, within fifteen minutes, somebody clicked and gave out their credentials, and they [the red team] were in from the outside."
It was an eye-opening experience. Other than the expected security training, related to HIPAA and other regulatory requirements, nobody in her organization had given a thought to implementing user awareness training against Phishing or similar attacks.
However, the main takeaway from that initial penetration test was that if the human element had been hardened, or at least better prepared, then the other defenses on the network would have had a better chance of keeping the attackers out.
Training out of thin air and OSINT:
For Berlin, the process of building an awareness program from scratch started with a series of conversations with her boss and the organization's education department.
The idea was to develop materials that would benefit any user. However, they had to keep the materials basic, so that the information was easily understood and the technical aspects were obtainable to anyone, no matter their personal skill set.
"[We used] things that would be really helpful for any end user, like 'Don't click on stuff' emails. We didn't get too far into it, but we used that and put it out there," Berlin explained.
After the material was shared during formal and informal staff meetings, it was time to test the employees and see what they've learned.
The first month her program ran, the targets were selected by way of available OSINT, or open source intelligence. By targeting company email addresses that were already publicly available, Berlin was starting with the same pool of potential victims that an actual criminal could, which helped her set the tone for the program's development.
Using the Social Engineer Toolkit, or SET, she created an initial campaign that consisted of an obviously suspicious email, and a simple link to a webpage she created to collect credentials.
"It was just a plain two, three line, HTML email. I wanted to try and make it as blatantly obvious that I wasn't a legitimate source. I wanted to see how good their [personal] filter was," Berlin, recalling the first email that was sent to users, explained.
The first set of emails were sent from a Gmail account created for the exercise. They contained no identifiable information, and used a basic HTML link to a local IP as the trap. Out of the initial run of a few hundred emails, Berlin said that she managed to get nearly 60 percent of the targets to enter their credentials.
The powers that be viewed the results as proof positive that something should be done about this gap in security, but the program needed to be tuned, and there needed to be a way to track the results. The process took a few months, but eventually Berlin was ready to launch her program officially.
Rewarding those who help:
While the initial test proved that an awareness program was needed, the question of who should be doing the training was the first hurdle. In fact, research showed that there were plenty of vendors available to come in and run an awareness program. However, the cost of hiring someone form the outside was steep, and would put additional pressure on an already taxed budget.
Instead, Berlin explained, the company opted to manage things internally. Moreover, some of the money that would have gone to an external training firm ($1,000) was allocated in order to establish a reward scheme for employees.
"So every time somebody reports a Phishing email, whether it be form me or the outside, they need to forward it to the help desk or call and let us know, so we can actually see the email. If it's a legitimate one, we'll go through the steps to actually block it; otherwise we'll let them know they've been entered into the drawing."
The program allows employees to report legitimate Phishing emails, as well as emails that are sent as part of the ongoing awareness training. In addition, other suspicious electronic activity may also count, such as emails with attachments that the employee didn't expect, but that is determined on a case-by-case basis.
Another interesting aspect to the program is the encouragement to report people who are attempting to access the employee's system that haven't been authorized to do so.
The incentive scheme itself is simple and geared towards the staff's personal interests. There is a monthly drawing for a $20 gift card, followed by a quarterly drawing for a $50 gift card to either Bass Pro Shops or Red Lobster. There is also a yearly grand prize worth $400 in the form of an Amazon gift card.
The financial motivation has helped things tremendously, Berlin noted, as the number of reports focused on legitimate Phishing attacks has "skyrocketed." Even better, the stigma associated with reporting a potential problem, or admitting that an attack was successful, has plummeted to nothing.
While rewards are important, for Berlin's organization, tracking and measuring progress is the main concern. After only a short time of operation, the stats from her program are impressive. The number of successful attacks in the training program have continued to fall steadily since the program officially started.
In January: 985 emails were sent to employees; and out of those, 53 percent of the targets actually clicked the Phishing link. Of those who clicked the link, 36 percent of them entered credentials and 11 percent of all the targets reported the attack.
In February: 893 emails were sent out, resulting in a click rate of 47 percent. Again, of those that clicked, 11 percent of them gave out credentials and 11 percent reported it.
The test in March didn't go as well. There were 1,095 emails were sent, but only three percent of the targets clicked the link. Of those that clicked, none of them entered credentials. In fact, everyone who clicked the link in March also reported the email.
"In March I think the reason that I had such a low rate of participation in general was due to the all around subject/theme of the Phish," Berlin said, when asked about the stats.
"We had a large push for the March of Dimes that month and it seems like every other email was about another donation opportunity, or bake sale of some sort. We think that the majority of them were just deleted along with the rest of them, or filtered out as noise."
April was another interesting month. There was no opportunity to enter credentials this time around, as the goal was to target clicks. Anyone who clicked on the email was directed to a "You've been hacked!" message.
During this test, two percent of the 1,111 emails sent resulted in a click, and 25 percent of those who got the message reported it.
While Berlin's awareness program clearly has changed user behavior, as well as improved the overall security posture for her organization, that doesn't mean that it's foolproof. There's plenty of room to grow, and the program itself is in a constant state of tuning.
For example, there are plans to improve tracking, and make the process easier to manage. Currently, the tracking process is manual, so the goal is to have it completely automated. There are also plans to increase the program to include mobile devices directly, as many of the providers within the organization rely on tablets in their day-to-day routine.
Awareness is only part of the battle:
Security awareness programs are only one piece of a larger security puzzle. By the time a Phishing email reaches a user, parts of the security chain have failed (anti-Spam) and the weakest-link in the chain now has an active role in defense.
If the users are trained, or to use a stronger term, conditioned to spot random abnormalities, there is a greater chance that a passive Phishing attack will fail. But no one is perfect, and targeted Phishing attacks will succeed eventually.
This is why users should be encouraged to report not only the attempt, but any failures as well without the fear of punishment. This engagement will help lower the time it takes to address the incident, and in some cases, it could actually prevent an incident from exploding into a monumental disaster.
Users are often snickered at for trading their passwords for candy during social engineering experiments. However, this willingness to do a task that takes little effort in exchange for something of value works both ways.
The user who will trade access for sugar is also someone that can be trained to spot attacks for gift cards, and financially, that's affordable when compared to the cost of mitigating a data breach.