Defence-in-depth is a widely-accepted security strategy. The US National Security Agency, which first applied it from a military context to information security, emphasised a “layered approach” to security involving people, technology and operations.
But while organisations spend up big on technical layers such as firewalls and intrusion detection, the same can’t said of efforts to secure the human. Does security awareness at your organisation mean a one day course and a few phishing posters near the water cooler? Or is there a sustained effort to drive cultural change across the organisation, systems to measure improvements, and a program to drive behavioural changes to improve security at work, home and on the road?
Not a month went by in 2015 without one massive breach or cyber attack affecting tens of millions of people. There was the Ashely Madison leak, and numerous breaches at US health insurers. State-affiliated Chinese hackers were also accused of stealing 21 million records from the US Office of Personnel Management, and in December hacking the Australian Bureau of Meteorology.
Those breaches could have started with a technical exploit, or just as likely a combined phishing and malware attack, which once again features prominently in Verizon’s 2016 Data Breach Incident Report.
Three in 10 phishing emails are opened by employees
Verizon notes that phishing email are almost exclusively used by organised crime gangs and state-backed attackers. And if the breach didn’t start with a phishing attack, leaked credentials are almost certain to come back and bite in future phishing attacks.
Despite numerous high profile breaches and awareness that phishing is a real risk, it appears people are actually getting worse at avoiding phishing.
Based on eight million “sanctioned phishing emails” from several security awareness vendors, Verizon found that employees opened 30 percent of phishing email, and that 12 percent clicked on the malicious link or attachment. Last year’s data revealed that 23 percent of phishing email was opened, and 11 percent clicked. Phishing emails are unsophisticated but time and again they prove to work.
It may help explain the rise in Dridex banking malware and its use of ‘macro malware’ in Microsoft Office attachments. Targets are lured into enabling macros that are disabled by default and the malicious macro installs Dridex modules to capture banking credentials from the browser and siphon them out.
Phishing is also quiet and efficient. According to Verizon, the average time it took for the first user to open the phishing email was 1 minute and 40 seconds. The first click came on average in just under four minutes.
Another telling figure from the report is that in a sample of 636,000 phishing emails, only three percent of users reported a possible threat to management.
How to move security awareness beyond compliance
Given that altering human behaviour is such a common first step to the loss of corporate secrets, credentials, personal or health information, it would seem wise to train humans to resist those attempts and for organisations to view it as more than a compliance issue.
Security awareness is tough to do though. It’s challenging to help people connect the dots between behaviours, such as re-using passwords across multiple sites, and the potential consequences.
This kind of awareness was one of the reasons Australian security expert Troy Hunt launched the Have I Been Pwned? website. The site alerts subscribers if their credentials turn up in a leak and now counts over 300 million ‘pwned’ accounts that have been exposed publicly after a breach.
“It’s interesting, as time has gone by, the number of times people say I had no idea I was in this or that breach. There are many organisations that never let people know, and even when the organisation’s policy is to let people know, a lot of people still don’t have any idea,” Hunt told CSO Australia.
“What’s really interesting is when people say: That might explain why I’ve had these other accounts compromised. And then you go: So what you’re saying is you might not have had very good password practices. And they answer: ‘Yeah, well it was an unimportant account and I re-used passwords for that.”
Another revelation from leaks catalogued in Have I Been Pwned? are the existence of corporate email addresses in dating-site breaches, including Ashley Madison and the more recent leak stemming from a breach at the dating site Beautiful People.
“I think there needs to be a much better awareness of where does the personal use of corporate assets begin and stop,” said Hunt.
The corporate stance on the use of social networks on work computers has changed over the years. Many organisations have relaxed former bans on Facebook at work in order to support better work-life balance. But Hunt contends, in an age when everyone has their own smartphone, it might make sense to draw a clearer line on how and when these apps are used.
“We might be at a point where it is more justifiable to lock down some of those generally personal-use-only assets or sites because we’re carrying out access to it with our personal devices anyway,” he notes.
These are discussions that could be had as part of a security awareness program, but all too often are swept up in compliance with resources for awareness limited to security posters, according to Hunt.
“[Posters] become white noise. It doesn’t stick. With phishing, compliance folks want to tick the boxes that says training has been done. That seems to be the first priority. The actual effectiveness of how well that education works then becomes a distant second,” said Hunt.
Security awareness is a ‘nice to have’, often run by geeks
One of the chief problems for better security awareness is a lack of investment in resources, time and skills. This affects the quality of awareness programs, how staff are engaged, and whether security behaviour is measurably improved, which ultimately shapes whether those with the purse strings see value in investing in it.
Todd Lefkowitz, vice president of global services at security firm, Rapid7, told CSO Australia that while everyone understands that people are the weakest link in an organisation, that’s not reflected in spending on security awareness.
“I think firms invest more so in technology, but I also think firms are becoming very aware of the fact that there is a massive skills shortage,” he said.
“People treat security awareness training as a nice to have and it’s executed as a nice to have. People need to put it more front and centre in terms of the criticality to the organisation,” Lefkowitz added.
On the upside organisations now have web-based technologies to make training short, interactive, game-like, and fun.
“That way you’re getting the user to pay much more attention to the subject matter,” said Lefkowitz.
Hunt agrees, pointing out services like Phish5 that can be used to test over and again how resilient staff are to phishing. Similar services are offered by Knowbe4 and PhishMe.
“We’re going to see how many people we can catch with this. We’re not going do them once a year but run them on an ad hoc basis and see if there’s actually education that’s sticking,” said Hunt.
The lack of investment in security awareness is backed up by a recent report from the Securing The Human program at the SANS Institute, which found in its Security Awareness Report 2016 that half of all security awareness personnel it surveyed had a budget of $5,000 or less. Larger organisations were just as likely to have miserly budgets for awareness. Less than 15 percent of respondents were dedicated awareness personnel, with most spending fewer than 10 hours on ‘securing the human’.
Lance Spitzner, director of SANS Securing The Human, told CSO Australia that companies are investing in awareness, but not enough and that too often “geeks” end up leading these programs.
The survey revealed that 80 percent of security awareness personnel are former IT or IT security professionals, who may lack the communications skills to make security awareness training relevant and engaging.
“Too many organisations still think of security in terms of bits and bytes. Technology is only one part of security, they are forgetting about processes and people,” said Spitzner.
That is improving in certain industries like defence, education, and manufacturing, according to Spitzner, however he also noted that organisations are investing in the wrong area.
“We need less geeks leading awareness programs and more communicators, public relations and marketing folks. We are lacking soft skills,” he said.
He recommends partnering with the communications department from the outset, or even embedding a comms person in the security team. Communications professionals will be able to help develop messaging, emotional outreach, and culture changing.
Interestingly, SANS’ survey found that the communications department was the major “blocker” to security awareness programs. Yet this same group is well-placed to overcome the cognitive bias that comes with being an expert in a certain field.
For example, when security professionals see people continuously fail to use complex passwords, it might not mean they are not motivated to follow good advice but rather that they find complex passwords confusing and difficult. The security awareness trainer could instead explain what two-factor authentication is and how to use it, or alternative password strategies such as the use of pass-phrases.
Hunt sees a role here for organisations to support the adoption of password managers and biometrics for authentication.
“There are people that will argue endlessly that biometrics are not for authentication, they are for identification. But frankly it becomes a semantic argument. If we can have a way where people can have strong passwords and then log on with a physical attribute that’s certainly better than what can be done most of the time,” he said.
Why spend on awareness if users are stupid or reckless?
One thing to avoid is viewing awareness training as a failure if a certain proportion of people always seem to fail a phishing test, according to Spitzner.
“Security awareness is nothing more than a control, a control to manage human risk,” said Spitzner. “Anti-virus is a control, firewalls are a control, encryption is a control. They all reduce risk, they cannot eliminate it. Awareness is no different.”
“What if the percentage that falls victim were also trained to report it, so even though five percent fell for it, they also reported it, building a more resilient organisation?” Spitzner asked.
According to Lefkowitz, organisations can convince staff to treat corporate information security seriously by helping them understand the positive impact they can have on security in their personal lives, for example, by helping them avoid major new threats like ransomware.
“We want people to think about this just as much for themselves, as for the company. This is really actionable information that they can use for the betterment of their own security. So if you let them believe that this is going too help safeguard personally identifiable information, it’s going to go a long way to helping them think more thoughtfully about how they handle data moving forward, whether it’s the company’s or their own,” said Lefkowitz
Security awareness however also needs to factor in cultural tendencies of both an organisation and the nation it operates in.
Hunt sees the rise in CEO fraud as a symptom of attackers exploiting cultures of subservience. CEO fraud is where an attacker uses a bogus email address that appears to be the CEO’s and tricks a subordinate into authorising a wireless transfer to what they are told is the bank account of a trusted organisation, such as a supplier.
According to Federal Bureau of Investigation, US firms have lost $2.3 billion dollars to CEO fraud between February 2016 and October 2013. The attackers often target firms that have international supplier relationships.
“Think about a place like Asia where the cultural norms are that you don’t question. If it’s someone in a senior position that asks you to do something, your propensity to do it is so much greater than if you’re here, where in Australia where you’ll often tell someone to get stuffed if they don’t like it,” said Hunt.
“Many companies tend to be very traditional very hierarchical, very much someone at the top of the tree who barks orders and other people beneath them take it. That sort of environment is going to make things harder to catch when there is no active culture of questioning,” he continued.
Yet, security training has its limits and organisations still need to ask what processes are in place to prevent things like inadvertently paying huge sums to fraudsters.
“You’ve got to ask, What kind of controls were in there such that the compromise of one individual was able to get large sums of money out? Does there need to be better controls around having multiple levels of authorisation for this sort of thing?” said Hunt.
Which all comes back to defence-in-depth and investing adequately in people, processes and technology.
“Security at the human level involves everyone from the front desk, the CEO and board. It extends to how guests are treated, how doors are opened and closed, how badges are displayed,” said Lefkowitz.
“Security awareness training is a start, but it’s enforcement and having the right policies and procedures that ensure people are acting appropriately with respect to any sort of information.”