The Danger of Sensationalizing Phishing Statistics

People are often curious about what percentage of users will fall for a phishing attack, and it’s tempting to try to create this kind of statistic. At PhishMe, we’ve found that trying to assign a blanket statistic is counterproductive – however this hasn’t stopped others in the industry from trying to do so. The most recent company to try is Intel Security (formerly McAfee), which declared that 97% of people globally were unable to correctly identify phishing emails. While this statistic certainly makes for a nice headline, it is broad-based and flawed in a number of ways.

The Resurgence of Data-Entry Phishing Attacks

‘Old School’ email social engineering or data-entry phishing is an attack method that has been on the rise in recent months, notably employed by the Syrian Electronic Army to hack seemingly every major media outlet in the Western hemisphere, and possibly responsible for other high-profile breaches.

A Target spokesperson confirmed last week that attackers initially gained access to the company systems through stolen credentials obtained through a vendor. While Target has not confirmed the exact method through which the credentials were stolen, one possible scenario is that attackers sent a spear-phishing email to the vendor, obtained valid login credentials for Target, and used those credentials to gain a foothold in Target’s network.

Breaking out of the compliance mindset

During my years at Mandiant, I responded to a lot of breaches for a wide variety of organizations. Every breach case had one thing in common – the customer was compliant.

Difference in the group

Addressing security threats requires a new direction from the mindset that compliance equals security.

While compliance is a requirement for many organizations, compliance does not equal security. I was recently talking to a CISO who has divided his department into two teams – one focused on security and the other focused on compliance. The security team deals with emerging threats to the network, while the compliance team deals with regulations. It’s an interesting strategy, and one that reflects how separate compliance and security concerns have become.

Security awareness has traditionally been associated with the compliance side of security, but to be truly effective, it needs to focus on current threats and evolve with the threat landscape.

Negative reinforcement: How NOT to improve user behavior

One of the interesting aspects of security awareness training is the intersection of information security with human resources. We know from experience that security practitioners are not always experts in the latter, but what we recently saw from Dave Clemente was a real doozy.

Clemente suggested that employees who engage in unsafe IT security behavior (such as clicking on phishing links) be reprimanded and that unsafe behavior should even negatively affect their performance review. To the security part of your mind, it might feel good to punish people for their security sins. We need to remember, however, that the ultimate goal of security is to protect a network, not give users a reason to DDoS it.

For effective security awareness, keep it focused

Switch book coverIn their book, “Switch: How to Change Things When Change is Hard” authors Chip and Dan Heath examine how influencing humans to change requires appealing to two parts of the brain: the rational and the emotional. Since the emotional part of our brain often gets frustrated when asked to make huge changes, Chip and Dan recommend that we “shrink the change” to change behavior in the face of resistance.

The Heaths cite financial guru Dave Ramsey’s “Debt Snowball” strategy as an effective example of shrinking the change. For people mired in a mountain of debt, this strategy advocates paying off their smallest debts first – regardless of interest rates. Although this flies in the face of conventional financial wisdom, it is a lot easier for people to remain focused by paying off a $200 debt than it is to pay off $200 of a $20k debt. It’s easier for our brains to process manageable changes, and when we feel like change is manageable, we’re more likely to implement it.

To make training stick, immerse employees

When aspiring pilots go through flight school, they learn both in a conventional ground setting and using a flight simulator. On the simulator, new pilots are immersed in the experience of flying, and receive real-time feedback about their decision making. Not surprisingly, the simulator is seen as a more effective training tool than conventional classroom training.

One of the greatest challenges facing security awareness initiatives is providing employees with an experience they will actually remember and retain. Training users to avoid risky security behavior is not nearly as complicated as teaching someone to fly a plane, but just like with pilots, immersive training that simulates the kind of attack methods employees face is a more effective way to conduct security awareness.

To improve security awareness, think marketing

Security awareness is a term that often makes IT security pros cringe. It brings to mind images of mind-numbing training or of ineffectual posters and stress balls urging employees to change their passwords frequently.

Based on years of experience working with enterprises and other large organizations, we are launching a new blog series, “7 Principles Critical to Security Awareness Programs”, that will offer some insight in concepts we have incorporated in our solution to demonstrably improve security awareness for our customers.

The first topic we will address is marketing.

Changing behavior is one of the greatest challenges security officers face when implementing security awareness programs. Convincing people to change is hard in any arena, but when it comes to security – an area which most users neither know nor care much about – it’s especially difficult. We can learn a lot about changing behavior from a source security pros are often wary of: marketers.

How PhishMe addresses the top attack method cited in Mandiant’s APT1 report

There’s no shortage of interesting points to take away from the Mandiant® report about the Chinese hacking group APT1 released Tuesday, with many of Mandiant’s findings confirming the threat organized attacker teams pose to enterprises.

First and foremost, the report states, “the most commonly observed method of initial compromise is spear phishing.” This backs up our main message for organizations – to remain focused on the core problem of people being the main vulnerability. Organizations need to proactively address this by developing a user base that is resilient to spear phishing attacks. This doesn’t discount the importance of technology (see our blog post about the NY Times breach), but security behavior management can’t be ignored.

What Trend Micro’s research means for organizations

Trend Micro has just published research confirming what we at PhishMe already knew – spear phishing is the top threat to enterprise security. Trend Micro’s report estimates that spear phishing accounts for 91% of targeted attacks, making it the most prevalent method of introducing APT to corporate and government networks. Industry recognition of the severity of the dangers posed by spear phishing is always a positive development, but merely acknowledging the problem doesn’t provide a solution.

Fortunately, many of the underlying issues Trend Micro identifies are problems PhishMe is already helping our customers address.

Breaking the Myths of Social Engineering

Last week, a Washington Post article by Robert O’Harrow offered an interesting look at the most common attack vector used by cybercriminals to penetrate enterprises today: spear phishing. While we applaud (loudly) the thrust of the article – that enterprises need to educate users on the dangers of spear phishing – there are some very real challenges in user education that the article does not address.