As an Information Security Program Owner, I get a barrage of e-mails and phone calls multiple times a day from vendors looking to sell us their latest hotness security product. Between the e-mails, phone calls, expo floor at BlackHat this year, and several talks that I've seen at past conferences, I have noticed a disturbing trend that I thought was worth bringing up: phishing your users.
The concept is simple: you send e-mails to your users with content that appears legitimate, along with links or attachments designed to simulate a spear-phishing attack. If a user recognizes it as malicious and deletes it, they carry on with business as usual. If, however, they fall victim to your trickery, they are punished in the form of verbal and written lectures, letters to their management, and security awareness training. No carrot, all stick.

This situation makes me think back on an issue I've encountered with my twin daughters at bedtime. For over a year we struggled to get them to stay in bed at night. We would lay them down, play some music, and leave the room, and it wasn't 5 minutes later before they were up playing, yelling, and coming back out into the hall. We yelled at them, spanked them, turned off lights, and did just about everything we could think of to get them to stay in bed. None of the punishments actually corrected the behavior. Do you want to know what actually worked? Offering them a treat in the morning if they stayed in bed all night. Positive reinforcement.
As much as we hate to admit it, adults aren't that different from children in this way. Nobody takes well to being tricked into clicking on links or opening attachments, and punishing them for it only deepens the resentment. And where do you think they focus those hostilities? The Security Team. The very people you are trying to protect end up blaming you and your team for getting them into trouble. Now, what happens the next time you have a problem that you need that user's assistance to solve? Absolutely nothing. Every time you phish a user, you are burning a bridge that you may need later on. And since we all know how easy it is to phish a user, that means you are burning a lot of bridges.
So, what can we do to prevent our organization from being compromised by phishing and other types of social engineering attacks? To start with, incorporate security awareness training into your new-hire training activities, so that every employee has a baseline understanding of the issues and how to avoid them. Next, invest in technologies that detect and prevent these types of malicious activities: inspecting links and attachments in e-mail, and inspecting web content for malware, will significantly reduce the success rate of these attacks. Lastly, a number of vendors will track real-life phishing attempts against your users and modify the links so that you can analyze who clicked and who didn't. This has the same effect as phishing your users yourself, in that you can sit them down and talk about what happened, but without pitting them against the Security Team. The attacker is now the bad guy, and you're just the friendly information security professional helping to get them back up and running and giving them tips so that it doesn't happen again. You are BUILDING BRIDGES. And, if you want to put an even more positive spin on this process, offer a reward to those who receive a phishing e-mail but notify the Security Team instead of clicking on the link or opening the attachment. Everybody wins. That's why you shouldn't phish your users.
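The link inspection and link rewriting described above can be sketched in a few dozen lines. The following is an added example written for this post, not code from the author or from any vendor mentioned here. It parses the HTML body of an inbound e-mail, flags anchors whose visible text shows one host while the href points at another (plus raw-IP and plain-http targets), and rewrites every href through a redirector so that clicks can later be attributed to a recipient. The redirector URL `safelinks.example.internal`, the HMAC key, and the sample e-mail are all constructed for the demo; the HMAC exists so the redirector only follows URLs this system issued rather than acting as an open redirect.

```python
import hashlib
import hmac
import re
from html.parser import HTMLParser
from urllib.parse import urlencode, urlsplit

# Hypothetical internal redirector and signing key (constructed for this example).
REWRITE_BASE = "https://safelinks.example.internal/click"
HMAC_KEY = b"constructed-demo-key-rotate-me"

# Constructed sample message: the first link shows a payroll URL but points at a raw IP.
SAMPLE_EMAIL = """<p>Your payroll account needs verification.</p>
<a href="http://203.0.113.10/login">https://payroll.example.com/login</a>
<a href="https://intranet.example.com/policy">Read the policy</a>"""


class LinkCollector(HTMLParser):
    """Collects each <a href> together with the text the user actually sees."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = {"href": dict(attrs).get("href"), "text": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(self._current)
            self._current = None


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def looks_like_url(text):
    """True if the anchor's visible text is itself shaped like a URL or hostname."""
    return re.match(r"^\s*(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?\s*$", text, re.I) is not None


def suspicious(link):
    """Return the reasons (possibly none) a link deserves analyst attention."""
    reasons = []
    href = link["href"] or ""
    text = link["text"].strip()
    target = host_of(href)
    if looks_like_url(text):
        shown = host_of(text if "://" in text else "http://" + text)
        if shown and shown != target:
            reasons.append(f"display host {shown} != target host {target}")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target):
        reasons.append("raw IP address as host")
    if href.lower().startswith("http://"):
        reasons.append("plain http")
    return reasons


def sign(url, recipient):
    return hmac.new(HMAC_KEY, f"{recipient}|{url}".encode(), hashlib.sha256).hexdigest()


def rewrite(url, recipient):
    """Wrap url in the redirector so a click can be attributed to recipient."""
    return REWRITE_BASE + "?" + urlencode({"u": url, "r": recipient, "t": sign(url, recipient)})


def verify_click(url, recipient, tag):
    """What the redirector checks before following a link: constant-time HMAC compare."""
    return hmac.compare_digest(sign(url, recipient), tag)


def inspect_and_rewrite(html, recipient):
    """Return (rewritten_html, per-link report) for one recipient's copy of a message."""
    parser = LinkCollector()
    parser.feed(html)
    report, out = [], html
    for link in parser.links:
        href = link["href"]
        if not href:
            continue
        report.append({"href": href, "text": link["text"], "flags": suspicious(link)})
        out = out.replace(f'href="{href}"', f'href="{rewrite(href, recipient)}"')
    return out, report


if __name__ == "__main__":
    body, findings = inspect_and_rewrite(SAMPLE_EMAIL, "alice@example.com")
    for f in findings:
        print(f["href"], "->", f["flags"] or "ok")
```

The mismatch between what the anchor text shows and where the href actually goes is the cheapest single signal for analyst triage; the redirector data then tells you which users clicked so the follow-up conversation can be about the attacker's e-mail rather than about a test you sent them.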
For my first breakout session of the TRISC 2009 Conference, I decided to check out Rohyt Belani's presentation on Spear Phishing. Rohyt is the CEO of Intrepidus Group and has spoken at a variety of conferences from BlackHat to OWASP to MISTI to Hack in the Box. I had heard from several other conference attendees that he was a pretty good speaker and the topic seemed interesting enough so I went and wasn't at all disappointed. My notes (while not very long) from the presentation are below and the actual presentation can be found here:
- CEO of Intrepidus Group
- Adjunct Professor at Carnegie Mellon University
- Frequent speaker at BlackHat, OWASP, MISTI, Hack in the Box
- Phishing: The act of electronically luring a user into surrendering private information that will be used for identity theft or conducting an act that will compromise the victim’s computer system.
- Example of spear phishing used for a pump-and-dump scam
- Example of spear phishing used to download a Trojan, crack the admin password, and create domain administrator accounts on a Windows server
- Intrepidus has a service, PhishMe.com, that is used to run mock phishing attacks against companies
- 23% +/- 3% of users are susceptible to phishing attacks, based on PhishMe.com results
- Convincing people to click via authority works better than reward
- People are more “click happy” on a Friday afternoon
- Use an existing website that’s vulnerable to XSS or create a fake SSL certificate