Why You Shouldn't Phish Your Users

Posted 2014-08-25 on webadminblog.com: https://www.webadminblog.com/index.php/2014/08/25/why-you-shouldnt-phish-your-users/
Categories: Malware Security, Phishing, Security. Tags: BlackHat, e-mail, link, malware, phishing, security, vendors, web.

As an Information Security Program Owner, I get a barrage of e-mails and phone calls multiple times a day from vendors looking to sell us their latest hotness security product. Between the e-mails, the phone calls, the expo floor at BlackHat this year, and several talks that I've seen at past conferences, I have noticed a disturbing trend that I thought was worth bringing up: phishing your users.

The concept is simple: you send your users e-mails that look legitimate but carry links or attachments designed to simulate a spear-phishing attack. A user who recognizes the message as malicious and deletes it carries on with business as usual. A user who falls for the trick is punished: verbal and written lectures, letters to their management, and remedial security awareness training. No carrot, all stick. This makes me think back on a problem I've had with my twin daughters at bedtime. For over a year we struggled to get them to stay in bed at night. We would lay them down, play some music, and leave the room, and it wasn't five minutes later before they were up playing, yelling, and coming back out into the hall. We yelled at them, spanked them, turned off lights, and did just about everything we could think of to get them to stay in bed. None of the punishments actually corrected the behavior. Do you want to know what actually worked? Offering them a treat in the morning if they stayed in bed all night. Positive reinforcement.

As much as we hate to admit it, adults aren't that different from children in this way. Nobody takes well to being tricked into clicking a link or opening an attachment, and punishing them for it only deepens the resentment. Where do they direct that hostility? At the Security Team. The very people you are trying to protect end up blaming you and your team for getting them into trouble. What happens the next time you have a problem that needs that user's help to solve? Absolutely nothing. Every time you phish a user, you burn a bridge that you may need later on. And since we all know how easy it is to phish a user, that means you are burning a lot of bridges.

So what can we do to keep the organization from being compromised by phishing and other social engineering attacks? First, run security awareness training alongside your new-hire training, so that every employee starts with a baseline understanding of the problem and how to avoid it. Second, invest in technology that detects and blocks these attacks: inspecting the links and attachments in inbound e-mail and scanning web content for malware will significantly reduce the success rate of these attacks. Third, a number of vendors will track real-world phishing attempts against your users, rewriting the links in those messages so that you can later analyze who clicked and who didn't. That gives you the same data a simulated phish would, and the same opportunity to sit the user down and talk about what happened, but without pitting them against the Security Team. The attacker is now the bad guy, and you are just the friendly information security professional helping to get them back up and running and giving them tips so that it doesn't happen again. You are BUILDING BRIDGES. And if you want to put an even more positive spin on the process, offer a reward to users who receive a phishing e-mail and report it to the Security Team instead of clicking the link or opening the attachment. Everybody wins. That's why you shouldn't phish your users.
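The third recommendation above relies on rewriting the links in a suspicious message so that a later click can be attributed to a recipient. The following is an added example of that mechanism, written for this page; it is not code from the post or from any vendor's product. The tracking host, the HMAC secret, the recipient addresses and the sample message are all constructed for the example. It also shows the one property the redirect endpoint must have: it follows only destinations it signed itself, because otherwise the tracking host is an open redirect that attackers can use in their own phishing mail.

```python
"""Click-attributing link rewriting, in the style of the mail-inspection
services the post mentions.  Added example; not code from the post or from
any vendor.  The tracking host, the HMAC secret and the sample message are
all assumed/constructed for the example."""
import base64
import binascii
import hashlib
import hmac
import json
import re

# Assumed values.  A real deployment keeps the secret in a secrets store
# and uses its own redirect host.
TRACK_BASE = "https://links.example.invalid/r"
SECRET = b"rotate-me-and-keep-me-out-of-git"

HREF_RE = re.compile(r'href="(https?://[^"]+)"')


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(url: str, recipient: str, message_id: str, secret: bytes = SECRET) -> str:
    """Bind the original URL to the recipient and message, then sign it.

    The signature is what lets the redirect endpoint trust the URL it is
    handed back; without it the endpoint would redirect anywhere an attacker
    puts in the query string."""
    payload = json.dumps({"u": url, "r": recipient, "m": message_id},
                         separators=(",", ":")).encode()
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64u(payload) + "." + _b64u(mac)


def rewrite_links(html: str, recipient: str, message_id: str) -> str:
    """Replace every http(s) href in the message with a per-recipient tracking link."""
    def repl(match):
        token = make_token(match.group(1), recipient, message_id)
        return 'href="%s?t=%s"' % (TRACK_BASE, token)
    return HREF_RE.sub(repl, html)


def resolve_token(token: str, secret: bytes = SECRET):
    """Verify a token; return (url, recipient, message_id), or None if it is forged or damaged."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload = _unb64u(payload_b64)
        mac = _unb64u(mac_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    data = json.loads(payload)
    return data["u"], data["r"], data["m"]


def handle_click(token: str, click_log: list):
    """What the redirect endpoint does: verify, record the click, return the destination.

    A bad token yields None: serve an error page, never redirect on unverified input."""
    resolved = resolve_token(token)
    if resolved is None:
        return None
    url, recipient, message_id = resolved
    click_log.append({"recipient": recipient, "message_id": message_id, "url": url})
    return url


def who_clicked(message_id: str, click_log: list) -> list:
    """The analysis the post describes: which recipients of this message clicked."""
    return sorted({e["recipient"] for e in click_log if e["message_id"] == message_id})


def tokens_in(html: str) -> list:
    """Pull the tracking tokens back out of rewritten HTML."""
    return re.findall(re.escape(TRACK_BASE) + r"\?t=([A-Za-z0-9_.-]+)", html)


if __name__ == "__main__":
    # Constructed sample: one phishing message delivered to two recipients.
    original = ('<p>Your mailbox is full. <a href="https://evil.example/login">'
                'Click here</a> to fix it.</p>')
    log = []
    delivered = {r: rewrite_links(original, r, "msg-42")
                 for r in ("alice@corp.example", "bob@corp.example")}
    # Alice clicks; Bob does not.
    dest = handle_click(tokens_in(delivered["alice@corp.example"])[0], log)
    print("redirect to:", dest)                            # https://evil.example/login
    print("clicked msg-42:", who_clicked("msg-42", log))   # ['alice@corp.example']
    # A token signed with some other key is rejected, not redirected.
    print(handle_click(make_token("https://attacker.example", "x", "y", b"other"), log))  # None
```

Run as a script, it prints the destination of Alice's click, the list of recipients who clicked message msg-42 (only Alice), and None for the forged token. Because the recipient is inside the signed payload, a link forwarded from Alice to Bob still attributes Bob's click to Alice, which is the usual limitation of per-recipient link tracking and worth keeping in mind before the follow-up conversation.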