
SANS ISC: Security Awareness? How do you keep your staff safe? - SANS Internet Storm Center SANS ISC InfoSec Forums


Security Awareness? How do you keep your staff safe?

If you’ve been following recent diaries from my fellow handlers Brad and Manuel, they peel the covers back on a couple of current malicious email campaigns. Many readers of the Storm Center diaries will be used to the ebb and flow of these stories. Here in Australia there’s a speeding fine scam email [1] that has been running for the last few weeks, and there’s no indication it will drop off any time soon.

There is plenty of training, education and horror stories out on the Internet about malicious email, so why is it a recurring problem? One suggestion is that it plays on human emotions. Threatening or enticing emails are designed to draw in the unsuspecting, and then there are those users who will go to significant lengths to bypass security controls just to see the dancing cat/chicken/Han Solo.

So providing useful and meaningful security awareness isn’t easy, and it has to be made relevant to individual audiences, even within the same organization. Providing the same training to senior management and then to a development group will probably miss the mark for both groups and result in a “Meh, I won’t fall for that”. Sadly, generic security training often results in a trained staff member who still falls victim to a relatively convincing scam.

At this point you’d be expecting some wondrous solution. Sorry, not today. I will say this is something that takes constant revising, effort and innovative thinking to engage your staff. I’ve mentioned before that SANS has some nifty resources [2], but I really love finding out how people try to instil security in their organizations. A security engineer from Riot Games posted how his security team took a different approach to winning the hearts and minds of their staff on thinking about security as a whole [3]. This comes back to building a story about being security minded that your audience understands, hopefully cares about, and starts to adopt in their working practices and lives.

Will it stop everyone clicking links or opening random email attachments? I doubt it, but flipping a person from an attack vector to an attack alerter is a worthy goal.

If you have any other examples of innovative ways of getting people to care about good, basic security approaches, please add a comment or drop us a line [4].

 

[1] https://www.service.nsw.gov.au/news/afp-warns-public-email-traffic-infringement-scam

[2] http://www.securingthehuman.org/resources/

[3] http://blog.markofu.com/2015/01/socialising-security-riot.html

[4] https://isc.sans.edu/contact.html

 

Chris Mohan --- Internet Storm Center Handler on Duty

Chris

105 Posts
ISC Handler
We run security weeks every so often on our intranet.
Each day a new tip.
We also encourage users to test their skills using sites such as http://www.sonicwall.com/furl/phishing/
nickcardwell

2 Posts
Hi Chris, we do it with a combination of training, awareness and random tests. The methodology that I have seen working myself is to get your training tailored to what is important for your organisation; for instance, for me, clicking on unsolicited mail is a higher priority than an awareness session on using 8-character passwords, as we have tools in place to check the latter. Once training is sorted out, awareness has played a very important role via monthly or weekly mails, some posters around the most common areas and finally conducting random tests, like sending non-malicious phishing mails to see who falls prey to them. We have seen a notable reduction in how many people click on phishing mails between when we started the training and now, a few months down the line. There are hardly any people who click on phishing mails. Not saying that my problem is sorted out for life, but seeing this progress gives confidence in security overall. Also to add, most of the content of the training is built from a combination of our threat feeds, our monitoring sources and results from pen tests, which show us where we need to target on the people side.
nickcardwell
1 Posts
Quote: Sadly generic security training often results in a trained staff member that still falls victim to a relatively convincing scam.

Chris et al.:

It was a continual battle over PEBKAC @ my last company, and sadly it went all the way to the VP, since she had a PHD (Pappa Had Dough) and she was going to do whatever she wanted, period.

She had an ilk of "he won't let me read my FB or shop on-line or use weatherbug, etc., etc., etc." She would then complain to daddy that I was stopping sales, when they could not deduce pure logic: your actions will not only stop sales but grind the company to a halt.

She went as far as getting the keys to the kingdom and turning off the AV and anti-malware; the alarms would light up, and she and others did not care.

Now in contrast, the other 98% of the staff & employees followed the very rules set forth by company policy. However, as we all know, one moldy blueberry can destroy the entire bunch when it sits on top of the rest of them; it does not work the other way around.

It finally got so bad that I left, and @ 55 you can only imagine what fun that has been; yet another reason why I moved into security.

I would appreciate any suggestions for what I can do in the future. I was polite, held seminars; many got scareware on their own PCs (which I would fix on my own time) and some at the company went to poisoned sites, while others were compliant.

I even put up training videos on how things work, and light-end testing, to no avail. Am I perfect? Hell no. Do I strive daily to better myself? YES!

Again, any sage advice would be appreciated. A career that I have loved from the days of DOS ===> has worn on me, not because I do not want to stop the bad guy, but when you must fight the good guys also, it wears you down. If things do not get better, maybe I will try my hand @ shopping cart wrangling.

Thanks to all for reading this, again please give me your thoughts.

Best to all, and safe computing.
ICI2I

63 Posts
I'm not sure we can ever be successful as long as the end user is considered a legitimate and significant link in the security chain. Not saying that in a derogatory way, just practically speaking. Training can reduce the risks for threats such as phishing, but never eliminate them or even get them below a certain threshold.
Dean

135 Posts
Absolutely agree. The very best any awareness program or even vendor has claimed is a 5% failure rate. Think about this analogy:

"As CEO and CFO of Public Company LLC, I affirm that our financial statements are 95% accurate and I am 95% confident that there is no financial fraud by insiders."

Uh huh.
Anonymous
Long time reader, first time poster. Instead of spewing out all of my thoughts here I'll post a link to an article I already wrote about it.

http://infosystir.blogspot.com/2015/02/the-path-to-fixing-security-awareness.html

I helped implement a live fire monthly awards based phishing program in a mid-sized hospital with amazing results.

Slide deck here if you are interested in the metrics and materials.

http://www.slideshare.net/amandasullivanberlin/shooting-phish-in-a-barrel
infosystir

1 Posts
Security awareness trainings don't work, else by now we should have had a smarter workforce capable of understanding where to click. Investing in security awareness trainings is money down the drain, since this program needs to run ad infinitum, assuming the workforce is changing. Without an infinite budget, I don't see how security awareness trainings can bring about any change to the behavior of the workforce, since all you need is one idiot.

The solution(s) can be had at the technology level itself -- refuse non-ASCII emails, remove attachments; both can be done at the MTA level. Phishing problem solved. Deploy technology that makes it impossible for its users to play the fool. Why bother creating awareness when you can drive a stake through the heart of the problem?
coderaptor

1 Posts
Quoting coderaptor: Security awareness trainings don't work, else by now we should have had a smarter workforce capable of understanding where to click. Investing in security awareness trainings is money down the drain, since this program needs to run ad infinitum, assuming the workforce is changing. Without an infinite budget, I don't see how security awareness trainings can bring about any change to the behavior of the workforce, since all you need is one idiot.

The solution(s) can be had at the technology level itself -- refuse non-ASCII emails, remove attachments; both can be done at the MTA level. Phishing problem solved. Deploy technology that makes it impossible for its users to play the fool. Why bother creating awareness when you can drive a stake through the heart of the problem?


Respectfully, training your workforce is never a waste of money. A properly trained workforce will help when (not if) the security technology fails. Also, training will help those employees at home and at other jobs.

If we focus more on training and less on preventing, then we might just educate the entire workforce (at some point).

I wholly agree you can't fix stupid but you can educate it out of someone.
PW

63 Posts