Technology is a marvelous tool that enables people in the 21st century to effortlessly communicate with each other in almost every corner of the globe.
Regrettably, it can’t prevent stupidity. That’s what security vendor RSA discovered in 2011 when the company’s spam filters reportedly caught email with a malicious Excel spreadsheet and dumped them into the staffs’ junk filters.
Unfortunately some people opened the email anyway and infected the company. Parent company EMC apparently had to spend US$66 million to clear up the mess.
The incident is recounted as a warning in a slim new book Phishing Dark Waters (Wiley, CDN$42, 188 pages) by Christopher Hadnagy, CEO and Michele Fincher, chief influencing officer, Social-Engineer Inc., a U.S. company that helps organizations do penetration and phishing tests.
Aimed at CIOs and CSOs, it offers advice on how attackers think and how organizations can create their own awareness programs.
The fact is, they confessed in an interview Monday, even experienced people can be fooled by phishing ploys: Hadnagy admitted he’s one of them. So CSOs need to understand what makes people click on links they are told to ignore or are in messages that are too good to be true.
“It’s not about stupidity. We are made to react to certain types of stimuli,” he said, including greed (‘Offer only good today’), fear (‘Detection for new virus attack’), authority (‘From the CEO’) and desire (‘Deal on trip to Bahamas’).
Understanding that allows organizations to develop protocols and education for protection, he said. “Without understanding the why all you’re doing is throwing a bunch of money into anti-virus and packet inspection and network filters. Those things may work, and they may protect you from 90 per cent of the malware that’s out there.” But, he adds, it won’t help a spear phishing attack against a targeted company or officials within it.
Which is why, Hadnagy and Fincher say, organizations must address human decision-making as part of an anti-spam strategy.
According to the Anti-Phishing Working Group, an association of IT industry compnaies and law enforcement agencies, 128,378 phishing sites were observed in the second quarter of 2014, the latest period stats are available. That was the second highest number of phishing sites detected in a quarter, eclipsed only by the 164,032 seen in the first quarter of 2012.
Hadnagy is a long-time security worker and penetration testing who set up his consultancy after writing a course for IT security pros on social engineering. Fincher has degrees in engineering and counselling who specializes in understanding influence and manipulation of people.
The book talks about the psychology behind (bad) decision-making, explaining how the brain’s amygdala processes stimuli — like fear — that phishing authors play on. CSOs may not find that as interesting as the chapter on the psychology of influencing people (suckers) to fall for their ploys.
This becomes useful when IT pros want to craft their own education campaigns. And the authors insist that CSOs make sure staff understand the point of awareness training is education, and not merely getting good scores on tests.
IT pros will find the real value of the book in creating phishing tests — which, the authors add, should be part of penetration tests.
They emphasize that phishing tests have to be scientific — setting a baseline with the first test and then tracking and collecting statistics on follow-up tests to accurately measure progress.
One problem CSOs have is seeing “massive fluctuations” in testing results — a low click rate one month then high the next, suggesting staff aren’t learning. That’s probably because those test emails were crafted too hard to spot, followed by a test that’s too easy. Tests should gradually increase in difficulty.
If they don’t craft their own campaigns, one of the biggest mistakes IT departments make is buying phishing software with a limited number of templates to base tests on. The book has a good section reviewing the pros and cons of these applications
Of course the book also includes lessons CSOs can pass on to staff on identifying phishing attacks, such as learning to hover over URLs within messages and analyzing email headers.
And there’s also teaching staff to ask these four questions when looking at every message:
–Does the email come from someone I know;
–Was I expecting this email;
–Are the requests being asked of me reasonable;
–Does the email use techniques of greed, fear or curiosity to hit my emotions — does it try to get me to take an action.
That’s a good list to photocopy, emboss and give to every staff member.
