Should you simulate a phishing attack on your own colleagues to raise security awareness?

The following news clip is from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which is part of the Department of Homeland Security:

A recent spear-phishing campaign started and ended in October 2012, using publicly available information from an electric utility's Web site to customize an attack against members of the Energy Sector. Employee names, company email addresses, company affiliations, and work titles were found on the utility's Web site on a page that listed the attendees at a recent committee meeting. This publicly available information gave the attacker the company knowledge necessary to target specific individuals within the electric sector.

Malicious emails were crafted informing the recipients of the sender's new email address and asked them to click on the attached link. This link led to a site that contained malware. Another email with a malicious attachment may also have been associated with this campaign.

Fortunately, no intrusions or infections were discovered following the campaign that targeted 11 specific entities.

What if this happened to people in your organization? Would your co-workers take the bait and click the link, putting your business at risk for malware?

We all want to believe our colleagues are smart enough to detect the foul smell of a phish attempt, but that's not always the case. Some messages - like the one referenced above - are quite believable and they fool even the most astute people.

A recent experiment showed just how successful those types of campaigns can be. Fake spear phishing messages were sent to employees of two real-world utility companies. Twenty-six percent of the recipients clicked on a link in the phony emails. Had this been a real phishing attack, just one click on a malicious link could have unleashed malware into the organization.

While there are technological solutions to combat phishing attempts, they aren't especially effective. It's hard to develop the technology that will weed out a well-crafted email message before it reaches the intended target.

Security experts agree that one of the best defenses is to bolster "the human firewall." In other words, to provide training to workers so they learn to recognize (or at least suspect) a phish attempt. If you can get your colleagues to slow down and really evaluate the messages they receive before acting on them, you've won half the battle.

An innovative approach to user education is to use simulated attacks on your colleagues. A recent Naked Security survey featured in the Sophos Security Threat Report for 2013 shows that 85% of the 933 information security people who responded to the survey say that businesses should "fool employees into opening inappropriate emails with the aim of education."

A new report discusses whether this is an effective approach to security awareness and training. The report is based on a roundtable discussion among members of Wisegate, including practicing CSOs from Fortune 500 companies. The roundtable was initiated by Joe Ferrara, CEO of Wombat Security Technologies, a security awareness and training company.

The CSOs were asked, "Does simulated attack training work?" The group consensus was yes, it does work. As one security leader put it, "it is more of a teachable moment — and the key will be following up with training that works for the employee." In addition, it helps to get workers to realize just how vulnerable they are to attacks that use social engineering to gain their confidence.

The CSOs cites some specific benefits of simulated attack training:

• It increases specific awareness of the phishing and spear phishing threat. When workers fall for a simulated attack, they become more aware of the real threat and more receptive to the message from IT security.
• It improves the general awareness of security. Simulated attack programs help to open the lines of communication between workers and security staff, which in turn helps to improve the efficiency of general security awareness training.
• It provides security training metrics. Simulated attacks allow you to track the effectiveness of your security training over time and to target the areas or people that most need additional training.
• It helps to focus both the company and the security staff on user behavior and how to turn that weak link into a strength. People can be a weak link in the security chain when it comes to social engineering attacks. Running simulated attacks can help you develop a balance between spending on technology and spending on security training.

The CSOs agree that simulated attacks are a valuable part of user awareness training — if they are done right. Ferrara offers the following best practices to ensure you get the most out of your training program:

• Get internal buy-in on the approach from executives across all departments.
• Assess the existing level of user awareness prior to starting a new simulated attack methodology. This gives you a baseline for judging the effectiveness of this methodology and to plan future campaigns.
• Use the upfront assessment data, combined with new data from the simulated attacks, to plan and prioritize future training.
• Combine your training methodology with learning science principles in order to ensure maximum retention by your colleagues.
• Continue the learning assignments throughout the year.
• Maintain heightened user awareness by making your training program a continuous process.

For more information, read the full report, "A Security Officer Debate: Are simulated phishing attacks an effective approach to security awareness and training?"

Read the article at Network World