The following news clip is from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which is part of the Department of Homeland Security:
A recent spear-phishing campaign started and ended in October 2012, using publicly available information from an electric utility's Web site to customize an attack against members of the Energy Sector. Employee names, company email addresses, company affiliations, and work titles were found on the utility's Web site on a page that listed the attendees at a recent committee meeting. This publicly available information gave the attacker the company knowledge necessary to target specific individuals within the electric sector.
Malicious emails were crafted informing the recipients of the sender's new email address and asked them to click on the attached link. This link led to a site that contained malware. Another email with a malicious attachment may also have been associated with this campaign.
Fortunately, no intrusions or infections were discovered following the campaign that targeted 11 specific entities.
What if this happened to people in your organization? Would your co-workers take the bait and click the link, putting your business at risk for malware?
We all want to believe our colleagues are smart enough to detect the foul smell of a phishing attempt, but that's not always the case. Some messages - like the one referenced above - are quite believable, and they fool even the most astute people.
A recent experiment showed just how successful those types of campaigns can be. Fake spear phishing messages were sent to employees of two real-world utility companies. Twenty-six percent of the recipients clicked on a link in the phony emails. Had this been a real phishing attack, just one click on a malicious link could have unleashed malware into the organization.
While there are technological solutions to combat phishing attempts, they aren't especially effective. It's hard to develop the technology that will weed out a well-crafted email message before it reaches the intended target.
Security experts agree that one of the best defenses is to bolster "the human firewall." In other words, train workers so they learn to recognize (or at least suspect) a phishing attempt. If you can get your colleagues to slow down and really evaluate the messages they receive before acting on them, you've won half the battle.
An innovative approach to user education is to use simulated attacks on your colleagues. A recent Naked Security survey featured in the Sophos Security Threat Report for 2013 shows that 85% of the 933 information security people who responded to the survey say that businesses should "fool employees into opening inappropriate emails with the aim of education."
A new report discusses whether this is an effective approach to security awareness and training. The report is based on a roundtable discussion among members of Wisegate, including practicing CSOs from Fortune 500 companies. The roundtable was initiated by Joe Ferrara, CEO of Wombat Security Technologies, a security awareness and training company.
The CSOs were asked, "Does simulated attack training work?" The group consensus was yes, it does work. As one security leader put it, "it is more of a teachable moment — and the key will be following up with training that works for the employee." In addition, it helps to get workers to realize just how vulnerable they are to attacks that use social engineering to gain their confidence.
The CSOs cite some specific benefits of simulated attack training:
The CSOs agree that simulated attacks are a valuable part of user awareness training — if they are done right. Ferrara offers the following best practices to ensure you get the most out of your training program: