[BreachExchange] Don’t be a fool about endpoint protection

Audrey McNeil audrey at riskbasedsecurity.com
Thu Apr 6 18:54:11 EDT 2017


http://www.itsecurityguru.org/2017/04/05/dont-fool-endpoint-protection/

In the U.S., 35 percent of working-age adults do not know what phishing is.
Considering the average office worker can see up to one risky email a day,
that’s quite alarming. Clearly, this awareness gap is putting both business
data and systems at risk. Factoring end users into the endpoint protection
equation just makes sense.

Discussions about phishing prevention are on the rise, which is good.
Unfortunately, that’s partially at the expense of organizations and end
users. When companies like Google and Amazon make the news because
attackers are corrupting their brands in order to propagate phishing scams,
there are certainly more conversations — but at the tradeoff of more
compromised networks, accounts, and devices.

But even though more and more companies and individuals are falling victim
to phishing emails, and publications and news outlets are shining a light
on this threat vector, that doesn’t mean end users have a solid awareness
of this threat or that they’re actively trying to avoid these types of
attacks. Those who do have some sense of the risk phishing messages pose
are complicating the matter in another way: overconfidence.

A recent study published by the University of Texas at San Antonio found
that overconfidence is a growing reason many end users fall for phishing
scams; they simply believe they are smarter than the actors responsible
for an attack. This is leading to a carelessness that is compromising
endpoints with alarming regularity.

Compounding the problem is the fact that phishing messages are becoming
more sophisticated. While overconfident users are looking for Nigerian
prince emails, attackers are developing more targeted and more detailed
messages that are exceedingly sophisticated and difficult for even infosec
professionals to spot. And with ransomware on the rise and continuous
advances in malware, these attacks can come with some crippling payloads.

The reality is that end users — and their decision-making skills — are
attached to a vast number of your endpoints. If you are not continually
educating employees about how to spot the evolving techniques and nuances
cybercriminals are using to attempt to penetrate your defenses, you are
allowing unnecessary risk to percolate within your security chain.

The first step in an effective security awareness training program is
assessing employees’ depth and breadth of knowledge, and attempting to
identify your organization’s most pressing susceptibilities. Though we’ve
talked almost exclusively about phishing within this piece, the reality is
that end-user risk management is bigger than email-based attacks. Many of
the worst breaches we’ve seen of late weren’t caused by a single mistake,
but rather a series of them. Typically, multiple employees could have taken
action to stop an attack if they knew what to look for. A comprehensive
training program helps to fill in the knowledge gaps, which can mean the
difference between a single compromised endpoint and a major data breach.
As such, it’s important to assess your users and figure out where your
organization’s gaps and weak links really are.

Some of today’s best security awareness programs incorporate phishing
simulations, which allow companies to evaluate end users’ susceptibilities
without exposing their networks to an actual attack. To ensure longevity,
choose a tool that supports customizable email templates, multiple types of
attachments, data entry fields, and the ability to test users’ recognition
of embedded links and spoofed senders. Content updates are also critical,
as cybercriminals are always coming up with new attack scenarios. Tools
that regularly provide new and refreshed templates and materials help to
ensure your program remains relevant and effective.

When using assessment tools like simulated attacks, it’s important to have
a plan and measurable goals; this will allow you to take your program to
another level. A good place to start is measuring failure rates (i.e.,
interactions with simulated phishing emails). Tools that allow you to dig
in and analyze failure rates by user attributes — like department, office
location, and manager — give you visibility into important susceptibility
metrics and variations between groups, job functions, and geographies. It’s
also valuable to be able to identify users who have had multiple failures —
so-called “repeat offenders” — as this allows you to work with managers and
your HR department to adjust access permissions and develop other
escalation paths that will help employees become more careful (and keep
your endpoints more secure).

A step that organizations sometimes overlook is delivery of ongoing
cybersecurity training. Simulations are great for assessing end users’
ability to detect attacks, but they have a limited ability to educate
employees about the breadth of techniques attackers use. The most
successful program administrators educate end users about the types of
threats they will encounter and give them the knowledge and well-placed
confidence — not overconfidence — they need to make good decisions. The
most sophisticated programs educate their users multiple times per year,
opting for short and easily digestible lessons that don’t just teach new
concepts but also help to reinforce previous lessons to prevent knowledge
loss. Look for an education tool that offers brief, focused modules that
will allow you to regularly provide training without overwhelming end
users. If you can automatically assign training to employees who fall for a
simulated attack, that’s a great advantage. This allows users to more
clearly connect the dots between the phishing simulation and the follow-up
education. If you send a simulated attack in January and then don’t provide
training until August, you’ve lost any possibility for a logical connection
between the two events.
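As an added illustration of the metrics the article describes (failure rates broken down by user attribute, "repeat offenders" across several simulations, and follow-up training assigned promptly after a failure), here is a small Python analysis over constructed campaign results. The users, departments, dates and function names are hypothetical and are not data or code from the article or any vendor tool.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample results from three simulated phishing campaigns.
# Columns: (campaign_date, user, department, manager, interacted_with_lure)
# These are hypothetical records, not data from the article.
RESULTS = [
    (date(2017, 1, 10), "alice", "finance", "mgr_f", True),
    (date(2017, 1, 10), "bob",   "finance", "mgr_f", False),
    (date(2017, 1, 10), "carol", "eng",     "mgr_e", False),
    (date(2017, 1, 10), "dave",  "eng",     "mgr_e", True),
    (date(2017, 3, 15), "alice", "finance", "mgr_f", True),
    (date(2017, 3, 15), "bob",   "finance", "mgr_f", True),
    (date(2017, 3, 15), "carol", "eng",     "mgr_e", False),
    (date(2017, 3, 15), "dave",  "eng",     "mgr_e", True),
    (date(2017, 5, 20), "alice", "finance", "mgr_f", False),
    (date(2017, 5, 20), "bob",   "finance", "mgr_f", False),
    (date(2017, 5, 20), "carol", "eng",     "mgr_e", False),
    (date(2017, 5, 20), "dave",  "eng",     "mgr_e", False),
]

DEPARTMENT, MANAGER = 2, 3  # column indexes usable as grouping attributes


def failure_rate_by(attribute_index, results=RESULTS):
    """Share of simulated emails that were interacted with, per group
    (e.g. per department or per manager), rounded to two decimals."""
    sent = defaultdict(int)
    failed = defaultdict(int)
    for row in results:
        key = row[attribute_index]
        sent[key] += 1
        failed[key] += 1 if row[4] else 0
    return {k: round(failed[k] / sent[k], 2) for k in sent}


def repeat_offenders(min_failures=2, results=RESULTS):
    """Users who fell for the lure in at least min_failures campaigns;
    the article suggests these warrant escalation with managers and HR."""
    counts = defaultdict(int)
    for _, user, _, _, clicked in results:
        counts[user] += 1 if clicked else 0
    return sorted(u for u, n in counts.items() if n >= min_failures)


def training_assignments(results=RESULTS, due_within_days=14):
    """Map each (user, campaign_date) failure to a training due date close
    to the simulation, so the lesson stays connected to the event."""
    return {(user, d): d + timedelta(days=due_within_days)
            for d, user, _, _, clicked in results if clicked}
```

Running `failure_rate_by(DEPARTMENT)` on the sample data shows finance at 0.5 and engineering at 0.33, while `repeat_offenders()` flags the two users who failed twice.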

Phishing can have serious impacts on endpoint security, which in turn can
affect your organization’s intellectual property, reputation, customer
confidence, and other important business indicators. If you are involved
with developing an endpoint protection strategy, don’t be foolish and
overlook how your end users’ awareness and knowledge (or lack thereof) play
into your metrics for success.