[BreachExchange] Phishing Training is a Tool, Not a Solution

Destry Winant destry at riskbasedsecurity.com
Mon Nov 19 09:39:52 EST 2018


https://www.securityweek.com/phishing-training-tool-not-solution

If You Find Yourself Frequently Blaming Users for Successful Attacks,
You Know Your Security is Not Working

Training users to recognize phishing is a best practice, an important
“tool in the toolbox” as an IT manager once told me, and definitely
something I agree with among a list of steps to improve one’s security
posture. But I’ve heard anecdotes recently about IT managers
prioritizing training above investing in better automated security,
and have begun to wonder if training firms and many security providers
who now offer it have been a bit too successful in their marketing,
effectively convincing many that the job of protection should be
shifted to the end user.

A lot of phishing training is going on. A recent study by Osterman
Research asked organizations a series of questions about phishing and
user training, among other issues, and ascertained that 93% of
organizations give their employees some kind of phishing awareness
training. Of course, doing this “right” is not in everyone’s budget,
or runs quickly into a limit of tolerance on the time to be taken from
the schedules of busy employees.

Can you (really) spot the fake?

Such training, everyone agrees, is good. Everybody knows that security
is about layers, and having alert users is another layer. But anybody
signing up for sessions for their company should understand it in that
context—it’s another tool, not a solution. I was struck in the
Osterman survey report by the fact that over half of IT and security
managers rate their users “highly” or “extremely” capable of
recognizing mass phishing and spear phishing emails (59% and 54%,
respectively). What’s generating such confidence among this group?
Personally, I’m not as sanguine. I see examples of phishing emails and
spoofed web sites all the time, and while many fall to the quality
level associated with Nigerian scams, I’m frequently struck by the
subtlety of the approach, the high quality of the imitations, and the
deceptive tactics employed. In considering the ability to spot the
phish by a general employee population working away in the frenzy of
their email-inundated lives, such a level of optimism contradicts my
own anecdotal sense of things. A CIO at a large company told me
recently that he feels that 40 percent of his users will “click on
anything,” which seems realistic to me, and, if true, still means 60
percent of users are bringing some utility to the task of identifying
phishing emails. It’s an attitude that makes room for the benefit of
training in contributing to stopping some phishes, without
over-relying on it.

I have to point out that, even when an alert user does their duty, the
phish may still happen, because we’ve already entered the realm of
possible human error. One case in point is the phish of campaign
advisor John Podesta’s Gmail account during the (Hillary) Clinton
campaign. Podesta thought the password reset email he received odd, so
his assistant forwarded it to a security analyst working with the
campaign, which led to arguably the most famous typo in IT security
history—the consultant accidentally wrote “legitimate,” when he knew
the email was a phish, and had intended to write “illegitimate.”

Blame the victims?

It’s a truism of security that users are the Achilles’ heel or “weak
link” in any system of defenses. I recognize the wisdom in this,
although sometimes it sounds to me a bit like blaming airline
passengers for their plane going down. It seems at any security event
today, there is a lot of touting of user training by user-education
and, more recently, large security companies, pushing messaging along
the lines of “protection starts with people”. Is this really the
user’s responsibility? We don’t expect them to delete their own spam
or to really know what attachments to click on. Are we in the process
of giving up on technology’s ability to block phishing?

Security is the weakest link – not the user

My view is that if you find yourself frequently blaming users for
successful attacks, you know your security is not working. I agree
that we should be thinking about how users work, what they do and how
it affects the security posture of the business, but does security
really start with them? If you start from the premise that IT should
be an enabler for employees to be more productive, then it follows
that security should protect them automatically. True, no system is
infallible, and I’ve already acknowledged the importance of layered
security, but my advice is do not let your email security vendor get
away with delivering phishing emails to your users—they should just
block them. Do not let your web security provider get away with
allowing users to connect to phishing sites—they should just block the
connections. It’s time to swing the pendulum back, and put the
responsibility to do battle with phishing campaigns back where it most
correctly belongs—on the security systems.
