Many phishing awareness programs do a poor job of training employees to recognise and evade malicious fake emails. Business Reporter’s resident U.S. blogger Keil Hubert advocates employing ongoing phishing awareness training… via your preferred penetration tester.
A client recently commissioned a print article addressing why a customer should pay for penetration testing. I apologize that I can’t link to the finished piece; many of my American clients pay extra for the privilege of posting my content as if it were their own. Small companies and start-ups need regular infusions of original content on their company sites in order to stay at the top of Google’s[1] search results. They want to be seen – rightfully[2] – as ‘thought leaders’ in their respective industry niches, but they often aren’t bringing in enough revenue yet to justify keeping a professional writer on the bench full-time. Until they become breakout successes, they outsource the work to me.
Anyway, regarding the article… The client wanted me to explain to a skeptical audience why spending some of their meagre infosec budget on an external pen-test service was a shrewd use of resources. I was happy to oblige, since this is something that I believe quite strongly in. A company’s chief security officer (under whatever title he or she holds) has a duty to identify and deal with the company’s most glaring vulnerabilities before the baddies take advantage of them. The best way to find and plug those holes is to set an attacker loose on the company with a mandate to ‘count coup’ against whatever passes for the client’s crown jewels. A good pen-tester will assess the target and then take advantage of the easiest way in past the defenses to ‘win’ the game. Once the CSO knows how the red team pulled off its heist, he or she can close off that attack route. Rinse, repeat, etc.
One of the arguments that I made in the article was that a good pen-tester doesn’t limit him- or herself to just computer network exploits. I’ve worked in and for a bunch of large businesses where ‘pen-testing’ and ‘vulnerability scanning’ activities were limited exclusively to the company’s data network. To be fair, the testers were usually pretty good at finding unpatched servers, routers with default passwords, etc., but their results didn’t truly communicate how baddies would actually breach the company’s perimeter during a real attack. Real attackers exploit people first, because people are always the weakest link in any security model. Always.
That’s why I kept rewriting my ‘why you should pen-test’ submission all weekend. I had to stay under the client’s maximum word count, but I felt professionally obligated to address the issue of testing people as well as systems. A good pen-test needs to cover the whole range of information operations, which includes attacks against ‘wetware’ (a.k.a. human minds). I finally got it right and my client published the piece. So, it was successful… but I didn’t feel like it was successful enough. The idea has been bugging me for weeks now, because I wasn’t able to stuff in one crucial point:
Businesses need to inculcate phishing attack recognition and avoidance skills in all of their employees through repetition.
‘Phishing’ – as an attack method – is the art of using falsified messages to fool a target into doing something dangerous. Usually, this involves surrendering sensitive information, clicking a link that will take their browser to a website that will infect their PC with malware, and/or opening an attachment that installs malware. These days, most people get at least one of these fake email messages in their inbox every day. Most are designed to look like warnings from banks about fraudulent charges, warnings from shipping companies about delivered packages and other comparable sorts of correspondence. Some are indistinguishable at a glance from real company communiqués. The thing is, all phishing attacks share two things in common: first, they all contain some tell if you look closely enough: a sender address or link destination that doesn’t match the company the message claims to come from, or a request that the real company would never make by email. Second, they should all be interpreted with withering scepticism.
Most modern companies’ infosec departments are well aware of the phishing threat and genuinely want to help make their users immune to it. Unfortunately, most companies are not allowed to spend 100+ hours per user teaching them skills like how to read raw message headers and source, or how to safely validate an unknown IP address or domain. CSOs everywhere would like to make their users as sophisticated as senior technologists, since the best defence against phishing is technical education. Unfortunately, I have yet to see a business that’s willing to invest that much time and money in technical training for non-technical staff. Instead, most companies make do with a 15-to-60-minute general internet safety CBT[3] that admonishes users to ‘not click on or reply to strange messages’. That’s wholly insufficient to address the threat, since a well-crafted phishing attack looks 100 per cent like a known, trusted company’s official communications.
That’s where a pen-testing initiative can be a CSO’s best friend: adding a benign phishing attack campaign into the company’s next pen-test is usually cheap and easy, and it provides measurable results. The SANS Institute’s Lance Spitzner teaches a dynamite security program management course called ‘Securing the Human’[4] that advocates warning your users that a fake phishing attack is coming before launching a fake phishing attack so that users are primed to be on the lookout. Then launch the attack with a benign payload and monitor who amongst the staff reports it correctly… and who falls for the fake. This approach satisfies your auditors’ needs for a pen-test, but also pays long-term dividends for the infosec team. The knowledge of who-all fell victim to the fake attack lets the CSO target his or her phishing defence education efforts against those users that most need the knowledge. I’ve seen this technique done and when it’s done well it’s bloody brilliant.
Taking it one step further, I believe strongly that CSOs need to be carrying out safe test attacks like this all the time. That is, don’t just stop at one test and call it good. Keep them coming. Start with easy ones, and see how people react to them. Teach users what they missed and how to spot the frauds. Then gradually ramp up the sophistication of the attack messages until you’re eventually using real (but de-fanged!) attack messages from the wild. Use the results of the tests and a corresponding continuous education campaign to hone your users’ skills. Train them through repeated exposure.
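What ‘measurable results’ look like once the campaigns start repeating, as an added example written for this column (it is not the column’s own code, nor any vendor’s simulation tool). The campaign log, the user names, the difficulty labels and the four-word outcome vocabulary are all constructed; the HMAC-based tracking token is one assumed way to build the benign payload’s link so that a click can be attributed to a recipient without putting their address in the URL and without letting one recipient guess another’s link.

```python
"""Scoring repeated phishing simulations.

Constructed sample data: four simulated campaigns of rising difficulty
against four users. Outcomes are what the simulation platform records
for each recipient; "reported" is the behaviour we want to see.
"""
import hashlib
import hmac
from collections import defaultdict

# Ordered from best to worst behaviour.
OUTCOMES = ("reported", "ignored", "clicked", "submitted")
FAILURES = {"clicked", "submitted"}

# Constructed log: one row per (campaign sequence, difficulty, user, outcome).
SAMPLE_EVENTS = [
    (1, "easy", "alice", "reported"),   (1, "easy", "bob", "clicked"),
    (1, "easy", "carol", "ignored"),    (1, "easy", "dave", "clicked"),
    (2, "easy", "alice", "reported"),   (2, "easy", "bob", "clicked"),
    (2, "easy", "carol", "reported"),   (2, "easy", "dave", "reported"),
    (3, "medium", "alice", "ignored"),  (3, "medium", "bob", "reported"),
    (3, "medium", "carol", "clicked"),  (3, "medium", "dave", "submitted"),
    (4, "hard", "alice", "reported"),   (4, "hard", "bob", "clicked"),
    (4, "hard", "carol", "reported"),   (4, "hard", "dave", "clicked"),
]


def campaign_rates(events):
    """Per campaign: share of recipients who fell for it and share who reported it."""
    by_campaign = defaultdict(list)
    for seq, difficulty, _user, outcome in events:
        by_campaign[(seq, difficulty)].append(outcome)
    rates = {}
    for (seq, difficulty), outcomes in sorted(by_campaign.items()):
        n = len(outcomes)
        rates[seq] = {
            "difficulty": difficulty,
            "fail_rate": sum(o in FAILURES for o in outcomes) / n,
            "report_rate": outcomes.count("reported") / n,
        }
    return rates


def user_histories(events):
    """Each user's outcomes, in campaign order."""
    hist = defaultdict(list)
    for _seq, _difficulty, user, outcome in sorted(events):
        hist[user].append(outcome)
    return dict(hist)


def repeat_offenders(events, streak=2):
    """Users who failed `streak` consecutive simulations at any point.
    One miss can be bad luck; two in a row is a habit worth coaching."""
    flagged = set()
    for user, outcomes in user_histories(events).items():
        run = 0
        for outcome in outcomes:
            run = run + 1 if outcome in FAILURES else 0
            if run >= streak:
                flagged.add(user)
                break
    return sorted(flagged)


def training_priority(events, recent=3):
    """Rank users for targeted coaching: most failures in the last `recent`
    campaigns first, worst single outcome breaking ties."""
    ranked = []
    for user, outcomes in user_histories(events).items():
        window = outcomes[-recent:]
        fails = sum(o in FAILURES for o in window)
        worst = max(OUTCOMES.index(o) for o in window)
        ranked.append((-fails, -worst, user))
    return [user for _, _, user in sorted(ranked)]


def resilient_users(events, recent=3, min_reports=2):
    """Users with no failures in the last `recent` campaigns who also reported
    at least `min_reports` of them: evidence of judgement rather than luck."""
    good = []
    for user, outcomes in user_histories(events).items():
        window = outcomes[-recent:]
        if not any(o in FAILURES for o in window) and window.count("reported") >= min_reports:
            good.append(user)
    return sorted(good)


def tracking_token(secret, campaign_seq, user):
    """Per-user, per-campaign token for the benign payload's link (assumed design,
    not any particular tool's): attributes a click without naming the user in the
    URL, and cannot be guessed or enumerated without the secret. 16 hex chars
    (64 bits) is plenty for a link nobody can brute-force against a small roster."""
    message = f"{campaign_seq}:{user}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()[:16]


def resolve_click(secret, campaign_seq, token, roster):
    """Map a clicked token back to a user on the campaign roster, or None."""
    for user in roster:
        if hmac.compare_digest(tracking_token(secret, campaign_seq, user), token):
            return user
    return None


if __name__ == "__main__":
    for seq, stats in campaign_rates(SAMPLE_EVENTS).items():
        print(f"campaign {seq} ({stats['difficulty']}): fail {stats['fail_rate']:.0%}, "
              f"reported {stats['report_rate']:.0%}")
    print("two in a row:", repeat_offenders(SAMPLE_EVENTS))
    print("coach first:", training_priority(SAMPLE_EVENTS))
    print("resilient:", resilient_users(SAMPLE_EVENTS))
```

Run it as-is to print the per-campaign rates and the three lists. The `repeat_offenders` default of two consecutive failures is the standard this column argues for; `resilient_users` deliberately demands actual reports rather than mere non-clicks, because a user who silently ignored a message may not have recognised it as an attack at all, and a single reported message may still be luck.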
I’ve been on a literary and cinematic allusions kick all year long, and this column is no exception. The story that triggered this column was James Cain’s 1934 classic noir novel The Postman Always Rings Twice. I chose this source for two reasons: first, I really like the noir genre. Second, and more importantly, because the story’s nonsensical title actually fits this topic perfectly.
If you haven’t read the book (or seen the 1946 movie version), Postman revolves around a shifty drifter (Frank) and a bored married woman (Cora) who conspire to murder the woman’s husband (Nick) so that the two lovers can start a new life together. For years, critics were annoyed because the title of the story seems to have nothing whatsoever to do with the story itself. There isn’t a postman to be found in the book. Per Wikipedia’s synopsis on the genesis of the title:
‘In the preface to Double Indemnity, Cain wrote that the title of The Postman Always Rings Twice came from a discussion he had had with the screenwriter Vincent Lawrence. According to Cain, Lawrence spoke of the anxiety he felt when waiting for the postman to bring him news on a submitted manuscript, noting that he would know when the postman had finally arrived because he always rang twice. Cain then lit upon that phrase as a title for his novel. Upon discussing it further, the two men agreed such a phrase was metaphorically suited to Frank’s situation at the end of the novel.
‘With the “postman” being God or fate, the “delivery” meant for Frank was his own death as just retribution for murdering Nick. Frank had missed the first “ring” when he initially got away with that killing. However, the postman rang again, and this time the ring was heard. Frank is wrongly convicted… and then sentenced to die. The theme of an inescapable fate is further underscored by [Nick’s] escape from death in the lovers’ first murder attempt, only to be done in by their second one.’
Does that tie into phishing? Yes. Yes, it does. I’m arguing that while a fake phishing attack is a great training tool for teaching users how to recognize and respond to phishing attacks, one test on its own isn’t enough! To effectively inoculate users against the threat, you need to hit the users again and again with similar attacks until they decide to change their bad behaviour. A user who successfully evades one attack may have done so based on dumb luck rather than critical thinking and shrewd security-mindedness. If you stop training your users with just the one fake attack message (the ‘first click’, so to speak), then some of those users will be brought low by the next real message to hit their inbox (the ‘second click’). I’m arguing that a responsible head of security needs to keep on educating and coaching his or her users until they’re savvy enough to not fall for any two phishing attack messages in a row – fake or otherwise.
Given how destructive a massive cyber breach can be to a company, it’s in every CSO’s best interests to ‘harden’ the targets that hackers are most likely to go after. That means preparing the company’s employees first and foremost. Hardening humans means teaching them how to spot and evade attempts to get them to unwittingly suborn the company’s cyber defences. As for teaching… experience is the best teacher of all, especially when the student is keenly interested in avoiding a second embarrassing failure.
In the book, Frank the Drifter could have escaped the death penalty had he only recognized the self-destructive course that he was on and changed his ways. In the office, a well-meaning employee can escape getting fired (or, worse, being held fiscally accountable for catastrophic damage) by recognizing that he or she is susceptible to fake emails and changing his or her ways. The best way to set a wayward soul back on the straight-and-narrow path is to show them where, when and how they erred under test conditions where no actual harm can come from their mistakes.
[1] …and Bing’s and Yahoo’s and everyone else’s search engines. But mostly Google’s.
[2] I want credit for resisting the pun ‘write-fully’ in this sentence. I’ll cash that credit in later on in this column.
[3] Computer-based training module. Also known as ‘condescending b******s time’.
[4] For disclosure’s sake, I’ve taken the course and I’m a die-hard advocate for every other infosec professional taking it as well.
[5] I knew I was going to need that pun credit. Without it, Lyonsdown likely would’ve docked my wages for that ‘pier’ quip.
Keil Hubert is a retired U.S. Air Force ‘Cyberspace Operations’ officer, with over ten years of military command experience. He currently consults on business, security and technology issues in Texas. He’s built dot-com start-ups for KPMG Consulting, created an in-house consulting practice for Yahoo!, and helped to launch four small businesses (including his own).
Keil’s experience creating and leading IT teams in the defense, healthcare, media, government and non-profit sectors has afforded him an eclectic perspective on the integration of business needs, technical services and creative employee development… This serves him well as Business Technology’s resident U.S. blogger.