Employees are the weakest link - Enable your employees to effectively become a part of your security team. PART III: The Human Component’s Fundamental Role in AntiPhishing Prevention

Employees are the weakest link - Enable your employees to effectively become a part of your security team. PART III: The Human Component’s Fundamental Role in AntiPhishing Prevention - Real-World Simulations

Details: Category: Social Engineering; Published: Friday, 03 February 2017 14:53

Written by Maria Monteiro, Filipe Custódio, VISIONWARE

This article is the third part of a series published by the DOGANA Consortium with the purpose of providing information on how enabling employees to effectively become a part of the enterprise security. To better understand this article please read the previous parts "Companies’ role in Antiphishing Prevention”, and "The Human Component’s Fundamental Role in AntiPhishing Prevention — Initial Training".

PART III: The Human Component’s Fundamental Role in AntiPhishing Prevention - Real-World Simulations

The best way to prepare employees for real-world attacks is to train them with real-world simulations. Individual learners follow different paths through the instruction based on their responses. As they progress through the course, they build their awareness of phishing tactics and test their ability to identify and respond to threats appropriately.

Periodically immersing employees in simulated real-life phishing scenarios that deliver hands-on experience with safe examples and on-the-spot education opportunities - for example through real phishing emails to create timely examples and content focused on today’s greatest threats.
Failure is the best opportunity to change human behaviour. It is the moment in which individuals are most willing to act differently: When an employee fails a phishing simulation, they immediately receive high-impact training that conditions them to spot and report real-world phishing attacks.

This allows the awareness element to be there as well: opportunity to combine phishing tests with security awareness education, with a feature that (optionally) directs phished users to a landing page with an awareness education video.

Providing instant feedback when a successful phish is reported or when an employee fails a simulated phish creates a memorable experience.
Once reported, employees receive immediate positive feedback that reinforces the right behaviour: positive reinforcement is the key to a successful human phishing defence program.

In practical exercises, like simulation emails, files or messages, it is important to take the help desk team into account: some phishing campaigns drive lots of phone calls and emails to the helpdesk. Don’t make them hate training days. Don’t send more emails a day than they can handle. Use embedded report buttons on email clients when possible to allow immediate feedback. It will change their reporting habit for real world attacks as well.

Email Phishing

It’s best to hit your employees with emails that they might receive. Change difficulty levels and start from the ground up.

The ‘arrival page’ should explain the employee why that specific email could be a phishing email, demonstrating aspects that he/she should’ve noticed - and this will make him more attentive in the next (real or fake) phishing attempt.

Text Message Phishing

Bearing in mind the tools that are so commonly used and that hold important data and information, the scope of phishing simulation should include text message phishing. Phishes will be sent to employee cell phones and work similarly to email phishes.

Phone Call Phishing

A series of templates have been made to simulate scam phone calls that are becoming increasingly common. On top of that, users can type their own message to be read by a robot. Tracked is if the target picks up, call back, or enter numbers on the keypad.

Don’t let yourself or your employees fall victim to a phishing attack. Now that you know how rampant they are, and what many of them entail, it’s well within your control to defend against them. Just like phishing scams are unnervingly simple to launch, they are equally easy to defend against if you practice some extra caution.

For more information consult the Sources of this Research:

APGW: http://www.antiphishing.org
Berkeley Resources: https://security.berkeley.edu/resources/phishing
BizTech Magazine: http://www.biztechmagazine.com/article/2006/01/phishing-protection
Black Hat Briefings: https://www.blackhat.com/presentations/bh-europe-08/Rosiello/Presentation/bh-eu-08-rosiello.pdf
Carnegie Melon University: Lessons From a Real World Evaluation of Anti-Phishing Training: https://www.cs.cmu.edu/~ponguru/eCrime_APWG_08.pdf
Computer Weekly: http://www.computerweekly.com/tip/Preventing-phishing-attacks-Enterprise-best-practices
Federal Communications Comission: https://transition.fcc.gov/cyber/cyberplanner.pdf
Federal Trade Commission: https://www.consumer.ftc.gov/articles/0003-phishing
Global Learning Systems:
- http://www.globallearningsystems.com/products/anti-phishing-training
- http://www.globallearningsystems.com/index.php/products/phishtrain/
InfoSec Institute:
- https://www.infosecinstitute.com/phishsim
- http://resources.infosecinstitute.com/top-9-free-phishing-simulators/#gref
- http://resources.infosecinstitute.com/category/enterprise/phishing/spear-phishing-and-whaling/#gref
- http://resources.infosecinstitute.com/category/enterprise/phishing/phishing-tools-techniques/
InfoSecurity Magazine: http://www.infosecurity-magazine.com/blogs/effective-phishing-assessment/
IronScales: https://d30npevhrs2eg4.cloudfront.net/wp-content/uploads/2016/11/07090852/combatting-modern-email-phishing-attacks.pdf
Looking Glass Cyber Solutions: https://www.lookingglasscyber.com/blog/phishing-quiz-whats-your-aptitude/
KnowB4:
- https://www.knowbe4.com/products/kevin-mitnick-security-awareness-training/
- https://s3.amazonaws.com/knowbe4.cdn/Best+Practices+for+Dealing+with+Phishing+and+Next-Generation+Malware+-+KnowBe4.pdf
MediaPro: https://www.mediapro.com/courses/phishing-awareness/
PhishLabs: https://www.phishlabs.com/t2-spear-phishing-protection/employee-defense-training/
PhishMe: http://phishme.com/product-services/reporter
PhishTrain:
- https://www.phishtrain.com/email
- https://medium.com/@phishtrain/2-0-phishtrain-update-features-f69f865d2af0#.hfjdr1cqp
SonicWall: https://www.sonicwall.com/phishing/phishing-quiz-question.aspx
Tangible Security: https://tangiblesecurity.com/index.php/services1/employee-security-awareness-training
TechTarget:http://searchsecurity.techtarget.com/news/2240181849/Emerging-antiphishing-tools-use-testing-training-to-educate-users
The State of Security: https://www.tripwire.com/state-of-security/security-awareness/bsidesdc/
Wombat Security:
- https://www.wombatsecurity.com
- https://www.wombatsecurity.com/security-education/educate

by Maria Monteiro, Filipe Custódio (VISIONWARE)