Employees are the weakest link - Enable your employees to effectively become a part of your security team. PART II: The Human Component’s Fundamental Role in AntiPhishing Prevention

Employees are the weakest link - Enable your employees to effectively become a part of your security team. PART II: The Human Component’s Fundamental Role in AntiPhishing Prevention - Initial Training

Details: Category: Social Engineering; Published: Monday, 23 January 2017 18:45

Written by Maria Monteiro, Filipe Custódio, VISIONWARE

This article is the second part of a series published by the DOGANA Consortium with the purpose of providing information on how enabling employees to effectively become a part of the enterprise security. To better understand this article please read the first part "Companies’ role in Antiphishing Prevention”.

PART II: The Human Component’s Fundamental Role in AntiPhishing Prevention - Initial Training

Assessment and training may significantly increase employee awareness, reduce click rates, and increase reports of phishing. They may transform your employees from unwitting targets to human firewalls. They become obstacles to hackers rather than conduits.
The initial testing, training, and ongoing testing should combine to not only elevate your users’ preparedness but sustain and institutionalize it.
Security maturity and cyber readiness requires excellence in people, policy, processes, procedures, and technology to guarantee the necessary cultural change among personnel. This lowers operations costs and barriers to further improvements in policy, process, and technology.
The success pervasively perceived by employees increases their willingness and motivation to hone training in other cybersecurity areas.

Employee education should start with a simple test to evaluate awareness and knowledge of phishing. An easy way is to show employees a collection of known phishing attempts, along with genuine e-mail and Web pages, and ask them to identify the authenticity of each. The feedback from the test can be used for further training.

To make it effective, allow workers to understand that the matter is serious: they have a critical role in protecting the company and its assets. Everyone should be included in the training and exercises. This includes senior management: they are main targets (especially for spear and whale phishing). Besides, their participation is a good example for the whole company. Besides, employees may develop a lack of trust if they find that companies are secretly testing them. It is important that businesses clarify the reasons for their actions and have employees understand the factual need for such measures.
The training should be gradual: don’t expect people to understand advanced phishing examples from day one. Teach them step by step on both phishing scenarios and training modules.
Besides gradual, it should also be periodical: repeat the process at least once every two months. Changing behaviour is a process. Training is important but continuous assessment is even better to set the right mind set. A one-time test yields only temporary results. To be effective businesses need to challenge employees' actions on a recurring basis.
Time it right. Make it as short and concise as possible. Don’t make it a month-long campaign. Time it early in the morning but not too early. You want to reach the main population of employees to make sure that most experience it first hand.
The training should be fun, interactive and short: through a scenario-based, online format with gamification and achievement elements to engage and challenge the user’s understanding of these attacks and decision-making in the handling of these threats.
Deliver different types of phishing attacks – links, attachments, fake websites requesting usernames/passwords, and requests to download rogue applications. Make it interesting. Make sure enough “signs” indicate that it’s not a real one. Don’t make it too hard, so they don’t feel they have no chance to succeed.
During and after training, the workers’ progress must be followed: failures and successes should be signalized and evolution should be taken in account in the upcoming exercises.

It is really important to assure that there is no shaming – campaign results should never be published publicly. Moreover, the landing page for those who have taken the bite on practical exercises should be something easy to absorb. Make sure the messages are positive and deliver the right mind set. Focus on the learning, not the problems they would have caused if it were a real attack. Hands-on experience and positive reinforcement change employee behaviour and promote diligence in the fight against phishing attempts.

The initial phase should teach employees protective safeguards and include them in the company’s IT policy.

Never give out personal, financial or other sensitive information to anyone who requests it.
[Make sure that you’re using a secure Web site when submitting sensitive information. To make sure you’re on a secure Web server, check the URL in your browser’s address bar — it should begin with “https://” rather than the typical “http://”. Also, there should be a closed-padlock image in the browser’s status bar. To ensure that the padlock image is not fake, double click on it and examine the Web site’s security certificate.]
Be suspicious of e-mail that requests sensitive information.
[Most organizations stopped making such requests via e-mail long ago because this tactic is used in phishing and spoofing schemes. If an e-mail asks for sensitive information, it most likely is a phishing attempt.]
Don’t click on links embedded in an e-mail that seems to come from a bank, financial institution or e-commerce vendor.
[In other words, for even a remote possibility of that e-mail being spoofed, don’t click on any links in it. Open a new browser window and manually type the site’s URL in the address bar.]
When prompted for a password, give an incorrect one first.
[A legitimate site will not accept the fake, but the phishing site will.]
Don’t fill in forms contained in e-mail that ask for sensitive information.
[Most responsible organizations don’t use an e-mail form for this purpose, as e-mail is not a secure medium. Submit such information only on secure Web sites.]
Keep your browser and operating system up to date with the most current patches available.
[Phishing attempts exploit browser vulnerabilities to fool users and install malicious code. Take note of this, especially if using Microsoft Internet Explorer.]
Thoroughly check your credit card and bank account statements regularly and look for any unauthorized charges.
Always use updated antivirus and firewall software to protect yourself from phishing attempts that try to surreptitiously install malicious software such as key loggers on your machine.
When in doubt, check. If you doubt the authenticity of a message, check directly with the institution.
If you think you have fallen victim to a phishing attack, notify.

Initial training should then aim at common learning, allowing:

Awareness of key types of phishing attacks: spear phishing, whaling and watering holes;
Learners to be able to define phishing and its risk to the individual and the organization;
The delivery of phishing attacks reviewed to include email, phone and mobile deliveries;
Best practices on how to avoid being phished;
Employees able to identify web links and suspicious URLs.

In this highly interactive training experience, learners are challenged to recognize common types of phishing and social engineering attacks and choose the safest course of action.
The process should continue after, mostly through real world simulations, which allow the employee to individually make its path and progress, learning at his/her own pace.

Don't miss the third part of this series: "The Human Component’s Fundamental Role in AntiPhishing Prevention - Real-World Simulations" which will be published on February 3.

For more information consult the Sources of this Research:

APGW: http://www.antiphishing.org
Berkeley Resources: https://security.berkeley.edu/resources/phishing
BizTech Magazine: http://www.biztechmagazine.com/article/2006/01/phishing-protection
Black Hat Briefings: https://www.blackhat.com/presentations/bh-europe-08/Rosiello/Presentation/bh-eu-08-rosiello.pdf
Carnegie Melon University: Lessons From a Real World Evaluation of Anti-Phishing Training: https://www.cs.cmu.edu/~ponguru/eCrime_APWG_08.pdf
Computer Weekly: http://www.computerweekly.com/tip/Preventing-phishing-attacks-Enterprise-best-practices
Federal Communications Comission: https://transition.fcc.gov/cyber/cyberplanner.pdf
Federal Trade Commission: https://www.consumer.ftc.gov/articles/0003-phishing
Global Learning Systems:
- http://www.globallearningsystems.com/products/anti-phishing-training
- http://www.globallearningsystems.com/index.php/products/phishtrain/
InfoSec Institute:
- https://www.infosecinstitute.com/phishsim
- http://resources.infosecinstitute.com/top-9-free-phishing-simulators/#gref
- http://resources.infosecinstitute.com/category/enterprise/phishing/spear-phishing-and-whaling/#gref
- http://resources.infosecinstitute.com/category/enterprise/phishing/phishing-tools-techniques/
InfoSecurity Magazine: http://www.infosecurity-magazine.com/blogs/effective-phishing-assessment/
IronScales: https://d30npevhrs2eg4.cloudfront.net/wp-content/uploads/2016/11/07090852/combatting-modern-email-phishing-attacks.pdf
Looking Glass Cyber Solutions: https://www.lookingglasscyber.com/blog/phishing-quiz-whats-your-aptitude/
KnowB4:
- https://www.knowbe4.com/products/kevin-mitnick-security-awareness-training/
- https://s3.amazonaws.com/knowbe4.cdn/Best+Practices+for+Dealing+with+Phishing+and+Next-Generation+Malware+-+KnowBe4.pdf
MediaPro: https://www.mediapro.com/courses/phishing-awareness/
PhishLabs: https://www.phishlabs.com/t2-spear-phishing-protection/employee-defense-training/
PhishMe: http://phishme.com/product-services/reporter
PhishTrain:
- https://www.phishtrain.com/email
- https://medium.com/@phishtrain/2-0-phishtrain-update-features-f69f865d2af0#.hfjdr1cqp
SonicWall: https://www.sonicwall.com/phishing/phishing-quiz-question.aspx
Tangible Security: https://tangiblesecurity.com/index.php/services1/employee-security-awareness-training
TechTarget:http://searchsecurity.techtarget.com/news/2240181849/Emerging-antiphishing-tools-use-testing-training-to-educate-users
The State of Security: https://www.tripwire.com/state-of-security/security-awareness/bsidesdc/
Wombat Security:
- https://www.wombatsecurity.com
- https://www.wombatsecurity.com/security-education/educate

by Maria Monteiro, Filipe Custódio (VISIONWARE)