Client-side attacks now sit at the top of most organizations’ security concerns, and the only way to know whether your organization can withstand them is to go on the offensive and test your end users.
This year at the RSA conference, Core Security held a user group meeting to help us gain a better understanding of our customers’ thoughts on the current state of IT security and to talk about their primary areas of concern.
During the discussion, one of our customers relayed their organization’s results from using CORE IMPACT Pro to conduct an internal client-side penetration test against their own end users: 85 percent of them clicked on the link in the e-mail-borne assessment. That number is obviously very high, and the e-mail had been crafted to mimic a spear-phishing attempt.
After that first test, the organization ran new security education programs for its users based on the client-side results, training that highlighted the severity of clicking on links without first verifying their legitimacy. A follow-up client-side pen test then showed only 5 percent of the targeted audience clicking on the link provided.
Now those are some impressive results.
Yet when it only takes one person to compromise your entire network, 5 percent is worlds better than 85 percent but still not zero, and the follow-up test shows that organizations need to keep working diligently to effect lasting changes in their end users’ behavior.
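The test-train-retest loop described above hinges on measuring who actually clicked. The following is an added example (not code from the original post and not part of IMPACT Pro) showing how such a measurement can be done: each recipient gets a unique tracking link derived with an HMAC from a per-campaign secret, so the e-mail address never appears in the URL and tokens cannot be enumerated, and the landing host's access log is then parsed to count distinct clickers. The secret, hostname, recipient roster and log lines are all constructed for this example; the baseline and follow-up logs are built to reproduce the 85 percent and 5 percent figures quoted above.

```python
"""Measure a simulated phishing campaign's click rate from per-recipient tracking links.

Added example; the campaign secret, host, roster and log lines below are constructed
for illustration and are not data from the original post.
"""
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone

SECRET = b"campaign-example-secret-keep-server-side"   # assumed per-campaign secret
BASE_URL = "https://assessment.example.com"            # hypothetical landing host
RECIPIENTS = [f"user{i:02d}@example.com" for i in range(1, 21)]  # 20 constructed targets


def tracking_token(secret: bytes, address: str) -> str:
    """Per-recipient token: HMAC-SHA256 of the normalized address, truncated to 20 hex chars.

    The address itself never goes into the URL, and without the secret nobody can
    forge or enumerate valid tokens to pollute the results.
    """
    mac = hmac.new(secret, address.strip().lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:20]


def build_links(secret: bytes, base_url: str, recipients) -> dict:
    """Map each recipient to the unique link embedded in their message."""
    return {addr: f"{base_url}/t/{tracking_token(secret, addr)}" for addr in recipients}


# Matches one Apache/nginx "combined"-style access-log line for a hit on the landing path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /t/(?P<token>[0-9a-f]+)(?:\?\S*)? HTTP/1\.[01]" (?P<status>\d{3})'
)


def click_rate(secret: bytes, recipients, log_lines) -> dict:
    """Count distinct recipients who followed their link.

    Repeat clicks by the same person count once.  Tokens this campaign never issued
    (typos, scanners, someone guessing) are reported separately so they cannot
    inflate or dilute the rate.
    """
    token_to_addr = {tracking_token(secret, a): a for a in recipients}
    clicked, unknown = set(), 0
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        addr = token_to_addr.get(m.group("token"))
        if addr is None:
            unknown += 1
        else:
            clicked.add(addr)
    return {
        "clicked": len(clicked),
        "targeted": len(recipients),
        "rate": len(clicked) / len(recipients),
        "unknown_tokens": unknown,
    }


def make_log(secret: bytes, clickers, extra_lines=()) -> list:
    """Construct access-log lines for this example (stand-in for a real web-server log)."""
    t0 = datetime(2009, 4, 21, 9, 0, tzinfo=timezone.utc)
    lines = []
    for i, addr in enumerate(clickers):
        ts = (t0 + timedelta(minutes=i)).strftime("%d/%b/%Y:%H:%M:%S +0000")
        lines.append(
            f'10.0.0.{i + 10} - - [{ts}] "GET /t/{tracking_token(secret, addr)} HTTP/1.1" 200 512'
        )
    return lines + list(extra_lines)


# Baseline: 17 of 20 clicked (user01 clicked twice).  Follow-up after training: 1 of 20,
# plus one hit with a token this campaign never issued.
BASELINE_LOG = make_log(SECRET, RECIPIENTS[:17] + [RECIPIENTS[0]])
FOLLOWUP_LOG = make_log(
    SECRET,
    [RECIPIENTS[4]],
    extra_lines=['203.0.113.9 - - [22/Apr/2009:10:00:00 +0000] '
                 '"GET /t/deadbeefdeadbeefdead HTTP/1.1" 404 0'],
)

if __name__ == "__main__":
    for name, log in (("baseline", BASELINE_LOG), ("follow-up", FOLLOWUP_LOG)):
        r = click_rate(SECRET, RECIPIENTS, log)
        print(f"{name}: {r['clicked']}/{r['targeted']} clicked ({r['rate']:.0%}), "
              f"{r['unknown_tokens']} hit(s) with unknown tokens")
```

Two design points matter in practice: the token is keyed, so a curious recipient who edits the URL cannot land on a colleague's token and attribute a click to them, and clicks are deduplicated per recipient, so one enthusiastic re-clicker does not skew the rate. Hits with unknown tokens are worth keeping as a separate number; a burst of them usually means a mail gateway or link scanner fetched the page, not a user.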
You can be as diligent as you like and as paranoid as your firewalls, but in the end, no matter how much you patch and harden your systems, client-side attacks will keep succeeding unless you go to greater lengths to secure the inside of your network and to train your employees.
The truth is that people inherently trust things that appear to come from a reliable source, and attackers understand that reality and know how to exploit it.
Get rid of the "ZOMG I have a firewall!" attitude and start proactively securing the inside of your networks. Even if you feel you have reached a place where you can get a night’s rest without worrying about your servers, it means nothing if you have a happy link-clicker, MySpace-er, Facebook-er, or even YOU, the Twitter-er. Those tiny URLs sure are cute, huh? You cannot tell where one leads until you have already followed it.
Using the Client-Side Pen Test functionality in IMPACT Pro could save you a lot of embarrassment, even if it means waiting while you cut through the red tape that often comes with gaining approval for these types of end-user tests.
And for those of you asking, “Will Microsoft IE 8 save us?”, understand that the security hype around IE 8, like that around any other software or Web app, will last only as long as it takes attackers to break it. This cycle will never stop, and defensive solutions will always struggle to keep pace with new attacks.
In this economic downturn, where everyone wants to be the hero, cutting corners to save funds in the never-ending arms race called IT security is not your best bet. Stand tall and learn precisely how your users behave when presented with potential attacks… pen-test!
-Caitlin Johanson, Technical Support Engineer