So I know that everyone was worried about WannaCry and the ransomware epidemic that we just had. Though this type of attack isn’t new, this particular instance got so much attention because it was such a large attack and affected so many around the world. Many organizations immediately started researching with their security vendors how to detect, deter and remediate... Sound familiar? Yeah, that’s Core’s line, and we have products that could have helped then and can help today. But I’m not here to sell you on those things. I would rather have you look at the weakest link in an organization: the one that should be your first line of defense instead of the gateway into the company. All of the existing security infrastructure you have in place could be practically worthless because of a simple action taken by this weakest link. What is this weakest link? Some of you may have guessed it - your users.
How many times have you heard of breaches caused by social engineering or phishing? I bet many, because that’s how most start. Take the recent WannaCry. You had to click or download to get infected, which requires an interaction by a user. Many who are tasked with protecting organizations provide plenty of security where it’s required and help to protect the information within a network from the endpoint to egress and vice versa. But what happens when these phishing attacks become more complex, less detectable or a zero-day type? With all of this technology we use, why not go back to good old training and awareness? Wouldn’t it be nice to stop, or at least slow down, the potential compromise of your company? Well, you can, by adding training and testing to all of your existing security.
Now training is simple. Have recorded sessions on security awareness and run a campaign with your employees to equip them with the proper knowledge of how to operate safely in your organization; many organizations provide this online - SANS has one that is pretty good. Now I know that sometimes users roll their eyes at these types of trainings, but why not follow up with some testing? Actually phish your users and see if they click on emails and/or download what is attached. I can tell you from experience - there is nothing like getting caught to make users aware. Here at Core Security we are big on security. So much so that we look out for users who walk away from their stations without locking them. If one is found, an email is usually sent out to the whole organization in a joking fashion. For example, it could be a resignation letter stating they will be moving on to go jump on beds for a living... Yeah, it may sound childish, but it’s a little embarrassing, and the next time that person walks away without locking their computer they’ll think twice (happens every 6 months or so, usually a Noob). The same would happen if someone fell for the bait in a phishing campaign. I bet the next time they get a suspicious email they will think twice, possibly question the email, and would rather be safe than sorry.
Now testing and executing is something you can easily do with repetition so users can continuously be made aware. Maybe you are already doing it once a year, or just doing so to check a box. Nowadays, we are doing a million things and need some reminding from time to time. Attackers are looking for you to make an error, and when you don’t, their thought process may be, “Hmm, didn’t happen this month, but I’ll try again in a couple more months to see if I can have them make a mistake.”
Why not deliver more frequent tests - especially to the users who have access to very sensitive data (PII, PCI, etc.)? Take Core Impact for example. It can actually run the type of security awareness campaigns where you can know who clicked on an email and even capture information to expose any vulnerabilities the system may have, or even the user, for that matter. If the user clicks on the link, it can redirect them to an internal Security Awareness page to retrain. There are many ways to accomplish this, and the testing can range from simply registering who clicks to trying to compromise the system with a download or attachment. In my most recent webinar, I went over some quick and easy ways to do this testing. My colleague, Bobby Kuzma, also has a recording and blog on more specific techniques in Windows for those who want to try to gain control of or even test security on the devices or users being phished. Check them out and you can see how easily you can implement this type of testing in your organization.
Being able to enhance your existing training with this type of testing (since it sticks) will only benefit the organization, strengthen those doors and hopefully make your users smarter. With automation and scheduling available, you can easily set up some repeatable testing. Imagine you’re an organization that gets breached and you come to find out that it was the receptionist who was the entry point (open door), all because she forgot about the training she received six months prior and clicked on a personal email. That’s all it takes to start an attack. Wouldn’t it be nice to have some peace of mind knowing that your users are smarter than that? If not, then start making them!