Phishing attacks: Training tips to keep users vigilant

Organizations that take IT security very seriously still fall victim to phishing attacks. How can we guard against social engineering? Here are a few tips from security experts.

Hello, I work at Oak Ridge, one very cool computer lab. I'm on the team that manages Jaguar. What? Oh yeah, it was a bummer when Tianhe (the Chinese supercomputer) tested faster. Don't worry, we'll get the Cray back on top.

Err, what's this? Why would HR send me an email now? My benefits changed. Which ones? Sez to click the link to find out. I thought I wasn't supposed to do that....

That scenario is similar (well kind of) to what happened recently to more than 500 people at Oak Ridge National Laboratory (ORNL). Initial indications are that at least 50 people clicked the phishing link, beginning the successful download of malware due to a zero-day vulnerability.

Under attack

The U.S. National Laboratories are target-rich environments for secret-stealers. That's why they need and have some of the best IT and physical security experts on the planet working to keep things safe.

You may remember one of my heroes, Roger Johnson, head of the Vulnerability Assessment Team at Argonne National Laboratory. He breaks into things. Then fixes them so bad guys don't have the same opportunity.

I asked him about the phishing attack at ORNL. He replied:

"Yeah, 57 out of 530 employees responding to the phishing email seems to be a fairly consistent percentage for organizations. Getting to 0% is very difficult, even with well educated and motivated employees."

I see Roger's point. There have been several times when I stopped just short of getting suckered. And I write about this stuff.

I kept bugging Roger about what happened. Yet, he deftly avoided my barrage:

"Well, I'm really not a cyber-security expert. I mostly do physical security. I suggest you submit your questions to my colleague, Tyler Murphy. I will kind of look over his shoulder and provide my 2 cents.

He's not really going to be able to talk about how we do things here. That is a good security policy in and of itself. But, he can certainly talk about good cyber security practice in general."

Tyler works at Argonne National Lab as a network admin in the Nuclear Engineering Division. His specialty is cyber security and cyber security policy. As needed, Tyler also collaborates with Roger and the VAT.

Advice from Argonne

Plain and simple, phishing attacks work. With humans involved, completely eliminating this attack vector may not be possible. But, heeding advice from trusted experts will help stem the tide. Here's what two of them had to say.

Kassner: How do you get the word out and make sure employees understand what is required of them when it comes to security?

Murphy: Employees hold a unique position in cyber security, especially in regards to "phishing" or social engineering attacks. The employee is both part of the problem and part of the solution.

In order to make employees part of the solution, training is essential. Employees should be consistently briefed on what would qualify as a "suspicious" email, and what to do with it. The fact is, no matter how tough your external security may be, attackers will find a way to get in.

So you must train your employees to be conscious of any social-engineering threats that they may face. In order for them to stay informed and aware of the problems, management should:

  • Send email newsletters
  • Require mandatory training
  • Mandate refresher courses after a given amount of time

The key is to keep employees informed and to not let them get comfortable with sloppy security practices, because the very nature of a social engineering attack is to lure you into a false sense of comfort.

Kassner: Since my focus is on phishing attacks, are there any specific suggestions that you give employees?

Murphy: Be suspicious of everything, especially emails from an unknown address. Be sure to use extra caution if an email is asking for credentials or if an email is referring you to a URL link.

In my experience, the most effective attacks are the ones that "look" official and use official-looking logos. So be aware of your company's policy towards requesting passwords or credentials. When in doubt, pick up the phone and call. No one in the cyber security field should ever get upset or annoyed if an employee seeks verification.

Kassner: Have you seen the email used in the attack? Is it official enough to fool people?

Murphy: It's my understanding that the email did have an official look. We should all bear in mind, however, that making something look official is not difficult. The hard and fast rule for any organization should be "we will never ask for your credentials over the phone or email." If this policy is put in place and followed, it can stop the most convincing attacks.

An email may look like it was sent directly from management, but if your organization has enacted and reinforced a "no credential request" policy the employee will automatically be suspicious and the attack is dead in the water.

Kassner: Roger, you mentioned something about a "Password of the Day." Could you explain how it would work?

Johnson: The password of the day is a concept that is thousands of years old. It isn't a fabulous cyber countermeasure, because outsiders can often social engineer their way into getting it. But it is cheap, easy, and is most effective when the attackers are totally non-local -- as is often the case for cyber attacks.

The idea is that, for example, the password today is "hamburger" and the password tomorrow is "excitable". The passwords can be:

  • Printed up on calendars a month in advance.
  • Made available on an internal web site that is password protected
  • Played on a recorded message on an internal-only phone line.
  • Put up on electronic signs or bulletin boards around the facility.

Or whatever. The point is that there is a separate, credible channel of communication for the password, even if that channel is not particularly secure.

Any official email or substantial IT instructions with action items must contain the correct password of the day, or they must be ignored. There could even be separate passwords for the different shifts.

There are more secure approaches (like authentication hashes), but this one is fairly painless, and reminds employees on a daily basis about the threat of cyber attacks and social engineering in a way that an automated authentication hash (or encryption) does not.
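The password-of-the-day rule and the "authentication hash" alternative Johnson contrasts it with, as an added example that is not part of the original article or Argonne's own practice. The calendar of daily words, the shift names and the HMAC key are constructed for the demonstration; the point it shows is the trade-off stated above: a daily word is simple and human-checkable but, once learned, satisfies the check in any message, whereas a keyed hash vouches only for the exact text it was computed over.

```python
import hashlib
import hmac
import re
from datetime import date

# Constructed sample calendar (not from the article): one password per ISO date
# and shift, the kind of list that would be printed a month ahead and handed
# out only over internal channels (calendar, internal site, phone line, signs).
DAILY_PASSWORDS = {
    "2011-04-20": {"day": "hamburger", "night": "lantern"},
    "2011-04-21": {"day": "excitable", "night": "granite"},
}


def password_of_the_day(when, shift="day", calendar=DAILY_PASSWORDS):
    """Return the password issued for an ISO date and shift, or None if none was issued."""
    return calendar.get(when, {}).get(shift)


def carries_daily_password(body, when, shift="day", calendar=DAILY_PASSWORDS):
    """The rule from the interview: an official instruction must quote the current
    password of the day or it is ignored. Only the word for the given date and
    shift counts; yesterday's word or a near miss ('hamburgers') does not."""
    expected = password_of_the_day(when, shift, calendar)
    if expected is None:
        return False
    # Whole-word, case-insensitive match so the word must appear as itself.
    pattern = r"\b" + re.escape(expected) + r"\b"
    return re.search(pattern, body, re.IGNORECASE) is not None


# The "more secure approach (like authentication hashes)" from the interview,
# shown here as an HMAC keyed with a secret that stays inside the IT systems.
# Constructed demo key: a real deployment would generate and protect its own.
DEMO_KEY = b"constructed-demo-key-replace-in-practice"


def authenticate(body, key=DEMO_KEY):
    """Produce the tag an official instruction would carry."""
    return hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()


def verify(body, tag, key=DEMO_KEY):
    """Check a tag in constant time; any change to the body invalidates it."""
    return hmac.compare_digest(authenticate(body, key), tag)


def leaked_secret_comparison(leaked_word, when):
    """Illustrate the weakness Johnson names: if the daily word leaks, a message
    quoting it passes the daily check, while a tag taken from some genuine
    message does not verify over any other body. Returns (daily_ok, hmac_ok)."""
    unrelated_body = f"Please follow the attached instructions. Today's word: {leaked_word}"
    daily_ok = carries_daily_password(unrelated_body, when)
    genuine_body = "Refresher training at 10:00 in room B."
    genuine_tag = authenticate(genuine_body)
    hmac_ok = verify(unrelated_body, genuine_tag)
    return daily_ok, hmac_ok


if __name__ == "__main__":
    today = date.today().isoformat()
    print("Password issued for today:", password_of_the_day(today))
    print("Leaked-word comparison for 2011-04-20:",
          leaked_secret_comparison("hamburger", "2011-04-20"))
```

The daily-word check is deliberately a plain string test, since its value is the human habit it builds rather than cryptographic strength; the HMAC functions are what a mail or ticketing system would use if the organization wants the check to hold even after the word has been talked out of someone.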

Kassner: In light of what has happened, could you speculate as to what changes may be coming?

Murphy: This was a serious incident. And, the only way to move forward is to learn from it. They need to find out how and why these breaches in security occurred and use that knowledge to improve security.

Without a doubt, this event is going to encourage more employee training, and inspire a more conscious effort towards keeping employees better informed about social-engineering risks.

With respect to social engineering as a whole, the big lesson that needs to be taken away is this: Countering security threats is not only the responsibility of cyber-security professionals. It is the responsibility of all employees.

Kassner: Any other thoughts either of you would like to share?

Murphy and Johnson: We both think it makes sense to randomly test employees with fake social-engineering attacks. Then reward those who do not take the bait.

For example, everybody not clicking on the fake phishing email gets a lottery ticket for a really great prize. Or maybe the first dozen employees who report a phishing attempt get a prize.

If security is just about punishing people, then security becomes this unpleasant, "us versus them" thing. On the other hand, if employees get praise, recognition, and prizes for practicing good security, it becomes a positive thing we can all get behind.

Kassner: Good advice from the trenches.

Final thoughts

No one is immune from phishing. Thinking so is exactly what the bad guys want. It makes their job easier.

I can always count on my friends at Argonne to help with a thorny issue. Thank you, Roger and Tyler.

11 comments
bboyd

Just don't allow HTML emails in intra-company systems. Tag any incoming external mail with a "THIS IS EXTERNAL MAIL" tag. Why make it easier to attack when simplified systems will foil most of the attacks? Still, the no-credentials-asked policy is and always will be the fundamental building block. People need to stop giving things like driver's licenses to merchants. Heck, the whole territory of the US Virgin Islands had their birth certificates invalidated as US ID because of that reason. Merchants would make a copy to secure credit. So passport forgers started using those copies to make fake passport requests.

Michael Horowitz

Murphy's comment to "Be suspicious of everything, especially emails from an unknown address." strikes me as wrong. The most dangerous emails pretend to be from a known trusted source. In fact, that's the gist of much of this article.

Michael Kassner

Sorry, I had to. Seriously, any help is a good thing when it comes to keeping each and every one of us safe from phishing attacks.

Michael Kassner

Pretending implies the source email address is unknown; otherwise, why the ruse?

AnsuGisalas

I can see your point, but on the other hand: if 1% of emails from known-sounding addresses are fake and malign, then probably 99% of emails from unknown addresses are also malign. So the unknown address IS a big danger sign. It's just not the only one. Ultimately the content is the big tell-tale; teach people to know what will be phished for, so they can learn to say "uh-oh" whenever someone asks for those things. Same with children: they have to know which information bad people will ask for; it's often the only tell...

santeewelding

My good friend... You occupy your comment with surface effect. Perhaps, because, you also write, and are accustomed to finding anything to get the bare tip of a fingernail under, pick up, and peel. So am I accustomed. There are no edges here. Beware yours.

Spitfire_Sysop

According to P.T. Barnum this cannot be avoided. Perhaps you could identify the "suckers" at your organization through the random testing. When employees fall into your honeypot you can put them on a wall of shame. If you see a pattern of the same people falling for the scams you can try to teach the old dogs new tricks. Perhaps a little e-mail tracker could highlight a message from a new sender, notifying: "You have never received mail from this person before. Take care to verify the sender is who they claim to be." Implementing digital signatures internally could differentiate internal communications from external.
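The gateway-side controls suggested in bboyd's and Spitfire_Sysop's comments (tag external mail, warn on a never-seen sender, flag HTML on internal systems, and watch for a display name that looks internal on an external address), as an added example that is not part of the article or of any commenter's setup. The domain names, the known-sender list and the two sample messages are constructed; the checks use only what the `email` module can read from headers and MIME types.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed placeholders (not from the article): the organisation's own mail
# domain and the correspondents this mailbox has already received mail from.
INTERNAL_DOMAINS = {"lab.example"}
KNOWN_SENDERS = {"hr@lab.example", "vendor@partner.example"}

EXTERNAL_TAG = "[EXTERNAL]"
FIRST_CONTACT_BANNER = ("You have never received mail from this sender before. "
                        "Take care to verify the sender is who they claim to be.")
LOOKALIKE_BANNER = ("The display name looks like an internal address, "
                    "but the message came from outside the organisation.")
HTML_BANNER = "Internal mail policy is plain text only; this message carries an HTML body."


def sender_facts(msg, internal_domains, known_senders):
    """Header-only checks a mail gateway can run cheaply on every inbound message."""
    display_name, address = parseaddr(msg.get("From", ""))
    address = address.lower()
    domain = address.rpartition("@")[2]
    external = domain not in internal_domains
    return {
        "address": address,
        "external": external,
        # The 'new sender' tracker: first mail ever seen from this address.
        "first_contact": address not in known_senders,
        # External address whose display name borrows an internal domain name.
        "lookalike_name": external and any(d in display_name.lower() for d in internal_domains),
        # HTML anywhere in the MIME tree (walk() yields the message itself when not multipart).
        "html_body": any(part.get_content_type() == "text/html" for part in msg.walk()),
    }


def tag_inbound(raw_message, internal_domains=INTERNAL_DOMAINS, known_senders=None):
    """Tag the subject of external mail and prepend warning banners to the body.

    Returns (rewritten message text, facts dict, banners added). The known_senders
    set is updated so the next message from the same address is no longer first contact.
    """
    if known_senders is None:
        known_senders = set(KNOWN_SENDERS)
    msg = message_from_string(raw_message)
    facts = sender_facts(msg, internal_domains, known_senders)

    if facts["external"]:
        subject = msg.get("Subject", "")
        if not subject.startswith(EXTERNAL_TAG):
            del msg["Subject"]  # deleting a missing header is a no-op, unlike replace_header()
            msg["Subject"] = f"{EXTERNAL_TAG} {subject}".strip()
    facts["subject"] = msg.get("Subject", "")

    banners = []
    if facts["first_contact"]:
        banners.append(FIRST_CONTACT_BANNER)
    if facts["lookalike_name"]:
        banners.append(LOOKALIKE_BANNER)
    if facts["html_body"] and not facts["external"]:
        banners.append(HTML_BANNER)

    # Only a simple text body is rewritten; multipart mail needs a banner per alternative.
    if banners and not msg.is_multipart() and msg.get_content_type() == "text/plain":
        msg.set_payload("\n".join(banners) + "\n\n" + msg.get_payload())

    known_senders.add(facts["address"])
    return msg.as_string(), facts, banners


# Constructed sample messages for the demonstration.
SAMPLE_LOOKALIKE = (
    'From: "HR lab.example" <benefits@mail-notify.example>\n'
    "To: someone@lab.example\n"
    "Subject: Your benefits have changed\n"
    "Content-Type: text/plain\n"
    "\n"
    "Click the link below to see which benefits changed.\n"
)
SAMPLE_INTERNAL = (
    "From: hr@lab.example\n"
    "To: someone@lab.example\n"
    "Subject: Refresher course schedule\n"
    "Content-Type: text/plain\n"
    "\n"
    "Mandatory refresher training runs next week.\n"
)

if __name__ == "__main__":
    seen = set(KNOWN_SENDERS)
    for raw in (SAMPLE_LOOKALIKE, SAMPLE_INTERNAL):
        text, facts, banners = tag_inbound(raw, known_senders=seen)
        print(facts["subject"], facts, banners, sep="\n", end="\n\n")
```

The subject tag and banner make the external origin visible without relying on the reader to inspect headers, and the first-contact flag clears itself after one message so the warning stays rare enough to be noticed.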

AnsuGisalas

You have to consider the work force. They're not all sysops, and they're not all suspicious curmudgeons either. And they probably shouldn't be, either... If you start punishing them for falling for a very effective tactic, they'll only resent Security. After all, it's their attitude BEFORE the phishing attack which makes the difference. We can all be duped by a fast-talker, and we need to realize this - it makes us more secure to know it, and it makes us better able to understand the (other) potential targets, too. We need to work with the dupes-to-be, not against them.

Michael Kassner

There are perfect-storm moments when even the best-informed could be fooled.

santeewelding

And the Perfect Storm is Category 5. That's how I snookered myself -- more than once.