Hello, I work at Oak Ridge, one very cool computer lab. I’m on the team that manages Jaguar. What? Oh yeah, it was a bummer when Tianhe (the Chinese supercomputer) tested faster. Don’t worry, we’ll get the Cray back on top.

Err, what’s this? Why would HR send me an email now? My benefits changed. Which ones? Sez to click the link to find out. I thought I wasn’t supposed to do that…

That scenario is similar (well kind of) to what happened recently to more than 500 people at Oak Ridge National Laboratory (ORNL). Initial indications are that at least 50 people clicked the phishing link, beginning the successful download of malware due to a zero-day vulnerability.

Under attack

The U.S. National Laboratories are target-rich environments for secret-stealers. That’s why they need and have some of the best IT and physical security experts on the planet working to keep things safe.

You may remember one of my heroes, Roger Johnson, head of the Vulnerability Assessment Team at Argonne National Laboratory. He breaks into things. Then fixes them so bad guys don’t have the same opportunity.

I asked him about the phishing attack at ORNL. He replied:

“Yeah, 57 out of 530 employees responding to the phishing email seems to be a fairly consistent percentage for organizations. Getting to 0% is very difficult, even with well educated and motivated employees.”

I see Roger’s point. There have been several times when I stopped just short of getting suckered. And I write about this stuff.

I kept bugging Roger about what happened. Yet, he deftly avoided my barrage:

“Well, I’m really not a cyber-security expert. I mostly do physical security. I suggest you submit your questions to my colleague, Tyler Murphy. I will kind of look over his shoulder and provide my 2 cents.

He’s not really going to be able to talk about how we do things here. That is a good security policy in and of itself. But, he can certainly talk about good cyber security practice in general.”

Tyler works at Argonne National Lab as a network admin in the Nuclear Engineering Division. His specialty is cyber security and cyber security policy. As needed, Tyler also collaborates with Roger and the VAT.

Advice from Argonne

Plain and simple, phishing attacks work. With humans involved, completely eliminating this attack vector may not be possible. But, heeding advice from trusted experts will help stem the tide. Here’s what two of them had to say.

Kassner: How do you get the word out and make sure employees understand what is required of them when it comes to security?
Murphy: Employees hold a unique position in cyber security, especially in regards to “phishing” or social engineering attacks. The employee is both part of the problem and part of the solution.

In order to make employees part of the solution, training is essential. Employees should be consistently briefed on what would qualify as a “suspicious” email, and what to do with it. The fact is, no matter how tough your external security may be, attackers will find a way to get in.

So you must train your employees to be conscious of any social-engineering threats that they may face. In order for them to stay informed and aware of the problems, management should:

  • Send email newsletters
  • Require mandatory training
  • Mandate refresher courses after a given amount of time

The key is to keep employees informed and to not let them get comfortable with sloppy security practices, because the very nature of a social engineering attack is to lure you into a false sense of comfort.

Kassner: Since my focus is on phishing attacks, are there any specific suggestions that you give employees?
Murphy: Be suspicious of everything, especially emails from an unknown address. Be sure to use extra caution if an email is asking for credentials or if an email is referring you to a URL link.

In my experience, the most effective attacks are the ones that “look” official and use official-looking logos. So be aware of your company’s policy towards requesting passwords or credentials. When in doubt, pick up the phone and call. No one in the cyber security field should ever get upset or annoyed if an employee seeks verification.

Kassner: Have you seen the email used in the attack? Is it official enough to fool people?
Murphy: It’s my understanding that the email did have an official look. We should all bear in mind, however, that making something look official is not difficult.

The hard and fast rule for any organization should be “we will never ask for your credentials over the phone or email.” If this policy is put in place and followed, it can stop the most convincing attacks.

An email may look like it was sent directly from management, but if your organization has enacted and reinforced a “no credential request” policy the employee will automatically be suspicious and the attack is dead in the water.
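Murphy’s three warning signs, turned into checks an inbox filter or help desk could run, as an added example (this is not code from the article, from Argonne or from ORNL): a sender domain outside the organization, a request for credentials, and a link whose visible text names one site while its href points to another. The domains `example.gov` and `benefits-update.net`, the two sample messages and the phrase list are constructed for the illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for the example: the organisation's own mail/web domains.
TRUSTED_DOMAINS = {"example.gov"}

# Phrases that signal a request for credentials. The policy described above is
# that such requests never arrive by email, so any hit is a warning.
CREDENTIAL_PATTERNS = [
    r"\bpassword\b", r"\bcredentials?\b", r"\blog ?in\b", r"\busername\b",
    r"\bverify your account\b", r"\bconfirm your identity\b",
]

URL_LIKE = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+")

# Constructed sample: a lure in the style of the scenario at the top of the page.
PHISH_SAMPLE = """From: HR Benefits <hr@example.gov.benefits-update.net>
To: staff@example.gov
Subject: Your benefits have changed
Content-Type: text/html

<p>Your benefits have changed. Please <a href="http://benefits-update.net/login">log in at https://hr.example.gov</a>
and confirm your password to review the new plan.</p>
"""

# Constructed sample: an ordinary internal notice with no action requested.
BENIGN_SAMPLE = """From: IT Helpdesk <helpdesk@example.gov>
To: staff@example.gov
Subject: Maintenance window
Content-Type: text/html

<p>The file server will be rebooted Saturday at 06:00. No action is needed.</p>
"""


class _BodyCollector(HTMLParser):
    """Pull visible text and (href, anchor text) pairs out of an HTML body."""

    def __init__(self):
        super().__init__()
        self.text, self.links = [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href"), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def _host(value):
    """Host part of a URL or bare domain, lower-cased ('' if none)."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def _is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def triage(raw_message):
    """Return the list of warnings the heuristics raised; [] means none fired."""
    msg = message_from_string(raw_message)
    warnings = []

    # 1. Unknown sender domain (extra caution with unknown addresses).
    match = re.search(r"@([\w.-]+)", msg.get("From", ""))
    sender_host = match.group(1).lower() if match else ""
    if not _is_trusted(sender_host):
        warnings.append(f"sender domain {sender_host!r} is not an internal domain")

    collector = _BodyCollector()
    collector.feed(msg.get_payload())
    text = " ".join(collector.text).lower()

    # 2. The email asks for credentials, which the policy says never happens by email.
    hits = [p for p in CREDENTIAL_PATTERNS if re.search(p, text)]
    if hits:
        warnings.append("asks for credentials (matched: " + ", ".join(hits) + ")")

    # 3. Links: visible text naming one site while the href goes to another,
    #    plus any link that leaves the internal domain.
    for href, anchor in collector.links:
        target = _host(href)
        shown = URL_LIKE.search(anchor)
        if shown and _host(shown.group(0)) != target:
            warnings.append(f"link text shows {_host(shown.group(0))!r} but points to {target!r}")
        if not _is_trusted(target):
            warnings.append(f"link leads outside the internal domain: {target!r}")
    return warnings


if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage(sample) or ["no warnings"])
```

The lure trips all three signals (the look-alike sender domain, “log in” and “password” in the text, and a link whose anchor text shows `hr.example.gov` while the href goes to `benefits-update.net`), while the maintenance notice produces no warnings. The point of the “no credential request” policy is the second check: once the rule exists, a credential request is a warning on its own, however official the logos look.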

Kassner: Roger, you mentioned something about a “Password of the Day.” Could you explain how it would work?
Johnson: The password of the day is a concept that is thousands of years old. It isn’t a fabulous cyber countermeasure, because outsiders can often social engineer their way into getting it. But it is cheap, easy, and is most effective when the attackers are totally non-local — as is often the case for cyber attacks.

The idea is that, for example, the password today is “hamburger” and the password tomorrow is “excitable”. The passwords can be:

  • Printed up on calendars a month in advance.
  • Made available on an internal web site that is password protected.
  • Played on a recorded message on an internal-only phone line.
  • Put up on electronic signs or bulletin boards around the facility.

Or whatever. The point is that there is a separate, credible channel of communication for the password, even if that channel is not particularly secure.

Any official email or substantial IT instructions with action items must contain the correct password of the day, or they must be ignored. There could even be separate passwords for the different shifts.

There are more secure approaches (like authentication hashes), but this one is fairly painless, and reminds employees on a daily basis about the threat of cyber attacks and social engineering in a way that an automated authentication hash (or encryption) does not.
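Johnson’s password of the day, worked through as an added example that is not the article’s or Argonne’s own scheme: the word for each day and shift is derived from a secret with HMAC-SHA256 over a small word list, so a month of them can be printed ahead as the calendar he describes without anyone keeping a list, and a message counts as official only if it carries the current word as a whole word. The secret, the word list (it starts with the page’s own “hamburger” and “excitable”) and the shift names are assumptions made for the example.

```python
import hashlib
import hmac
import re
from datetime import date, timedelta

# Constructed word list; a real deployment would use a much longer one so the
# same word rarely repeats on nearby days.
WORDLIST = [
    "hamburger", "excitable", "lantern", "granite", "velvet", "compass",
    "orchard", "tundra", "saffron", "marble", "harbor", "quartz",
    "meadow", "falcon", "timber", "cobalt",
]

# Assumed shift names; Johnson mentions separate passwords per shift.
SHIFTS = ("day", "evening", "night")


def password_for(secret, iso_day, shift="day"):
    """Word for one day (ISO 'YYYY-MM-DD') and shift, derived from the secret.

    HMAC-SHA256 keyed by the secret over the day/shift label picks an index into
    WORDLIST, so whoever holds the secret can regenerate any day's word without
    storing the calendar.
    """
    label = f"{iso_day}/{shift}".encode()
    digest = hmac.new(secret, label, hashlib.sha256).digest()
    index = int.from_bytes(digest[:4], "big") % len(WORDLIST)
    return WORDLIST[index]


def calendar_rows(secret, first_day, days=30, shifts=SHIFTS):
    """Rows of (iso_day, shift, word): the thing printed a month ahead and pinned up."""
    start = date.fromisoformat(first_day)
    rows = []
    for offset in range(days):
        iso_day = (start + timedelta(days=offset)).isoformat()
        for shift in shifts:
            rows.append((iso_day, shift, password_for(secret, iso_day, shift)))
    return rows


def is_official(message, secret, iso_today, shift="day"):
    """True only if the message contains the current word as a whole word.

    Anything that claims to be official IT instruction and lacks the word is to
    be ignored, which is the rule stated above.
    """
    word = password_for(secret, iso_today, shift)
    return re.search(rf"\b{re.escape(word)}\b", message, re.IGNORECASE) is not None


if __name__ == "__main__":
    secret = b"constructed-example-secret"   # assumption: kept by whoever prints the calendar
    for row in calendar_rows(secret, "2011-04-20", days=3):
        print(*row)
    today = password_for(secret, "2011-04-20")
    print(is_official(f"IT notice ({today}): patch your workstation today.", secret, "2011-04-20"))
    print(is_official("HR notice: click the link to see your new benefits.", secret, "2011-04-20"))
```

The check itself is deliberately undemanding: a message either carries the word published through the separate channel or it does not. What the derivation adds is that the calendar can be regenerated from the secret and a date, so lost printouts do not break the scheme, and shifts get different words for free by changing the label.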

Kassner: In light of what has happened, could you speculate as to what changes may be coming?
Murphy: This was a serious incident. And, the only way to move forward is to learn from it. They need to find out how and why these breaches in security occurred and use that knowledge to improve security.

Without a doubt, this event is going to encourage more employee training, and inspire a more conscious effort towards keeping employees better informed about social-engineering risks.

With respect to social engineering as a whole, the big lesson that needs to be taken away is this: Countering security threats is not only the responsibility of cyber-security professionals. It is the responsibility of all employees.

Kassner: Any other thoughts either of you would like to share?

Murphy and Johnson: We both think it makes sense to randomly test employees with fake social-engineering attacks. Then reward those who do not take the bait.

For example, everybody not clicking on the fake phishing email gets a lottery ticket for a really great prize. Or maybe the first dozen employees who report a phishing attempt get a prize.

If security is just about punishing people, then security becomes this unpleasant, “us versus them” thing. On the other hand, if employees get praise, recognition, and prizes for practicing good security, it becomes a positive thing we can all get behind.

Kassner: Good advice from the trenches.

Final thoughts

No one is immune from phishing. Thinking so is exactly what the bad guys want. It makes their job easier.

I can always count on my friends at Argonne to help with a thorny issue. Thank you, Roger and Tyler.