Phishing as Part of Security Awareness Training

Security awareness training is very broad in scope, but essentially it amounts to creating a formalized environment for familiarizing and educating employees about proper procedures for protecting a company from intrusion and theft. Properly designed, it should ensure that all workers understand corporate policies and procedures for using company assets in a secure and conscientious manner.

That being said, phishing is a black art. It is designed to trick otherwise conscientious employees into doing something that they would never ordinarily consider. Phishing poses a unique problem to corporate security.

In many cases, employees have abrogated their responsibilities, operating under the mistaken impression that filters remove all incoming threats from e-mails. This is a notion that we need to do away with; phishing awareness education is the key.

Phishing exploits this confidence that people have in the security of their e-mail system. Publicly, companies have been stating that their systems are secure, and that their customers’ personally identifiable information (PII) is safe in their hands. They are pretty much obliged to make this claim, true or not, so that customers feel comfortable transacting business with them in the form of e-commerce.

Banks have a pretty good grip on the situation already. Most of the reputable ones guarantee the security of online transactions. Bank-level encryption is virtually unassailable, but even if a criminal should acquire customer information by a different means, banks will generally still cover the loss after investigating.

How Did They Get the Information?

Just briefly, let’s just look at one common route that may have permitted them to obtain PII information in the first place. One particular Canadian bank (CIBC) published dozens of phishing attempts submitted by their customers to help their other customers learn to recognize them. Let’s have a look at a couple. Note the atrocious grammar, missing or incorrect punctuation, misspellings, poor word-choices, and just a general sense of sloppiness. Nothing of this nature would ever be sent from a legitimate bank.

From: <Canadian.Imperial.Bank.of.Commerce.Message [Random number].december20@comtrade.com>

Date: December 20, 2016 at 3:26:45 PM MST

Subject: We are unable to process your banking services

To: [Email address]

CIBC Internet Services has introduce a new method to keep customers safe while banking online as we have upgraded our page to serve you better.

You are hereby required to update your profile records with us to match this new feature <missing punctuation>

Account login to Continue -> [Link to counterfeit site removed]

You have 24 hours to confirm your information with us, otherwise your account will be suspended.

C.I.B.C Internet Security Company [No such thing exists; it’s a bank, not a security company]

Canada 2016


From: CIBC Canadian Imperial Bank of Commerce <CIBC.cibconline@cibc.com>
<Too many “cibc” references—overkill>

Date: December 15, 2016

Subject: We are unable to process your banking services

To: [Email address]

Hello, <missing customer name>

Unfortunately CIBC Online was unable to process your banking services due to security reasons <unspecific and missing punctuation>

As a result, your CIBC/CMO account has been locked and all your services are suspended.

Click the link, sign on and confirm identification details in order to unlock your account and resume your banking services:

https://cmo.cibc.com/wp/wps/portal/bbdsignon?TAM_OP=login&FAILREASON=&OLDSESSION=1
<fake “legitimate” address with a hidden redirect to counterfeit site>

Canadian Imperial Bank of Commerce – 2016 CIBC

These sorts of scams used to be particularly effective with those who were unfamiliar with electronic communications. They were likely to assume that, if a particular company was named in a communication, then that was the actual source. In the beginning, the elderly were targeted, but nowadays our “elderly” are people who have been using technology for decades, and they are among the most savvy tech users of all.

The criminals needed to up their game if they were going to continue their thievery. They began by creating duplicate websites for the institutions they planned to imitate. When one of their “customers” (victims) arrived at the site, everything was familiar; it looked as it was supposed to look.

When they began to “confirm” (surrender) their personal information and passwords, the illusion that they were on the official site continued. The site would then announce that all the account information was up to date and all services were restored.

No action would necessarily be taken against the account directly by the criminals. Instead they would use all the information collected to apply for mortgages, open dozens of credit card accounts, and build up a massive debt for the customer. It would remain completely invisible to the victim until no payments were forthcoming on the debt and their credit rating was affected.

On a Corporate Scale

In 70% of cases, phishing scams against employees on the corporate scale have a fairly high a chance of success. That is the percentage of companies that are still relying on rudimentary protection such as SPAM-filters and antivirus software.

Antivirus software pre-filtering for incoming e-mail is taken as a given; it protects against many potentially hostile attachments. Anti-spam software has become very effective at weeding out URLs that take people to sites other than those claimed by URL.

If this protection is 99% effective, that means that 10 attempts get past for every 1,000 legitimate e-mails. Increase the effectiveness to 99.9% and it is still 1 for every 1,000 proper e-mails. To increase the efficacy beyond that point often means relegating legitimate e-mail to manual sorting or, worse, inappropriate deletion.

There Is a More Dangerous Vector

Conventional phishing may be bad enough, but spear-phishing   targeting major executives can do even more damage. Obtaining the credentials of a CxO can give access to the entire system. Without adequate checks and balances, great harm can be accomplished with a single authorization.

Examples of good countermeasures include requiring two different authorizations from different physical locations, or a one-time single use code transmitted to a USB-like device for each person. A very sophisticated system is one in which a login requires two separate devices, such as a smart phone and the terminal itself, where ambient noise from the microphones of both are compared to prove that the person is actually present at the terminal.

You and Your Employees Are Your Best Line of Defense

Even in the unlikely event that there was only one penetration by a phishing attempt, one thoughtless click can compromise the entire network… just one… If malicious code is buried in the e-mail, it can execute instantly when its attachment is opened. If a malicious URL link is clicked on, the destructive script can be downloaded in less than 20 seconds. Increasing awareness is the most effective method of protecting your assets.

Obtaining Training Materials

There are materials available online that will allow you to set up your own programs in-house. While it is perfectly feasible to build such a system, it does mean assigning an employee (or employees) to the task full time. This is not a one-and-done sort of project.

The best methodology requires training to familiarize employees with the techniques and requirements, as well as company policies and expectations. But that alone will never do the job. Most people cannot retain information delivered once—less so if the knowledge isn’t exercised on a regular basis.

External Agencies Are Economical

For that, an outside agency is generally considered best. Irregularly received pseudo-phishing attempts keep employees on their toes by simply making them aware that such e-mails will be received. Once they are aware that they will be expected to identify them, isolate them, and report them, and that it will reflect directly in their annual review, the buy-in is much higher.

Once they are vested in identifying these emails, it can actually become an amusing little game that they participate in voluntarily. More important, however, is that it exercises the skills that they have learned. The IT department will be expecting to receive the reports that are part of the false-phishing attempts but, when an unknown one pops up, they can immediately inform the entire staff by way of a high-priority, company-wide memo that pops up on every screen alerting people not to open that e-mail while it is cleaned out of the system. You obtain fast identification and reporting, plus quick response to a new threat.

Delivering Training

While part of the training is the fake-phishing attempts, as discussed, the remainder comes in the form of either computer-based training (CBT), or instructor-led training (ILT). These are both applicable and useful to different people.

The largest problem is generally logistics. Coordinating an available period of time for instructor-led training and a large number of participants can be very difficult. It can work well with small groups.

Interaction in small groups with ILT gives rise to a commonality of purpose; people respond positively to each other’s ideas and enthusiasm. This can engender strong compliance with the program until the enthusiasm begins to wane.

If there are individuals in a group who are shy or reticent, and they feel like they “don’t get it,” they may be too embarrassed to admit it, or even to ask questions about it. ILT training is generally fairly fast-paced, so costs are minimized.

Generally speaking, we remember 10% of what we see; 20% of what we hear; and, at peak efficiency, about 30% of what we both see and hear. That doesn’t make for very good odds of retaining the information from an ILT session.

Computer-based training, on the other hand, has some pretty significant advantages:

  1. It’s more convenient, eliminating the logistics problems, as well as the capacity problem. A single ILT session might support a couple of dozen of people, whereas CBT can handle as many people as you have.
  2. Good CBT programs make interactivity fundamental to the whole process. If it is just a series of videos, employees can simply turn them on and walk away from their desk, letting the machine record that they watched it when they may not have done so.
  3. Employee/students get to learn at their own pace, stop, go back, and review at their leisure, assuring a more complete absorption of knowledge.
  4. CBT can be updated with the latest information and company policies and remain relevant at all times, but ILT information can fall behind in relevancy.
  5. CBT can be in tune with the needs of the learner. Unsuccessful test results can allow the program to adjust the training to emphasize weak areas
  6. ILT training engenders ILT testing, which means that all those tests must be scored, adding to the time and expense. With CBT, all the scoring is accomplished automatically without human intervention, which can be a real cost saving.
  7. So CBT is ultimately a far less expensive option for almost everybody. ILT can fill the gap for people with highly sophisticated IT knowledge and specialized training requirements but, on the whole, CBT is the best choice for phishing training.

The Takeaway

Cybercriminals are not taking any vacations. We can apply all the hardware and software fixes we can imagine, but ultimately it comes down to your human firewall. We have to keep our people informed, trained, and constantly reminded about the threat.

If your humans need training, come and see us. We would be delighted to assist you in getting prepared to repel these bandits.

Drop by https://securityiq.infosecinstitute.com/ and try out the training for free. It’s interesting and fun enough to keep your employees’ attention. Remember, preparation is half the battle.

Be Safe

Section Guide

Randi
Sherman

View more articles from Randi

SecurityIQ has published a number of videos on social engineering and phishing. You can sign up for a free account to browse their resources and test how phishing savvy you really are.

Section Guide

Randi
Sherman

View more articles from Randi