Most of you are probably aware of the breach that occurred at the New York Times. Employee passwords and sensitive information related to an investigative news story covering the finances of Wen Jiabao, China’s Prime Minister, were compromised. The New York Times’research helps give them a competitive advantage in their industry, it is their proprietary information. It is the equivalent to the theft of financial reports, blueprints and customer data.
The headlines roll in… The NYTimes breached by spear-phishing! Symantec AV fails to detect attackers! In an official press release, Symantec says, “Anti-virus software alone is not enough.” Later, the CEO of the incident response firm hired to respond to the NYtimes news goes to Bloomberg TV to say that these attacks are rampant and that the group responsible for the breach has been active in nearly 100 other organizations. In that same interview he says that the attack (spear-phishing) is not unique.
This sounds like the type of story PhishMe would pounce on and twist into an obvious sales pitch right? Security Technology Fail; Spear Phishing is “rampant” ergo you need the PhishMe training method to change employee behavior regarding email safety.
Well, brace yourselves. Abandoning technical controls and substituting it with just awareness training isn’t our message. Organizations shouldn’t and can’t give up security technologies. In fact, based on some of the good work security technology vendors have been doing, we have witnessed firsthand spearphishers changing their methods to cope with the ever-improving technologies that are doing their best to prevent breaches. (More about this later).
The NY Times had AV and it failed to prevent the breach. Does this mean that technical controls are worthless? Absolutely not. Technical controls like anti-virus, firewalls and intrusion prevention/detection all help tune out the noise we see with known problems. If the network defender spends their entire day chasing down nuisance attacks by lesser adversaries, how can they begin to focus on the more sophisticated problems?
To be clear, the PhishMe message isn’t to abandon traditional network defense and security technology. Our message is that even the best tech will have gaps, and the role your human assets play in defending the network cannot be dismissed. An educated user base is the best choice you can make when it comes to filling these gaps. With consistent and relevant training, the vulnerabilities that technical controls cannot patch will be protected by another layer of security. The real problem is that too many programs are designed to only rely on technical controls and feed useless information to users. Holistic information security is a balance between technical controls (both tried and true and bleeding edge) and IT consumers who understand their role in security. The latter has either been neglected for too long or inundated with information that is too technical or focused on items that don’t matter.
Would the NY Times be making headlines today if one of their staffers reported suspicious email based on training they received? We’ll never know.