To make training stick, immerse employees

When aspiring pilots go through flight school, they learn both in a conventional ground setting and using a flight simulator. On the simulator, new pilots are immersed in the experience of flying, and receive real-time feedback about their decision making. Not surprisingly, the simulator is seen as a more effective training tool than conventional classroom training.

One of the greatest challenges facing security awareness initiatives is providing employees with an experience they will actually remember and retain. Training users to avoid risky security behavior is not nearly as complicated as teaching someone to fly a plane, but just like with pilots, immersive training that simulates the kind of attack methods employees face is a more effective way to conduct security awareness.

To improve security awareness, think marketing

Security awareness is a term that often makes IT security pros cringe. It brings to mind images of mind-numbing training or of ineffectual posters and stress balls urging employees to change their passwords frequently.

Based on years of experience working with enterprises and other large organizations, we are launching a new blog series, “7 Principles Critical to Security Awareness Programs”, that will offer some insight into concepts we have incorporated in our solution to demonstrably improve security awareness for our customers.

The first topic we will address is marketing.

Changing behavior is one of the greatest challenges security officers face when implementing security awareness programs. Convincing people to change is hard in any arena, but when it comes to security – an area which most users neither know nor care much about – it’s especially difficult. We can learn a lot about changing behavior from a source security pros are often wary of: marketers.

An untapped resource to improve threat detection

Speaking in front of the House Committee on Special Intelligence earlier this year, Kevin Mandia (CEO of Mandiant) remarked that, “One of the most valuable resources in detecting and responding to cyber attacks is accurate and timely threat intelligence.”  Despite its value, many organizations don’t have a way to get timely threat intelligence.

How can organizations improve in this area? If you know anything about us, it probably won’t shock you that we’re encouraging enterprises to focus on their users as a source of real-time threat intelligence. Given that the vast majority of targeted attacks focus on the end user as the primary point of entry, many compromises go through employees first, making them a potential (and largely untapped) source of intelligence about threats. Up until now, however, we’ve focused solely on the end user’s ability to recognize cyber attacks. We’ve proven users can be trained to improve their behavior toward phishing attacks, and we believe they are capable of more.

What is the definition of phishing?

According to a recent infographic produced by via resource, 37.3 million users were subject to phishing attacks in 2012, but what definition of phishing is being used? What does phishing actually mean?

As consumers increase the amount of time that they spend online, cybercriminals are ramping up their productivity – launching larger, more efficient and increasingly targeted attacks against brands both in and outside the financial services industry.

PhishMe delivers email-based anti-phishing solutions. Through our interactions with prospects and customers, we’ve realized that there are several different definitions of phishing floating around and that often the term “phishing” is used interchangeably with terms like “malware” and “spam”.

What’s in a word? Well, it’s an important distinction. While phishing, malware and spam are all rampant in today’s threatscape, they are not one and the same. Pure phishing threats are analyzed and acted upon differently than spam and malware.

A general definition of phishing by Wikipedia:

“Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.”

Phishing is, admittedly, a wide-reaching term. There are several ways to carry out a phishing attack, which is likely where some of the confusion comes into play. In the broad sense, you could say that phishing is any attempt on behalf of a cybercriminal to steal credentials. This can be carried out via a phishing website where the victim is prompted to enter his credentials or via a malicious executable.

At PhishMe, we categorize a malicious threat as phishing according to the following two rules:

  1. If the page is representing a brand and asks for any login/personal information.
  2. If the URL is not, say, “companyname.com”, and if you do a Whois on it, the domain is not registered to that company name. So, if the URL is ilikepuppies.com and displays the logo of a major brand, it is trying to make itself look like that major brand.

What’s the difference between Phishing and Malware?

The relationship between phishing and malware is a bit blurry, mostly because they often work together to achieve the goal of the cybercriminal. In fact, the term “malware” is often included in phishing discussions.

Now that being said, here is Wikipedia’s malware definition:

“Malware, short for malicious software, is software used or programmed by attackers to disrupt computer operation, gather sensitive information, or gain access to private computer systems. It can appear in the form of code, scripts, active content, and other software. ‘Malware’ is a general term used to refer to a variety of forms of hostile or intrusive software.”

“…Malware includes computer viruses, ransomware, worms, Trojan horses, rootkits, keyloggers, dialers, spyware, adware, malicious BHOs, rogue security software and other malicious programs; the majority of active malware threats are usually worms or Trojans rather than viruses…”

One key distinction is that not all malware is delivered via email. Malware converges with phishing when it is being used as an accessory to execute the phishing attempt.

When it comes to defining today’s malicious threats, where do you encounter confusion? How do you differentiate between them? Share your thoughts in the comments section below.

What is MTTK and Why is it Important to Cybersecurity?

There has been much talk recently about MTTK, but what is MTTK and why is it so important? This post explores the term and explains why MTTK is such an important concept in cybersecurity terms.

When your organization is attacked, how long does it take you to know that the attack is taking place? Of course, we’d all like to be able to answer “right away.” However, for many companies that isn’t the case. Examples of phishing attacks lodged against major brands who don’t discover that they are being phished until months later have become commonplace.

When a phishing attack happens, time is not on your side. The faster that you react to mitigate the attack and take down the phisher, the less damage that you incur as a result of the attack. Of course, you can’t react if you do not realize that the attack is happening. Therefore, it is critical in this era of cyber security that we take every measure to identify attacks when (or before) they happen.

What is MTTK?

Mean time to know (MTTK) is the average time that it takes for a company to discover that security has been compromised. According to a recent article published by Dark Reading, the term became popular after this year’s RSA conference, although the concept has been around for a while. The point is that we need to know what’s happening in our environment, and the sooner that we do know, the better we are able to prevent damage and lasting impact to our company. We can quantify this by measuring the average time between the initiation of an attack and the breach being discovered by the security team. The lower your MTTK, the more effective you are at identifying when your internal environment has been compromised.

Why is it important to lower your MTTK?

  • The longer it takes for you to realize that an attack is happening, the more successful the phishing attack. In the case of a phishing attack, there isn’t much time to react. Most of the damage is done within the first two hours of a phishing attack.
  • The more successful the phishing attack, the more damage to your brand. This can be the most costly consequence of a successful phishing attack. Losing customers’ trust can stop them from doing business with your company for years, if they come back at all.
  • A high MTTK suggests that you don’t have a handle on what’s happening within your internal security environment.

DMARC Failed to Protect Against Walmart Spam

Think that DMARC is all that you need to prevent your company from email spam? Think again.

Last week, there was a spam campaign that imitated a Walmart.com receipt. An email was sent to Walmart customers falsely confirming the purchase of a large flat screen TV costing approximately $1,000. The cinematic home experience was to be enjoyed by someone else, since the receipt showed the item was being shipped to an address that would be unfamiliar to the customer.

Upon receiving this email, the natural reaction would be to click on the link in email to find out more about the fraudulent transaction. However, doing so would require a visit to a malicious webpage that would download malware. That malware would then share credit card information and banking credentials with the scammers.

We’ve been hearing about DMARC as the solution to exactly this kind of email scam. In this particular spam campaign, the emails didn’t actually come from Walmart’s domain name.

Walmart.com (spelled with one “l”) is the real domain name. The company also owns Wal-mart.com. For either one of those domains, there would be a DMARC record published. If an email had been sent by the real Walmart, there would be a signature in the email that can be checked against Walmart’s registered domains. The email would be cryptographically confirmed as having been sent by Walmart. That’s the whole point of a DMARC record.

DMARC shows the true provenance of an email. If an email is not cryptographically signed, it should be rejected because that shows that it was not sent from an official source – in this case, Walmart. In this case, the domain name used to send the email wasn’t Walmart – it just appeared that way. If you were not careful, it would have been easy to be fooled. The email just came from a domain that looked very similar to that used by Walmart.

In fact, there are over 140 variations of misspellings of the Walmart domain name that are in use, such as “Wallmart.org” and “wallmart.net.” As a customer receiving the email, you might not even have noticed that Walmart was spelled incorrectly. Since none of those domain names are valid and do not belong to Walmart, Walmart did not have a DMARC record published for any of those domains. From the victim’s perspective, he sees “Walmart” spelled correctly in the “From Name,” but the email address (the domain portion of the email address) was not a DMARC protected domain. This, combined with high-resolution graphics and a professional look and feel makes for a convincing email, effectively mimicking an actual online purchase confirmation from Walmart. However, the emails were not being rejected because they didn’t fail the DMARC test. The DMARC test was never actually performed.

We believe that DMARC is a good thing. We’re happy that people are using DMARC. We believe that there will be some spam campaigns that will be blocked because of a failure to comply with DMARC, but in this case, DMARC wouldn’t have helped them at all. That’s why it’s important to use DMARC as one tool in the fight against phishing, as opposed to a single method to stop phishing. It is far from an all-encompassing solution.

Similar instances of phishing attacks are lodged against major brands each day. What are some of the other lessons we can learn? Please feel free to share your comments below.
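The gap described above (and the second PhishMe classification rule earlier on this page: the domain in play is not the brand’s own domain) can be made concrete with a small receiver-side check. The following is an added example, not PhishMe’s code or any part of Walmart’s or a mail provider’s DMARC implementation. It assumes a constructed table of DMARC records standing in for the DNS TXT lookup of _dmarc.<domain>, uses the two brand domains the post names (walmart.com and wal-mart.com) and the lookalikes it quotes (wallmart.org, wallmart.net), and shows why DMARC is never evaluated for a lookalike domain while a simple registrable-label comparison still flags it.

```python
import re
from email.utils import parseaddr

# Constructed: the domains the brand actually controls (named in the post) and,
# standing in for a DNS TXT lookup of _dmarc.<domain>, the records published
# for them. Lookalike domains have no entry at all, which is the whole point.
BRAND_DOMAINS = ("walmart.com", "wal-mart.com")
DMARC_RECORDS = {
    "walmart.com": "v=DMARC1; p=reject",   # constructed record
    "wal-mart.com": "v=DMARC1; p=reject",  # constructed record
}


def from_domain(from_header):
    """Return (display name, domain) from an RFC 5322 From header value.

    DMARC alignment is evaluated against this domain, never against the
    display name, so a forged "Walmart" display name alone cannot fail DMARC.
    """
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return name, None
    return name, addr.rsplit("@", 1)[1].lower()


def dmarc_policy(domain):
    """DMARC policy published for `domain`, or None when no record exists.

    With no record the receiver has nothing to enforce: the DMARC test is
    simply not performed for mail claiming to be from that domain.
    """
    record = DMARC_RECORDS.get(domain)
    if record is None:
        return None
    match = re.search(r"\bp=(none|quarantine|reject)\b", record)
    return match.group(1) if match else None


def levenshtein(a, b):
    """Plain edit distance, written out rather than imported."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """'wallmart.org' -> 'walmart': drop the TLD, hyphens and doubled letters,
    so 'wal-mart' and 'wallmart' both compare as 'walmart'."""
    label = domain.split(".")[0].replace("-", "")
    return re.sub(r"(.)\1+", r"\1", label)


def lookalike_of(domain, brand_domains=BRAND_DOMAINS, max_distance=1):
    """Return the brand domain that `domain` imitates, or None."""
    if domain is None or domain in brand_domains:
        return None
    label = registrable_label(domain)
    for brand in brand_domains:
        brand_label = registrable_label(brand)
        if label == brand_label or levenshtein(label, brand_label) <= max_distance:
            return brand
    return None


def assess(from_header):
    """Classify a From header: brand domain (DMARC decides), lookalike, or unrelated."""
    name, domain = from_domain(from_header)
    result = {"display_name": name, "domain": domain, "dmarc_policy": dmarc_policy(domain)}
    if domain is None:
        result["verdict"] = "unparseable"
    elif domain in BRAND_DOMAINS:
        result["verdict"] = "brand-domain"   # SPF/DKIM alignment under the published policy
    elif lookalike_of(domain):
        result["verdict"] = "lookalike"      # no DMARC record, so DMARC is silent; flag it
        result["imitates"] = lookalike_of(domain)
    else:
        result["verdict"] = "unrelated"
    return result


if __name__ == "__main__":
    # Constructed From headers modelled on the receipt campaign described above.
    for header in ('"Walmart" <receipts@wallmart.org>',
                   '"Walmart.com" <noreply@wallmart.net>',
                   "orders@walmart.com"):
        print(header, "->", assess(header))
```

For the two lookalike headers `dmarc_policy` comes back `None`: the receiver has no Walmart policy to apply, exactly as the post describes, and only the label comparison catches the imitation. The comparison is deliberately narrow (one edit after collapsing hyphens and doubled letters) so that it does not flag every unrelated domain; widening it trades false negatives for false positives, which is a tuning decision for whoever runs it.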

2-factor authentication wouldn’t have prevented AP Twitter hack

When a hacked Twitter account spreads false news of an explosion at the White House and causes hysteria that spurs a 140-point drop in the stock market, it should encourage calls for Twitter to bolster its security measures, so it’s no surprise that many are clamoring for Twitter to offer 2-factor authentication. One problem with this – news outlets are reporting that hackers gained access to the AP’s account through a phishing attack. While 2-factor authentication makes it more difficult to phish an account, it will not prevent this type of attack from being successful (nor will a more complex or longer password, for that matter).

Phishing and Brand Reputation: What’s the Damage?

There has been a lot of talk recently about phishing and brand reputation, specifically how phishing attacks often have a major negative effect on how customers view a particular brand. After a phishing attack, many customers lose trust in a brand.

What happens when you lose your customers’ trust?

Successful brands are built on trust. You’ve spent years building your brand and earning your customers’ trust. Don’t leave your brand equity vulnerable to an attack that could cost you your current and future customers.

Your Brand is at Risk

It’s with good reason that, according to Frost & Sullivan, 71% of security executives consider “protecting their brand” as their top priority. Each year, hundreds of brands are targeted by cyber criminals who are launching targeted phishing attacks. According to the most recent Anti-Phishing Working Group (APWG) Phishing Attack Trends Report, the number of brands targeted for phishing attacks reached the highest levels on record last year.

Phishing attacks happen, but can they happen to you? They most certainly can. In fact, an ever-increasing number of high-profile attacks are reported in the press on a regular basis. Brands that possess customer data considered highly desirable to hackers are bigger targets for phishing attacks, but any brand doing business online is at risk.

Brand Damage: The Cost of Phishing to Your Brand

When a brand is attacked, there are both quantitative and qualitative repercussions. The cost of a phishing attack that affects 500 customer accounts can reach upwards of $1.4 million, when you account for the direct financial loss of funds to the cybercriminal plus the strain on internal resources to manage and investigate the crisis. That’s the immediate financial hit that you can expect, but there are long-term costs too – your reputation.

When your customers fall victim to an attack on your brand, consumer perception is that it’s all your fault. Once your brand is targeted, your customers are 42% less likely to do business with you in the future.

This sentiment applies even if the consumer doesn’t fall victim to releasing credentials. Simply receiving a phishing email is enough to write you off. Thus, your brand is assumed “guilty by association”. When a consumer is targeted via a phishing attack directed at your brand, the consumer has a negative experience that he/she associates with your brand. Negative experiences will certainly not increase shareholder value.

Adding further insult to injury, the media often takes note of the situation, cementing consumer perception that doing business with you is a risk. While perhaps not fair, your brand becomes caught up in the associated downward spiral. Consumers, fearful of identity theft, choose your competitor.

Be the Brand Consumers Trust

It all comes down to trust.

In many ways, you are the brand that consumers trust. You have a proven track record of delivering quality products and/or services to your customer base. But, cybercriminals are using that same strength and equity of your brand to carry out their mission.

In today’s world, your success as a brand is determined, in part, by your ability to protect the safety of your customers. Building a security infrastructure that will allow your customers to do business with you safely is crucial when it comes to keeping and expanding your customer base.

Defining a Sophisticated Attack

What do nearly all of the recent high-profile data breaches have in common? They have all been traced to sophisticated threats and cyber criminals. While there are many disagreements in the security industry, after every significant breach nearly everyone agrees that it was sophisticated (Twitter, Apple, and the Department of Energy are some of the unfortunate organizations to be compromised by a sophisticated attack recently).

On the surface, it isn’t hard to see why. First, technology vendors need attackers to be super sophisticated, because simple tactics couldn’t circumvent their products, right? For victims of a breach, it is advantageous for it to seem as though it took a sophisticated actor to penetrate its network. And from the incident response standpoint, it behooves IR consultants to describe these breaches as ultra-sophisticated to help their customers save face.