Pushing the Envelope on Data-Driven Security Awareness Mark T. Chapman CFE CISSP CISM CRISC

Transcription

1 Pushing the Envelope on Data-Driven Security Awareness Mark T. Chapman CFE CISSP CISM CRISC Presentation Overview The Importance of Perspective. The diagram at the right represents the four perspectives of an effective information security awareness program. Risk Based Continuous Improvement. October 22 & 23, 2014 Disney s Contemporary Resort Orlando, Florida US #ISSAConf Follow a program from basic to advanced levels. Identify key activities, common problems, and success. Share Stories Use real Stories from the Trenches based on redacted real-world examples. Basic Level Just Get Started Program How to win executive sponsorship, approval and funding? How can I do this while doing my real job? Can we mimic another successful program? Training Should we only start with compliance-related training? How do we get people to actually take training? Attacker Does the organizational culture and environment support testing? How to effectively communicate the intentions and results? How sophisticated should the mock-social engineering tests be? Employee How do we get employee feedback? Can we get an online feedback form or suggestion box? 1

2 2

3 Integrating the Training and Attacker Perspective Mock Spearphishing Test Company sends fake phishing s to employees to see who clicks on suspicious links. Online Training Videos or Games When a user clicks, they are told what they did wrong, and the system uses the Teachable Moment to direct the user to online training. Rinse and Repeat? What measurable effect does this process have on your information security posture? Intermediate Level Establish Credibility Hypothesis-Based Testing Parameters Program How to define the scope and measure the success of the program? How to make sure the program is relevant? How to formally plan the next steps? Training What kind of training is best? In person? Computer-based? Beyond training records, how to measure success? Does it work? How to leverage other perspectives to provide better context? Attacker Are we always starting with an objective or hypothesis? Could the results lead to concrete actions beyond just training? Are we truly simulating the attacker perspective? How do we know? Employee Can we use risk-based survey techniques to improve? What have we learned that is or is not effective? Have there been any surprises? Define your hypothesis BEFORE you design or run your tests. Identify potential actions based on proving or disproving the hypothesis. It does not matter if you are right or wrong, if you knew the answer before testing then why test? Be sure your hypothesis helps improve the credibility of your program. 3

4 Hypothesis-Based Intermediate Examples Hypothesis: Users will not share data. Users will not enter sensitive data on unauthorized web forms. Users are less likely to click on unsubscribe links than on other links. Users are more susceptible to sophisticated phishing attempts. Users are more likely to respond in their native language. Our training program reduces susceptibility to phishing attacks and the results last for at least six months. Be sure to plan ahead! This could be a good source to drive additional campaign activity. It also may be something that should not be collected due to privacy laws. Hypothesis: Users will notice subtle changes. Hypothesis: Sophisticated=Dangerous? Example Result: At a ratio of 1.5:1, users were more likely to click on the less sophisticated message. Although whitelisting removed this variable, the less sophisticated messages had a lower spam score and are more likely to be delivered without whitelisting. Can this type of test help credibility? 4

5 Hypothesis: Native Language. Example Result: In Brazil, the click-through rate was essentially identical between English and Portuguese. Also, it was an almost exact match with the click-through rate of Spanish Speakers who received the English message. The outlier is the significantly lower rate of Spanish Speakers who received the Spanish message. unsubscribe LINK Example Result: Out of the users who clicked, it was a 1:1 ratio of clickers vs. unsubscribe clickers. How would you use this information? What could go wrong? UNSUBSCRIBE LINK Actionable Results Approximately 50% of all engagement activities were for users clicking the unsubscribe button vs. clicking on other links, viewing images, or replying to an . If users feel it is safe to click on unsubscribe links, the organization may be exposed to similar threats as any other click-through behavior. Share the preliminary results with users that about half the time a user clicks on a suspicious link, it is of the unsubscribe variety. Train on the importance of ignoring unauthorized unsubscribe links. Future campaign idea: Consider performing a test where an unsubscribe link would provide a form for users to enter their address. Only after actually submitting the unsubscribe form would a You ve been phished and training message follow. Out of Office - Information Disclosure 5

6 Out of Office Another Perspective Intermediate Level Risk Based Surveys 6.2% of the outbound campaign s received out of office notifications which disclosed information about the people, coworkers and the organization. The information gathered through out of office notifications may enable an attacker to perform more advanced social engineering or other attacks against the people or organization. Configure the systems to not allow out of office notifications to be sent outside the organization or to unknown addresses unless there is a specific business reason to do so. Train users to limit the amount of information shared within any out of office notification. Look for other ways to share the detailed information in a controlled manner such as an Intranet site. Intermediate Level Risk Based Surveys Advanced Level Make a Difference Program Can we positively impact our overall security posture? Can we admit when something isn t working and fix or abandon it? Is it an integrated riskbased continuous improvement process? Training Are we targeting the right training to the right people based on risk? Can advanced training techniques make a difference? Can we leverage the context of actual realtime risk-based events? Attacker Can test planning and results be based on big data risk analytics? Are all tests and results integrated with the infosec program? Can we leverage the context of actual realtime risk-based events? Employee Are we tied into other risk-related programs? Is there a way to measure real-time in the context of events? Are people wanting to mimic our effective program? 6

7 Voice Testing Scenarios 1. Send an or SMS with instructions to Call and enter code 4732 to see if you are a winner. 2. Traditional vishing, with an auto-dialer calling to say Cross-Platform Attack Simulation Send a text message with a link. Have the landing page be a full-screen emulation of the login screen. Do users attempt to unlock their phones? (Be careful to not actually collect passwords.) This is the IT Department, we have seen a problem with your machine, press 1 to let us remotely access your computer. SMS as an Attack Vector SMS text messaging may be an underestimated threat vector. Recommendations: Instruct employees of the dangers of interacting with mobile messaging both from a technical and non-technical perspective. Consider extending, implementing, and validating SMS-specific antispam controls on company-owned mobile devices. Ensure that anti-virus, web-content filtering and similar controls apply to the company-owned mobile devices. The theme for this campaign was an imaginary joke of the day subscription service. The campaign sent an SMS message to each user indicating they subscribed to a daily joke service. The message invited users to unsubscribe by replying to the message with the word bummer or by clicking on a web link that was unique to them. If a user clicked on the link, the landing page simply accepted the unsubscribe request. Did more people Reply or Click? Out of those who replied, how many followed the directions? 7

8 Click-Through (Failure) Rate SMS Click or Reply Users who responded were approximately 2 to 3 times more likely to reply to the SMS than to click on the link. Attackers may exploit consistent behavior in cross-channel attacks to thwart controls that focus on a single vector. Consider future campaign designs to evaluate other likely cross-channel social engineering attack vectors. Following Arbitrary Unauthorized Instructions People who replied to the message precisely followed arbitrary unsubscribe instructions 91% of the time. By itself, the potential business impact of following the unsubscribe instructions for this campaign were minimal. The bigger potential concern builds on PhishLine.com aggregate industry data that indicates once a user starts engaging in any stage of a campaign they are more likely to perform all steps. Encourage users to ignore arbitrary instructions received from an untrusted or unverified source. Consider future campaign designs to exploit the vulnerability associated with the concept of compliance to specific arbitrary instructions combined with the concept that once a user starts interacting with one step in a campaign, they are likely to continue. For example, ask users to perform some innocuous task just to get them engaged or distracted before making additional less-innocuous requests. Repliers Who Precisely Followed the Arbitrary Instructions Other Response 9% Arbitrary Instructions Followed 91% How to test the effectiveness of Security Awareness Training Day Test random sample before training. Test another sample the day after training. Test 1,2,3 weeks after training to see when it wears off. The Effects of Training Day on Click Through Rates 18.0% 16.0% 14.0% 12.0% 10.0% 8.0% 6.0% 4.0% 2.0% 0.0% Pre- Test Week 0 Week 1 Week 2 Week 3 Week 4 Hypothesis 15.7% 2.5% 2.6% 2.9% 3.4% 8.9% Actual % 15.5% 15.1% 15.9% 15.3% 15.6% Actual % 4.5% 4.9% 4.6% 4.8% 5.0% Did training work? The campaign results did not show that those who took the offered training (17.8%) were less susceptible to new campaigns vs. those who did not take the training (15.8%) The campaign result indicated that the supplied training made no significant difference. Repeat the test with other training content and methods to see if there is a difference. 8

9 What can go wrong? Emotional Responses The dangers of focusing only on clickthrough rates especially as the only metric for the effectiveness/justification of the security awareness program. Side effects of too many phishing simulations? What works? Share the results with users without overstating the scientific validity of the test. It is very powerful to share company-specific data with employees, especially if the metrics are understandable. Incorporate the results into security awareness training curriculum. The point is that people should be aware that certain times of day they may let their guard down. (See blog article Escape Click-Through-Rate Captivity at Five-Second Rule Conclusions The Importance of Perspective. We reviewed 4 perspectives. Risk Based Continuous Improvement. We followed a program from basic to advanced levels. We identified key activities, common problems, and defined success with examples. Thank You! Mark T. Chapman, CFE CISSP CISM CRISC President and Founder, PhishLine.com mchapman nospam@ nolinkkeef dphishline.com Share Stories Hopefully, the stories helped you gain at least one insight you can act on regardless of where your program is. 9