Organizations typically create security awareness programs to ensure that their employees, or users, are aware of cybersecurity problems that are already known to the organization. Phishing messages, which I cover in the next section, represent the most prolific attack against users.
Reducing losses from phishing attacks
Phishing attacks are common enough these days that many people are already familiar with the term. A working definition is “an email message that intends to trick a user into taking an action that is against the user’s interests.” A phishing awareness program would ideally train people to handle incoming emails in a way that reduces the likelihood of loss. For example, if a message asks for the disclosure of information, the ideal situation is that a user knows what information they can disclose and to whom, and also knows how to determine whether the sender is valid. Chapter 6 discusses this topic in more detail.
To appreciate the losses that a phishing attack can cause, consider these prominent attacks:
Sony: The infamous 2014 Sony hack, which was reportedly perpetrated by North Korea, began with a phishing attack. The hack resulted in the leak of information about movies, the movies themselves, and embarrassing emails. Sony reported costs of the hack to be $35 million.
Target: The 2013 Target hack, which compromised about 40 million payment card numbers and the personal records of roughly 70 million customers, began with a phishing attack against a Target vendor, an HVAC contractor whose network credentials gave the attackers a foothold. Target reported the resulting costs to be $162 million.
OPM: The attack on the Office of Personnel Management (OPM), discovered in 2014, which compromised the security clearance files of more than 21 million US government employees and contractors, began with a phishing attack against a government contractor. The costs and losses are immeasurable because this attack is considered a major intelligence success for China, which the US government named as the perpetrator.
Colonial Pipeline: The Colonial Pipeline ransomware attack in 2021 began with compromised user credentials for a VPN account that was not protected by multifactor authentication, which allowed the criminals to establish a sustained presence on the network. This allowed the criminals to find the most critical systems and eventually install the ransomware, which caused Colonial Pipeline to shut down the pipeline, halting a primary fuel supply to the US East Coast. Colonial Pipeline paid the criminals approximately $4.4 million, but the actual costs resulting from the shutdown were tens of millions of dollars to Colonial Pipeline and an incalculable cost to the economy.
The Verizon Enterprise Solutions Data Breach Investigations Report, commonly referred to as the DBIR, is one of the most often cited studies in the cybersecurity field. The report, which is produced annually, is drawn from incident and breach data contributed by Verizon’s own investigators and by dozens of partner organizations. The DBIR, considered a reliable overview of real-life attacks against organizations around the world, found in its 2021 edition that 85 percent of breaches involved a human element; in other words, the overwhelming majority of major attacks begin by targeting users. You can access the report at www.verizon.com/business/resources/reports/dbir.
Reducing losses by reducing risk
Just as people get themselves into automobile accidents despite advances in automobile safety, even reasonably aware users may fall victim to cybersecurity attacks. All cybersecurity countermeasures will eventually fail. Countermeasures include encryption, passwords, antivirus software, multifactor authentication, and more. Perfect security doesn’t exist. Your goal in establishing a security awareness program is to reduce risk by influencing user actions.
Don’t expect users to be perfect — risk reduction isn’t about eliminating risk altogether, which is impossible. Expect your security awareness program to reduce the number and severity of incidents, thereby reducing losses from the incidents.
Also, a more aware user knows when something seems wrong and knows how to react to it. If your users sense that they might have been compromised, they start taking actions to mitigate the loss. If they accidentally email sensitive data to the wrong person, they try to stop the message or have it deleted. If they end up on a malicious website that starts serving adware, they disconnect before additional damage can occur. They know how to properly report any and all potential incidents, so your organization can begin to stop any loss or damage in progress. In the worst case, at least they can launch an investigation after the fact to find out what happened.
In the ideal situation, even when a user takes no potentially harmful action, they report the situation to the appropriate party. They report details such as whether someone tried to follow them through a door, even if they turn the person away, because they know that the person might attempt to enter through another door or follow someone else through the door. If someone detects a phishing message, they don’t click on it — instead, they report the message because they realize that other, less aware users may click on it, and then the administrators can delete the message before that happens.
As you can see, awareness requires more than knowing what to be afraid of — you also have to know how to do things correctly. Too many awareness programs focus on teaching users what to be afraid of rather than on establishing policies and procedures for how to perform functions correctly, and in a way that doesn’t result in loss.
The goal for awareness is for users to behave according to policies and procedures. Part of the function of an awareness program is making users aware that bad guys exist and that those bad guys will attempt to do bad things. But awareness programs primarily focus on making people aware of how to behave according to procedures in potentially risky situations.
Grasping how users initiate loss
At a cybersecurity conference where I spoke, I was in a buffet line at lunchtime. At one table that the line passed, I saw some stickers that said, Don’t Click On Sh*t! The person in front of me was an administrator, and he grabbed a handful of stickers while saying, “I need a lot of these to give to my users.” I then replied, “You must give your users a lot of ‘sh*t’ to click on.”
The guy was confused and asked what I meant. I replied that the users would have no items to avoid clicking on if the systems he supported didn’t pass the messages to the users. I then added that if he knows users will click on problematic items, he should be taking active measures to stop the inevitable damage. He was confused, but of course kept the stickers.
For more information on user-initiated loss, find a copy of my book, written with Dr. Tracy Celaya Brown, You Can Stop Stupid: Stopping Losses from Accidental and Malicious Actions (Wiley, 2021).
Users can cause only the amount of damage they’re put in the position to cause — and then allowed to carry out. However, even after they make a potentially damaging mistake, or even if they’re blatantly malicious, it doesn’t mean that the system should allow the loss to be realized.
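The practical consequence of this point, and of the earlier discussion of how a user should judge whether a phishing sender is valid, is that the system should make those judgments before the message ever lands in an inbox. The following is an added example, not code from this book or from any product the author mentions: a minimal inbound-mail policy check in Python that quarantines a message on three common phishing tells (an external sender whose display name impersonates the organization, a failed DMARC result, and a link whose visible text shows a different host than its actual target). It assumes a hypothetical organization domain example.com and a mail gateway that records DMARC results in an Authentication-Results header; both sample messages are constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organization's own mail domain(s). Anything else is external.
INTERNAL_DOMAINS = {"example.com"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def _shown_host(text):
    """If the visible link text looks like a URL or bare domain, return its host."""
    t = text.strip()
    if not re.fullmatch(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", t, re.I):
        return ""
    return _host(t if "://" in t else "https://" + t)


def findings(msg):
    """Return the reasons this message should not reach a user unchanged."""
    reasons = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # 1. Display name claims to be us, but the real sender is external.
    if from_domain not in INTERNAL_DOMAINS:
        for d in INTERNAL_DOMAINS:
            if d in name.lower():
                reasons.append(f"display name claims {d} but sender is {from_domain}")

    # 2. Our own gateway already recorded a DMARC failure for the From domain.
    if re.search(r"dmarc=fail", msg.get("Authentication-Results", ""), re.I):
        reasons.append("DMARC failed")

    # 3. The link the user sees is not the link the user would click.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown = _shown_host(text)
            if shown and shown != _host(href):
                reasons.append(f"link text shows {shown} but points to {_host(href)}")
    return reasons


def decide(raw):
    """Gateway verdict for a raw RFC 5322 message: ('deliver' | 'quarantine', reasons)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = findings(msg)
    return ("quarantine" if reasons else "deliver", reasons)


# Constructed sample: a credential-harvesting phish impersonating the helpdesk.
PHISH = b"""From: "IT Helpdesk example.com" <helpdesk@example-support.net>
To: alice@example.com
Subject: Password expires today
Authentication-Results: mx.example.com; dmarc=fail header.from=example-support.net
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires today. Reset it at
<a href="https://portal.example-support.net/reset">https://portal.example.com/reset</a></p></body></html>
"""

# Constructed sample: an ordinary internal message that should pass untouched.
LEGIT = b"""From: "Bob" <bob@example.com>
To: alice@example.com
Subject: Lunch
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com
Content-Type: text/html; charset="utf-8"

<html><body><p>See the menu at <a href="https://menu.example.com/today">https://menu.example.com/today</a></p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        verdict, why = decide(raw)
        print(label, verdict, why)
```

Run as a script, the phishing sample is quarantined with all three reasons and the legitimate one is delivered. None of these checks requires the user to notice anything; that is the point. A real gateway would add URL rewriting, attachment sandboxing, and a one-click report button so that the user who does spot something odd can hand it straight to the people who can delete the message for everyone else.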