
Welcome to Securing The Human. Today we will focus on three key points. First, why humans are so vulnerable: what makes end users the weakest link. Second, how these vulnerabilities are being actively exploited: what the latest human-based attacks are. Finally, we will cover how we can patch these vulnerabilities, specifically what does and does not work in security awareness. Security awareness and education is something that SANS is extremely passionate about. We firmly believe that by focusing on the human, organizations can dramatically reduce risk. Both this presentation and the SANS Securing The Human program are developed and maintained by Lance Spitzner. If you feel this presentation or the SANS awareness program is not the absolute best possible, please contact Lance immediately with your suggestions and feedback.

Lance Spitzner
Technical Director, SANS Securing The Human program
Mobile: +1.708.557.6006
Skype / Twitter: lspitzner
Blog: http://www.securingthehuman.org/blog

First, some background on myself. I graduated from the University of Illinois with a BA in military history and served seven years in the US Army, four of those years as a tank officer. This experience would lay the foundation for my interest in information security. In addition, I gained an appreciation in the military for the need for intelligence on the threats you will be defending against; this is where I learned to Know Your Enemy (working with tanks is also where I learned how to talk loud). Following the military I received my MBA and started working as a Senior Security Architect at Sun Microsystems. My job was to travel around the world helping secure Sun's customers. This is where I gained my technical experience, primarily in host- and network-based security. During this time I also gained an interest in cyber intelligence; just like in the military, if I was going to defend against a threat I needed to understand that threat. Unfortunately there was very little information on cyber threats at this time, perhaps just a paper or two on how an exploit worked. As such I began researching and deploying honeypots, developing the concept of honeynets along the way. These proved extremely effective in gathering intelligence, and as a result I started the Honeynet Project. Over the next ten years I continued to actively research cyber threats, their motivations, methods and activities. Along the way I published several books on the concept. In the past several years one trend I began to notice was how cyber attackers began shifting their focus from purely technical exploits to actually exploiting the human. This trend has continued to grow until the situation we have today, where the human has become literally the weakest link. As such my passion has become securing the human. In August 2010 I joined SANS full time to dedicate myself to this cause, and in part that is why I am here with you today.

Before we can discuss how to solve the human factor, we have to first understand the problem. And to understand the problem we have to first go back in time, to the late 1990s. This period was the golden age of hacking, the true wild, wild west of the Internet. This was the time when businesses and organizations were just catching on to the power of the Internet and connecting their networks as fast as possible. However, there was absolutely no consideration of security. Computers running Win95 and WinNT were deployed with no firewalls, no automatic updating, and by default had all services enabled and running. For an attacker this was the perfect storm: all they had to do was blindly scan the Internet and exploit hundreds of thousands of vulnerable systems. The simplest way to infect computers was to reach out and hack into them. We as an industry felt tremendous pain, and because of that pain organizations, vendors and the security community have invested a tremendous amount into securing systems. Today Windows 7 by default comes with its firewall enabled, automatic updating, minimized services, memory protection and a variety of other advanced security features. If you take that same system today and deploy it on the Internet, it may take months if not years before the system is hacked. We have been successful: systems themselves are far more secure. But if computers today are so hard to hack, then why are so many organizations getting owned? Simple: the human. Think about that same Windows 7 computer we installed on the Internet. By default that computer is highly secure; there is very low risk of an incident. That dramatically changes when a human touches the keyboard. The moment people start reading email, surfing the web or using USB sticks, computers get hacked.

Computers store, process and transfer information. As such, organizations spend a tremendous amount of time securing them. However, employees store, process and transfer information too, just like a computer. In fact, you could say humans are nothing more than another operating system. And yet organizations have done nothing to secure them. For the past ten years organizations have focused only on technology; that is where all the advances have been. But the human OS was left behind, and as a result it is the most vulnerable operating system in any organization, and the bad guys know it. That is the purpose of this presentation and of Securing The Human. We are going to fix that; we are going to show you how to patch the human OS.

Here is a diagram to help visualize the problem (note: this makes a great slide to show management when explaining the human factor). Imagine that the blue dot in the center is the average computer in your organization. This is ground zero for cyber warfare. As we just mentioned, organizations have invested a tremendous amount in securing that computer. In addition, most organizations have done much more than just focus on the operating system; they have created layers of security for a defense-in-depth approach. They have technologies such as intrusion detection sensors, encryption, two-factor authentication and other mechanisms in place. Each layer mitigates risk. However, nothing has been done to secure the Human OS, the person sitting at the computer. This makes no sense. Organizations have left a huge gap in their defenses. With simply an email, SMS message or malicious website, attackers can slice through ten years of hard work and penetrate the organization. Why hack computers and infect them when you can just ask someone on the inside to infect the computer for you? This, I feel, is the very heart of the challenge we face today. No matter how much technology we throw at the problem, we are at the point of diminishing returns. We have to focus on the real problem today, and that is the human factor.

I feel these two statistics do a tremendous job of demonstrating just how big the human problem has become. The first is an interesting quote from Zulfikar Ramzan, technical director of Symantec Security Response. He stated that over 90% of the malware Symantec captures today utilizes human interaction for the infection to happen. By human interaction that can mean the person has to click on a link, open an attachment or insert a USB stick. This compares to the old days when worms could simply find vulnerable systems on their own. I have talked to members of the CERT community and Shadowserver who agree on similar numbers. I think this is amazing. You can find the original quote yourself at http://www.networkworld.com/news/2010/060210-windows-mac-or-linux-its.html. A second source is Mandiant's APT report from early 2010. Mandiant is a security consulting company that specializes in forensics and incident response. They are a highly trusted organization in the United States that works mainly for the Defense Industrial Base. One of the primary threats they work with is APT (Advanced Persistent Threat). These are highly motivated threats with the skills and resources to penetrate the most heavily defended organizations. These attacks are usually nation-state sponsored. These are also the types of threats the Defense Industrial Base faces. As a result, Mandiant responds to and investigates a tremendous number of successful APT-based intrusions. In their APT report they documented all their findings based on these investigations. In 100% of the APT-based incidents they responded to, every single time the initial hack was against a human. In most of these cases the method was spear phishing. This shows that organizations that have the skills and means to launch the most technically advanced attacks know that

We have just demonstrated that humans are vulnerable and that bad guys are actively targeting and exploiting this vulnerability. But just as with typical operating systems, to patch the vulnerability we have to understand the vulnerability. So what makes humans so vulnerable, what makes humans so susceptible to clicking on links or falling for email scams? Well, it turns out that we as humans are pretty bad at judging risk. What worked for us 100,000 years ago on the plains of Africa does not work in 21st-century cyberspace. Back then we had to worry about risks such as being eaten by lions. The risks we face today and the environment we are operating in are radically different. There are several reasons why humans are so bad at judging risk, but the two biggest are that we overestimate risk for highly visual attacks and when we are not in control. One of the best examples is flying. Statistically speaking, flying is far safer than driving [1,2], yet many people avoid flying, preferring to drive their car. Over 35,000 people die in automotive accidents every year in the United States alone; that is almost 100 a day. Yet how often do you hear about those deaths in the news? Almost never, because they are common. However, when do you hear about an airplane crash? Absolutely every time it happens, simply because it is so rare. So why the irrational fear? Because when a plane accident happens it is very visual, the plane going up in flames. Also, people are not in control; there is someone else flying the plane. It does not matter that the person flying the plane has literally years of training and thousands of hours of experience, people are still afraid. Let's take one more look at just how bad humans are at judging risk.

Let's say you and your family decide to go on vacation. You want to spend some time on the beach and then go for a swim in the ocean. What is one of the most common fears people have about jumping in the ocean? Yes, that is correct: sharks. There is something very visual about being eaten by a great white shark. In addition, if you think about it, when you are swimming in the ocean you are not in control; a shark will strike whenever it wants. Just like flying in an airplane, people grossly overestimate the risk of being killed by a shark. In fact, the odds of you being killed by a shark are 1 in 250,000,000 [1]. That is extremely low. Now, let's take a look at a risk people grossly underestimate. What is something twice as likely to kill you at the beach, a risk you most likely underestimate?

[1] Source: http://www.bookofodds.com/content/view/full/252163

Yes, you have that correct: vending machines. You are twice as likely to be killed by a vending machine as you are by a shark. Specifically, the odds are 1 in 112,000,000 [1]. This should put things in perspective on just how bad humans are at judging risk. Now how can a vending machine kill you? Think about it. You put your dollar into the machine to get your can of coke. The machine takes your money but fails to give you anything in return. Some people will then proceed to rock the vending machine in an attempt to either get their money back or force the drink to come out. In the process of rocking the machine they accidentally tip the vending machine over, sometimes directly onto themselves. In some cases this will kill them. The reason people underestimate this risk is because they are in control; they are the ones who decide to rock the machine. In addition, the image of being killed by a vending machine has far less impact than the image of being eaten alive by a shark. Now if you think about cyberspace you can understand why humans underestimate risks when using the Internet. They are in control; people decide what links they click on and when. Just like driving a car, since they are in control they underestimate the dangers. In addition, when a person gets hacked it is similar to heart disease: it is the silent killer. There is no loud explosion or immediate feedback when your computer is compromised. Instead, hackers go to extreme lengths to ensure that your system continues as normal. This is why humans are so vulnerable; this is one of the reasons why they are clicking on links and opening attachments they should not be. They simply do not understand the risks involved.

[1] Source: http://www.bookofodds.com/content/view/full/248157

Now that we understand human vulnerabilities, we need to understand how they are exploited. The foundation of most human-based attacks is social engineering: building trust with someone and exploiting that trust to get what you want. To better understand the method, and understand why it is so effective on the Internet, let's start with a non-technical example. This is also a great way to introduce the concept of social engineering to end users. You are traveling and you have just checked into your hotel room. As you walk into your hotel room the phone rings. You pick up the phone and there is a nice lady at the other end. She introduces herself as Rebecca from the hotel front desk. There is a problem with your check-in; she needs to confirm your credit card number. You give her your credit card information, and she then tells you to hold on as she checks the information. After a brief wait Rebecca tells you that everything looks fine and tells you to please enjoy your stay. The problem was, that was never really Rebecca that called you; that was really Natasha from Russia, and she just tricked you out of your information. She stole your credit card data by simply asking for it. She pretended to be something you trust (the front desk), then exploited that trust to get what she wanted. You have just been socially engineered. It is this same technique that cyber criminals are so effectively using on the Internet today. How would you protect yourself against attacks like this? The two best ways would be to call the hotel front desk back (using the number printed on the room phone or in the hotel directory, not one the caller gives you), or actually walk down to the front desk. Unfortunately, in the virtual world these are often not options. In the virtual world there are very few ways to truly confirm the origin of a message, the validity of the


Here is an example of social engineering, but on the Internet. We see a message sent from what appears to be a friend. In this case the message was sent over Skype, informing the victim that their computer is out of date and needs to be patched. The goal is to get the victim to click on the link. What has happened is that the victim's friend's computer has become infected, and the infected computer is now sending this message out to every contact in the address book. This makes the attack more effective as the victim trusts the source. He believes it is his friend sending the message, when in reality it is his friend's infected computer. Even more amazing, some malware can analyze the international keyboard setting of the infected computer. It then sends out the messages in the local keyboard language, assuming that the contacts speak the same language, making the attacks even more effective. If the user clicks on the link, it takes them to a malicious website that attempts to exploit the end user's browser. It does this by first determining the browser type and perhaps even version/patch level, then launching a variety of exploits until one works. Once exploited, the website then infects the computer with the attackers' malware of choice.


Tricking victims into visiting malicious websites is one type of social engineering. However, several years ago some cyber criminals decided to take these social engineering attacks one step further. Instead of asking people to infect their computer for the attackers, they figured out a way to trick people into paying criminals for the privilege of infecting their computer. The attack is called rogue anti-virus. This shows you just how effective hacking the human can be. Just as with malicious websites, the victim receives a link which they are fooled into clicking. Once they click on it they are taken to a website, but instead of hacking the victim's browser the website pretends to be scanning the victim's computer, looking for infections. The website is lying; it is not really scanning the victim's computer. In reality it is simply a pop-up window pretending to find malware on the victim's computer. The goal is to get the victim to think their computer is infected. The site creates a sense of urgency by reporting multiple infections and insisting that they have to fix their computer right away. To fix the computer, they need to click on the link, which takes them to a website that has security software that will fix the problem. Let's follow the link and see what happens.


Here is a website advertising GreenAV. This site is pretending to sell legitimate anti-virus software, when in reality this is nothing more than malware designed to infect a victim's system. The bad guys have invested a tremendous amount of time and effort into this site. It looks highly professional, has numerous pages and even quotes from satisfied customers. In addition, they call themselves green as they contribute a percentage of profits to the environment. We have some environmentally concerned criminals on our hands here. However, there are two points that should tell us right away that there is something very wrong, that the site is run by criminals. Take a moment and look at the site; what do you see?

Question: Determine how you can tell this website is a fake. What are the warning signs that you and others should look for?

1. _______________________________________


Here is one more example of how human vulnerabilities can be exploited; this example is on Twitter. Social networking sites are a growing area for attackers to launch their attacks. If you think about it, they are the perfect place. The purpose of social networking is to get as many people around the world sharing as much information as possible about themselves. It is a social engineer's dream. As such we are seeing an explosion of new attacks in this area. Many of the attacks are similar to what we have seen in email, but adapted to the Facebook/Twitter world. In addition, sites like Twitter and Facebook are constantly changing and adding new functionality, so it is easy to get confused by the technology. Even the best of us can make mistakes. Here is an example of how I got phished on Twitter. Ed Skoudis is a highly trusted friend of mine and one of SANS' most experienced instructors. Both Ed and I share a passion for Mac laptops, so we were excited to see the new MacBook Air come out. In fact, Ed tweeted about the new Air when Apple released it. Then some of Ed's friends replied to his tweet, which I followed. First was Johannes, another trusted instructor at SANS. Then Ed's friend Ryan posted how you can get $100 discounts on the new MacBook Air and supplied a link. Well, since I was about to buy the new MacBook Air, and since this was Ed's friend, I clicked on the link. Had I not had other security measures in place, I may have been hacked. This was an excellent human-based attack. This was not Ed's friend but an attacker simply replying to any Mac-related tweet. In this attack he simply built on the linked trust with Ed Skoudis, appearing to be his friend, and it worked.


You should have a good understanding of the problem now, specifically why humans are vulnerable and how attackers are exploiting those vulnerabilities. Just like any other operating system, we need a way to patch those vulnerabilities. We will now discuss what does and does not work in securing the human.


To keep operating systems secure, organizations build patching programs. These are organized programs with processes and procedures to ensure that every month all computers are updated with the latest patches or updates. A security awareness program is no different, but for the Human OS. A security awareness program is a long-term commitment to continually updating and securing the Human OS, but instead of using code to do this, for humans we change their behavior. Traditionally the goal of awareness has been compliance with standards such as PCI DSS, HIPAA and ISO 27001. We recognize the value of compliance and understand it can often be the only way to get the budget and support you need. But we are going to go beyond just compliance; we are going to secure the human.


Before we secure the human, we need to define the goals of our program. This graph demonstrates how we can leverage awareness to reduce risk. In this graph, the X axis (horizontal line) shows the level of security awareness and the amount of training and resources it took to get individuals there. The more resources and training you invest, the more security aware an individual is. On the far left is where many employees are at: very unaware. They are low-hanging fruit, an easy target for even the most basic threat. On the far right is the highly trained security professional, the individual with years of training, who lives and breathes security and is probably a bit too paranoid. Our goal is NOT to make employees into security professionals. They have real day-to-day jobs to do. Our job is simply to arm them with enough information to make the biggest impact, to ensure they are no longer the low-hanging fruit. The Y axis (vertical line) represents the return on investment you get from your awareness program. The top of the curve marks the point where we have invested the minimum amount of resources for the greatest impact. Any more effort and we are going beyond good enough; we are starting to make them into security experts, which is not our goal. Any less effort and we still leave them vulnerable to the most common attacks. Since so little has been done in the past to secure the human, we have the potential to make a huge impact here. Every organization will have a different point for their maximum ROI. In reality this approach is not unique to security awareness but is how most organizations approach risk management: just secure enough. We can only reduce risk, not eliminate it. People will say awareness does not work because attackers can always find at least one victim. Of course this will happen; we cannot make employees 100% secure. Then again, no technology or solution is 100% secure.


The key to any successful security awareness program is answering the three critical questions: WHO, WHAT and HOW. By answering these questions, and in this order, you will identify what it takes to build a successful program that makes an impact you can measure.


The first step is deciding WHO you will target in your awareness program. Who is it that you are trying to communicate to, change the behaviors of, and track? Defining your target in turn defines what you will teach them, and ultimately how. Your awareness program may have multiple, different targets. Different targets require different types of training. Almost all awareness programs start with employees. Unfortunately, that is where most end. Never forget there are many other potential targets, and each one of these needs to be treated differently. The four most common targets are employees, management, IT staff and customers. Other targets exist (especially in unique or specialized industries such as medical or classified government work), but these are the most common.


Next is determining what content you are going to communicate to each target. This is much harder than it sounds. In reality you have several limitations. First, humans can only retain so much information. The more lessons you teach them, the more likely they will forget. In addition, you often have very limited time to communicate your awareness training. For many organizations thirty minutes is the standard. Finally, you need to limit your topics so you can focus on reinforcing them throughout the rest of the year. Reinforcement is one of the key processes for ensuring your lessons stick. As a result, it is critical you analyze all your topics and prioritize the ones that have the greatest return on investment. Here is what I consider the top ten topics. Consider this a starting point; obviously every organization will have different priorities and different requirements. But this is a common base.


We always recommend that organizations start the awareness program with You Are The Target. This topic has several objectives.

- The first is that many employees simply do not realize they are a target. They commonly believe that attackers only target web servers or databases, if they think about it at all. Instead, as we all know, it is the individual that is one of the most commonly attacked. As such, we need to change this misconception; we need to be sure they know and understand they are a primary target, both at work and at home.

- The second point is that far too often awareness programs only focus on protecting the company. Yet, if you go back and look at the top ten topics, almost all of them can also protect the end user at home. One thing we have found that works well is to start your awareness program with a focus on how this information protects employees, their families, friends, etc. In other words, this is not only about the organization, but about protecting them. This has the potential to motivate people far more, as they directly benefit. The organization benefits as employees are not only more involved, but the changed behaviors work well both at work and at home.

- Here we use the image of a cyber criminal website to demonstrate how everyone has value. In this case it is a website run by cyber criminals selling stolen identities to other cyber criminals. Unfortunately, you and I are not worth much, in this case only


Finally, once you determine what you need to communicate in your program, you need to determine how. This is where most awareness programs fail. Security professionals are good at understanding threats; they are unfortunately very bad at communicating them. For an effective program that reaches your end users, you have to think like marketing. We have found the following methods the most effective for today's organizations.


Ask any marketing professional and they will tell you that images are one of the best ways to communicate a message. Security awareness is no different. However, if you use imagery you have to be careful about the different cultures, nationalities, religions and languages in your organization. For images to be effective they have to connect with your end users. Often images of people or environments do not work well as they have a specific identity. We have found computer-generated images like the one you see here to be the most effective method. In images like this you cannot determine nationality, culture or religion. In other words, you do not have to worry about offending any of your end users. Instead you have a single program that any user can relate to. In addition, cyber-based imagery plays well with the cyber-related topic of security awareness. Not only does this save costs, but it simplifies your program as you have a single, unified method of communication.


In many ways onsite instructors are the most effective means to communicate your message. However, there are numerous challenges to onsite workshops. First, your presentations are only as good as the skills of the presenters, so it is difficult to ensure your program will have a consistent, high-quality message. In addition, it can be difficult to get all members of your organization to attend onsite events at specific times (think also about contractors, part-time employees or employees who are not on site). Finally, it can be difficult to track who did attend the event. This is why most organizations have moved to videos, or computer-based training. Videos easily scale for your organization. It does not matter if you have 100 employees or 100,000 people scattered around the world; everyone can access the training on their own time and own schedule. In addition, with videos you ensure that your program communicates a standardized message. You can also translate your videos into multiple languages so your message is communicated in your end users' native language. Finally, video-based training makes it much simpler to track who took the training, which is often required for compliance purposes. You can find online an example of awareness videos at http://www.securingthehuman.org/services/demo-training-lab


Attention to detail is important for your program; what you may not think is a big deal can mean success or failure to others. Here is an example. One of the concepts you often convey in a security awareness program is that the end user is worth money. The more people a cyber criminal hacks, the more money they can make. One way to demonstrate this is to use a video of money. The slide above is a snapshot of one such video used in an awareness program. The training and the money video worked fine in the United States, as the imagery is US-specific. However, employees in the UK and Europe did not respond well; they did not like the US-centric training. To be effective, you need training that is local to the environment. The closer you can get to the local culture, the more effective the training can be. One solution would be to create three separate training programs. One program would be American-based and have images of US dollars. Another would be UK-based and have British pounds. A third program would be just for Europe and include euros. Once again though, this solution will cost you more as you are maintaining three programs. Also, you don't know who will be using the training. What happens if you have a UK citizen who speaks French but is living in New York?


The solution? Simply create a video or image that combines all the possible currencies of different employees, in this case dollars, euros and pounds. The result: everyone is happy, they feel the training is customized to their culture, and you only have to maintain one training program. In addition, what you may not realize is that this image is actually computer generated. If you have to add additional countries or cultures to the training, you can simply add new currencies to the image at the click of a button. You will be very surprised, but simple differences such as this will have a huge impact on the success of your training.


For an awareness program to make a difference you cannot train people once. Just as patching an operating system requires new updates every month, so too must you update, or remind, the human operating system every month. There are a variety of mechanisms to do this, such as posters, screensavers, lunch and learns, etc. An effective method to easily reach and remind end users, or to reinforce your message, is newsletters. Newsletters are relatively simple to create on your end, yet you can include a tremendous amount of valuable information. Even better, since you can customize them yourself you can include recent information specific to your organization. In addition, there is very little cost in distribution, especially if you send them out via email. Common distribution cycles are monthly or sometimes quarterly. I highly recommend you do not generate newsletters weekly as it becomes difficult to maintain good quality. One suggestion: always be sure to include your security team's contact information in every newsletter. You can find an example of free, monthly awareness newsletters at Ouch! http://www.sans.org/newsletters/ouch/


Finally, metrics. To manage a program we need to measure the program, and for that we have inoculation. Inoculation is another term for awareness assessments: recreating the very same attacks that real threats launch against organizations. For example, sending out emails to your employees every month that replicate phishing and seeing how many click on the link in the email. There are two general ways to approach inoculation.

- You can use it purely for metric gathering. By sending out emails every month and tracking how many people click on the links, you have metrics to measure the impact of your program. The more effective your program and the more people's behaviors you are changing, the lower the click rate should go.

- You can also use this as a training method. Not only can you measure the number of people who click on a link, but when they do click you provide immediate feedback. For example, a website that explains to the end user that they just fell victim to an assessment, and that had this been a real attack the victim would have lost their information, and perhaps even provides additional training to the victim.

28

Here is an example of one such email. Notice how simple this email is; it was in no way customized or targeted against the organization. And yet an email like this can result in a 10-20% failure rate. If you are considering starting an inoculation program this is the type of email you want to start with. This email is unlikely to offend anyone. Compare this to more spear-phishing-like emails. These are emails that are customized for your environment and most likely result in far higher failure rates. However, emails like this can easily upset employees, making them feel they were taken advantage of. Yes, a highly skilled and motivated hacker could find the same information, but in the end you most likely did far more harm than good. At least for the first phishing assessments start simple so no one gets upset. If you want to get more targeted than that go ahead, but at least build a solid foundation first. Also, a basic email assessment may have greater impact on management. Say you send out a basic email and only 15% fall victim. You send out a spear phishing assessment and 60% fail. When you tell management about the 15% failure, you can add that this was the most basic, simple attack; if it had been targeted, more would have fallen victim. If you tell them that you launched a highly sophisticated spear phishing attack, then management may not consider the numbers valid, as they don't perceive themselves as targets for spear phishing attacks.

29

Here are three organizations demonstrating the effectiveness of awareness training. Each one had training for end users and each organization measured the awareness of its users. In each case these were relatively short term research projects. Several long term projects are currently under way.

NY State
In 2006 NY State instituted a program of awareness training. At the beginning of that training they sent out an email to 10,000 employees, of which 17% failed. After several months of training another email was sent, of which 7% failed.

PhishGuru
This was a research project led by Carnegie Mellon University in Portugal. CMU led several research projects on the effectiveness of combining inoculation with training. In other words, sending out phishing emails and, if an individual fell victim, directing them to a website with immediate feedback. This training was conducted over one month, with the failure rate dropping from 45% to 15%.

West Point
The United States Military Academy conducted several awareness assessments with similar results, failure rates of 80% dropping to 40%. It may appear odd at first that USMA had such high failure rates; however, this is not a reflection on the students but a reflection on the type of emails sent. USMA uses far more targeted emails in their testing, customizing them so they appear to come from officers in the organization or events targeted at cadets. This also demonstrates that the type of email you send will have a dramatic impact on how many end users fall victim and click on the link.
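As an added example that is not part of the SANS presentation: a small Python script that tracks inoculation results by month and by email template kind, reports each campaign's failure rate with a confidence band, and tests whether a later drop is statistically real. It keeps basic and targeted templates in separate series, since the notes above warn that their failure rates are not comparable. The campaign records and function names are the example's own constructions.

```python
from collections import defaultdict
from math import sqrt

# Constructed sample results from monthly inoculation campaigns (not real data):
# (month, template_kind, recipients, clicked)
CAMPAIGNS = [
    ("2006-01", "basic", 10000, 1700),
    ("2006-04", "basic", 10000, 700),
    ("2006-06", "targeted", 500, 300),
]

def failure_rate(clicked, recipients):
    """Share of recipients who clicked, as a fraction in [0, 1]."""
    if recipients <= 0:
        raise ValueError("recipients must be positive")
    return clicked / recipients

def wilson_interval(clicked, recipients, z=1.96):
    """95% Wilson score interval for the click rate, so a small campaign is not
    over-read: 3 of 20 has a far wider band than 1700 of 10000."""
    n = recipients
    p = clicked / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))

def rate_dropped(before, after, z=1.96):
    """One-sided two-proportion z-test: True when the later campaign's failure
    rate is significantly lower than the earlier one's. Args are (n, clicked)."""
    (n1, x1), (n2, x2) = before, after
    p1, p2 = x1 / n1, x2 / n2
    pooled = (x1 + x2) / (n1 + n2)
    se = sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    if se == 0:
        return False
    return (p1 - p2) / se > z

def trend_by_template(campaigns):
    """Group results by template kind, then list (month, rate, improved) per
    campaign, where improved compares against the previous campaign of the
    SAME kind (None for the first one in a series)."""
    by_kind = defaultdict(list)
    for month, kind, n, x in sorted(campaigns):
        by_kind[kind].append((month, n, x))
    report = {}
    for kind, rows in by_kind.items():
        prev = None
        for month, n, x in rows:
            improved = rate_dropped(prev, (n, x)) if prev else None
            report.setdefault(kind, []).append((month, round(failure_rate(x, n), 3), improved))
            prev = (n, x)
    return report
```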

30

This presentation was a very brief overview on how to secure the human. We covered why humans are so vulnerable, how attackers exploit those vulnerabilities and how we can fix them. If you are interested in learning more about how to establish an effective awareness program, SANS offers a two day class called MGT 433 Securing The Human. [1] To summarize, humans are really nothing more than another operating system; just like computers we store, process and transfer information. However, unlike computers, nothing has been done to secure the human in the past ten years, and as such humans are the weakest link. By investing in an awareness program with a focus on changing behaviors, you can have a tremendous impact and reduce risk. [1] http://www.sans.org/security-training/securing-human-building-deploying-effective-security-awareness-program-1277-mid

31

If you have any questions or any suggestions for Securing The Human, contact Lance Spitzner at the information below. In addition, if you would like to stay current on human issues of information security, follow Lance at both his blog and on Twitter. Lance Spitzner Technical Director, SANS Securing The Human program Email: lspitzner@sans.org Skype: lspitzner Twitter: @lspitzner Blog: http://www.securingthehuman.org/blog

32