A little while ago, Glenn posed the question: You do phishing tests? Why?
I was talking with someone earlier today who is selling something on the Internet, they forwarded me a message they’d received from a potential buyer and asked me, “is this a scam?” To which the answer of course is, “if you find yourself having to ask ‘is this a scam?’ then yes it is.” It’s the counterpoint to tabloid headlines posed as questions, the answer is always “no.” COULD CUMIN CAUSE CANCER? No (though it’s a nifty bit of alliteration).
Elsewhere on the intertubes today a discussion popped up around how a cybersecurity professional had received an email and was initially genuinely uncertain as to whether it was legit or not. It had all the hallmarks of a phish but passed all the tests he could throw at it.
Which rather begs the question: if we cannot tell the difference then how in the hell are we supposed to train our users? Moreover, how are our users supposed – nay, expected – to learn?
There was a time where I was of the opinion “how on Earth could you fall for this stuff, are you an idiot?” I once got flagged down when I was helping out in IT Support, a guy was having some issue or other with his computer. Whilst I was poking at it a malicious email arrived, I thought “ooh, a great opportunity for some impromptu training!” I explained what it was, deleted it, resolved his issue and left. I hadn’t made it to the door when he called me back, “my computer’s gone funny…!” It transpires, he’s removed the mail from Deleted Items, opened it back up, and run the attachment. I was absolutely incredulous, why would you do that after I’ve just told you… “Oh, I wanted to see what it did.” 🤷♂️
But that was then and this is now. Fast-forward to today, I’m no longer of this opinion. Prank emails aren’t the domain of mischievous young scamps in their bedrooms on a rainy Sunday. They are the work of large, organised criminal gangs. They are sophisticated. They are good. The “Dear Costumer” emails still do the rounds but they’re targeting low-hanging fruit.
“You do phishing tests? Why?”
I have a few opinions to share on this (are you new here?😁).
Firstly, robust training is near-impossible, it’s like King Canute(*) apocryphally setting up on the beach and shouting at the tide. Some people are simply just fools and it’s like trying to educate an omelette, but the situation today is way more nuanced than that. Professionals can get caught out. I’ve been caught out by a phish in a scenario where the company was set up to fail. It will never be, ahem, water-tight.
We can try to teach people to spot bogus URLs, to look out for micros0ft.com, to mouse-over links to see if the rug matches the curtains. To consider the ever-increasing list of shibboleths: an appeal to urgency; an appeal to the heart; an appeal to authority; and on it goes. And then to forward suspicious items to IT, to SecOps, to Bill Gates or whomever.
I say this:
RULE 1: LEAVE IT ALONE.
If you think something is wrong, it probably is. I don’t want you touching it. I want you to stick your hand up like a student in a GCSE exam who’s just run out of graph paper. I do not want you having to interact with it in any way shape or form. Because what you need to do is, just stop what you’re doing.
After giving a presentation one time I was asked “what’s the one thing we can do as a business to improve our security posture?” and I offered “amputate everyone’s right index finger.” Sadly this policy was never implemented.
“But Alan, how do I know something is wrong?” I hear you ask because you type too loudly. Simples. The question you need to ask yourself is, “was I expecting this?”
RULE 2: IS THIS EXPECTED?
It’s not infallible but really this is the beginning and end, and anything else is gravy. Never mind decoding obfuscated links or what have you, just “is this normal?” Did I expect this? No? Then stop. Just stop. It really is just that simple. IT departments the world over keep pushing Action when really the best solution is Inaction. Vanishingly few things ever went breasts skyward because you didn’t do anything for ten minutes (and if they did then you aren’t being paid enough).
Secondly,
As Glenn posited: why are we doing this? For our own self-promotion? It would be trivial to fudge results of a phishing campaign. We send out a professionally-crafted phishing email, everyone predictably clicks it, we then deliver training and have a follow-up campaign with a blatantly dog-egg quality email that everyone ignores… how great was that training, your InfoSec department is amazing!
Thirdly,
As security professionals we have a duty of care. Beyond scenarios outside of our control this should never happen, a corporate user should not be in a position where they have to wonder “is this real?” If they are then we’ve already failed; we have firewalls, we have endpoint security, we have perimeter security, we have intermediate security, we have email filtering, we have (gods help us all now) AI learning models. “User training” is immensely valuable as a Hail Mary defence when everything else has gone to mousse, but it’s insidious displacement at best to frame mistakes as their fault. My example above with the guy who pulled malware out of Deleted Items, 100% my fault for not purging it down properly.
You do phishing tests. Why? Because you do not – or cannot – trust your own systems.
(* – somewhat amusingly in a puerile sort of manner, he was actually King Cnut)