
Strengthening the Weakest Link

Employees are frequently cited as being the weakest link in security. Rather than argue this point, I'm just going to reference a few articles here and move on (Fortune, Fraud-magazine, Forbes). Now, in general, employees are considered the weakest link because they don't always make smart decisions.

For example, in one company I was at, a phishing email was sent out to many of the employees. The email was from "Emily", the subject was "New Pics" and the body was simply "Check out my latest pics" with a link. I was amazed at how many people clicked on that link and consequently installed a virus. A similar attack came a few months later, but spread over chat instead. I felt that we needed to train our employees better.

I should note here that there is a good argument for security software that is idiot-proof, that prevents employees from hurting their networks or losing information. I entirely believe in using such software, but hackers are very skilled at getting around defenses, so I believe it is important to train your employees all the same. Every security layer counts!

So what's the best way to train your employees against phishing attacks? With more phishing, of course! So here's what I did:
  1. Spun up a publicly accessible Linux box outside of our networks
  2. Installed KingPhisher
  3. Bought a domain that was similar to our company's primary domain
  4. Set up DNS for a web page and email (KingPhisher hosts web pages to use with your phishing)
  5. Set up Postfix for sending and receiving email with the new domain
  6. Set up Thunderbird for interacting with Postfix
  7. Set up Postfix on my own laptop to forward outgoing emails to this phishing server (KingPhisher sends the emails from the machine you are working on)
  8. Got a list of company employees with their emails, and randomly selected 20% of the employees
  9. Crafted a phishing email that was in my opinion "medium" difficulty. More difficult than "Emily's pics" mentioned above, but not spear phishing to the employee level (some public knowledge of the company was assumed, but not much)
  10. Crafted a couple of web pages: A page for employees to lose their credentials on, and a training page that they see after they lose them (I never kept passwords, only usernames)
  11. Sent out a couple of test emails, and then...
  12. Sent out the email to my generated list
At this point, the training has begun. Employees who get the email will fall into one of a few different categories:
  1. They reported the email to security right away
  2. They ignored the email or deleted it
  3. They clicked on the link, but didn't give up their credentials
  4. They clicked on the link and gave up their credentials
  5. They replied to the email for some reason, and then fell into one of the other categories (these emails would appear in Thunderbird, and I would respond as a hacker might)
If they fell into the first group, they were to be put into a drawing for a gift card. The other groups received additional training based on what they did or didn't do. In short, we wanted everyone to report the email as soon as they got it and to not click the link. 

This training was to be done on a monthly basis, making sure to include those who had failed the previous month's training in the next one, as well as another set of 20% of the company's employees. Because of the frequency of the tests, we felt it wise to give some motivation for doing the right thing, hence the drawing for the gift cards. Prior to starting the drawing, we had begun to see some apathy from certain users who had previously been among those reporting the phishing emails.
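The cohort selection in step 8, the five outcome categories above, and the monthly carry-over of last month's failures can all be tracked with a small script. The following is an added example, not the author's code or part of KingPhisher; the employee addresses and last month's records are constructed sample data, and treating "clicked" and "gave up credentials" as the outcomes that require a re-test next month is my assumption.

```python
import random
from collections import Counter

# Outcomes that put an employee back into next month's cohort (assumption).
NEEDS_RETEST = {"clicked", "credentials"}


def classify(record):
    """Map one tracked record to the post's categories: reported, ignored,
    clicked, credentials. 'replied' is a flag on top of the final outcome."""
    if record.get("submitted"):
        return "credentials"
    if record.get("clicked"):
        return "clicked"
    if record.get("reported"):
        return "reported"
    return "ignored"


def tally(records):
    """Monthly summary: count of each final category plus the repliers."""
    counts = Counter(classify(r) for r in records.values())
    summary = {c: counts.get(c, 0) for c in ("reported", "ignored", "clicked", "credentials")}
    summary["replied"] = sum(1 for r in records.values() if r.get("replied"))
    return summary


def drawing_pool(records):
    """Gift-card drawing entrants: reported the email and never clicked the link."""
    return sorted(e for e, r in records.items() if classify(r) == "reported")


def select_cohort(employees, last_month, fraction=0.2, seed=None):
    """Next month's targets: last month's failures plus a fresh random 20% of the rest.
    A fixed seed makes the selection reproducible for the campaign record."""
    rng = random.Random(seed)
    repeat = sorted(e for e in employees if classify(last_month.get(e, {})) in NEEDS_RETEST)
    pool = [e for e in employees if e not in set(repeat)]
    k = min(len(pool), max(1, round(len(employees) * fraction)))
    return repeat, sorted(rng.sample(pool, k))


# Constructed sample data (not from the post): ten employees, five records so far.
EMPLOYEES = [f"user{i}@example.com" for i in range(1, 11)]
LAST_MONTH = {
    "user1@example.com": {"reported": True},
    "user2@example.com": {"clicked": True},
    "user3@example.com": {"clicked": True, "submitted": True, "replied": True},
    "user4@example.com": {"replied": True, "reported": True},
    "user5@example.com": {},
}

if __name__ == "__main__":
    print(tally(LAST_MONTH), drawing_pool(LAST_MONTH))
    print(select_cohort(EMPLOYEES, LAST_MONTH, seed=7))
```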

After doing this for about a year, each employee had received at least a couple of phishing tests, and the ongoing exercises had created something of a buzz in the office regarding security. It's difficult to quantify exactly how much improvement there was: with employee turnover, and the need for a longitudinal study to get good data, we just couldn't know exactly how much progress we were making. But there was ample anecdotal evidence to suggest that we were making headway. Employees who had previously not been reporting phishing to us started reporting, and many people were talking to us and to each other about these tests.

This was a very low cost way to decrease one of the largest threats every company faces and to improve the company culture around security. After the initial setup, the whole process took me only a few hours each month, and maybe an hour or two more if purchasing a new domain. I believe this should be part of every security training program. 
