Defending the Enterprise Part 1: The Human Firewall
By Bob Thibodeaux, CISO, DefenseStorm
Some of you might be old enough to remember a movie called “The Sting.” It’s about con men in the 1930s who use a “pigeon drop” and phony off-track betting to steal vast sums of money from unsuspecting targets. Fast forward to today. Times have changed, but the world is still full of bad guys who want to take your money or your secrets. And now, because of the way we do business on the Internet, we’re exposed to new tactics—from phishing to ransomware.
In response, we have two lines of defense when it comes to protecting the enterprise and keeping the bad guys at bay: Strengthening the human firewall and patching vulnerable systems.
In part one of this series, I’ll focus on the former and, in part two, I’ll cover the latter. So, let’s dive in with some factors to consider regarding our human firewalls.
What makes people good at their jobs can also make them vulnerable.
Our employees are our most critical resource. Beyond our products and services, the humans we employ give us the competitive edge we need to succeed. But many of our best employees aren’t technical. They're the soft skills folks—salespeople, marketers, and the member service team.
You can have the most technically bulletproof email system in the world, but whoever is attacking the enterprise, whether a penetration tester or a cybercriminal, is going to go after these soft targets.
Why? Because these people are on the front lines of the credit union and their jobs involve interacting with the public. They’re friendly, outgoing, and predisposed to help or troubleshoot—which makes them more likely to open an email attachment or click on a link.
C-level executives are particularly vulnerable to social engineering attacks because they’re often involved with charitable and nonprofit organizations. Here’s an example: An attacker goes on Facebook or LinkedIn to determine which organization an executive supports. Then, the attacker spoofs an email to the executive from that organization titled, “Here are some potential donors” and attaches a weaponized Excel spreadsheet (typically one carrying a malicious macro). Naturally, the executive is curious about new donors to an important cause, so he or she opens the attachment. Boom: a good person trying to do good things has just provided a beachhead into the organization.
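The two things that make the donor-list lure work are visible in the message itself: the sender does not authenticate for the domain it claims to be from, and the spreadsheet carries a VBA project. The following triage script, added here as an example and not code from DefenseStorm or any vendor, inspects a reported message for both. The message, the domains (`riverside-foodbank.example`, `bulk-sender.example`, `creditunion.example`) and the workbook are constructed fixtures, and the scoring is an assumption; only the Python standard library is used.

```python
"""Triage a reported email for the two traits of the 'potential donors' lure:
a From domain that fails DMARC or does not align with the Return-Path, and an
Office attachment that contains macros. Example code added for illustration;
all names and the message itself are constructed, not taken from a real incident."""
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

MACRO_EXTS = (".xlsm", ".xltm", ".xlam", ".docm", ".dotm", ".pptm")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .xls/.doc container


def build_fake_workbook(with_macros: bool) -> bytes:
    """Constructed fixture: an OOXML workbook is a zip; a macro-enabled one
    carries xl/vbaProject.bin. The VBA stream here is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder vba stream")
    return buf.getvalue()


def build_sample_eml(attachment: bytes, filename: str, authenticated: bool) -> bytes:
    """Constructed fixture resembling the donor-list lure (domains are assumptions)."""
    msg = EmailMessage()
    msg["From"] = '"Riverside Food Bank" <donors@riverside-foodbank.example>'
    msg["To"] = "ceo@creditunion.example"
    msg["Subject"] = "Here are some potential donors"
    if authenticated:
        msg["Return-Path"] = "<donors@riverside-foodbank.example>"
        msg["Authentication-Results"] = ("mx.creditunion.example; spf=pass smtp.mailfrom=riverside-foodbank.example; "
                                         "dkim=pass header.d=riverside-foodbank.example; dmarc=pass header.from=riverside-foodbank.example")
    else:
        # Spoofed: SPF passes for the bulk sender's domain, not for the charity's.
        msg["Return-Path"] = "<bounce@bulk-sender.example>"
        msg["Authentication-Results"] = ("mx.creditunion.example; spf=pass smtp.mailfrom=bulk-sender.example; "
                                         "dkim=none; dmarc=fail header.from=riverside-foodbank.example")
    msg.set_content("Hi, attached is the donor list we discussed.")
    subtype = "vnd.ms-excel.sheet.macroEnabled.12" if filename.endswith(".xlsm") else "vnd.openxmlformats-officedocument.spreadsheetml.sheet"
    msg.add_attachment(attachment, maintype="application", subtype=subtype, filename=filename)
    return bytes(msg)


def inspect_attachment(name: str, data: bytes) -> list:
    findings = []
    if name.lower().endswith(MACRO_EXTS):
        findings.append(f"{name}: macro-enabled Office extension")
    if data.startswith(b"PK"):  # OOXML: look inside rather than trusting the extension
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            names = []
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            findings.append(f"{name}: OOXML archive contains a VBA project")
    elif data.startswith(OLE_MAGIC):
        findings.append(f"{name}: legacy OLE document, may embed VBA; open only in a sandbox")
    return findings


def triage(raw: bytes) -> dict:
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "")
    m = re.search(r"\bdmarc=(\w+)", auth)
    dmarc = m.group(1).lower() if m else "none"
    if dmarc != "pass":
        findings.append(f"dmarc={dmarc} for From domain {from_domain}")
    # Relaxed alignment: the bounce domain must be the From domain or a subdomain of it.
    if rp_domain and rp_domain != from_domain and not rp_domain.endswith("." + from_domain):
        findings.append(f"Return-Path domain {rp_domain} does not align with From domain {from_domain}")
    for part in msg.iter_attachments():
        findings.extend(inspect_attachment(part.get_filename() or "(unnamed)", part.get_payload(decode=True) or b""))
    return {"from_domain": from_domain, "dmarc": dmarc, "findings": findings,
            "verdict": "escalate" if findings else "clean"}


if __name__ == "__main__":
    lure = build_sample_eml(build_fake_workbook(True), "potential_donors.xlsm", authenticated=False)
    for line in triage(lure)["findings"]:
        print("-", line)
```

The check reads the `Authentication-Results` header your own mail gateway stamps on the message, so it only means something for mail that arrived through that gateway; a forwarded copy pasted into a ticket will not carry a trustworthy one. A legacy `.xls` cannot be judged from its magic bytes alone, which is why it is flagged for sandbox detonation rather than declared clean.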
How can we protect our soft targets?
To protect against attacks, you need to implement very good security and awareness training for employees across your enterprise—with a subset of training specifically designed for your C-suite and soft skills people. Here’s the approach we’re taking at DefenseStorm:
1. Phish your own pond.
The best way to find out where you are vulnerable is to simulate real-world attacks. We do this with three groups of employees: marketing and sales, engineering, and the C-suite. We target more sophisticated campaigns toward the engineering group and start at a basic level with the marketing/sales and C-suite groups.
When we first started simulating attacks, we created our own “dirty tricks campaigns.” Now, several high-quality services automate campaigns and can help you to manage the security challenges of social engineering, spear phishing, and ransomware attacks.
We use KnowBe4, a cloud-based subscription service that combines simulated attacks with security awareness training. We’re running their canned email and automated social engineering campaigns—and using additional features I’ll describe below.
2. Automate awareness training.
If someone in our organization clicks through one of the simulated attacks, they are automatically enrolled in an awareness training module that’s specific to the trick that caught them.
The training includes videos featuring Kevin Mitnick, the world’s most famous hacker. He does a 45-minute demo to illustrate what happens on the other side when someone clicks a phishing email. A picture (or in this case, a video) is worth a thousand words, and when our employees see how the bad guy operates behind the scenes, they become more acutely aware of the problem and the urgency to address it.
We also include “if you see something, say something” guidance as part of our awareness training. This goes beyond coaching employees to report suspicious emails or phishing attempts to include unusual phone calls or people hanging around the building. It’s all part and parcel of our security incident response program.
3. Track your risk scores—but don’t name and shame.
The beauty of a service like KnowBe4 is that it provides a risk scoring mechanism within the platform. I can go in and check the risk scores to see how we are doing and where we need improvement.
But keep this in mind: You have to make sure there’s no retribution for mistakes. If someone clicks through an attack, you shouldn’t name and shame. These attacks can happen to anyone. In fact, I’ve been phished—and I have years of training, I’m very technical, and I’m highly suspicious!
The key is to build a process that promotes ongoing improvement. If you create awareness, provide individualized instruction, and keep testing employees with phishing tools, your risk scores will improve, typically by about 60% over the first year.
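Whatever platform runs the campaigns, the raw output is an event log: who was sent which lure, who opened, clicked or entered credentials, and who reported it. The script below, added here as an example and not the logic of KnowBe4 or any other product, turns such a log into the three things the steps above rely on: per-group click and report rates, a per-user risk score, and an automatic training assignment keyed to the lure that caught each person. The event log, the group and template names, and the scoring weights (falling for an easy lure counts more than falling for a hard one; reporting earns a point back) are all assumptions.

```python
"""Summarize a simulated-phishing event log into group rates, per-user risk scores
and training assignments. Example code added for illustration; the log and the
scoring weights are constructed assumptions, not any vendor's method."""
from collections import defaultdict

# Outcome severity; "reported" is tracked separately because it is the good outcome.
SEVERITY = {"sent": 0, "opened": 1, "clicked": 2, "submitted": 3}

# Which awareness module a lure maps to (assumed catalogue).
TRAINING_FOR = {
    "invoice-overdue": "urgency-and-authority",
    "donor-list": "attachment-safety",
    "oauth-consent": "app-consent-phishing",
}

# Constructed event log: (user, group, template, lure difficulty 1..3, action).
EVENTS = [
    ("alice", "sales", "invoice-overdue", 1, "sent"),
    ("alice", "sales", "invoice-overdue", 1, "opened"),
    ("alice", "sales", "invoice-overdue", 1, "clicked"),
    ("bob", "sales", "invoice-overdue", 1, "sent"),
    ("bob", "sales", "invoice-overdue", 1, "reported"),
    ("carol", "csuite", "donor-list", 1, "sent"),
    ("carol", "csuite", "donor-list", 1, "opened"),
    ("carol", "csuite", "donor-list", 1, "submitted"),
    ("dave", "engineering", "oauth-consent", 3, "sent"),
    ("dave", "engineering", "oauth-consent", 3, "clicked"),
    ("dave", "engineering", "oauth-consent", 3, "reported"),
    ("erin", "engineering", "oauth-consent", 3, "sent"),
]


def summarize_users(events):
    """Collapse events into one record per user, in any event order."""
    users = {}
    for user, group, template, difficulty, action in events:
        u = users.setdefault(user, {"group": group, "template": template,
                                    "difficulty": difficulty, "worst": 0, "reported": False})
        if action == "reported":
            u["reported"] = True
        else:
            u["worst"] = max(u["worst"], SEVERITY[action])
    for u in users.values():
        # Assumed weighting: severity scaled by how easy the lure was (1 = basic).
        score = u["worst"] * (4 - u["difficulty"])
        u["risk"] = max(0, score - 1) if u["reported"] else score
        u["fell"] = u["worst"] >= SEVERITY["clicked"]
    return users


def group_rates(users):
    """Aggregate per group; this is what gets reported, never the per-user list."""
    groups = defaultdict(lambda: {"targeted": 0, "clicked": 0, "reported": 0, "risk_total": 0})
    for u in users.values():
        g = groups[u["group"]]
        g["targeted"] += 1
        g["clicked"] += int(u["fell"])
        g["reported"] += int(u["reported"])
        g["risk_total"] += u["risk"]
    return {name: {"click_rate": g["clicked"] / g["targeted"],
                   "report_rate": g["reported"] / g["targeted"],
                   "avg_risk": g["risk_total"] / g["targeted"]}
            for name, g in groups.items()}


def training_assignments(users):
    """Everyone who clicked or submitted gets the module for the lure that caught them.
    This feeds the LMS enrolment, not a leaderboard."""
    return {name: TRAINING_FOR[u["template"]] for name, u in users.items() if u["fell"]}


if __name__ == "__main__":
    users = summarize_users(EVENTS)
    for name, rates in sorted(group_rates(users).items()):
        print(f"{name:12s} click {rates['click_rate']:.0%}  report {rates['report_rate']:.0%}  avg risk {rates['avg_risk']:.1f}")
    print("enrol:", training_assignments(users))
```

Keep the per-user records inside the platform or the LMS feed and publish only the group view; that is the practical form of "track your risk scores, but don't name and shame." Run the same summary after each campaign and compare group rates over time rather than absolute numbers, since lure difficulty changes between campaigns.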
Up next: In part two of this article, I’ll dive into another way to protect the enterprise from malicious attacks: Patching systems. Stay tuned!