Security firm RSA may have blamed a nation state when its servers got breached, but the technique used by the hackers was not revolutionary (a booby-trapped .XLS spreadsheet attached to a poorly-worded email was sent to a small number of employees, leading to a Trojan horse gaining access).
And phishing attempts against West Point cadets who had completed four hours of security training successfully tricked 80 percent of the targeted cadets (and, even worse, 90 percent of freshmen) into clicking on an embedded link.
It all begs the question, “Why bother with security training?”
We shouldn’t, argues Dave Aitel, CEO of security firm Immunity Inc. and former computer scientist for the National Security Agency.
PCWorld on Wednesday published an article by Aitel in which he argues that, based on his firm’s experience and on examples like those cited above, training employees in “how not to infect the company” is a waste of time.
He writes:
...do phishing attacks like RSA prove that employee training is a must, or just the opposite? If employees and/or executives at RSA, Google, eBay, Adobe, Facebook, Oak Ridge National Laboratory and other technologically sophisticated organizations can be phished, doesn't that suggest that even knowledgeable and trained people still fall victim to attacks?
Aitel’s firm consults with large financial services and manufacturing enterprises, all of which conduct sophisticated employee awareness and security training, he writes.
In spite of that conscientious approach to security training, his clients still have, on average, a click-through rate for client-side attacks of “at least 5 to 10 percent.”
Immunity also conducts social engineering attacks against corporate phone banks, including help desks, that likewise demonstrate the ineffectiveness of security training, he writes:
While each of the personnel in these security-sensitive roles has extensive training and is warned against social engineering attacks, the only thing that stops our testers are technical measures. In other words, if a help desk employee can technically change your password without getting a valid answer from you about your mother's maiden name, then a company like Immunity will find a way to convince them to do so.
And perhaps the most embarrassing finding of all: “glaring flaws” such as SQL injection and cross-site scripting – the two most common vulnerabilities in OWASP’s Top 10 list of application security risks – in the actual training software that many of his clients use.
“This is more humorous than dangerous, but it adds irony to the otherwise large waste of time these applications represent,” Aitel writes.
Should organisations just give up? No, actually, what they should do is get their IT people off their butts and take on the onus of securing the environment and segmenting the network, he writes:
Fundamentally what IT professionals are saying when they ask for a training program for their users is, 'It's not our fault.' But this is false - a user has no responsibility over the network, and they don't have the ability to recognize or protect against modern information security threats any more than a teller can protect a bank. After all, is an employee really any match against an Operation Shady RAT, Operation Aurora or Night Dragon? Blaming a high infection rate on users is misguided - particularly given the advanced level of many attacks.
Is Aitel right? Is security training an epic fail?
His commenters found Aitel’s examples unrepresentative of their experience. One, CNeskey, noted that he’s seen positive results from security training:
The two Fortune 500 firms I worked with were very successful with the training program and for many trials had no clicks at all, only users reporting the suspicious email. I think what may be at fault here is poor training or reasonable phishing emails.
Another commenter, AnupNarayanan, noted that smart attackers will always wiggle past security controls, be they technical or human, but that still leaves a lot of not-so-smart attackers who can be stopped:
I don't think we can assume that there is always a guy who is smarter than us around, who will trick people [who will] thus ignore [their] security awareness training. While it may not offer 100% security, it does provide a certain amount of resilience that is worth the money being spent.
In particular, social engineering attacks are one of the most efficacious foci of security training, given that such attacks target human error – a category of vulnerability that technology finds difficult to prevent.
Even Aaron Ferguson, the man who designed and unleashed West Point’s cadet phishing exercise (code-named Carronade), summed up lessons learned by pointing to the need to reinforce training concepts, not to do away with them entirely:
It is extremely important to reinforce the e-mail security awareness message after the exercise has been deployed. Giving the students immediate feedback will make them more cautious in the future and help enhance the network security posture in general.
In the latest Chet Chat podcast, Chester Wisniewski and Paul Ducklin discuss two recent examples of where security training clearly paid off.
The first example was the electoral commission in Ontario, who lost a brace of USB keys with 2.4 million voters’ details on them. Luckily, the data on the USBs had been encrypted, stopping anyone who accessed the USBs from seeing the personal information.
In the second example, employee awareness at a Dutch life sciences company helped avoid an attempted compromise after the company was apparently hit with a “poisoned USB key in car park” attack. An alert employee took the first key found to IT, who rumbled the crooks, searched the car park, and it was game over. You can listen to the podcast here:
(19 July 2012, duration 12:46 minutes, size 8.8 MBytes)
You can also download this podcast directly in MP3 format: Sophos Security Chet Chat 95, subscribe on iTunes or our RSS feed. You can see all of the Sophos Podcasts by visiting our archive.
Thus, Aitel’s claim that security training is fruitless is a bit drastic.
Nonetheless, he makes a valid argument that IT shouldn’t point the finger at clueless users and should instead shoulder the burden of securing the technology.
He offered this list of tasks to which IT departments should devote the time they’d save by not bothering with so much security training:
- Audit the periphery
- Monitor and test perimeter defense
- Isolate and protect critical data
- Segment the network
- Limit unnecessary access
- Proactively examine important boxes for rootkits
- Grant security leaders the power to throw a kill switch on projects that fail to properly account for security
Fair enough.
Please let us know in the comments section how successful your organisation’s security training is, and IT professionals, let us know if you think Aitel’s call for you to stop blaming bad security on employees is fair.
Maybe the problem isn't that all training fails, just *bad* training. I'm appalled by what passes for security training these days. It's only slightly better than those "duck and cover" civil defense movies from the 1950s. Universities and educators have been exploring alternatives to the traditional lecture format, because studies have shown that these one-way methods are a failure for our academic institutions. So why does the security industry continue to utilize some of the same antiquated methods? Users aren't the enemy and we need to start integrating better techniques in order to become successful with our training.
I feel that training users has significant value; without keeping the visibility up, the person who spotted the USB stick may not have thought to turn it over to the IT dept.
With that said, I feel that relying on every person to never ever click on a reasonable-sounding email is insufficient and more technology is needed to fill the gaps. Enforced policies that prevent a non-encrypted USB drive from being usable would go a long way to making sure any lost USB drives are encrypted. Email filters that don't just look for keywords but stop any mail with a link that points to a different place than the readable text, etc.
I completely disagree with the PC World article. No measure is 100% effective, security is all about “defense in depth.” I just did some security awareness training at my company and from the conversations that followed, I can tell it did some good.
Some exploits attack, some are invited in. Remember the Trojan Horse? A perimeter can only stop the attacks that have no insider assistance. No firewall can prevent bad choices. Only knowledge and good judgement can do that.
I'll post here a comment I made over at ShackFOO on this issue…
Clearly, MOST of what is being done in IT security today isn’t working – from AV to IDS to NAC to WAF to Policies to “security awareness”. It’s almost trivial for hackers to get around ALL of it on a daily basis.
Security awareness IS a critical component of any IT security plan. But we must distinguish between that as a GOAL and that as a TACTIC to be implemented by half-ass corporate training – which as everyone knows always sucks.
A better way to build security awareness in employees is to embed it in the processes they have to do to complete their staff function. By requiring employees to take specific steps as part of their function procedures to verify security, we can make them think about security at every point.
People need to realize – not just in IT operations but in life in general – that THERE IS NO SECURITY EXCEPT security awareness. That’s not too hard to express to people in general but it’s hard to get employees to develop that same awareness in a corporate setting, especially when most people really don’t care about the companies that employ them (mostly because they rightly know that most companies don’t care about them except as replaceable “carbon-based units”.)
Silly question. It’s like saying why bother having people learn to drive a vehicle if there are so many that don’t drive properly!
Personally I think that security training is incredibly important. I also think that IT needs to take steps to reduce the scope of attack and implement the latest technologies to prevent hackers from gaining access. With the right intrusion prevention systems in place you can make a system nigh impossible to break into without social engineering or insider information. The biggest problem I see in IT is budgeting; IT security doesn't generate any return on investment. Also, on a side note, you need to train your users or you will never get any sleep.
Of course some attacks will get through. That's why my department is called IT Risk *Management* and not IT Risk Elimination.
The point is to have defense in depth and that includes educated end users so they become less likely to click on things they shouldn't. It also includes AV and proxies and IDS and firewalls and monitoring.
Security has never been a technical problem *or* a personnel problem. It is both.
With social engineering, there are plenty of motivated people who will take the time to study and learn enough about the target to get through the defenses. Nothing short of call backs or some other out of band authentication can solve that. And even *that* can be conquered with enough time and money.
And any time someone tells me that everything that I've been doing is wrong, I wonder what product they are getting ready to sell.
The only secure system is the one that doesn't exist.
As MrsYisWhy implies, there is such a thing as bad awareness training and I suspect Aitel's company delivers plenty of it. There are awareness techniques which have been shown to be hugely successful in protecting users from phishing, for example, such as actual phishing exercises combined with education.
It sounds like Aitel's awareness training consists of just telling users to 'be secure'. If this worked there would be no obese doctors or divorced marriage counsellors.