Is security training futile?

Phishing image, courtesy of ShutterstockSecurity firm RSA may have blamed a nation state when its servers got breached, but the technique used by the hackers were not revolutionary (a boobytrapped .XLS spreadsheet attached to a poorly-worded email was emailed to a small number of employees, leading to a Trojan horse gaining access).

And phishing attempts against West Point cadets who had completed four hours of security training successfully tricked 80 percent of the targeted cadets (and, even worse, 90 percent of freshmen) into clicking on an embedded link.

It all begs the question, “Why bother with security training?”

We shouldn’t, argues Dave Aitel, CEO of security firm Immunity Inc. and former computer scientist for the National Security Agency.

PCWorld on Wednesday published an article by Aitel in which he argues that, based on his firm’s experience and on examples like those cited above, training employees in “how not to infect the company” is a waste of time.

He writes:

...do phishing attacks like RSA prove that employee training is a must, or just the opposite? If employees and/or executives at RSA, Google, eBay, Adobe, Facebook, Oak Ridge National Laboratory and other technologically sophisticated organizations can be phished, doesn't that suggest that even knowledgeable and trained people still fall victim to attacks?

Aitel’s firm consults with large financial services and manufacturing enterprises, all of which conduct sophisticated employee awareness and security training, he writes.

In spite of that conscientious approach to security training, his clients still have, on average, a click-through rate for client-side attacks of “at least 5 to 10 percent.”

Immunity also conducts social engineering attacks against corporate phone banks, including help desks, that likewise demonstrate the ineffectiveness of security training, he writes:

While each of the personnel in these security sensitive rolls has extensive training and are warned against social engineering attacks, the only thing that stops our testers are technical measures. In other words, if a help desk employee can technically change your password without getting a valid answer from you about your mother's maiden name, then a company like Immunity will find a way to convince them to do so.

And perhaps the most embarrassing finding of all: “glaring flaws” such as SQL injection and cross-site scripting – the two most common vulnerabilities in OWASP’s Top 10 list of application security risks – in the actual training software that many of his clients use.

Padlock image, courtesy of Shutterstock“This is more humorous than dangerous, but it adds irony to the otherwise large waste of time these applications represent,” Aitel writes.

Should organisations just give up? No, actually, what they should do is get their IT people off their butts and take on the onus of securing the environment and segmenting the network, he writes:

Fundamentally what IT professionals are saying when they ask for a training program for their users is, 'It's not our fault.' But this is false - a user has no responsibility over the network, and they don't have the ability to recognize or protect against modern information security threats any more than a teller can protect a bank. After all, is an employee really any match against an Operation Shady RAT, Operation Aurora or Night Dragon? Blaming a high infection rate on users is misguided - particularly given the advanced level of many attacks.

Is Aitel right? Is security training an epic fail?

His commenters found Aitel’s examples unrepresentative of their experience. One, CNeskey, noted that he’s seen positive results from security training:

The two Fortune 500 firms I worked with were very successful with the training program and for many trials had no clicks at all, only users reporting the suspicious email. I think what may be at fault here is poor training or reasonable phishing emails.

Another commenter, AnupNarayanan, noted that smart attackers will always wiggle past security controls, be they technical or human, but that still leaves a lot of not-so-smart attackers who can be stopped:

I don't think we can assume that there is always a guy who is smarter than us around, who will trick people [who will] thus ignore [their] security awareness training. While it may not offer 100% security, it does provide a certain amount of resilience that is worth the money being spent.

In particular, social engineering attacks are one of the most efficacious focii of security training, given that such attacks target human error – a category of vulnerability that technology finds difficult to prevent.

Even Aaron Ferguson, the man who designed and unleashed West Point’s cadet phishing exercise (code-named Carronade) summed up lessons learned by pointing to the need to reinforce training concepts, not to do away with them entirely:

It is extremely important to reinforce the e-mail security awareness message after the exercise has been deployed. Giving the students immediate feedback will make them more cautious in the future and help enhance the network security posture in general.

In the latest Chet Chat podcast, Chester Wisniewski and Paul Ducklin discuss two recent examples of where security training clearly paid off.

USB image, courtesy of ShutterstockThe first example was the electoral commission in Ontario, who lost a brace of USB keys with 2.4 million voters’ details on them. Luckily, the data on the USBs had been encrypted, stopping anyone who accessed the USBs from seeing the personal information.

In the second example, employee awareness at a Dutch life sciences company helped avoid an attempted compromise after the company was apparently hit with a “poisoned USB key in car park” attack. An alert employee took the first key found to IT who rumbled the crooks, searched the car park and it was game over. You can listen to the podcast here:

(19 July 2012, duration 12:46 minutes, size 8.8 MBytes)

You can also download this podcast directly in MP3 format: Sophos Security Chet Chat 95, subscribe on iTunes or our RSS feed. You can see all of the Sophos Podcasts by visiting our archive.

Thus, Aitel’s claim that security training is fruitless is a bit drastic.

Nonetheless, he makes a valid argument that IT shouldn’t point the finger at clueless users and should instead shoulder the burden of securing the technology.

Teacher and boy image, courtesy of Shutterstock

He offered this list of tasks to which IT departments should devote the time they’d save by not bothering with so much security training:

  • Audit the periphery
  • Monitor and test perimeter defense
  • Isolate and protect critical data
  • Segment the network
  • Limit unnecessary access
  • Proactively examine important boxes for rootkits
  • Grant security leaders the power to throw a kill switch on projects that fail to properly account for security

Fair enough.

Please let us know in the comments section how successful your organisation’s security training is, and IT professionals, let us know if you think Aitel’s call for you to stop blaming bad security on employees is fair.

Teacher and boy at blackboard, USB stick, padlock with login and phishing images, courtesy of Shutterstock