Phish me once, shame on you. Phish me twice…
What should we make of the most recent announcements of government “awareness campaigns” about phishing? The National Counterintelligence and Security Center (NCSC) is the latest to say it will launch such a program, following damaging breaches this year the Office of Personnel Management and other agencies.
NCSC director Bill Evanina told the audience at a recent conference that the vast majority of significant breaches in both the public and private sector have started with spear phishing, where malware-laden emails are sent to specific people in organizations. Even keeping just a few people from clicking the links in those emails, Evanina said, may prevent a massive breach in the future. The NCSC, he said, has begun a four-part campaign to make people more aware of cyber threats, including spear phishing.
Earlier this year, the Defense Department’s CIO Office said it was “drawing a line in the sand” about users with poor cyber hygiene, meaning those who didn’t follow basic security practices would be thrown off DOD networks. That follows a March memo from CIO Terry Halvorsen specifically warning DOD personnel and their families about phishing dangers.
However, it seems we’ve been here before. Phishing threats have been known for some time. The National Institute of Standards and Technology has published cybersecurity guidelines highlighting the dangers and, broadly, what agencies can do about them. Federal Information Security Management Act policies also mandate that agencies provide comprehensive awareness and training programs for their workers.
Getting from there to an actual increased defense against phishing is a another matter, however. Telecom provider Verizon, in its 2015 Data Breach Report, found overall that some 23 percent of recipients of phishing emails open them, and nearly half of those actually click on the attachments that contain the malware. A campaign of just 10 phishing emails has a greater than 90 percent chance that at least one user will become a victim.
And training may not be the answer. Security company KnowBe4 made its own study and found that educational and awareness campaigns deliver significantly less than they promise. Too many organizations “still rely on a once-a-year breakroom ‘death by PowerPoint’ training approach or just rely on their filters, do no training and see no change in behavior,” the firm said.
Anecdotal evidence from both current and recently retired government employees seems to confirm that. Agencies provide those training sessions, for sure, but there’s little or no follow-up in the time between them. In too many cases, awareness and educational training seems to be just one more box to tick on agencies’ compliance list.
It’s not that government employees willfully disregard the dangers, but when they have so much to do during the day just to get their jobs done, and when the awareness isn’t reinforced, those dangers tend to recede in the face of more immediate needs. Clicking on an email that has been artfully designed to look like it’s from an official source is then an easy mistake to make.
The proof of the NSCS’s campaign and Halvorsen’s tough talk will be in the eventual application of consequences. For example, despite the March CIO memo and later crack-down comments, the Pentagon found itself in July investigating an attack on its senior officers’ unclassified email network, prompting a temporary shutdown of the Joint Chiefs of Staff’s 4,200 email accounts.
The hack was believed to have come through a phishing attack. The usual suspects –in this case Russia – were thrown out as possible sources of the attack, but it was surely also a case of “bad cyber hygiene” on the part of the Pentagon brass. So, when can we expect the Joint Chiefs to be thrown off that particular part of the DOD network?
Posted by Brian Robinson on Sep 11, 2015 at 10:47 AM