“I will miss our conversations.”
—Nathan Algren, The Last Samurai
In the short time that it took Chris and me to write this book, the world has moved on. There have been a number of additional high-profile breaches reported, including eBay, The Home Depot, Sony, Chick-fil-A, and JPMorgan Chase & Co. I think it's safe to say that we haven't begun to see all of the fallout that will surely come in the form of stolen credit cards or identities or further attempts to perpetrate theft or infiltration through phishing.
The most recent report published from the Anti-Phishing Working Group (APWG), released August 29, 2014,[1] reveals that the second quarter of 2014 had the second highest number of unique phishing websites reported—128,378. In addition, the number of unique phish reported in this same time frame was 171,801. These are just the numbers reported to the APWG, so I don't think it's a leap of logic to assume that this is only a fraction of phish and malicious websites circulating in the wild. The trend has been a continual increase over the last decade that the APWG has been reporting.
What's worse, phishers are becoming quicker, smarter, and more adaptive. In a recent study[2] on manual account hijacking conducted by Google and the University of California, San Diego, it was determined that an attacker attempted to access 20 percent of accounts with harvested credentials within 30 minutes and 50 percent within 7 hours. In addition, attackers spent an average of 3 minutes searching accounts to determine their value based on e-mails containing information such as financial data or other account credentials. Finally, they found that a contact of a compromised account was 36 times more likely to receive a phishing e-mail, indicating that phishers use a victim's friends and associates to launch additional attacks.
Any way you look at it, phishing is going to continue to be a problem for people and organizations in the foreseeable future. The only real solution is staying educated and aware in all of your online activities.
It was not easy for us to try to come up with a final chapter that didn't just rehash all we said in the previous seven. Michele and I talked about how we would want to conclude this book for you, and we came up with a short list of reminders and topics that we think summarizes the concepts we've presented and what we hope you take away from this book.
Phishing is not a recreational pastime; it's real business for bad guys. One report estimated that the loss to phishing in 2013 was over $5.9 billion.[3] Like any business, phishing continues to evolve and adapt to maintain its profitability. Although the Nigerian 419 scams are still alive and very well, there is a consistent trend toward phish that are more realistic and don't include the easy identifiers that we're accustomed to relying on as we try to spot phish.
In addition, phishers know what motivates people and have no issues using sensitive topics and human tragedy to get you to click.
Unfortunately, advanced phishing means having to think a little more about the e-mails you receive. Here are some simple rules I give to my non-tech friends and family:
Now, following these guidelines may mean you might not get an update from a friend or will miss out on an online deal. But the alternatives are consequences that range from a compromised computer all the way to stolen identity. If you have a good understanding of the scale of the phishing problem and potential outcomes, a little critical thinking now can go a long way toward saving a lot of grief later.
As I was writing this chapter, I had a meeting at a company where a user had clicked on a phish and downloaded some ransomware via e-mail. The ransomware encrypted the user's whole drive and also the entire network and connected drives. The technique the hackers used to create the application was solid cryptography, and there were no implementation flaws for breaking it. This means the user has to either pay the ransom or lose the data (if it's not properly backed up). Wouldn't a few more seconds of critical thinking, and opening a browser instead of clicking the attachment, have been worth it to prevent that loss?
Unfortunately, the security professional's job just gets bigger and bigger. We find only a few organizations are willing to spend the money on consultants or larger teams, so the security pros in these companies have to be jacks-of-all-trades. Clearly, the best option is a phishing education and testing program facilitated by people who understand the ins and outs of the trade. But if you don't have that, there are still things you can do:
www.apwg.org and www.social-engineer.com. If you still think phishing is a low-threat vector perpetrated by uneducated thugs, it might be wise to update your knowledge. Hopefully this book helped you a little bit in establishing some basic knowledge.
After you understand the nature and scope of phishing, the ultimate goal is to develop a coherent program that regularly tests and educates your organization on identifying and properly responding to phish in the wild.
In an ideal world, we'd catch all the bad e-mails coming in and conduct our daily business without interruption. Because that's never the case, what can you realistically accomplish? Goal-setting is a fundamental part of having a phishing program. If you don't know what you're shooting for, you won't know when you've arrived or how to correct your course along the way.
Goal-setting is highly dependent on your organization's culture and leadership. Do you have a company that constantly experiences high turnover? Are you lucky enough to work for a company where good communication is the norm? Are you in an environment with highly reactive management? Do you have any idea of where your organization currently sits with respect to phishing awareness? There are many factors to consider when setting realistic goals, but here are a couple of things to ponder:
Good goals are the foundation of an effective program.
There's a lot more to a coherent phishing-awareness program than just sending a random phish every month/quarter/year. You've set goals; how are you going to go about accomplishing them? Ask yourself the following questions:
All of these factors should be considered in your program planning. The more time you spend up front, the smoother the program will run. Even hitches will be more predictable, and you'll at least have an idea of how to adjust accordingly.
We recently had a jubilant client come to us to report a click rate that fell by 50 percent from one month to the next. Fifty percent! That's really great, right? Well, maybe. Here's the problem: They had decided to test only a portion of the population each month with the goal of testing the entire company over the course of the year. There were no groups who received repeat testing over that time frame. What did a month-to-month reduction mean? Perhaps people were talking to fellow employees and getting the word around that the company was conducting phishing testing. Or maybe the second group happened to get a phish that was easier to detect. Or perhaps that second group happened to be more tech savvy than the first. There's no way to know the reason for the fall in click rate.
You need to understand what the numbers mean and don't mean. For a set of numbers to be statistically significant—that is, the difference between groups is attributable to a manipulated variable as opposed to chance—certain conditions have to exist. That's a problem for you stats guys to get into, and it's well beyond the scope of this book, but it's something you have to consider.
There are too many things that can affect the outcome. Chances are that if we asked the right questions, these groups might also be noticeably different in other meaningless ways, such as favorite types of music, IQ, and number of kids. See my point? So I would be very hesitant to say that a big difference from one month to the next is very significant. But if that trend continues month to month, then we can start to make some more positive conclusions, even without bringing in your resident statistician. The point we are trying to make is that if you are consistently hitting 80 percent click ratios and have hardly any reporting, and next month you get a 10 percent click ratio, before you rejoice and determine you can be done with phishing education, understand why that happened.
Was it that all your people were on vacation? Did the reporting ratio also go up? Was the phish something that more people paid attention to? What was the reason for the massive spike? If it is a one-off occurrence, then you will see the numbers change for the worse the next month. When you see continual improvement, then you can rejoice.
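The caution above about reading a month-over-month change is easier to see with numbers. The following is an added example, not code from the book or its authors: it applies a standard two-proportion z-test to constructed click counts, showing that the same 50 percent relative drop is distinguishable from chance with 200 test recipients per round but not with 20, and that even a significant result says nothing about the cause (different groups, an easier phish, word of mouth).

```python
"""Two-proportion z-test for month-over-month phishing click rates.
Added example (not from the book); all counts are constructed, not client data.
"""
import math
from dataclasses import dataclass


@dataclass
class Campaign:
    sent: int      # phishing e-mails delivered in this round
    clicked: int   # recipients who clicked the link

    @property
    def click_rate(self) -> float:
        return self.clicked / self.sent if self.sent else 0.0


def relative_change(before: Campaign, after: Campaign) -> float:
    """Relative change in click rate, e.g. -0.5 for a 50 percent drop."""
    if before.click_rate == 0.0:
        return math.inf if after.click_rate else 0.0
    return (after.click_rate - before.click_rate) / before.click_rate


def two_proportion_ztest(before: Campaign, after: Campaign):
    """(z, two-sided p-value) for H0: both rounds share one true click rate.
    Says only whether the gap exceeds what chance would produce, never why."""
    pooled = (before.clicked + after.clicked) / (before.sent + after.sent)
    se = math.sqrt(pooled * (1 - pooled) * (1 / before.sent + 1 / after.sent))
    if se == 0.0:  # everyone or no one clicked in both rounds: no evidence either way
        return 0.0, 1.0
    z = (before.click_rate - after.click_rate) / se  # positive z = rate fell
    return z, math.erfc(abs(z) / math.sqrt(2))      # two-sided normal tail


def significant_drop(before: Campaign, after: Campaign, alpha: float = 0.05) -> bool:
    """True only if the click rate fell AND the fall is unlikely to be chance."""
    z, p = two_proportion_ztest(before, after)
    return z > 0 and p < alpha


def sustained_improvement(rates, months: int = 3) -> bool:
    """True if the click rate fell at each of the last `months` transitions."""
    recent = rates[-(months + 1):]
    return len(recent) == months + 1 and all(a > b for a, b in zip(recent, recent[1:]))


if __name__ == "__main__":  # same 50 percent drop, 200 vs 20 recipients per round
    for m1, m2 in ((Campaign(200, 80), Campaign(200, 40)), (Campaign(20, 8), Campaign(20, 4))):
        print(relative_change(m1, m2), two_proportion_ztest(m1, m2), significant_drop(m1, m2))
```

Only repeated testing of the same population (the `sustained_improvement` check) supports a conclusion about training effect; a single significant drop between two different groups does not.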
One final point: The context should also include the point of your program. We understand that some metrics are important to help you measure change over time and, frankly, to provide management with justification for the program, but keep in mind that your program should theoretically be about teaching your folks to recognize and deal with phish—not create pages and pages of metrics.
By now we hope it's pretty clear that we're all about fixing security issues by creating a secure culture and educating your people—not getting rid of them. Good education has lots of benefits for both the employer and the employee. By creating smart and aware staff, you're teaching them good habits that will carry over to their personal lives as well. The only downside to a good security education program is that it will cost in terms of time, effort, and resources. Unfortunately, we've gotten past the point that spending on security is anything other than mandatory. The risks are too great to not make the investment. The good news, though, is that the benefits to your organization far outweigh the cost.
However, there are some people who just don't get it. Despite training and numerous warnings, these people still click every link they get through e-mail. They post on forums using work e-mail addresses. They make announcements on social media that detail internal workings of your company. Unfortunately, these people really do put your business at risk.
If you have a person in your organization who does these things and you've already tried multiple ways to educate this person, your choices become fairly limited. You can move the person to a different—and hopefully less damaging—part of your organization (think of Milton in the movie Office Space), or, as a last resort, you can dismiss them. The downside to letting the person go, of course, is that you will likely have to replace the individual and will need to conduct all security training from the ground up with the new employee.
Here's one last thought about responding appropriately: Organizations expect their personnel to support them by using safe practices and making wise choices. But it's even more important that the reverse is also true: The organization must support its personnel by creating policies and procedures that encourage safe behavior and don't place people in the position of having to choose between courtesy and giving inappropriate information away. Here are some things to ask at the organizational level:
Help your employees help you. And while you're at it, make sure your management and C-level execs are participating in the program. Although they may not like the idea of being phished, they likely hold critical information and most certainly need the practice.
Recently, I had the chance to speak in front of a group of people who were very interested in phishing programs. One question that came up was about how much time it actually takes to run a program. Of course, I can't really say exactly how much time it takes, but the following outline gives you an idea of what is involved:
As you can see, this is not a part-time job, so assigning these tasks to an existing employee who already has a full-time job (and maybe has little to no skill in phishing or social engineering) can make this program ineffective and will hurt your chances of showing ROI (return on investment).
Maybe you can hire someone to help you run this program internally, or you might have someone on staff who is perfect for the job. If so, that is an essential piece of a successful internal program.
But if you now realize that you don't have the staff, skill, or desire to run a phishing program internally and you want to search for a consultant to help you out, how should you get started? Of course, you can go to Google and search for “phishing consultants.” You might get a few hits, and you certainly will find more than a handful of companies that will claim to have expertise in phishing, so how can you decide? One thing you can do is ask consultant candidates the following questions:
In addition to asking the preceding questions of the consultants you're considering working with, make sure you talk to clients who have already worked with them. Try to get a sense from these other clients about whether the consultants are in it just for the thrill or are really interested in seeing their clients succeed.
Why would those criteria matter? Well, when you choose a consultant, you are agreeing to give that person the e-mail addresses of all your employees so that he or she can send phishing e-mails to your staff. Some of those e-mails may ask for credentials or contain personal details, so you want to be able to trust that any consultant you hire will handle these situations properly.
It is estimated that 145 billion e-mails are sent every hour. I have read some reports that state 50 percent of all e-mail is malicious, others say 30 percent, others say 20 percent. Let's just say that if 20 percent is malicious, we can estimate that in the last hour 29 billion malicious e-mails hit inboxes around the globe. Twenty-nine billion, which is 29,000,000,000! Staggering.
This problem is not going away, but you can fight back. You can help your company defend itself and mitigate phishing attacks. As we've tried to explain in this book, there is no magic pill or one-stop solution to make this happen, but with hard work, persistence, and good planning you can succeed.
By now you know that Michele and I feel that phishing is a major problem that everyone must focus on, but we realize that this is not the only issue you have to fix. I know, all too well, that you also have to worry about all aspects of security awareness—networking, human, and everything in between.
Michele and I hope that this book will help you with your job. And if you are reading this but are not in a corporate IT department, then I hope this helps you understand why phishing education is vital to staying secure both at work and at home.
Stay a critical thinker, don't trust those links, slow down, and inspect a little more closely. If you do these things, you can give yourself a much better chance of not getting caught in the hooks of a phisher.
Stay secure.