Better computer training for members of the Democratic National Committee (DNC) could have prevented the phishing attacks that led to stolen emails, famed hacker turned security consultant Kevin Mitnick said.
Phishing attacks, in which users are baited into clicking on malicious links or providing personal data to fake websites, are a common method used by black-hat hackers to infiltrate a network or commit financial crimes. White-hat researchers, working everywhere from companies like Mitnick’s firm to major corporations, are emphasizing user training methods to prevent such incidents.
“It sounds like people at the DNC would be easy to phish and very easy to exploit,” Mitnick speculated in an interview with TechRepublic. “There’s no such thing as 100 percent security. Even people that take training can be exploited,” he said. (Almost anyone, but what about the man himself? “Me? No,” he joked.) “You could have had training, and you’re stressed for the day… you’re thinking about your kids or your school. You could still fall for stuff.”
Macros hidden inside seemingly legitimate messages are an old-school yet still very popular way of committing a phishing attack, Mitnick explained. In one scenario, a user might receive an email that appears to be from a trusted peer at another company. The peer asks for the user’s signature on an attached non-disclosure agreement. Upon clicking the link or attachment, the user is brought to a page explaining that a username and password need to be configured in order to decrypt the document. Once the user types in those credentials, the trap has closed.
“That works really well because it’s actually so legitimate. Even in my business, I get clients all the time asking for NDAs,” Mitnick explained. Fake versions of enterprise-focused social media such as HipChat and Slack also work very well, as do attacks on unsanctioned home computers innocently connected to company networks, he said.
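The macro-bearing NDA attachment in the scenario above is exactly what a mail gateway, or the IT team behind a mark-as-phishing button, would want to flag before a user ever sees it. The following is an added example, not code from the article or from KnowBe4: a stdlib-only Python scanner that parses a raw message and flags attachments that are macro-capable by extension, or that hide a `vbaProject.bin` part inside an innocent-looking `.docx`. The sender, recipient and attachment contents are constructed for the demonstration.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Office will open with macro support, including legacy binary formats,
# plus the OOXML zip part that actually holds VBA code.
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".doc", ".xls", ".ppt")
VBA_PART = "vbaProject.bin"


def attachment_has_macros(filename: str, payload: bytes) -> bool:
    """True if the attachment is macro-capable by extension, or is an OOXML zip
    carrying vbaProject.bin even though its name says .docx/.xlsx/.pptx."""
    if filename.lower().endswith(MACRO_EXTENSIONS):
        return True
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return any(name.endswith(VBA_PART) for name in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not a zip container, so no OOXML macro part to find


def flag_macro_attachments(raw_message: bytes) -> list[str]:
    """Parse an RFC 822 message and return the filenames of macro-bearing attachments."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if attachment_has_macros(name, part.get_payload(decode=True) or b""):
            flagged.append(name)
    return flagged


def build_sample_message() -> bytes:
    """Constructed sample: an 'NDA for signature' mail carrying a .docx that secretly
    contains a VBA project, alongside a harmless PDF (all values made up here)."""
    docx = io.BytesIO()
    with zipfile.ZipFile(docx, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder VBA blob
    msg = EmailMessage()
    msg["From"], msg["To"] = "partner@example.net", "staff@example.org"
    msg["Subject"] = "NDA for your signature"
    msg.set_content("Please sign the attached NDA before our call.")
    msg.add_attachment(docx.getvalue(), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="NDA.docx")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="agenda.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    print(flag_macro_attachments(build_sample_message()))  # → ['NDA.docx']
```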
A possible solution
Mitnick started working with KnowBe4, in Tampa Bay, Florida, a year ago to offer user training to corporations. Customers use the software to send customizable fake phishing attacks to their own users and then analyze the results for who clicked on the links and in what contexts they did so.
KnowBe4’s Vice President Greg Kras said recently added user tests include Java applets that pretend to install software, tracking of USB drives that IT staff can leave around an office, “vishing,” which is phishing applied to voicemail, and analysis of vulnerable plug-ins such as obsolete versions of Flash, Java, and Shockwave. Also recently added is a mark-as-phishing button for Microsoft Outlook, which works similarly to spam buttons: a user can click it when a message seems suspicious. A congratulatory message is displayed if they’re correct.
Kras said more features will be added throughout 2016, such as Gmail and Lotus versions of the mark-as-phishing button, versions of the software in many languages, Microsoft Active Directory integration, and the ability for managed service providers to customize the program.
“We actually demo the kinds of exploits being used. It becomes a very teachable moment,” Mitnick added. “The same type of attack—the type of phish—is likely not going to work on that person in the future.”
KnowBe4 isn’t the only organization working on training products for end users. SANS Institute’s Securing the Human group this month updated their five-stage training roadmap. Updates include new definitions of impacts to organizational culture and new ways to measure compliance, program director Lance Spitzner said. The update coincides with the SANS Security Awareness Summit, held Aug. 3-4, 2016 in San Francisco, he said. Elsewhere, the IEEE Computer Society is planning a user-focused training initiative later this year, spokeswoman Katherine Mansfield stated.
I wouldn’t do that, Dave…
Jane Wright, analyst with Technology Business Research, said user training, together with security applications that perform automated response, is known collectively as user behavior analytics (UBA). IBM, Hewlett-Packard Enterprise, Splunk, LogRhythm, and EMC’s RSA division are among the leaders in that field, she said.
IBM’s recent QRadar update stands out for having better communication links to other enterprise systems, she added. (IBM is already using the product internally, although details aren’t being disclosed, officials said.) Within a year the industry will see more combinations of UBA software with artificial intelligence and machine learning, Wright said.