No matter how much news coverage security gets on a daily basis, or how many hours we are asked to click through a security awareness course to show compliance, people are still the weakest link in security. I lovingly refer to people as layer 8 in this case, and just for those of you in need of a refresher on the OSI layers, they are: Physical, Data Link, Network, Transport, Session, Presentation and Application. “Layer eight” is represented by the flesh and blood sitting behind the keyboard, touch screen or phone line. That is where it often goes wrong, as layer eight cannot be coded, is difficult to monitor and, as it turns out, is resistant to awareness. People are naturally curious and mostly willing to be helpful; these are our built-in security vulnerabilities that cannot be patched.
As pointed out to me in a training course that I attended a week ago, the average hit-rate on a targeted phishing attack with three emails is 50% on the first go. This goes up to 80% on the second run of three emails to the same population. These were results from a campaign run by ThreatSim. What this means is that in a multi-message phishing attack more than half of the target population will click on a link or file which will trigger malware or guide the unaware target to a less than reputable website to harvest valuable data, like passwords. The probability will vary depending on the sophistication of the user base, but still.
Now think about this proposition not as a hacker or geek, but as a businessman putting yourself into the shoes of a cybercriminal. Surely with that kind of hit-rate a layer 8 attack, social engineering if you will, will yield a much better return than a technically more sophisticated attack? In reality social engineering is usually an activity that supports a larger attack, of course, and with this kind of success rate it is quite easy to understand why. Businesses, bona fide and nefarious alike, love high-yield returns. This is exactly the reason why cybercriminals invest significantly in perfecting the art of social engineering. The increase in the “quality” of phishing attacks is clear evidence of that.
Another interesting finding in the study of phishing is that roughly 25% of a normal user population cannot be made aware by normal means. So if you run a test with bogus phishing attacks over a period of time, combined with post-mortem communication, you will only be able to bring the percentage of offenders down to about 25%. After this it will probably flat-line, and more drastic measures like HR interviews with the threat of sanctions will be required to bring the percentage of offenders down into the single digits. So it appears that layer 8 is not only unaware, but stubbornly so.
What’s the bottom line? Standardised “awareness” training with endless click-through web-based tools that people multi-task their way through is great for demonstrating compliance, but it will never be enough to combat phishing and other forms of social engineering. If you want to optimise awareness, take a more hands-on approach and run real tests so that you can figure out which of your users still lack the required awareness.
Now, click here to collect your payment for reading this blog 😛