Gamified Training for Security Teams Can Raise Vigilance and Advance Skills to Defend Against the Latest Attack Exploits.
By Chloé Messdaghi, VP of Strategy, Point3 Security
The SANS Institute, established in 1989 as a cooperative research and education organization, has helped train and inform more than 165,000 security professionals around the world – from auditors and network administrators to chief information security officers and security experts across the global information security community.
A deeply trusted source for information security training, security certifications and research, the SANS Institute also operates the Internet’s well-regarded early warning system – the Internet Storm Center.
So when the SANS Institute reported it was the victim of a phishing attack that led to the theft of 28,000 records, the cybersecurity community echoed with the question: how could that have happened?
We don’t know whether the SANS employee who clicked the bad link (or links) was on the security team or in another function such as sales, marketing or operations. If they were not on the security side of SANS, there is a strong possibility that they were complacent about cybersecurity because no attack had ever been aimed at them before. If the phishing target was not on the SANS security team, it raises questions about what kind of training they had. Many companies train hundreds or thousands of “civilian” non-technical employees virtually and dryly, with multiple-choice questions and very basic content, rather than with ongoing training and testing.
And as we’ve seen, if the employee is checking their email on their phone or another small device, they are more likely to click on a bad link – both because a small screen makes it hard to see the full URL and because of the sense of immediacy that these devices drive in us all.
It is so important to train employees never to click on an embedded link from a stranger, and never to click on a shortened URL such as a Bitly link, because the shortener hides the real destination. Email recipients must be trained and regularly reminded to find and read the entire link – the actual destination, not the displayed text – before clicking on it, every time.
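The link checks described above can also be automated at the mail gateway or in a training tool. The following Python script is an added example and is not code from the article or from Point3 Security: it parses the anchors out of an HTML email body and flags the three things a trained reader is told to look for – a URL shortener that hides the destination (bit.ly is the one the article names; the other shortener hosts in the list are assumptions), visible link text whose domain differs from the real href host, and a URL with a "user@host" prefix that makes a hostile host look like a familiar one. The sample email and all domains in it are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that hide the real destination behind a short redirect.
# bit.ly comes from the article; the rest are assumptions for illustration.
SHORTENER_HOSTS = {"bit.ly", "bitly.com", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}

# Something that looks like a URL or hostname inside the visible anchor text.
URL_IN_TEXT = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Naive registrable domain: the last two labels (no public-suffix list)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_links(html):
    """Return a list of (href, visible_text, [reasons]) for suspicious anchors."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        parsed = urlparse(href)
        host = parsed.hostname or ""
        if parsed.scheme not in ("http", "https"):
            reasons.append(f"non-web scheme {parsed.scheme!r}")
        if host in SHORTENER_HOSTS:
            reasons.append("URL shortener hides the real destination")
        if parsed.username is not None:
            # https://trusted.example.com@evil.example.net/ really goes to evil.example.net
            reasons.append(f"'user@host' prefix; real host is {host}")
        shown = URL_IN_TEXT.search(text)
        if shown and host:
            shown_domain = registrable_domain(shown.group(1))
            if shown_domain != registrable_domain(host):
                reasons.append(f"text shows {shown_domain} but link goes to {registrable_domain(host)}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample email body; every domain here is made up for the example.
SAMPLE_EMAIL = """
<p>Your invoice is ready. Please review it today.</p>
<a href="https://bit.ly/constructed-short">View invoice</a><br>
<a href="https://login.example-portal.net/reset">https://portal.example.com/reset</a><br>
<a href="https://portal.example.com/help">Help center</a><br>
<a href="https://portal.example.com@evil.example.net/login">Secure login</a>
"""

if __name__ == "__main__":
    for href, text, reasons in check_links(SAMPLE_EMAIL):
        print(f"{href!r} (shown as {text!r}):")
        for reason in reasons:
            print(f"  - {reason}")
```

Only the "Help center" link passes; the other three are flagged for the reasons the article tells readers to look for. The domain comparison is deliberately naive (last two labels, no public-suffix list), which is fine for a training demo but would need a proper suffix list before it went into a gateway.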
We might not ever know exactly how the person fell into the trap – SANS might not share that – but the malicious payload could have been within any incoming message. A bogus sales or prospect email, a message purporting to be from the recipient’s manager, or some intriguing topic of broader interest are common ploys, as are urgent company security warnings, employee bonus and holiday notifications, and even messages claiming to hold confidential personnel data.
Phishers definitely understand the human element, and they work to understand people’s pain points and passions to make their emails compelling. They also know when to send a phishing email to drive an immediate response. That’s why we counsel that if a supposed work email comes in after work hours, it’s best not to respond – especially from a mobile device. And if there is a genuinely time-sensitive, must-respond email, the sender should also text the recipient, both to flag it and to confirm out of band that the email is legitimate.
And if the phishing victim at SANS actually IS someone on the security team, it’s important to realize that they’re likely not apathetic to security practices but that the organization either may not be investing in their own security teams, or team members may be suffering from burn out.
It’s important to realize that burnout is a natural by-product of both the transition to WFH and the urgency of the current situation. This means it’s more important than ever to obtain unbiased, equitable performance measurements and to invest in the security team’s development and up-skilling, and to do so in ways (such as gamification) that are personally engaging as well as professionally useful. Otherwise, we risk depending on security teams that are both under-equipped and under-motivated to protect their colleagues.
The objective assessment of skills that gamified training provides is also a wellspring of useful, unbiased information on some of the inherent strengths and weaknesses of individual employees, and helps both team members and employers address skills gaps in positive ways.
At its core, gamification is play – but it is also a means of assessment that measures skills without putting real data at risk or putting talented team members on the defensive. It is proving to be a great way to cultivate talent, both security pros and the colleagues they serve, growing their skills in ways that engage and reward participants and that keep vigilance against phishing and other attack methods front of mind.
As the latest findings from Juniper Threat Labs on the continually evolving IcedID trojan and malware dropper show, the sophistication level of exploits is growing constantly, and bad actors are investing heavily in innovation.
And unfortunately, too many companies aren’t following suit in investing in either their teams or defense strategies. For example, recent IBM findings showed that only one-third of companies had a breach playbook, and of those having playbooks, most applied them inconsistently. Given that the average breach costs the organization $8.9 million, not counting the opportunity costs of lost business, it’s clear that proactive, ongoing cybersecurity awareness is imperative.
At this point, the only two things we know for certain are that we are seeing more phishing attacks this year than ever before, and that SANS was fast and forthright in responding to this attack. While some personal information was disclosed, it could have been far worse – fortunately, no financial information was leaked.
The takeaway is: we all need to stay aware, humble and prepared – if a phishing attack can snag someone at the SANS Institute, it can happen to any of us who let our guard down.
About the Author
Chloé Messdaghi is vice president of strategy at Point3 Security, president at Women of Security (WoSEC), founder of WeAreHackerz, ethical hacker advocate, podcaster, and is an expert in the cybersecurity industry. She is a frequent speaker at cybersecurity conferences and events and is a trusted source to business and security media.
Chloé can be reached online at @ChloeMessdaghi and at our company website Point3.net (ittakesahuman.com).