Phishing Can’t Be Fixed (Or Can It?)
“Phishing can’t be fixed.” - A statement often heard when discussing human security. Phishing, which essentially boils down to someone trying to trick a victim into revealing credentials or downloading malware, is the largest security problem that enterprises face. All the major breaches you’ve heard about in the news? I’m willing to bet they started with a phishing attack. An attacker sends Jones in accounting a link to a Dropbox file. Jones clicks the link, enters his credentials into a fake login page, and doesn’t realize that the attacker now has his password. Jones, being the not-so-security-savvy guy that he is, uses this password everywhere. Game over, friends.
Solving a problem that focuses on the human psyche is difficult. How do we teach someone to not react on his or her instincts? Someone is in trouble, someone creates a sense of urgency, or the “boss” asks for something - you’re going to want to help. Education doesn’t work. Especially not in an environment where people are working. They need to do their job; they can’t spend 4 hours a day learning the ins and outs of phishing attacks. There has to be a better way.
Phishing needs a layered approach, like Shrek’s onions. You have to start at the top and go deeper. The good news is that there’s a way to go deeper without going through each layer. That is Differential Security. Differential Security means not everyone is equal. Different people with different skillsets need to be treated and reacted to differently.
Differential Security starts by baselining. In order to know how to secure and to what extent, we need to know where everyone stands. By understanding and scoring the risk of every individual in a company, you can start to visualize how things need to be different. The accounting department doesn’t have the same access as HR. The CFO doesn’t have the same business needs as IT. Additionally, those people all have very different levels of security understanding. So that’s step one - find the security understanding.
Once we’ve identified and scored, we can move to mitigate the discovered risk. This is where we drill deep into the onion without peeling back each individual layer. Once you have identified where someone is weak, you can address him or her individually. Different policies, different actions, and different learning lessons. Take our example, Jones in Accounting. Jones has been identified as being vulnerable to phishing through various collection methods. We come to find out he’s especially terrible when it comes to social media and SMS phishing. Maybe Sally isn’t. Sally is just terrible at e-mail based phishing. What do we do? We create different procedures for Jones and Sally. Jones can no longer store corporate data on his phone - we inform the MDM solution that his access is restricted. Further, Jones needs to secure his social media accounts and can’t access them from work. The WAF and some delivered materials solved that problem. Sally now has to use two-factor authentication for internal and external email - the IAM was informed of this by her risk score. Two different people with two different levels of understanding. Two different proactive responses.
The result? Time and money saved. We’ve locked down the weakness, and in the process both Jones and Sally have to spend less time doing things other than work, like training and phishing exercises. The other thing that occurs is that as time goes on, risk reduction is tracked. How much have we secured using these security measures? How much time has been saved? What’s the ROI? All of these are easily tracked because we created a baseline and fixed the problem areas. No more guessing about what’s working.
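To make the three steps concrete (baseline and score each person per channel, assign controls only where that person is weak, then track the risk reduction), here is an added example in Python. It is not code from the post or from any product the post mentions; the simulated-exercise results, the control names, the 0.5 weakness threshold and the per-control effectiveness numbers are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample input: outcomes of simulated phishing exercises.
# Each row is (user, channel, fell_for_it). True = clicked / entered credentials.
SAMPLE_RESULTS = [
    ("jones", "sms", True), ("jones", "sms", True), ("jones", "sms", False),
    ("jones", "social", True), ("jones", "social", True),
    ("jones", "email", False), ("jones", "email", False), ("jones", "email", True),
    ("sally", "email", True), ("sally", "email", True), ("sally", "email", False),
    ("sally", "sms", False), ("sally", "sms", False),
    ("sally", "social", False),
]

# Hypothetical control catalogue: the control applied for a weakness on a channel
# (names assumed; they stand in for the MDM, WAF and IAM actions in the post).
CONTROLS = {
    "sms": "mdm_restrict_corporate_data",
    "social": "block_social_media_from_corporate_network",
    "email": "require_2fa_for_email",
}

# Assumed fraction of a channel's risk each control removes (0..1).
EFFECTIVENESS = {
    "mdm_restrict_corporate_data": 0.9,
    "block_social_media_from_corporate_network": 0.8,
    "require_2fa_for_email": 0.95,
}

THRESHOLD = 0.5  # fail rate at or above which a channel counts as a weakness


def baseline(results):
    """Step one: score each user per channel as fail rate over the exercises."""
    counts = defaultdict(lambda: [0, 0])  # (user, channel) -> [fails, total]
    for user, channel, fell in results:
        entry = counts[(user, channel)]
        entry[0] += int(fell)
        entry[1] += 1
    scores = defaultdict(dict)
    for (user, channel), (fails, total) in counts.items():
        scores[user][channel] = fails / total
    return dict(scores)


def assign_controls(scores, threshold=THRESHOLD):
    """Step two: per-user control list, only for channels where that user is weak."""
    plan = {}
    for user, per_channel in scores.items():
        plan[user] = sorted(
            CONTROLS[ch] for ch, rate in per_channel.items()
            if rate >= threshold and ch in CONTROLS
        )
    return plan


def risk_reduction(scores, plan, effectiveness=EFFECTIVENESS):
    """Step three: per user, (risk before, risk after) where risk is the sum of
    per-channel fail rates and each assigned control scales its channel down."""
    report = {}
    for user, per_channel in scores.items():
        before = sum(per_channel.values())
        after = 0.0
        for ch, rate in per_channel.items():
            control = CONTROLS.get(ch)
            if control in plan.get(user, []):
                rate *= 1.0 - effectiveness[control]
            after += rate
        report[user] = (round(before, 4), round(after, 4))
    return report


if __name__ == "__main__":
    scores = baseline(SAMPLE_RESULTS)
    plan = assign_controls(scores)
    for user in sorted(scores):
        rates = {ch: round(r, 2) for ch, r in scores[user].items()}
        print(user, rates, "->", plan[user])
    print(risk_reduction(scores, plan))
```

With this input Jones is flagged on SMS and social media and gets the MDM and network controls but no email 2FA, while Sally is flagged only on email; the report then shows each person's risk before and after, which is the baseline-versus-now comparison the post says makes the ROI trackable. Re-running `baseline` on a later round of exercises and diffing the reports is how the tracking continues over time.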
Phishing can be fixed but it’s hard. There’s no silver bullet. Thankfully, though, I think we’re at least creating the forge for that elusive bullet.