• shalafi@lemmy.world · 13 upvotes · 1 day ago (edited)

    Perhaps because corporate security training is boring as hell?

    I worked up a training class over the course of a year. Ridiculous to take so long, but I wanted to nail it. I figured there were three key things.

    1. The things I talked about had to be relevant to the employees. I pared the stories down to items they could actually encounter. This is how an attack can affect you, how it can affect us. Here are things I’ve seen right here at our business.

    2. Anything I wanted to talk about had to come with actionable prevention techniques. Here’s the problem, here’s what you can do about it. They had to feel empowered, not helpless.

    3. The class had to be entertaining and interesting, start to finish, no fumble fucking around, no baffling them with jargon. I rehearsed that entire year until I could do it in my sleep. Plenty of humor threaded throughout the talk.

    Nervous as hell when the day finally came. I have no problem speaking to a group, love it in fact. But talking cybersecurity to non-technical people is about as boring as it gets. Business owners bought everyone lunch and we met in the conference room.

    Timed it to run for 40 minutes, left space at the end for questions. Talk about a resounding success! Everyone in the room was engaged and had questions, some even staying beyond the allotted hour. Fuck me, I actually got applause! (Yes, and everyone clapped. Really.)

    Phishing tests went from 25% failure to 4% failure overnight. I left a USB drive on the floor by the printer. No one touched it for three days, and then only to place it on the table.

    My next job was at a software dev. Security training involved cutesy animated characters and multiple choice questions. Yeah, a live puppet show would have been more effective.

  • flatbield@beehaw.org · 12 upvotes · 1 day ago (edited)

    Ironic thing: a company I used to work for would send out emails you needed to click links in to do your job, then do training to not click links or even open the same kind of email. Then even test that by seeding in very realistic test emails. Total stupidity. You're expected to tell the difference when there is no way to do so. The training was more CYA than anything, just blame the employee for shit company processes and security.

    • CompactFlax@discuss.tchncs.de · 5 upvotes · 1 day ago

      I got some emails about required training from outside the company. I needed to download and complete a PDF, which had links to other forms to complete, all offsite. I do know with certainty that the email was legit, but I reported as phishing. Still haven’t heard back about this critical training attestation, so I assume their tracking is as awful as the process.

      It’s not my ass on the audit finding. Fix your shit.

    • Pulptastic@midwest.social · 3 upvotes · 1 day ago

      I report emails that I know are legit if they fail the phishing rules. Best example is unprompted emails from third-party services that I know my company is using. If I don't get a real email from a real employee either including the link or warning me that a valid third-party link is coming, I'm not going to click it.

      Make your shit legit or I’m not gonna do it.

      • flatbield@beehaw.org · 2 upvotes · 20 hours ago (edited)

        This is exactly it. Outsourced stuff that there is no way to verify. I stopped clicking on this stuff too unless I had to. Was still never sure.

    • bamboo@lemmy.blahaj.zone · 2 upvotes · 1 day ago

      It's also such a dumb metric because most people's jobs involve clicking on links elsewhere on the internet, yet when it's in an email, it's bad? Unless you're running an old browser or there is a 0-day, simply opening a link isn't going to hack your system; further actions by the user would need to be taken to be compromised. These simulations don't account for that.

      • flatbield@beehaw.org · 3 upvotes · 20 hours ago (edited)

        The real idiotic thing is a network where one client system compromise compromises the whole company. Bad network design.

  • xxce2AAb@feddit.dk · 38 upvotes · 2 days ago

    That's a shame, although I unfortunately have no problem believing that's the case in general. I still personally benefit from the social engineering resistance training I've had over the years to this day though.

    • bamboo@lemmy.blahaj.zone · 22 upvotes · 2 days ago (edited)

      I still personally benefit from the social engineering resistance training I’ve had over the years to this day though.

      Me too, I use it to get out of situations I don’t want to deal with. “Ohh you’re calling me asking for PII? Sorry, i can’t provide that information unless I initiate the conversation. I’ll call the number I have on file for you to provide that.” <hangs up and never follows up>

      • xxce2AAb@feddit.dk · 13 upvotes · 2 days ago (edited)

        That’s the spirit! “I’m not at liberty to provide that information” is one of my favorite sentences.

    • stinky@redlemmy.com · 19 upvotes, 1 downvote · 2 days ago

      My toxic trait is believing that not answering the phone from unknown numbers is protecting myself from outside attackers

      • qweertz (they/she)@programming.dev · 4 upvotes · 1 day ago (edited)

        My SIM provider has the option to not even route unknown callers to my device. Not that I get any, but just in case, even if it is not that common in Germany.

        What some family of mine had to go through was social engineering harassment calls with some BS reasoning to get them to say "Yes"/"I agree" or something like that.

      • xxce2AAb@feddit.dk · 10 upvotes · 2 days ago (edited)

        It might be rudimentary, but I wouldn’t say you’re wrong.

        Alternatively, pick up but answer the phone only with the word “Yes?”, “Speak” or “You may proceed” (preceded by ‘this line is now secure’).

        Then, when they ask “who is this?” answer that “if you don’t know, you have the wrong number” and that “this call is currently being traced, pending review of a ‘military tribunal’.”

        Do this with the flattest intonation you can manage.

        That tends to get to them.

      • WanderingThoughts@europe.pub · 3 upvotes · 1 day ago

        Recently there were recruiters on LinkedIn freaking out that when they called someone, they would answer with “Hello?” and the recruiter thinks they’re too good to be greeted with that.

  • MajorHavoc@programming.dev · 23 upvotes · 2 days ago

    I would be more interested in a study of people entering credentials or taking other risky actions after clicking.

    Yes, people whose job includes lots of link clicking are going to click links.

    And one obvious but good conclusion: invest in mandating MFA for sensitive actions.

    • bamboo@lemmy.blahaj.zone · 9 upvotes · 2 days ago

      Totally agreed. I get that it's easier to consider it a fail if you open the link, and that simply opening a random link has some inherent risk, but there should at least be a fake page to enter credentials and evaluate how many people actually go through with that, and break that out as a CRITICAL where the other clicks are HIGH or MEDIUM status, to classify the risk.

      Also, this is just an anecdote, but in a similar phishing simulation I helped with, we had to bypass filters for rejecting emails with links to websites registered in the last 60 days. Obviously this isn't a foolproof way to prevent phishing attempts, but it does cut out a lot of junk, and we've indirectly been training employees to not deal with that.
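
An added example (not code from the thread or from any mail filter it mentions) of the rule bamboo describes above: hold mail whose links resolve to a domain registered within the last 60 days, with an exemption list for the sanctioned simulation sender, which is the "bypass" the comment refers to. The registration-date table, the sample message and the short public-suffix table are constructed; a real deployment would query RDAP/WHOIS and use the Public Suffix List.

```python
"""Flag e-mail links whose registrable domain was registered recently.

Added example; not code from the thread or from any product it mentions.
The registration-date table is a constructed stand-in for an RDAP/WHOIS
lookup, and the sample message is constructed too.
"""
import re
from datetime import date
from email import message_from_string
from email.message import Message
from typing import Optional
from urllib.parse import urlparse

MAX_AGE_DAYS = 60  # the 60-day cutoff mentioned in the thread

# Constructed stand-in for an RDAP/WHOIS "registration date" lookup.
REGISTRATION_DATES = {
    "example.com": date(1995, 8, 14),
    "payroll-login-update.example": date(2024, 5, 2),
}

# Simplified public-suffix handling; a real deployment should use the
# Public Suffix List rather than this short table.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Reduce a hostname to the domain a registrant actually bought."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def extract_urls(msg: Message) -> list:
    """Collect http(s) URLs from every text part of the message."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        payload = part.get_payload(decode=True) or b""
        body = payload.decode(part.get_content_charset() or "utf-8", "replace")
        urls.extend(URL_RE.findall(body))
    return urls


def domain_age_days(domain: str, today: date, lookup=REGISTRATION_DATES) -> Optional[int]:
    """Days since registration, or None when the registry has no record."""
    created = lookup.get(domain)
    return None if created is None else (today - created).days


def flag_young_domains(raw_email: str, today: date, max_age_days: int = MAX_AGE_DAYS,
                       exempt=frozenset(), lookup=REGISTRATION_DATES) -> dict:
    """Return {domain: age_in_days_or_None} for links that should be held.

    A domain is flagged when it is younger than max_age_days or when its
    age is unknown (treated conservatively). `exempt` lets a sanctioned
    phishing-simulation domain through, the "bypass" the thread describes.
    """
    findings = {}
    for url in extract_urls(message_from_string(raw_email)):
        host = urlparse(url).hostname
        if not host:
            continue
        domain = registrable_domain(host)
        if domain in exempt:
            continue
        age = domain_age_days(domain, today, lookup)
        if age is None or age < max_age_days:
            findings[domain] = age
    return findings


# Constructed sample message with one old and one freshly registered link.
SAMPLE_EMAIL = """\
From: HR <hr@example.com>
To: staff@example.com
Subject: Action required: payroll portal update
Content-Type: text/plain; charset=utf-8

Please confirm your details at https://portal.payroll-login-update.example/login?u=42
Policy reference: https://intranet.example.com/policies/phishing
"""


def scan_sample(today_iso: str, exempt=frozenset()) -> dict:
    """Run the filter over the constructed sample as of a given date."""
    return flag_young_domains(SAMPLE_EMAIL, date.fromisoformat(today_iso), exempt=exempt)


if __name__ == "__main__":
    print(scan_sample("2024-06-01"))
```

Run as of 2024-06-01 the payroll link is 30 days old and gets held while the intranet link on the decades-old example.com passes; add the simulation domain to `exempt` and the same message sails through, which is exactly the hole a simulation bypass opens and why the exemption should be scoped to the campaign window.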

    • 14th_cylon@lemmy.zip · 3 upvotes · 2 days ago (edited)

      mfa is not going to help when people will literally transfer their money to a scammer, because the scammers convinced them that said money is in danger and the only way to protect it is to transfer it to a "secure account". you can't fix stupid with technical limitations.

  • bamboo@lemmy.blahaj.zone · 14 upvotes · 2 days ago

    Abstract from the paper itself:

    This paper empirically evaluates the efficacy of two ubiquitous forms of enterprise security training: annual cybersecurity awareness training and embedded anti-phishing training exercises. Specifically, our work analyzes the results of an 8-month randomized controlled experiment involving ten simulated phishing campaigns sent to over 19,500 employees at a large healthcare organization. Our results suggest that these efforts offer limited value. First, we find no significant relationship between whether users have recently completed cybersecurity awareness training and their likelihood of failing a phishing simulation. Second, when evaluating recipients of embedded phishing training, we find that the absolute difference in failure rates between trained and untrained users is extremely low across a variety of training content. Third, we observe that most users spend minimal time interacting with embedded phishing training material in-the-wild; and that for specific types of training content, users who receive and complete more instances of the training can have an increased likelihood of failing subsequent phishing simulations. Taken together, our results suggest that anti-phishing training programs, in their current and commonly deployed forms, are unlikely to offer significant practical value in reducing phishing risks.

    And the methodology:

    Our study analyzes the performance of nearly 20,000 full-time employees at UCSD Health across eight months of simulated phishing campaigns sent between January 2023 and October 2023. UCSD Health is a major medical center that is part of a large research university, whose employees span a variety of medical roles (e.g., doctors and nurses) as well as a diverse array of “traditional” enterprise jobs such as financial, HR, IT, and administrative staff. For their email infrastructure, UCSD Health exclusively uses Microsoft Office 365 with mail forwarding disabled. On roughly one day per month, UCSD Health sent out a simulated phishing campaign, where each campaign contained one to four distinct phishing email messages depending on the month. Each user received only one of the campaign’s phishing messages per month, where the exact message depended on the group the user was randomly assigned to at the beginning of the study (§ 3.1). In total these campaigns involved ten unique phishing email messages spanning a variety of deceptive narratives (“lures”) described in Section 3.2. All of the phishing lures focused on drive-by-download or credential phishing attacks, where a user failed the phishing simulation if they clicked on the embedded phishing link.
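
An added example, not the paper's code, of two things raised in this thread: the grading bamboo asked for earlier (a bare click scored HIGH, a credential submission CRITICAL, a report or no action a pass) applied to a constructed simulation event log, and the trained-versus-untrained comparison the abstract reports as an "absolute difference in failure rates". The events, the two arms and the pooled two-proportion z-test are my assumptions for illustration, not the paper's methodology; the methodology above says the study failed a user on the click alone.

```python
"""Grade simulated-phishing outcomes per user and compare study arms.

Added example; not the paper's code or its statistics. The event log,
the trained/untrained arms and the severity scale are all constructed.
Click-only is graded HIGH, credential submission CRITICAL, so the same
log can be scored both as the paper did (click = fail) and with the
stricter "submitted" bar the thread asks for.
"""
import math
from collections import defaultdict

# Higher number = worse outcome. "reported" is a pass, not a fail.
SEVERITY = {"delivered": 0, "opened": 0, "reported": 0, "clicked": 2, "submitted": 3}
LABEL = {0: "PASS", 2: "HIGH", 3: "CRITICAL"}
RANK = {"PASS": 0, "HIGH": 2, "CRITICAL": 3}

# Constructed event log: (user, campaign, action).
EVENTS = [
    ("u1", "c1", "delivered"), ("u1", "c1", "clicked"),
    ("u1", "c2", "reported"),
    ("u2", "c1", "clicked"), ("u2", "c1", "submitted"),
    ("u2", "c2", "delivered"),
    ("u3", "c1", "opened"),
    ("u3", "c2", "clicked"),
    ("u4", "c1", "clicked"),
    ("u4", "c2", "submitted"),
    ("u5", "c1", "reported"),
    ("u5", "c2", "clicked"),
    ("u6", "c1", "delivered"),
    ("u6", "c2", "clicked"),
]
TRAINED = {"u1", "u2", "u3"}      # constructed study arms
UNTRAINED = {"u4", "u5", "u6"}


def grade_users(events):
    """Worst action per (user, campaign), as a severity label."""
    worst = defaultdict(int)
    for user, campaign, action in events:
        key = (user, campaign)
        worst[key] = max(worst[key], SEVERITY[action])
    return {key: LABEL[sev] for key, sev in worst.items()}


def failure_count(grades, users, fail_at):
    """(failures, outcomes) for `users`, failing at `fail_at` or worse."""
    outcomes = [g for (u, _), g in grades.items() if u in users]
    fails = sum(1 for g in outcomes if RANK[g] >= RANK[fail_at])
    return fails, len(outcomes)


def two_proportion_z(f1, n1, f2, n2):
    """Two-sided pooled z-test; returns (absolute difference, z, p-value)."""
    p1, p2 = f1 / n1, f2 / n2
    pooled = (f1 + f2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    if se == 0:
        return p1 - p2, 0.0, 1.0
    z = (p1 - p2) / se
    return p1 - p2, z, math.erfc(abs(z) / math.sqrt(2))


def compare_arms(events=EVENTS, trained=TRAINED, untrained=UNTRAINED):
    """Failure rates per arm at both bars, with the difference and p-value."""
    grades = grade_users(events)
    result = {}
    for bar in ("HIGH", "CRITICAL"):
        f1, n1 = failure_count(grades, trained, bar)
        f2, n2 = failure_count(grades, untrained, bar)
        diff, z, p = two_proportion_z(f1, n1, f2, n2)
        result[bar] = {"trained": (f1, n1), "untrained": (f2, n2),
                       "abs_diff": diff, "z": z, "p": p}
    return result


if __name__ == "__main__":
    for bar, r in compare_arms().items():
        print(bar, r)
```

With the constructed log the click bar gives 3/6 versus 4/6 and the credential bar 1/6 versus 1/6, so the "trained arm looks better" story depends entirely on which action counts as the failure; at the sizes the abstract quotes (19,500 employees, ten campaigns) the same code would also show whether a small absolute difference is distinguishable from noise.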

    • TORFdot0@lemmy.world · 2 upvotes · 1 day ago

      I guess the point is that users who are taking training are not more likely to pass the phishing simulations, but I think that's missing the point. In competently run organizations the point of these trainings isn't explicitly to teach people to not fall for tests but to be able to identify which users are your greatest risks and either give them more support or can them if they are too high a risk that it outweighs their productivity.

      Of course the people who are taking more training are failing tests. It's because they lack the computer skills or cognitive ability to understand what they're doing. But taking a five minute training that says "don't click the link" isn't going to magically make people not get phished, but it has usefulness in basic awareness (which is why we have the super basic cyber security awareness training as well).

      The reality is that all human beings can be socially engineered if the attacker is motivated enough. You can't stop it by training, only by planning and being proactively prepared.

  • qjkxbmwvz@startrek.website · 10 upvotes · 2 days ago

    When the son of the deposed King of Nigeria emails you directly asking for help, you help. His father ran the freaking country, okay?

    • 14th_cylon@lemmy.zip · 15 upvotes, 1 downvote · 2 days ago

      no. training costs time and money, so if it has zero effect, then no training is clearly better.

      • TheAsianDonKnots@lemmy.zip · 7 upvotes · 2 days ago

        I guess I don't understand the metric of success. My training at work has helped me recognize risks more than most of my family, who have no idea what a root-domain URL scam is. Did most of my family fail? Yes. Did 20% learn something and avoid risk? Yes.

        In large companies the training is for liability purposes, “see they all passed their tests, we tried to warn them”. People are always going to be the attack vector, that’s unavoidable… but 20% success is better than 0% success. As an admin, if I received a 20% spike in phishing reports, that’s statistically significant and should be looked into and stopped (proxy violation).

        Cost of training is unavoidable and budgeted for.

        • 14th_cylon@lemmy.zip · 2 upvotes, 1 downvote · 1 day ago

          I guess I don’t understand the metric of success.

          i guess you will find if you read the study mentioned in the article.

          it is certainly possible that the study, or its interpretation in the article, is bs - i did not read either one of them. i am just stating in the vacuum that if something does not work (which is what that headline presents as conclusion of the study), then wasting time and money on it is worse than doing nothing.

  • Horsecook@sh.itjust.works · 1 upvote, 1 downvote · 2 days ago

    I wonder if the efficacy of training could be improved if employees were fired for failing phishing tests.