When reports came out last week that a breach of an unclassified but sensitive White House network was the result of spearphishing, Director of National Intelligence James Clapper said in a speech that government officials and private businesses needed to teach employees what spearphishing looks like.
Having been following the story closely, KnowBe4 CEO Stu Sjouwerman and KnowBe4 Chief Hacking Officer Kevin Mitnick agreed with that statement, with Mitnick tweeting, “White House hacked via social engineering. I’d be happy to provide our KnowBe4 social engineering training for free. It sounds like [they] need it!”
Of the discovery that the hackers had been inside the State Department systems for months before the White House incident, Sjouwerman said, “We are confident our training would reduce the threat from social engineering and would be happy to train the White House staffers for no charge. We have a panoply of tools that would assist them to increase their ability to spot and handle phishing attempts. Social engineering is often used by threat actors as it preys on uneducated users and is the cause of as much as 91 percent of all data breaches. Security awareness training is one of the most effective solutions to combat these attacks and mitigate risk.”
KnowBe4 aims to take that weak link, the employee or contact susceptible to spearphishing, and turn him or her into a strong link, through a web-based security awareness training program that encompasses “employee security education and behavior management.”
It’s a risk management tactic that not enough companies are taking seriously, while the threat grows daily. His firm, says Sjouwerman, focuses on serving small to medium-size enterprises (SMEs) because they are actually often the preferred target.
“Cybercriminals have gone pro in the last three years. It’s a $3 billion industry. There has been a significant improvement in sophistication and skills. It’s an arms race, and the bad guys have the advantage. What businesses are really looking at is that they feel they are not catching up, and they can never get ahead,” says Sjouwerman. “Different types of attacks, such as phishing and spearphishing, have taken off exponentially. High-value targets are much more often attacked, with focus and frequency. Especially in SMEs. The preferred target is not the Fortune 5000, because they have money, resources, time, people. The attacker prefers a relatively easy target. They can take the CFO or CEO, and start with spearphishing. They just let the CFO or one of their contacts click the link, penetrate the machine, lurk for a couple of months. Only one machine is compromised, the keylogger is placed. At the chosen time, they make the transfer with normal protocols and get, say, $200,000 out of the country, often while the CFO is on vacation.”
As with many similar cyber attacks, the White House/State Department penetration was carried out by suspected Russian hackers with an assumed state connection.
“These are usually Eastern European cyber mafia, some Chinese,” says Sjouwerman.
And is there ever any chance of recovering funds, once they’ve been taken? “It depends on how fast an unauthorized transfer is detected. Within a few hours, you can sometimes claw back some money. After a couple of days, the money will have been transferred 12 times, and then taken out in cash and distributed by money mules.” Likewise, data, when gone, is just gone.
Next page: What Doesn’t Work Anymore
What Doesn’t Work Anymore
“SMEs haven’t confronted the fact that cyber criminals have gone pro,” says Sjouwerman. “They seem to think they’re small fish, and that it’s not going to happen. But one criminal can rob 500 banks.”
Firms are not up to date, he warns, on the realities of cyber crime and the weakness of existing defenses. Anti-virus software, for example, is generally six hours to two days behind on malware. Cyber criminals, though, are very well-funded, have their own labs, and have current versions of filters and firewalls. “They test it, change malware, change strategies until they get through, then send it.”
Defense in Depth
Sjouwerman strongly recommends companies familiarize themselves with the defense in depth concept, which calls for multiple layers of protection. “Don’t have simply a security policy, procedures, then training only once a year — death by PowerPoint.”
A recent survey carried out by Osterman Research and sponsored by KnowBe4 found that almost 80 percent of responding organizations see no improvement in the phishing problem. A third say the problem is getting worse. Only 22 percent reported getting “good” results from training users on phishing threats.
These results can be turned around, says Sjouwerman, with a layered strategy that includes a human firewall on the outer layer. Without it, the perimeter is porous, full of vulnerable mobile devices and data and inconsistent users. With it, the organization becomes a hard target, and the attackers move along to easier ones.
His firm offers a three-step approach to training on phishing and spearphishing. All employees, including IT, go through the same steps:
- Baseline test: The initial tests indicate how many people in the organization are click happy, often 15 to 20 percent. This is the company’s “oh crap moment.”
- Training: Covering “30 years in 30 minutes,” everyone is trained on what phishing and malware are and how to evaluate messages with an educated eye. Sometimes, IT plays fast and loose, and they need to understand what everyone else got in training, says Sjouwerman.
- Reinforcement: Training is followed by frequent simulated phishing attacks, one or two per month. Integrated training and phishing tests are the key to success, says Sjouwerman. Once per year training, as for compliance requirements, doesn’t hack it. Employees receive immediate feedback if they click on a test message that they shouldn’t have, and a dashboard tracks click-prone employees.
Training is always advancing, says Sjouwerman, based on both technology (mobile devices, texting, voice calls), new varieties of attacks, and current events that phishers are utilizing. Anything from the Apple Watch to notices of child predators in a neighborhood can be fruitful in phishing attacks.
Investing in hands-on, ongoing training for employees, the first line of defense in phishing and spearphishing, is much more cost-effective than dealing with the consequences of a data or financial loss, Sjouwerman notes, as the attacks just keep coming.
Kachina Shaw is managing editor for IT Business Edge and has been writing and editing about IT and the business for 15 years. She writes about IT careers, management, technology trends and managing risk. Follow Kachina on Twitter @Kachina and on Google+