Infosec training / On phishing tests and deception

For LIS 510 "Human factors in information security"

Dorothea Salo

April 19, 2022

Transcript

  1. Infosec training

  2. Why training? ✦ The motivation is usually not improving security. Maybe it should be, but it isn’t. ✦ The motivation for workplace infosec training is usually COMPLIANCE, legal or standards-based. ✦ Legal: if some law constrains an organization to meet minimum security standards, it will usually stipulate some kind of employee training. HIPAA, for example, requires training all employees as part of the hire/onboarding process. GDPR also has training requirements. ✦ Standards: PCI, for example, requires documentation of security practices and procedures, including in employee manuals. ✦ It may also be cleanup after an incident. ✦ With all the hasty ill-considered panicky flailing that implies. ✦ And the one-person-messed-up-but-we’re-all-stuck-doing-this problem.
  3. This has implications. ✦ Viewed as unimportant check-the-box exercise ✦ Including by org-internal infosec folks! They could treat this as an opportunity, but more often they roll their eyes at it. ✦ If training is developed internally, it’s often done by people who… don’t teach well. ✦ So it’s too techie, or condescending, or communicated ineptly, or… ✦ Teaching, like most work, is a set of learned skills not present at birth. ✦ If training is outsourced (as it often is), there’s no connection to the local environment. ✦ Production values are likely higher, but it’ll be easy to scoff at because the examples will feel farfetched and the systems discussed won’t be familiar (or named according to local practice).
  4. No, really, terminology matters here! ✦ Generic, non-localized training will talk about “video-conferencing apps.” Ring a bell? ✦ But you know what Zoom is. Of course you do. ✦ The jargon problem is exponentially worse with infrastructure most folks don’t think about. ✦ Would you have known what a “multi-factor authentication system” was before this class? (If you did, go you!) ✦ Training must use “Duo” (or whatever’s actively in use at the org) to be even minimally understood. ✦ (There are reasons I rely on UW-Madison examples in this class!)
  5. The eternal 101 ✦ I have never taken a required infosec training that went anywhere close to the richness and usefulness of the CR Security Planner. ✦ It’s always Infosec 101. Passwords, phishing, yawn. ✦ While I understand the need to raise the floor, repeated 101-level training does not help people learn more advanced (and useful!) concepts, tools, or behaviors. ✦ It sure does teach them to despise infosec, though. How remarkably counterproductive! ✦ Moral: let people “place out” of basics ✦ e.g. through quizzing them up-front and exempting those who pass
  6. Okay, larger moral: ✦ For all kinds of education and training, not only infosec! ✦ MEET PEOPLE WHERE THEY ARE. ✦ This is an ideal, of course. Whenever you’re dealing with a lot of people (hi there, y’all!), they’ll be in lots of different places. ✦ But you can still be explicit about the audience(s) you’re aiming at, and you can (and should) apologize to everyone else. ✦ A much better structure than “lecture, then test” is “check, then teach as needed.” ✦ If I were in charge of infosec training, I’d start with a pre-test, divided into modules (“email/phishing,” “passwords,” “BYOD,” etc). ✦ Pass a module? You either get to skip that training OR (my preference) you get more advanced content. ✦ You view only the 101 modules you actually need to.
  7. This also means knowing people’s practices. ✦ As we’ve discussed, people’s approach to many infosec matters falls into known patterns. ✦ Infosec training rarely takes that into account. ✦ “Choose a strong password!” instead of “Here are common password practices that are easily breached, so don’t:” or even “here’s why the system’s password tester rejects certain kinds of passwords:” ✦ “Don’t click on links in emails!” when that’s clearly impractical advice. ✦ (I’ve seen the above in UW trainings. UW constantly sends out emails with clickable links. Sigh.) ✦ Infosec training rarely if ever starts with ethnographic-style inquiry into the org. ✦ It should, though. It sure should.
  8. Focusing too much on tech ✦ What use is the strongest password there is, if people aren’t prepared to resist attempts by social engineers to get them to reveal it? ✦ PHISHING. Phishing phishing phishing. ✦ Did you know that business-email compromise (spearphishing aimed at conning people into various kinds of false payments) is collectively the most expensive infosec fail in the US? Now you do. ✦ Yet most Infosec 101 is all about tech stuff. ✦ This is even worse because social engineering is… actually hard to make boring?! ✦ And it sets up a clear us-against-the-world feeling, which is socially useful for infosec folks and the org in general. ✦ (Though be careful to discuss insider threat also!)
  9. In fact… ✦ … in my experience, it’s a lot easier for people to understand attacks if they first understand attackERS, and their techniques and motives. ✦ Would this have a lot to do with the topic sequencing in this course? Yep, you betcha. ✦ Use the fluency heuristic (people remember and repeat what they’re familiar with) to help. ✦ Get people familiar with an “attacker” persona. ✦ Would this be why I teach you Alice/Bob/Eve and use the phrase “garbage human” a lot? Yep, you betcha, at least in part. ✦ (Alice/Bob/Eve is common infosec jargon; that’s another reason I use it.) ✦ And use real-world case studies, ideally from peer orgs in the same or similar industry.
  10. 2021 research on infosec training: ✦ “[E]mployee perceptions of [training] programs relate to their previously held beliefs about: ✦ “cybersecurity threats, ✦ “the content and delivery of the training program, ✦ “the behaviour of others around them, and ✦ “features of their organisation.” (This amounted to the usability of security measures and perceived necessity to work around them… which should sound familiar to you by now!) ✦ From: ✦ Reeves, Calic, and Delfabbro. “‘Get a red-hot poker and open up my eyes, it's so boring’: Employee perceptions of cybersecurity training.” Computers & Security 106 (2021), https://doi.org/10.1016/j.cose.2021.102281 ✦ Best article title ever, or best article title EVER?!
  11. What do people believe about infosec threats? ✦ We’ve seen a lot of it before. But for the record, here are themes the article found: ✦ “I already know all this, or at least enough to make my own decisions!” (Another pitfall of neverending Infosec 101… people have no reason to realize everything they don’t know, because they’re never shown anything beyond the 101 level!) ✦ “I don’t need to understand this, even if I could! The system needs to handle its own security! Usably!” (Attributed to “younger users.”) ✦ Password issues. (Including one org where the training recommended a password manager… which the org refused to let employees install or use.)
  12. Content and delivery ✦ Few surprises here: it ain’t great. (For the record: I very don’t love our trainings here.) ✦ People’s mood at training time also matters, unsurprisingly. ✦ Misery loves company: group training preferred to individual. ✦ I have sympathy! Of course I do. High production values take a lot more time and effort than I have. ✦ Add in internationalization and accessibility requirements, and the workload multiplies by… a lot. ✦ I don’t have sympathy for: ✦ Measures that try to force attention — e.g. online trainings that won’t advance unless they’re the topmost window, video that only plays at 1x speed. Get over yourselves, trainers. ✦ Irrelevancies. Again, know the context and work within it! ✦ Unexplained or unnecessary jargon. Condescension. Scare tactics.
  13. The behavior of others ✦ We’re social animals, we humans. We behave as the others around us behave. ✦ In almost all organizations, “the others around us” are not infosec folks! ✦ And infosec folks tend to be pretty siloed. Those of you with jobs: do you know who’s securing your org’s systems? By name? I’d be surprised if you did. Who’s the current UW-Madison CISO, for that matter? I don’t think I’ve mentioned… ✦ So we enable each others’ poor infosec hygiene. ✦ Including spreading misunderstandings and broken mental models. ✦ It’s worse if the poor hygienist is our boss. They can demand that we do the wrong thing! ✦ Where training conflicts with human social behaviors, training will lose. No question about it.
  14. With one caveat: ✦ People will bring infosec dilemmas to someone they trust, respect, and believe is knowledgeable. ✦ I’ve had it happen a fair bit, with colleagues as well as students. ✦ (Hey, I appreciate the trust and respect! I’m kind of proud of this.) ✦ For an org that’s serious about security… ✦ (rather than treating it as a pointless compliance exercise) ✦ … it makes a lot of sense to locate and leverage these people! ✦ Could they be involved in training somehow? ✦ Can they be recognized for their efforts?
  15. Okay, two caveats: ✦ People will use convenient, available, usually informal comms channels to ask infosec questions. ✦ They come up not-infrequently on the UW-Madison subreddit. ✦ It can make sense to (discreetly and non-creepily) keep an eye on those. ✦ Setting up alerts on words (e.g. in a work Slack) may make sense. ✦ If there’s an infosec person (or a connector, as before) with very good social judgment and skill at explaining, answering questions or weighing in on situations may be a way to build useful social trust. ✦ But the good social judgment is vital!!!! Just horning in on every vaguely-relevant conversation (or worse, posting canned answers) won’t help — in fact, it’ll hurt. ✦ (I do answer infosec questions on the sub when I see them. My answers get upvoted, so my social acumen seems… mostly okay?)
  16. Summing up ✦ Infosec training sucks, but it doesn’t have to. ✦ Making it not suck involves: ✦ taking it seriously, and having goals for it besides compliance ✦ not putting people through endless rounds of the same old Infosec 101 stuff; letting those who are ready learn more! ✦ understanding and working with local context and human habits ✦ leveraging and building on org-internal social relationships, partly to hear and answer point-of-need questions ✦ offering workable guidance, avoiding unreachable “don’t ever click links in email!” ideals ✦ helping people build mental models, threat models, etc. without which very little guidance (even when it’s workable) makes sense
  17. Questions? Ask them! This lecture is copyright 2018 by Dorothea Salo. It is available under a Creative Commons Attribution 4.0 International license.
  18. On phishing tests and deception LIS 510

  19. I’ve changed my tune on phishing tests. ✦ I used to be just eyerolly about phishing tests. ✦ I now think they are unethical, and not only ineffectual, but actively dangerous to an organization’s overall infosec posture. ✦ Don’t do them. Don’t pay for them. Protest them.
  20. Why these happen ✦ Compliance and “cover our butts,” again. ✦ Like training, phishing tests are construed as Doing Something. ✦ “Number go up” assessment mentality ✦ If 90% of employees pass the first phish test and 95% pass the second, NUMBER WENT UP, so everything’s cool in infosecland, right? RIGHT?! ✦ Superficial, erroneous “they must be ignorant/stupid” belief about why people fall for phishes ✦ If you actually ask people (what a concept, I know!), it’s because they’re overworked and rushed. ✦ Who has time to thoughtfully consider each and every link in an email?! Their boss would just yell at them for being unproductive. ✦ Phishing tests cannot fix this root cause!!!!!!!!
  21. The “gotcha” motive ✦ A lot of infosec people enjoy puzzles, games, especially in competitive contexts. Nothing necessarily wrong with that, okay? ✦ Though I do think it’s a limiter for the broader infosec workforce. ✦ It becomes a problem when it turns into the wish to trick/con, embarrass, trash-talk, or laugh at other people. That’s garbage-human territory. ✦ Do I think phishing tests happen partly because some infosec folks get their jollies out of feeling superior to others? ✦ And build phish tests that give them maximum jollies? ✦ Yeah. I do. And that’s a bad, bad problem.
  22. (a digression) ✦ My dad was a university professor. Anthropology. ✦ He hated his students. HATED. Despised them. Genuinely loved putting trick questions on exams and laughing when his students fell for them. ✦ He also used students as pawns in fights with his department. ✦ This is horrific pedagogy. When I accidentally ended up teaching, I swore to myself that I would do things differently. I hope I have. ✦ It may seem obvious that instructors actually have to want their students to learn, but… my dad never did. ✦ … A lot of infosec trainers (infosec people in general, really) remind me of my dad. Not good.
  23. If I just speared you… ✦ … yeah, sorry. I have Feelings about all this. ✦ But I need you to fix your heart, okay? We all need you to. ✦ A world where folks are all out to trick and laugh at other folks is… not a good world. ✦ It’s possible to change. It’s possible to do and be better. You don’t win by shoving others down. ✦ I’ve had to struggle with my own character defects too. I lived through it and did better. If I can, you can. ✦ Take joy in other people. Celebrate them! ✦ As a teacher/trainer, celebrate their learning.
  24. Randall Munroe, “Ten Thousand” https://xkcd.com/1053/ CC-BY-NC

  25. How phish tests work ✦ Internal infosec office or external contractor designs test, including the pretext(s) it will use. ✦ Links in the email usually lead to some kind of “you got phished! don’t do that!” gotcha/training page. ✦ Test is fielded against all employees, with little or no notice beforehand. ✦ Here there’s usually some kind of announcement, but it’s buried and easy to miss. ✦ Those who fall for the phish are individually identified and reported on. ✦ There’ll be an identifier in the link in the fake-phish email, tied to each email address the fake phish is sent to.
  26. Cost in time, productivity, and trust ✦ UW-Madison employs over 20,000 people. ✦ Imagine that each person spends just one minute considering that fake phish. That’s over 20,000 minutes of work time, or 333 hours. ✦ I don’t have an average salary to hand (median would be better anyway), but let’s assume it’s something like $40/hour. That’s $13,320 plus the cost to build and field the test and analyze the results, just for one dang phishing test. ✦ Notice that I’m not even counting (re)training time here. It adds up. ✦ Nobody likes phish tests. (I actively resent UW System for doing them.) Does your org need more reasons for employees to be mad at it?
  27. Is it worth it? ✦ No training or testing has been shown to eliminate successful phishes altogether. ✦ Research: counterintuitively, repeated phishing tests plus non-mandatory training can make people MORE likely to click on real phish. ✦ Lain, Kostiainen & Čapkun 2021 ✦ Why? Not totally clear, but it appears the affected folks think the training means the org is protecting them, so they don’t actually have to worry about phish as individuals. ✦ In other words, folks completely misunderstood the point of the test! That… doesn’t bode well for their infosec hygiene generally, and it also doesn’t say much for any training they’ve gotten.
  28. Cruel pretexts ✦ Money, sometimes life-changing money, aimed at folks who are poor and/or poorly paid ✦ Real-life examples: COVID benefits, bonuses, health-care promises, discounts — that didn’t exist. ✦ I saw an infosec pro on Twitter point out that the root cause here is actually lousy pay and benefits. That’s absolutely correct; treating people poorly and underpaying them creates a lot of infosec risk. ✦ Higher ed: grade- or disciplinary-action-related scare tactics ✦ Phishes ostensibly from the [Big] Boss, often designed to make person think they might be (or get) in trouble ✦ I’m waiting for somebody with anxiety to sue under the ADA over this. I am not a lawyer, but I have to think it’d be a workable case.
  29. Defense from phish testers: “But garbage humans are using these tactics to phish!” ✦ Yeah. They are. ✦ So what does that make you, exactly, O Phish Tester? ✦ Look. Infosec is not a get-out-of-garbage-human-stuff-free card. Cruelty is cruelty. Lying is lying. ✦ Phish testers deserve every bit of the pushback they get over phishing tests. And more, frankly.
  30. Punishment over phishing-test results ✦ It’s happened. It shouldn’t. ✦ It’s an absolutely sordid and unethical idea. ✦ One reason: phish people often enough, and everyone will eventually click. Yes, pretty much everyone. (Lain, Kostiainen & Čapkun 2021) Different people fall for different pretexts, but everybody’s vulnerable to something. ✦ Another reason: disincentivizing reporting, again — if people are afraid to report infosec issues because they fear punishment, incidents are more likely, higher-severity, and longer-lasting. ✦ A third: disciplining people you intentionally deceived is just gross. It’s a garbage-humanny, unethical way to treat people. ✦ Keep in mind also that people perceive “you failed; go take another training” as punishment.
  31. Public blame-and-shame ✦ Are you kidding me?!?!?! I didn’t want to believe this even happens. ✦ Management 101: never, ever, EVER shame employees in public. ✦ Any conversation involving critique (much less discipline) must be held in private! And kept as confidential as possible! ✦ Anything else creates an organizational culture of terror and secrecy over mistakes… which is awful for the org’s infosec posture. ✦ Public shaming is also (one more time!) just an awful way to treat people. It won’t help them learn… but will make them leave!
  32. Lost trust in infosec people ✦ You DO NOT want the top association people have with infosec folks to be phishing tests. ✦ Like, this is actually super-dangerous!!!!! ✦ Will someone who associates infosec with deception and cruelty report infosec problems? ✦ Will they do what infosec says? (What if it’s mid-incident, and really important that they do?) ✦ Will they write off everything infosec-related because “those people are just JERKS”?
  33. Malicious “compliance” and lost productivity

  34. Better ideas ✦ (mostly from the Lain et al. piece) ✦ Make it easy to report suspected phish. Then take people’s reports seriously! ✦ It turns out that if reporting is easy enough, people will get in the habit of doing it (habituation for the win, for once!), and won’t get sick of it. ✦ Averaged over the organization, these reports are indeed good advance indicators of phishing campaigns. (I think it’s possible to improve on this, by evaluating who’s a good phish reporter, then paying extra attention to their reports. Future research!) ✦ Positive reinforcement: reward phish-finders! ✦ Including those who initially fall for a phish, but report it quickly anyway. ✦ Tell them when they detected real phish, so their phish-radar improves. ✦ Detect phish technically, and stop delivery.
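The “evaluate who’s a good phish reporter, then pay extra attention to their reports” idea on this slide, worked through as an added example. This is not code from the lecture or from the Lain et al. paper; it assumes a report desk that already has analyst verdicts on earlier submissions, and the reporter names, subject lines, timestamps, 60-minute window and 1.5 threshold are all constructed. Each reporter gets a smoothed precision from their triage history, a subject is flagged as a suspected campaign when the weighted count of distinct reporters inside the window crosses the threshold, and the verdict feedback implements the slide’s “tell them when they detected real phish.”

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample reports: (ISO timestamp, reporter, normalized subject line).
# Made-up values to exercise the logic below, not data from any real mailbox.
SAMPLE_REPORTS = [
    ("2022-04-19T09:00", "alice", "payroll update required"),
    ("2022-04-19T09:04", "bob",   "payroll update required"),
    ("2022-04-19T09:11", "carol", "payroll update required"),
    ("2022-04-19T09:30", "dave",  "lunch menu this week"),
    ("2022-04-19T13:15", "erin",  "payroll update required"),  # hours later, outside the window
]

# Constructed triage history per reporter: (reports confirmed as phish, reports that were benign).
# Reporters with no history get a neutral prior through the smoothing in reporter_weight().
TRIAGE_HISTORY = {
    "alice": (8, 1),
    "bob":   (2, 6),
    "carol": (5, 0),
}


def _as_datetime(value):
    """Accept either a datetime or an ISO-8601 string."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


class PhishReportDesk:
    """Collects user phish reports and scores subjects by the track record of who reported them."""

    def __init__(self, history=None, window=timedelta(minutes=60), threshold=1.5):
        self.history = defaultdict(lambda: [0, 0])      # reporter -> [confirmed, benign]
        for name, (confirmed, benign) in (history or {}).items():
            self.history[name] = [confirmed, benign]
        self.reports = []                                # (datetime, reporter, subject)
        self.window = window                             # how far back a report still counts
        self.threshold = threshold                       # weighted reporter count that raises a flag

    def reporter_weight(self, name):
        """Laplace-smoothed precision: an unknown reporter counts 0.5, a reliable one near 1."""
        confirmed, benign = self.history[name]
        return (confirmed + 1) / (confirmed + benign + 2)

    def submit(self, when, reporter, subject):
        self.reports.append((_as_datetime(when), reporter, subject))

    def campaign_score(self, subject, at):
        """Sum of weights of DISTINCT reporters of `subject` in the window ending at `at`.
        Counting each reporter once keeps one person's repeat submissions from inflating it."""
        at = _as_datetime(at)
        start = at - self.window
        seen = set()
        score = 0.0
        for when, reporter, subj in self.reports:
            if subj == subject and start <= when <= at and reporter not in seen:
                seen.add(reporter)
                score += self.reporter_weight(reporter)
        return round(score, 3)

    def suspected_campaigns(self, at):
        """Subjects whose weighted report score at time `at` meets the threshold."""
        subjects = {subj for _, _, subj in self.reports}
        return sorted(s for s in subjects if self.campaign_score(s, at) >= self.threshold)

    def record_outcome(self, reporter, confirmed_phish):
        """Apply the analyst's verdict on one report and return the feedback to send the reporter."""
        self.history[reporter][0 if confirmed_phish else 1] += 1
        if confirmed_phish:
            return f"{reporter}: the message you reported was a real phish. Nice catch!"
        return f"{reporter}: that one turned out to be legitimate; please keep reporting anything odd."


def build_demo_desk():
    """Load the constructed history and reports into a desk."""
    desk = PhishReportDesk(TRIAGE_HISTORY)
    for report in SAMPLE_REPORTS:
        desk.submit(*report)
    return desk


if __name__ == "__main__":
    desk = build_demo_desk()
    print(desk.suspected_campaigns("2022-04-19T09:15"))   # ['payroll update required']
    print(desk.suspected_campaigns("2022-04-19T13:15"))   # []
    print(desk.record_outcome("carol", True))
```

The threshold is the tuning knob: with unknown reporters weighted 0.5, three first-time reporters agreeing inside the window will also trip it, while a single unreliable reporter will not. Because distinct reporters are counted rather than raw reports, the score reflects how widely a message landed, which is the “averaged over the organization” signal the slide describes, with reliable reporters simply counting for more.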
  35. Address root causes ✦ Starvation wages and benefits ✦ Poor financial controls ✦ I cannot get over how long it takes organizations (of all sizes, small to gargantuan) to notice fake invoices!!!!! ✦ There are supposed to be PROCESSES for knowing who your vendors are, and that a given invoice is legitimate! ✦ Rushed workers ✦ Crappy systems that get in people’s way and force them to come up with workarounds ✦ Jerk bosses, intimidation at work ✦ (Notice how only one of these is technological? Yeah. Infosec is about people or it’s garbage.)
  36. Questions? Ask them! This lecture is copyright 2018 by Dorothea Salo. It is available under a Creative Commons Attribution 4.0 International license.