Why you shouldn't train employees for security awareness

Dave Aitel argues that money spent on awareness training is money wasted

If there's one myth in the information security field that just won't die, it's that an organization's security posture can be substantially improved by regularly training employees in how not to infect the company. [Editor's note: See Joe Ferrara's recent article 10 commandments for effective security training.]

Dave Aitel, Immunity Inc, awareness training

You can see the reasoning behind it, of course. RSA got hacked from a Word document with an embedded Flash vulnerability. A few days later the entire company's SecureID franchise was at risk of being irrelevant once the attackers had gone off with the private keys that ruled the system.

But do phishing attacks like RSA prove that employee training is a must, or just the opposite? If employees and/or executives at RSA, Google, eBay, Adobe, Facebook, Oak Ridge National Laboratory and other technologically sophisticated organizations can be phished, doesn't that suggest that even knowledgeable and trained people still fall victim to attacks?

One of the best examples ever of the limitations of training is West Point's 2004 phishing experiment called "Carronade." Cadets were sent phishing emails to test their security. Even after undergoing four hours of computer security training, 90 percent of cadets still clicked on the embedded link.

Fundamentally what IT professionals are saying when they ask for a training program for their users is, "It's not our fault." But this is false—a user has no responsibility over the network, and they don't have the ability to recognize or protect against modern information security threats any more than a teller can protect a bank. After all, is an employee really any match against an Operation Shady RAT, Operation Aurora or Night Dragon? Blaming a high infection rate on users is misguided— particularly given the advanced level of many attacks.

I'll admit, it's hard to find broad statistical evidence that supports this point-of-view—not surprisingly, security firms don't typically share data on how successful or unsuccessful training is to an organizational body, the way West Point did. But I can share a few anecdotes from my company's own consulting work that should shed some light on this problem.

The clients we typically consult with are large enterprises in financial services or manufacturing. All of them have sophisticated employee awareness and security training programs in place—and yet even with these programs, they still have an average click-through rate on client-side attacks of at least 5 to 10 percent.

We also frequently conduct social engineering attacks against help desks and other corporate phone banks for customers. While each of the personnel in these security sensitive rolls has extensive training and are warned against social engineering attacks, the only thing that stops our testers are technical measures. In other words, if a help desk employee can technically change your password without getting a valid answer from you about your mother's maiden name, then a company like Immunity will find a way to convince them to do so.

We've also found glaring flaws—like SQL injection, cross-site scripting, authentication, etc.—in the training software used by many clients. This is more humorous than dangerous, but it adds irony to the otherwise large waste of time these applications represent.

Instead of spending time, money and human resources on trying to teach employees to be secure, companies should focus on securing the environment and segmenting the network. It's a much better corporate IT philosophy that employees should be able to click on any link, open any attachment, without risk of harming the organization. Because they're going to do so anyway, so you might as well plan for it. It's the job of the CSO, CISO, or IT security manager to make sure that threats are stopped before reaching an employee—and if these measures fail, that the network is properly segmented to limit the infection's spread.

Here's what organizations should do instead of wasting time on employee training:

  • Audit Your Periphery — Websites, back-end databases, servers and networks should be thoroughly audited on a regular basis for vulnerabilities&msdash;both by internal security personnel and external pen-testers. They should be rigorously tested against current and most likely attacks. Had Citigroup's website been tested for basic web application flaws, it could have avoided the June 2011 attack that compromised 200,000 customer accounts. This is both cheap and easy to take off the table.
  • Perimeter Defense/Monitoring — Robust perimeter defenses should be in place, and regularly tested. These should be protecting the network from both intrusions and data exfiltration. Data exfiltration monitoring should also be ongoing.
  • Isolate & Protect Critical Data — What valuable information does your business store in online databases? Classifying business data should be near the top of the CSO/CISO's to-do list. He or she should thoroughly examine the information stored online and locate critical data offline or behind strict network segmentation.
  • Segment the Network — Segment your networks and information so that a successful cyber attack cannot spread laterally across the entire network. Had RSA done this, it might have prevented the theft of its SecurID tokens. If one employee's PC is infected it shouldn't be able to spread laterally through the entire system.
  • Access Creep —What level of access does each employee have to the network and critical data? How well is this monitored? Limiting unnecessary access is another key element of an effective security posture.
  • Incident Response — Proactively examine important boxes for rootkits. You'll be amazed at what you find. And finding is the first step to actually building a defense against "Advanced Persistent Threats."
  • Strong Security Leadership — For a company to have a CSO/CISO isn't enough. The chief security executive should have meaningful authority too. He or she should have "kill switch" authority over projects that fail to properly account for security, and real say over security's percentage of the budget. A strong security program should have at least the same budget as the marketing department.

There's a lot of money and good feeling in running employee training programs, but organizations will be much better off if the CSO/CISO focuses instead on preventing network threats and limiting their potential range. Employees can't be expected to keep the company safe; in fact it is just the opposite. Security training will lead to confusion more than anything else.

By following an offensive security program, companies can keep their networks, and employees, protected.

Dave Aitel, CEO of Immunity Inc., is a former 'computer scientist' for the National Security Agency. His firm specializes in offensive security and consults for large financial institutions and Fortune/Global 500s. www.immunityinc.com

Insider: How a good CSO confronts inevitable bad news
Join the discussion
Be the first to comment on this article. Our Commenting Policies