FBI/DHS hack shows need for role-based security awareness programs


When a hacker released the contact information of 9,000 DHS employees, it was the result of several awareness failings. The reality is that these failed awareness programs are typical of the industry as a whole.

To summarize the attack: a criminal apparently compromised the user ID and password of a random Department of Justice employee, reportedly through a spearphishing attack. The credentials did not, however, give the attacker the connectivity required, so the attacker called what was most likely a Department of Justice help desk number. The help desk gave the attacker credentials to some portal and/or VPN connection. From that point, the attacker was apparently able to access the unclassified Department of Justice network, which led to the compromise of FBI and DHS telephone directories, and 200GB of unspecified data.

There were two apparent awareness failings. The first was likely the first employee clicking on a phishing message. The second failing was the help desk providing credentials to the attacker to access the network remotely. I am sure that some phishing vendors will claim that if there were more simulated phishing messages, this would not have happened. Those claims would be foolish. The Department of Justice already engages in phishing simulations. The best they can do is reduce the incidents, and not the inevitability.

However, there is nothing phishing simulations would do to stop the social engineering calls to the help desk. Here is probably the most important aspect: the susceptibility to phishing would have been irrelevant if the person had not been given the credentials to access the network.


When you have an organization the size of the Department of Justice, it is inevitable that credentials will be compromised through phishing or social engineering. The only people who believe you can stop all attacks like that are fools or liars. Frankly, multi-factor authentication should have been in place, which would have prevented this attack. However, there was almost a form of multi-factor authentication in place, as the attacker needed additional credentials to access the network remotely.

Again, that layer failed as a result of poor processes and awareness, most likely on the part of the help desk. Phishing simulations won’t mitigate that attack vector. Once-a-year videos designed for a mass population would not be specific enough for the responsibilities of help desk personnel. Even when you have once-a-month videos, organizations typically run a different topic each month of the year, and the once-a-year social engineering video, which averages under 3 minutes, is not going to have a significant impact against all of the possible ruses a help desk employee might encounter.

Yet what appear to be industry-standard awareness programs rely on phishing simulations and monthly computer-based training (CBT) modules designed for the general population. More has to be done.

The standard model works if you are checking a box. It does not work when you want to prevent actual incidents.

To improve this situation, you need to understand that just as people have different job functions, they might need role-based awareness programs. You cannot expect to provide the same awareness materials to help desk staff that you would give factory workers, and expect the results to be acceptable from both groups.

While you don’t have to provide different training and awareness programs for every conceivable role, it is clear that some roles, such as help desk personnel, engineers, IT, and customer service representatives, among other high-level categorizations, have specific awareness concerns.


To support role-based awareness, the appropriate policies and procedures must be in place. For example, when the criminal in the Department of Justice incident called the help desk for assistance with access, there should have been clear procedures in place to authenticate callers.

As I previously wrote, awareness programs should represent The Department of How, not the department of no. When you tell people what not to do or, even worse, attempt to scare people, you are not instilling good behaviors, but trying to scare people away from doing the wrong thing. Awareness is about creating the right security-related behaviors.

Instilling proper behaviors takes consistent education and reinforcement of all relevant topics. While phishing is a major attack vector for malicious actors, you cannot ignore all other awareness concerns, which is apparently what many organizations are doing. Additionally, you cannot rely on a 3-minute video on a topic, once a year at best, and assume that it will significantly improve employee behaviors related to that topic.

The goal for awareness is to cost-effectively reduce risk. This means that you save significantly more money through the incidents prevented, or more efficiently mitigated, than you invest in the program. It also implies that you have to address all vulnerabilities created by user behaviors.

There is, of course, a need for phishing simulations and CBT as appropriate. However, by themselves, they are no more effective than saying a network security program is satisfied by the presence of a firewall and anti-virus software.

As stated, focusing on the behaviors related to an individual’s role is what will enhance the effectiveness of awareness efforts. I fully understand that CBT and phishing simulations seem like a simple and easy solution to the problem. Unfortunately, the problem is not simple and the solutions will not be simple either.

Ira Winkler, CISSP can be reached at his company’s website at www.securementem.com

Copyright © 2016 IDG Communications, Inc.
