As more information is disclosed from the Sony hack, it demonstrates that awareness concerns go well beyond phishing.

The now infamous Sony hack was the culmination of a variety of technical and non-technical vulnerabilities. While the attention tends to focus on the fact that North Korea was the attacker, and that is important, from a practitioner’s perspective it is more important to understand what allowed the attacks to be successful. I previously did that on a comprehensive scale.

However, as an awareness practitioner, the recent identification of spearphishing messages as the first step in the attack actually demonstrates many awareness-related failings that need to be addressed. It is all too easy to say that the attack exploited phishing, so people need phishing training. That is true, but it doesn’t help with the other exploited human failings, and frequently doesn’t help with many phishing attacks.

When you look at the description of the attack, clearly there were issues related to phishing involved. However, upon further analysis, there were also vulnerabilities related to oversharing on social networks, as well as password reuse. Those are issues that go beyond phishing, and most can be addressed by any competent awareness program.

First, it appears that the North Korean attackers scoured LinkedIn and other social networks for employees who might have administrator privileges. Even people with low-level privileges are targets, as they at least provide a foothold inside the organization. While you cannot tell people not to post on LinkedIn, they do at least need to be aware that their social network exposure means they can be a target.

The article describes how phishing messages targeted Apple account passwords. That implies that people with personal iPhones and other Apple products need to understand that they are potential targets, as Apple products are becoming more common.
There is a belief that Apple products are immune from security concerns. That is clearly false, and people need to understand that any technology can be targeted, directly or indirectly.

Another aspect of the phishing attacks is that you have to assume that some users detected the phishing messages but didn’t report them. If they did report the offending messages, then there was an issue in reacting properly. While it is important to detect messages, it is just as important to ensure that employees report potential phishing messages, which is also an aspect of a good security awareness program.

Password reuse was also a vulnerability targeted by the North Korean hackers. In a good security awareness program, password reuse would be addressed as part of a Password Security Awareness campaign. The attackers exploited the likelihood of password reuse not just by average users, but by administrators as well. And if an administrator reuses passwords between his personal and corporate administrative accounts, there are likely other accounts that are similarly vulnerable. So in this case it is clear that you cannot just classify the phishing messages as being due to “stupid users.”

The last issue is actually pretty critical, as I see many awareness programs ignore the technical staff, since they assume the technical staff is somehow already aware of the behavior-related issues, like password security. All employees need to be targeted in awareness campaigns.

When I ask security audiences how many people have clicked on a phishing message in the last two years, I generally get less than a 2% response rate. I believe that rate to be reasonably accurate, as security professionals are generally aware of how to detect phishing messages. However, when I ask the follow-up question, they rarely receive a phishing simulation message or formal training. The reason is that they are generally aware of most security-related issues, and as the expression goes, a high tide raises all boats.
People who are aware of physical security generally become aware of phishing concerns as well, because they have learned to be suspicious.

I use the analogy of driving. You cannot prepare everyone for every possible road hazard. However, with general driver safety training, drivers become aware of how to react to most hazards, even if they have never been trained for that specific hazard. Similarly, awareness programs should be as comprehensive as possible, so that employees will actually become aware of even more issues than they are explicitly exposed to.

The Sony hack can be put to good use by many organizations. However, to make the best use of the attack as a learning tool, and to generally improve security programs, awareness professionals, CISOs, and everyone involved in creating and maintaining security programs have to look beyond the obvious attack vectors. As you can see, even the phishing attack has more implications than phishing. This is why awareness programs need to be as comprehensive as possible.