It’s important to involve everyone in the organization when discussing security awareness. In this video, you’ll learn about phishing campaigns, anomalous behavior recognition, reporting options, and more.
So let’s say you’re working for a company, and you’re wondering how many employees would click a phishing link inside of a corporate email. If you’re not sure, there is a way to find out: run your own phishing campaign. You would send simulated phishing emails to your user community and see who clicks the links in those emails. This might be a phishing system that you’ve built internally, but there are also many third-party services that can run this phishing campaign for you.
This is usually an automated process that reports opens, clicks, and any other interaction with the phishing email to a central reporting console. If a user does click a phishing link, they receive an automated email stating that they made a mistake when they clicked that link and that they need to go through additional training. This training may be something the user can complete online, or there may be in-person training at the corporate facilities.
We want our users to recognize when a phishing link might be inside an email. They should be looking for spelling or grammatical errors within the message itself and within the link they’re asked to click. We want our users to look at the domain name associated with that link, and they should look for inconsistencies in how the email is constructed. Unusual attachments connected to the email are certainly a sign of phishing, and users should check whether the email is requesting personal information or login credentials.
If you’re also receiving real phishing attempts from outside the organization, this is a good chance to see if your email filtering process is working the way you would expect. Ideally, that filter would block these phishing attempts before they ever make it into a user’s inbox. We should also make sure that our users know never to click a link inside an email and never to run an attachment from inside an email. We want to make sure that everyone in the organization understands what a phishing email looks like and is able to recognize one if it appears in their inbox. There should also be a well-known process within your organization for reporting any suspected phishing emails to the IT security team.
If your email filter is working properly, then your phishing attempt will probably look something like this. This phishing attempt was pulled directly from my spam folder, and you can see it’s from the “United Nation/IMF,” the International Monetary Fund. You can also see that the email address associated with the “United Nation” is reservebankogindian@gmail.com, and in this case, the Gmail filter has successfully identified this as a phishing campaign, and it clearly says that this message seems dangerous.
Not only are we looking for phishing attempts, we’re also looking for anything that might be unusual on a user’s workstation. We refer to this as “anomalous behavior recognition,” and we can start by looking for any type of risky behavior. This could include a person or a service modifying the hosts file on that device. Perhaps it’s replacing a core operating system file, or perhaps sensitive files are being uploaded from that device.
We’re also looking for behavior that would be unexpected. Someone logging in from another country is certainly not normal, and an increase in the amount of data transferred from a device would certainly be unexpected. And then, of course, we want to look for any behavior that may be unintentional.
For example, someone typing in the wrong domain name would simply be an unintentional mistake. The same thing might apply to someone who has misplaced their USB drive, or perhaps the security settings on a device have been misconfigured. All of these are human errors and would clearly fall into the category of unintentional behavior.
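The three categories above (risky, unexpected, unintentional) can be picked out of an endpoint event stream. The following is an added example, not from the original video: the event tuples, the legitimate domain `example-corp.com`, and the spike factor are all constructed assumptions.

```python
"""Flag the three categories of anomalous behavior the transcript describes
(risky, unexpected, unintentional) in a constructed endpoint event log."""
from collections import defaultdict

# Constructed sample events: (user, event_type, details). Not real telemetry.
EVENTS = [
    ("alice", "login", {"country": "US"}),
    ("alice", "login", {"country": "US"}),
    ("alice", "login", {"country": "RO"}),  # unexpected: never seen before
    ("bob", "file_modify", {"path": "/etc/hosts"}),  # risky: hosts file
    ("bob", "transfer", {"bytes": 50_000_000}),
    ("bob", "transfer", {"bytes": 55_000_000}),
    ("bob", "transfer", {"bytes": 900_000_000}),  # unexpected: data spike
    ("carol", "dns_query", {"domain": "examp1e-corp.com"}),  # unintentional
    ("carol", "config_change", {"setting": "firewall", "value": "disabled"}),
]

HOSTS_FILES = {"/etc/hosts", r"C:\Windows\System32\drivers\etc\hosts"}
CORP_DOMAIN = "example-corp.com"  # assumed legitimate domain for the typo check
SPIKE_FACTOR = 5  # flag a transfer this many times the user's prior average

def looks_like_typo(domain, reference):
    """Same length as the reference, differing in exactly one character."""
    if domain == reference or len(domain) != len(reference):
        return False
    return sum(a != b for a, b in zip(domain, reference)) == 1

def detect_anomalies(events, corp_domain=CORP_DOMAIN):
    """Return (user, category, description) findings, one per anomalous event."""
    findings = []
    seen_countries = defaultdict(set)  # per-user login baseline
    transfers = defaultdict(list)  # per-user transfer history in bytes
    for user, kind, d in events:
        if kind == "login":
            if seen_countries[user] and d["country"] not in seen_countries[user]:
                findings.append((user, "unexpected", f"login from new country {d['country']}"))
            seen_countries[user].add(d["country"])
        elif kind == "file_modify" and d["path"] in HOSTS_FILES:
            findings.append((user, "risky", f"hosts file modified: {d['path']}"))
        elif kind == "transfer":
            hist = transfers[user]
            if hist and d["bytes"] > SPIKE_FACTOR * (sum(hist) / len(hist)):
                findings.append((user, "unexpected", f"data transfer spike: {d['bytes']} bytes"))
            hist.append(d["bytes"])
        elif kind == "dns_query" and looks_like_typo(d["domain"], corp_domain):
            findings.append((user, "unintentional", f"mistyped domain {d['domain']}"))
        elif kind == "config_change" and d.get("value") == "disabled":
            findings.append((user, "unintentional", f"{d['setting']} setting disabled"))
    return findings
```

Baselines here are built from the same event list they are checked against; in practice the login-country and transfer history would be seeded from prior days before scoring today's events.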
A security team is not going to be aware of these issues unless they’re constantly monitoring and reporting on these types of events. This needs to be an automated process, where alerts are sent to the security team as events occur and reports are generated automatically every day. These reports might include information about phishing click rates, password manager adoption, multifactor authentication use, and other important security metrics.
The first time someone clicks a phishing link or engages in some other type of risky behavior, we can address that with user training. The goal is to make the user aware of this particular issue so that it doesn’t happen again. And if we’re constantly monitoring, we can see if these particular security events recur. This would point us towards users that need extended training, and we might want to add or change security configurations for that particular user.
The process of monitoring, reporting, and training the users would commonly be done by the security awareness team. This is a specialized team in IT that focuses on these types of user issues. The security awareness team is responsible for letting everyone in the user community know about these security issues, so they might create emails, posters, or some type of training to let people know where these security problems might be.
They can also create customized training depending on the job function of a particular individual. If the organization has a set of mandated compliance requirements, they can create customized training that focuses on those specific requirements, and they can use these automated reporting systems to create detailed metrics that can be tracked over time. That way, they’ll know if their efforts are making a difference in the security of the organization, or if there’s a particular area where they need to place extra emphasis.
The security awareness team is responsible for creating the training materials for IT security, and they’ll present them online or in person. They’ll also create detailed metrics that show the rest of IT how well our security controls are working. There’s usually a group of managers or stakeholders associated with the success of the security awareness team, and they’ll want to know how these metrics relate back to the overall security of the organization. You’ll see the results of these efforts in many office buildings, where you’ll find classroom training, posters, and information that tells you more about security concerns for that organization. And since there are detailed metrics for all of this information, you’ll be able to correlate your training efforts back to the overall security of the company.
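Putting the phishing-campaign reporting console and the repeat-click training decision together, here is an added example (not code from the video or any vendor's console). The campaign names, users, and sent/opened/clicked/reported event format are constructed assumptions.

```python
"""Summarize phishing-simulation results the way a central reporting console would:
per-campaign click and report rates, plus who needs basic vs. extended training."""
from collections import defaultdict

# Constructed events from two simulated campaigns: (campaign, user, action).
EVENTS = [
    ("Q1", "alice", "sent"), ("Q1", "alice", "opened"), ("Q1", "alice", "clicked"),
    ("Q1", "bob", "sent"), ("Q1", "bob", "opened"), ("Q1", "bob", "reported"),
    ("Q1", "carol", "sent"),
    ("Q2", "alice", "sent"), ("Q2", "alice", "clicked"),
    ("Q2", "bob", "sent"), ("Q2", "bob", "reported"),
    ("Q2", "carol", "sent"), ("Q2", "carol", "clicked"),
]

def campaign_metrics(events):
    """Per campaign: recipients, and click/report rates as fractions of recipients."""
    by_action = defaultdict(lambda: defaultdict(set))  # action -> campaign -> users
    for camp, user, action in events:
        by_action[action][camp].add(user)
    metrics = {}
    for camp, recipients in by_action["sent"].items():
        n = len(recipients)
        metrics[camp] = {
            "sent": n,
            "click_rate": round(len(by_action["clicked"][camp]) / n, 2),
            "report_rate": round(len(by_action["reported"][camp]) / n, 2),
        }
    return metrics

def training_actions(events, repeat_threshold=2):
    """A first click earns basic awareness training; clicking in
    repeat_threshold or more campaigns earns extended training."""
    clicked_in = defaultdict(set)  # user -> campaigns in which they clicked
    for camp, user, action in events:
        if action == "clicked":
            clicked_in[user].add(camp)
    return {user: ("extended" if len(camps) >= repeat_threshold else "basic")
            for user, camps in clicked_in.items()}

if __name__ == "__main__":
    for camp, m in campaign_metrics(EVENTS).items():
        print(f"{camp}: sent={m['sent']} click_rate={m['click_rate']} report_rate={m['report_rate']}")
    for user, level in training_actions(EVENTS).items():
        print(f"{user}: {level} training")
```

The report rate is worth tracking alongside the click rate: a rising report rate shows the reporting process described above is actually being used.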