Next Generation Security Awareness
HACKING METHODS such as phishing are becoming increasingly effective and targeted, according to experts. Phishing attacks, which use fake e-mails to spread malware or steal end-users’ credentials, can be an effective way for hackers to gain a foothold into an organization before penetrating further into systems and machines.
In recent years, Carnegie Mellon University (CMU) had seen a “steep rise” in phishing e-mails, says Mary Ann Blair, director of information security, particularly spear-phishing attacks, which are especially well-tailored to recipients. She wanted a better way to help students, faculty, and staff protect both themselves and the university’s network.
Blair already had some familiarity with security awareness programs but was looking for new options that could be more effective. She became aware of a company, Wombat Security Technologies, which had been started by executives and professors within the university.
She began researching the issue and the company, which has a full line of anti-phishing solutions, including online games and fake phishing software. Her research confirmed her sense that improved awareness would require more than just telling end users about threats; it would require getting them more actively engaged in the learning process. The fact that Wombat was based within the CMU community was also “a plus,” she acknowledges.
Go Phish. Blair and Wombat executives decided to begin by conducting a joint test of the vendor’s fake e-mailing service, called PhishGuru. The initial campaign would send messages to about 500 students.
The results of the effort were impressive, says Blair. Students who fell for a fake message in the first round were about 50 percent less likely to do so in the second, conducted about a month later. Students who fell for the traps were directed to a short cartoon that would pop up, driving home the security message. The tests and educational methods provided students with a “teachable moment,” says Blair. The messages and cartoons helped people “remember information longer and [provided] a deeper impact,” compared to more traditional training methods.
In a post-campaign survey, many students said they thought CMU should continue the campaigns. Blair decided to purchase a full license, which includes phishing tests and online games. Soon after the purchase, she began several campaigns involving groups of freshman students.
Blair says one lesson from those early efforts was that it is particularly important to ensure that helpdesk and other IT staff are aware of campaigns, because students will call about the messages they are receiving. IT staff must be ready with a response, she says. That response should include more details about the awareness program. For example, IT can then point interested students to additional educational resources, including the online games CMU also purchased from Wombat (more on these ahead).
PhishGuru is “very straightforward” to use, says Blair. A software-as-a-service solution, its interface is “fairly self-explanatory” and similar to “interacting with [many] other Web sites.”
The university simply had to set dates during which it wanted the fake phishing to occur. In addition, before launching the freshman messaging campaigns, CMU provided Wombat with e-mail addresses, says Blair. The university also provided Wombat with the texts of real phishing exploits, many of which had been successful against the university.
Wombat supplemented that with its own message database. An increasing number of phishing messages concern highly popular social media sites, like Facebook, according to the company.
Game on. Partly due to PhishGuru’s success, Blair also purchased Wombat’s two educational games, Anti-Phishing Phil and Anti-Phishing Phyllis. At CMU, extremely well-regarded for computer science, students “have a lot of experience with online games,” says Blair, so that’s a good way to engage them. Lasting about 10 minutes each, the games can be challenging and stimulating, she says.
Phil challenges players to identify 32 suspicious URLs (Web addresses) out of an extensive Wombat database. Phyllis asks users to identify a broader array of threats, including fake links, malicious attachments, messages with cash prizes, and “respond to” e-mails.
Both games were recently incorporated into the university’s core curriculum; students are required to play them as part of the course “Computing at Carnegie Mellon.”
Both PhishGuru and the games have extensive reporting capabilities, says Blair. She can learn, for example, who opened messages and whether or not links were clicked. She can also see who played the games and how well people performed.
Blair says she’s just about to begin using the reporting capabilities. One reason she’s held off so far is that she wants to avoid making the solutions seem “scary” or punitive. There’s also sensitivity on campus about “Big Brother-type issues,” which she also wants to avoid.
Blair and other staff may begin contacting students who seem to have particular difficulty with PhishGuru. Contact will likely be by phone and will be relatively confidential, akin perhaps to an “attorney or physician-type relationship,” she says. “You can imagine folks can feel pretty embarrassed or duped.”
It’s important to improve security awareness without excessive intrusion or interference, notes Blair.
One relatively small PhishGuru limitation is that, to view statistics and data on messages, users must open e-mail in HTML (HyperText Markup Language), she says. As HTML messages can sometimes contain malicious code, some experts advise e-mail users, in some cases, to read their messages in “text only” mode. Though just a small portion of people use text-only, “I don’t like the idea of encouraging anyone to use HTML,” says Blair. But she calls this characteristic minor compared with the product’s benefits.
Blair has plans to roll out campaigns to faculty and staff in the near future. Preparing for a possible campaign, she’s met with faculty and staff on several occasions, she says, and hasn’t found any significant objections. During the discussions, she’s described the importance of traditional penetration testing, in which technological systems are tested for weaknesses. “I describe this as the human version of that.”
CMU has, of course, numerous technical security controls in place. But Wombat’s solutions are relatively inexpensive for their security benefits, Blair says.