Phishing Training Without Recurring Fees

I’m sure you know that phish­ing is a lead­ing method of exploit­ing peo­ple by online crim­i­nals. In fact, it’s the way $47 mil­lion was stolen from Ubiq­ui­ti Net­works in 2015 and $54 mil­lion was stolen from Austria’s FACC (a parts sup­pli­er to com­pa­nies such as Boe­ing and Air­bus) in 2016.

Chances are, either you or your orga­ni­za­tion has suf­fered a phish­ing attack. The ques­tion is, what should you do to keep from becom­ing a vic­tim?

More than any­thing else, you need to train all your peo­ple, includ­ing (par­tic­u­lar­ly?) the CEO and their direct reports. And the best way I know to do that is to actu­al­ly send them test phish­ing attacks. There are com­mer­cial ser­vices you can sub­scribe to like Phishme or KnowBe4. Obvi­ous­ly, these ser­vice cost real, green dol­lars. And, you need to test peo­ple in a way that will encour­age them to trust man­age­ment. (I guar­an­tee that sur­prise test­ing fol­lowed by pub­lic sham­ing will destroy trust.)

But now there’s anoth­er way that I just dis­cov­ered: gophish an open source phish­ing test frame­work that was launched in ear­ly Jan­u­ary 2016. gophish appears to be espe­cial­ly good for orga­ni­za­tions that have a “do it your­self” cul­ture and an intense desire to avoid spend­ing mon­ey with­out a “no-brain­er” busi­ness case.

By the way, in case you need help to make your busi­ness case, here are some cur­rent phish­ing stats I found over at the PCI Secu­ri­ty Stan­dards Coun­cil blog:

  • 13% of the annu­al cyber­crime cost glob­al­ly for com­pa­nies is due to phish­ing and social engi­neer­ing.
  • Phish­ing costs the aver­age U.S. orga­ni­za­tion more than $3.7 mil­lion annu­al­ly.
  • Every day 80,000 peo­ple fall vic­tim to phish­ing scams from 156 mil­lion phish­ing emails sent glob­al­ly ‒ 16 mil­lion of which cir­cum­vent spam fil­ters ‒ result­ing in 8 mil­lion scam emails being opened.

Any­one out there want to take gophish out for a spin? Let me know what hap­pens…

Five Data Breach Trends For 2016

A few day ago over at the CFO Net­work group on LinkedIn, Scott Ernst (VP at Wells Far­go Insur­ance Ser­vices) post­ed a link to an arti­cle by Michael Bruem­mer, VP of Exper­ian Data Breach Res­o­lu­tion. The arti­cle, based on Expe­ri­an’s annu­al Data Breach Indus­try Fore­cast, sum­ma­rizes five data breach trends busi­ness lead­ers need to be on the look­out for head­ing into 2016.

Data Breach Word Cloud

It’s worth a few min­utes to read the arti­cle, but in case you’re pressed for time, here’s Michael’s list:

  1. The EMV Chip and PIN lia­bil­i­ty shift will not stop pay­ment breach­es.
  2. Big health­care hacks will make the head­lines but small breach­es will cause the most dam­age.
  3. Cyber con­flicts between coun­tries will leave con­sumers and busi­ness­es as col­lat­er­al dam­age.
  4. 2016 U.S. pres­i­den­tial can­di­dates and cam­paigns will be attrac­tive hack­ing tar­gets.
  5. Hack­tivism will make a come­back.

These trends make sense to me so I won’t be sur­prised to see them emerge over the com­ing year. And, Micheal’s right that the best way to pre­pare is to

update … response plans accord­ing­ly

Aside from the large expense of a data breach, orga­ni­za­tions also need to be ready for the most­ly suc­cess­ful attempts at steal­ing mon­ey via busi­ness email com­pro­mise (BEC), which exploits peo­ple and process more than tech­nol­o­gy. This tech­nique has result­ed in about $1.2 bil­lion stolen in just the last cou­ple of years world­wide. For one high pro­file exam­ple, see the sto­ry Bri­an Krebs pub­lished about the $46 mil­lion stolen from Ubiq­ui­ti Net­works in 2015.

The good news is all these risks can be sig­nif­i­cant­ly low­ered with a rea­son­able amount of effort. There are many good risk man­age­ment frame­works you could choose to help guide the work. Right now I real­ly like the NIST Cyber­se­cu­ri­ty Frame­work (CSF) which I’ve been using a lot late­ly.

What cyber­se­cu­ri­ty trends are you watch­ing?

Risks Of Simulated Phishing Campaigns

Is there any doubt that phish­ing is a major threat to all of us? Here’s what Verizon’s 2015 Data Breach Inves­ti­ga­tions Report (DBIR) said about phish­ing:

In the 2013 DBIR, phish­ing was asso­ci­at­ed with over 95% of inci­dents attrib­uted to state spon­sored actors, and for two years run­ning, more than two-thirds of inci­dents that com­prise the Cyber-Espi­onage pat­tern have fea­tured phish­ing. The user inter­ac­tion is not about elic­it­ing infor­ma­tion, but for attack­ers to estab­lish per­sis­tence on user devices, set up camp, and con­tin­ue their stealthy march inside the net­work.

Or, drop a bank­ing Tro­jan on the com­put­er in the hopes of steal­ing some mon­ey.

What’s the suc­cess rate for phish­ing attacks? The 2015 DBIR said:

23% of recip­i­ents now open phish­ing mes­sages and 11% click­ing on attach­ments.

Clear­ly, we need to increase employ­ee resis­tance to all forms of social engi­neer­ing attempts. But how? And, what are the risks of tak­ing action?

Aside from imple­ment­ing some email and web fil­ters, you can buy phish­ing test­ing ser­vices. I’m most famil­iar with PhishMe and KnowBe4.

Run­ning your own sim­u­lat­ed phish­ing cam­paigns seems like a great idea. The effec­tive­ness data pub­lished by the ven­dors is com­pelling. Judg­ing from what I’m see­ing and hear­ing from IT peo­ple over the years, though, there’s an objec­tive miss­ing from the project and oper­a­tions plans: The cam­paigns need to be done in a way that trust between employ­ees and man­age­ment is enhanced, not dam­aged.

Here are the top risks that I can see:

  • Whether it meets the legal def­i­n­i­tion or not, could employ­ees feel the sim­u­la­tion is a form of entrap­ment?
  • Will employ­ees feel resent­ful of man­age­ment if the cam­paign is “decep­tive­ly” launched on them with no warn­ing? Will any feel­ings of shame or embar­rass­ment cause resent­ment?
  • How effec­tive will fur­ther coach­ing or train­ing to resist phish­ing be if the employ­ee feels resent­ment?
  • Should employ­ees who repeat­ed­ly fail sim­u­lat­ed phish­ing exer­cis­es be coached or dis­ci­plined? If so, who should do it? Their super­vi­sor? The CISO?
  • What if an employ­ee actu­al­ly caus­es a data breach by being phished, and you have records of that per­son repeat­ed­ly click­ing on the sim­u­lat­ed phish­ing links over a peri­od of sev­er­al weeks or months with no action tak­en by man­age­ment. Will that under­mine management’s abil­i­ty to dis­ci­pline or fire that per­son?
  • Could an employ­ee, who gets dis­ci­plined for click­ing too much on the sim­u­lat­ed phish­ing links, be able to suc­cess­ful­ly defend them­selves against man­age­ment based on how you con­duct­ed the cam­paigns? Such as a man claim­ing he was unfair­ly tar­get­ed by a mes­sage that would nat­u­ral­ly  appeal more to men than to women?

In the course of research­ing for this post, I was unable to find any doc­u­ment­ed cas­es of peo­ple being dis­ci­plined due to phish­ing, either real or sim­u­lat­ed. So as an indus­try we don’t appear to know the answers, but we def­i­nite­ly need to find them before the attor­neys and courts fig­ure it out for us.

Did you talk with your HR and legal teams before imple­ment­ing a sim­u­lat­ed phish­ing cam­paign? How did you deal with these risks?

Good Cybersecurity Leadership Without Charisma

Nick Tasler recent­ly wrote an arti­cle over at Har­vard Busi­ness Review that is rel­e­vant to all cyber­se­cu­ri­ty peo­ple who are try­ing to make their orga­ni­za­tions more secure. And if you’re ask­ing peo­ple to change, that means you are try­ing to be a leader no mat­ter what your job title. But do you need to be a rock star to get the job done?

cheering crowd at concert

Here’s the intro to the arti­cle:

Vir­tu­al­ly every leader wish­es they had the pow­er to inspire peo­ple to change. That’s because every leader has expe­ri­enced times when they have iden­ti­fied a change that had to be made, devised a great strat­e­gy for mak­ing it hap­pen, but then strug­gled to get peo­ple mov­ing in the new direc­tion.

The prob­lem is that most lead­ers believe that in order to inspire oth­er peo­ple, they must exude the uncom­mon charis­ma of some­one like Steve Jobs, Mar­tin Luther King, Jr., or John F. Kennedy. Those inspir­ing exam­ples don’t feel espe­cial­ly rel­e­vant or attain­able to lead­ers who are not try­ing to build the first iPhone, end racial seg­re­ga­tion, or send some­one to the moon. What if you’re just try­ing to change the way your peo­ple han­dle loans, man­age a sup­ply chain, or inter­act with cus­tomers?”

Or choose bet­ter pass­words? Or think twice about click­ing on that unex­pect­ed URL? You get the idea.

Let me tell you a dirty lit­tle secret: I was hav­ing a dif­fi­cult time real­ly under­stand­ing the point of the arti­cle until I read this syn­op­sis by the author down in the com­ments:

…what the research shows is that in order to inspire peo­ple to change how they think, a deci­sion has to be more than just “right” or “smart.” It also has to [be] unex­pect­ed or coun­ter­in­tu­itive. Elim­i­nat­ing a “good” thing with lots of pros and lots of val­ue, is unex­pect­ed, and that’s why it trig­gers that domi­no effect of inspi­ra­tion in our brains.”

This new insight is encour­ag­ing for a nerd like me! What about you?

End User Security Is A Management Problem

We all know that every­one needs to do their part to keep their orga­ni­za­tion being pwned. Yet secu­ri­ty aware­ness train­ing and anti-phish­ing exer­cis­es don’t seem to help very much. Why is that when there’s no short­age of ven­dors to sell them to us?

The $47 mil­lion recent­ly stolen from Ubiq­ui­ti Net­works was a result of social engi­neer­ing via email com­bined with weak inter­nal pay­ment sys­tem con­trols. How much high­er do the stakes have to get?

We’re in this sit­u­a­tion large­ly because on the job peo­ple do things their super­vi­sors ask them to do. So if super­vi­sors don’t place a high val­ue on get­ting some­thing from the aware­ness train­ing and don’t prompt dif­fi­cult con­ver­sa­tions when some­one falls for a phish­ing lure, your org is doomed.

So, rather than define it as an IT prob­lem, user secu­ri­ty educ­tion and aware­ness should be defined as a man­age­ment prob­lem.

If you are respon­si­ble for get­ting your net­work end­point users to up their secu­ri­ty game, the best way for­ward is to recruit all the super­vi­sors across your orga­ni­za­tion to sup­port your train­ing pro­grams. Work through your man­ag­er to do this.

Hav­ing super­vi­sors on your side will make all the dif­fer­ence when a dif­fi­cult con­ver­sa­tion with a work­er must hap­pen because he will not sup­port the InfoS­ec pro­gram. After all, a care­less user isn’t like­ly to take a ran­dom IT per­son seri­ous­ly, are they?

Which Companies Encrypt Your Data Communications

As a cyber risk leader, with all the NSA snoop­ing going on, you need to know which ser­vice providers are pro­tect­ing your data as it scoots around the Inter­net.

Good news! The Elec­tron­ic Fron­tier Foun­da­tion (EFF) has pub­lished a use­ful info­graph­ic to help you fig­ure out where you stand. Note:

  • Dou­ble-check miss­ing and planned items with your ser­vice providers.
  • Cur­rent­ly, only 8 of the providers offer all five encryp­tion strate­gies rec­om­mend­ed by the EFF.
  • Com­pa­nies that have firm plans with dates have been award­ed a green box.
  • There are quite a few notes at the bot­tom that you should look at.
  • AT&T, Com­cast, and Ver­i­zon have imple­ment­ed none of the strate­gies. Is there some indus­try rea­son?

(Click the graph­ic below to enlarge.)


Here are short def­i­n­i­tions and links for each strat­e­gy:

The EFF pub­lished their info­graph­ic as part of an arti­cle. They’ve updat­ed it many times already.

Did any­thing you see in the info­graph­ic make you want to switch providers? Which ones?

How To Use Google Authenticator

Ready for the next step to up your Inter­net secu­ri­ty game? Our goal with this step is to keep your pass­word from being a sin­gle point of fail­ure.

Not too long ago, Google launched a free two-fac­tor authen­ti­ca­tion ser­vice, called “2‑Step Ver­i­fi­ca­tion” (2SV). The Google Authen­ti­ca­tor app is one way to use 2SV.


I took a cau­tious approach to imple­ment­ing Google Authen­ti­ca­tor (GA). I was con­cerned about lock­ing myself out of an account, so I invest­ed a lit­tle time up front to study it.

GA is just one option with­in Google’s 2SV pro­gram. You can make a choice of how you want to get the codes (each con­sist­ing of a six dig­it num­ber) when you need them:

  1. Sent to you by text mes­sage (SMS)
  2. By receiv­ing a phone call
  3. Via the Google Authen­ti­ca­tor app
  4. Using a list of pre-print­ed codes you can car­ry in your wal­let

Also, dur­ing sign in, you can tell Google not to ask for a code again on that web brows­er. This will cut down on your work­load and is fine if you don’t share your com­put­er.

I went to the iPhone App Store, searched for “Google Authen­ti­ca­tor” and installed it. There are also Android and Black­Ber­ry ver­sions.

Then, I fol­lowed the instruc­tions to enroll my Gmail account. As a pre­cau­tion to los­ing my phone, I set a back­up phone num­ber (my wife’s) and I also got some pre-print­ed codes that I’ve put in a safe place.

My first big sur­prise came when I tried to check my email from the Gmail app on my iPhone. With­in the app I got prompt­ed for my user ID and pass­word, and then for my 2SV code. Here are some tips:

  1. You can switch over to Google Authen­ti­ca­tor by dou­ble-click­ing on your iPhone but­ton and scrolling to the right.
  2. Or, you can press the but­ton once and then tap on the icon wher­ev­er it is on your iPhone desk­top.
  3. Note that the codes change every 30 sec­onds. The codes them­selves turn red when they are about to change. There is also a small count-down clock on the right-side of the screen (see screen shot below) so you can get an idea of when the codes will change.
  4. Quick­ly mem­o­rize the six-dig­it code, then switch back to the Gmail app, and enter it.


The next day I noticed my Cal­en­dar iPhone app wasn’t updat­ing. I quick­ly real­ized 2SV was stop­ping me, but I didn’t know how to enter a code. Turns out I had to enroll my Mail and Cal­en­dar apps by using an appli­ca­tion-spe­cif­ic pass­word. It’s not very dif­fi­cult so just fol­low the sim­ple instruc­tions.

Are you ready to imple­ment Google Authen­ti­ca­tor? Why not? If you did already, how did it go for you?

A Better Approach to Password Reset Questions

Remem­ber when Sarah Palin’s email account was hacked in late 2008? Here’s what Wired said about it:

…the Palin hack didn’t require any real skill. Instead, the hack­er sim­ply reset Palin’s pass­word using her birth­date, ZIP code and infor­ma­tion about where she met her spouse — the secu­ri­ty ques­tion on her Yahoo account, which was answered (Wasil­la High) by a sim­ple Google search.

It’s far too easy to lose con­trol of your accounts due to weak answers to “secu­ri­ty ques­tions”. In a recent study, 17% of the par­tic­i­pants were able to guess answers to the “secret ques­tions” of peo­ple they knew noth­ing about.


Here’s how I respond to these ques­tions now. Pass­word resets are typ­i­cal­ly han­dled auto­mat­i­cal­ly via email or by talk­ing with a per­son over the phone. So set up a strong sys­tem that will work well in either case.

First, get 1Password (or a sim­i­lar pass­word man­ag­er) to secure­ly store and retrieve the ques­tions and your answers. This elim­i­nates the need to use eas­i­ly remem­bered (and eas­i­ly guessed) answers about your­self. For each entry in your pass­word data­base, just put the ques­tions and answers the Notes field (or use cus­tom fields):


Next, cre­ate an email account just for sup­port­ing pass­word resets. This will great­ly reduce the risk of some­one reset­ting your pass­word and inter­cept­ing the tem­po­rary new one. Here are some tips:

  1. Make sure the user name is not obvi­ous­ly con­nect­ed to you but is easy to say over the phone in case you ever have to do that. Exam­ple:
  2. Chose a free email provider dif­fer­ent from what­ev­er you use now. Wikipedia has a con­cise list of providers you can browse.
  3. Beware: Many email providers will dis­able and delete your account if there is no use after as lit­tle as 30 days. Set a reminder on your cal­en­dar to login 3 or 4 times per year.

Final tips:

  1. Make the answers eas­i­ly pro­nounce­able so you don’t con­fuse the poor cus­tomer ser­vice rep. Avoid using words that are dif­fi­cult to spell.
  2. When choos­ing answers, try to be as ran­dom as prac­ti­cal. You can use a word gen­er­a­tor to choose from sev­er­al thou­sand words.
  3. For great­est effi­cien­cy, use words that are easy to say clear­ly over the phone. I like the Pret­ty Good Pri­va­cy (PGP) word list.

Don’t for­get to change the ques­tions at web sites where you’ve already answered! Next week, I’ll cov­er Google Authen­ti­ca­tor.

Ques­tions for you: Can you see your­self using stronger answers to pass­word reset ques­tions? Why not?

How I Use 1Password

Having cho­sen 1Password and made my ini­tial con­fig­u­ra­tions, I now use it in my dai­ly work­flow.

Ini­tial­ly, this change wasn’t easy. But, Cyber Risk lead­ers need to be good at chang­ing their atti­tudes and behav­iors. If noth­ing else, you must be able to set a good exam­ple for oth­ers.


Dis­clo­sure: I have no rela­tion­ship with the mak­er of 1Password oth­er than as a cus­tomer who paid entire­ly for his own licens­es. If you decide to pur­chase 1Password, there is no com­pen­sa­tion in it for me. Anoth­er good choice is Last­Pass, which I strong­ly con­sid­ered.

Rather than do tuto­ri­als and read the help doc­u­ments, I learned how to use 1Password by play­ing around with it in my web brows­er: Cre­at­ing new accounts at a few sites. I want­ed to judge how eas­i­ly I could pick it up just through using it.

I tried easy things first: Migrat­ing some exist­ing pass­words from my Chrome pass­word cache (which I stopped using and delet­ed all the records). Then, I fig­ured out how to gen­er­ate new, strong pass­words using 1Password.

I quick­ly learned I need­ed to install the brows­er exten­sions. This is for con­ve­nience as well as a bit more secu­ri­ty against key­stroke log­gers. With­out the exten­sions, you have to either man­u­al­ly type the pass­words at each site (which I’m not going to do) or use your browser’s pass­word man­age­ment fea­ture (bad idea).

Here are some oth­er tips:

  1. While 1Password will offer up to 50 char­ac­ters for a pass­word, you quick­ly real­ize which sites won’t allow sup­port more than 8 char­ac­ters or strict­ly lim­its the kinds of char­ac­ters you can use. I sus­pect these sites are either using a main­frame on their back end or have cod­ed their own authen­ti­ca­tion. So, I use the most char­ac­ters I can.
  2. Because I got bit a cou­ple times in the begin­ning, I always copy 1Pass­word-gen­er­at­ed pass­words into a tem­po­rary text file until I’m sure it’s safe­ly stored in the data­base.
  3. Make sure you can find all the spe­cial char­ac­ters on the soft key­boards of all your devices. Iso­late any prob­lem keys or reject them by enabling the “Avoid ambigu­ous char­ac­ters” fea­ture in the Strong Pass­word Gen­er­a­tor.


With 1Password inte­grat­ed into my dai­ly work­flow, I moved on to some oth­er new behav­iors to up my online secu­ri­ty game: Pass­word reset secu­ri­ty ques­tions, two-step ver­i­fi­ca­tion, and a cou­ple of oth­ers. More next week.

Ques­tions for you: Are you using 1Password? How well does it work for you?

A Strategy To Fill Your Open Cybersecurity Jobs

There’s a short­age of cyber­se­cu­ri­ty experts. Three of my cur­rent cus­tomers are strug­gling with this, even at the CISO lev­el. You can see it by watch­ing how long the post­ings sit gath­er­ing dust on their job boards. I just came across a new report out that puts some num­bers on the prob­lem.

How will you fill these seats with cybersecurity experts?

How will you fill these seats with cyber­se­cu­ri­ty experts?

Job mar­ket ana­lyt­ics firm Burn­ing Glass recent­ly exam­ined near­ly 40,000 online job sites and then issued this report: “Job Mar­ket Intel­li­gence: Cyber-Secu­ri­ty Jobs, 2015″.

Here’s one insight­ful stat:

Cyber-secu­ri­ty jobs account for 11% of all IT jobs, and they have grown three times faster than IT jobs over­all from 2010 through 2014.

You can get the entire report at the link above with­out hand­ing over your con­tact info. But while the report does a good job of quan­ti­fy­ing the prob­lem, I did­n’t see any good sug­ges­tions for deal­ing with it. So here’s an strat­e­gy that’s worked for me: Recruit from the IT ranks in your com­pa­ny.

Why? In most cas­es, back­fill­ing the IT job will take less time. And, you’ll have cyber­se­cu­ri­ty peo­ple who are famil­iar with your own IT prac­tices, not to men­tion they will bring their own infor­mal net­work of com­pa­ny con­tacts with them. It could be a great pro­fes­sion­al growth oppor­tu­ni­ty for the can­di­date, too.

A word of cau­tion: Before you start talk­ing seri­ous­ly with your inter­nal can­di­dates, be sure to work close­ly with their super­vi­sors so you don’t dam­age your own rela­tion­ships.

Have you tried this approach? How well did it work?