Risks Of Simulated Phishing Campaigns

Is there any doubt that phishing is a major threat to all of us? Here's what Verizon's 2015 Data Breach Investigations Report (DBIR) said about phishing:

In the 2013 DBIR, phishing was associated with over 95% of incidents attributed to state sponsored actors, and for two years running, more than two-thirds of incidents that comprise the Cyber-Espionage pattern have featured phishing. The user interaction is not about eliciting information, but for attackers to establish persistence on user devices, set up camp, and continue their stealthy march inside the network.

Or, drop a banking Trojan on the computer in the hopes of stealing some money.

What's the success rate for phishing attacks? The 2015 DBIR said:

23% of recipients now open phishing messages and 11% click on attachments.

Clearly, we need to increase employee resistance to all forms of social engineering attempts. But how? And what are the risks of taking action?

Aside from implementing some email and web filters, you can buy phishing testing services. I'm most familiar with PhishMe and KnowBe4.

Running your own simulated phishing campaigns seems like a great idea. The effectiveness data published by the vendors is compelling. Judging from what I've seen and heard from IT people over the years, though, there's an objective missing from the project and operations plans: the campaigns need to be done in a way that enhances trust between employees and management, rather than damaging it.

Here are the top risks that I can see:

  • Whether it meets the legal definition or not, could employees feel the simulation is a form of entrapment?
  • Will employees feel resentful of management if the campaign is "deceptively" launched on them with no warning? Will any feelings of shame or embarrassment cause resentment?
  • How effective will further coaching or training to resist phishing be if the employee feels resentment?
  • Should employees who repeatedly fail simulated phishing exercises be coached or disciplined? If so, who should do it? Their supervisor? The CISO?
  • What if an employee actually causes a data breach by being phished, and you have records of that person repeatedly clicking on the simulated phishing links over a period of several weeks or months with no action taken by management? Will that undermine management's ability to discipline or fire that person?
  • Could an employee who gets disciplined for clicking too often on the simulated phishing links successfully defend themselves against management based on how you conducted the campaigns? For example, a man claiming he was unfairly targeted by a message that would naturally appeal more to men than to women?

In the course of researching this post, I was unable to find any documented cases of people being disciplined due to phishing, either real or simulated. So as an industry we don't appear to know the answers, but we definitely need to find them before the attorneys and courts figure it out for us.

Did you talk with your HR and legal teams before implementing a simulated phishing campaign? How did you deal with these risks?

End User Security Is A Management Problem

We all know that everyone needs to do their part to keep their organization from being pwned. Yet security awareness training and anti-phishing exercises don't seem to help very much. Why is that, when there's no shortage of vendors to sell them to us?

The $47 million recently stolen from Ubiquiti Networks was a result of social engineering via email combined with weak internal payment system controls. How much higher do the stakes have to get?

We're in this situation largely because, on the job, people do things their supervisors ask them to do. So if supervisors don't place a high value on getting something from the awareness training and don't prompt difficult conversations when someone falls for a phishing lure, your org is doomed.

So, rather than defining it as an IT problem, user security education and awareness should be defined as a management problem.

If you are responsible for getting your network endpoint users to up their security game, the best way forward is to recruit all the supervisors across your organization to support your training programs. Work through your manager to do this.

Having supervisors on your side will make all the difference when a difficult conversation with a worker must happen because he will not support the InfoSec program. After all, a careless user isn't likely to take a random IT person seriously, are they?

Which Companies Encrypt Your Data Communications

As a cyber risk leader, with all the NSA snooping going on, you need to know which service providers are protecting your data as it scoots around the Internet.

Good news! The Electronic Frontier Foundation (EFF) has published a useful infographic to help you figure out where you stand. Note:

  • Double-check missing and planned items with your service providers.
  • Currently, only 8 of the providers offer all five encryption strategies recommended by the EFF.
  • Companies that have firm plans with dates have been awarded a green box.
  • There are quite a few notes at the bottom that you should look at.
  • AT&T, Comcast, and Verizon have implemented none of the strategies. Is there some industry reason?

Here are short definitions and links for each strategy:

The EFF published their infographic as part of an article. They've updated it many times already.

Did anything you see in the infographic make you want to switch providers? Which ones?

How To Use Google Authenticator

Ready for the next step to up your Internet security game? Our goal with this step is to keep your password from being a single point of failure.

Not too long ago, Google launched a free two-factor authentication service called "2-Step Verification" (2SV). The Google Authenticator app is one way to use 2SV.


I took a cautious approach to implementing Google Authenticator (GA). I was concerned about locking myself out of an account, so I invested a little time up front to study it.

GA is just one option within Google's 2SV program. You can choose how you want to get the codes (each consisting of a six-digit number) when you need them:

  1. Sent to you by text message (SMS)
  2. By receiving a phone call
  3. Via the Google Authenticator app
  4. Using a list of pre-printed codes you can carry in your wallet

Also, during sign-in, you can tell Google not to ask for a code again on that web browser. This will cut down on your workload and is fine if you don't share your computer.

I went to the iPhone App Store, searched for "Google Authenticator" and installed it. There are also Android and BlackBerry versions.

Then, I followed the instructions to enroll my Gmail account. As a precaution against losing my phone, I set a backup phone number (my wife's) and I also got some pre-printed codes that I've put in a safe place.

My first big surprise came when I tried to check my email from the Gmail app on my iPhone. Within the app I got prompted for my user ID and password, and then for my 2SV code. Here are some tips:

  1. You can switch over to Google Authenticator by double-clicking your iPhone button and scrolling to the right.
  2. Or, you can press the button once and then tap on the icon wherever it is on your iPhone desktop.
  3. Note that the codes change every 30 seconds. The codes themselves turn red when they are about to change. There is also a small countdown clock on the right side of the screen (see screenshot below) so you can get an idea of when the codes will change.
  4. Quickly memorize the six-digit code, then switch back to the Gmail app and enter it.


The next day I noticed my Calendar iPhone app wasn't updating. I quickly realized 2SV was stopping me, but I didn't know how to enter a code. It turns out I had to enroll my Mail and Calendar apps by using an application-specific password. It's not very difficult, so just follow the simple instructions.

Are you ready to implement Google Authenticator? Why not? If you did already, how did it go for you?

A Better Approach to Password Reset Questions

Remember when Sarah Palin's email account was hacked in late 2008? Here's what Wired said about it:

…the Palin hack didn't require any real skill. Instead, the hacker simply reset Palin's password using her birthdate, ZIP code and information about where she met her spouse — the security question on her Yahoo account, which was answered (Wasilla High) by a simple Google search.

It's far too easy to lose control of your accounts due to weak answers to "security questions". In a recent study, 17% of the participants were able to guess answers to the "secret questions" of people they knew nothing about.


Here's how I respond to these questions now. Password resets are typically handled automatically via email or by talking with a person over the phone. So set up a strong system that will work well in either case.

First, get 1Password (or a similar password manager) to securely store and retrieve the questions and your answers. This eliminates the need to use easily remembered (and easily guessed) answers about yourself. For each entry in your password database, just put the questions and answers in the Notes field (or use custom fields):


Next, create an email account just for supporting password resets. This will greatly reduce the risk of someone resetting your password and intercepting the temporary new one. Here are some tips:

  1. Make sure the user name is not obviously connected to you but is easy to say over the phone in case you ever have to do that. Example: xa939@yahoo.com
  2. Choose a free email provider different from whatever you use now. Wikipedia has a concise list of providers you can browse.
  3. Beware: many email providers will disable and delete your account if there is no use after as little as 30 days. Set a reminder on your calendar to log in 3 or 4 times per year.

Final tips:

  1. Make the answers easily pronounceable so you don't confuse the poor customer service rep. Avoid using words that are difficult to spell.
  2. When choosing answers, try to be as random as practical. You can use a word generator to choose from several thousand words.
  3. For greatest efficiency, use words that are easy to say clearly over the phone. I like the Pretty Good Privacy (PGP) word list.
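The "random, pronounceable, stored in the manager" approach above is easy to mechanize. Here is an added example (my code, not the post's and not 1Password's) that draws answers from a word list with a cryptographically secure generator, reports how hard each answer is to guess, and formats a record ready to paste into a Notes field. The sixteen-word list is a constructed stand-in so the example runs offline; a real deployment would load a list of several thousand words such as the PGP word list the post mentions. The function names and the `choose` parameter (which exists so the draw can be made deterministic in a test) are my own.

```python
import math
import secrets
from typing import Callable, Sequence

# Constructed sample word list (assumption): short, easy to say and spell.
# Substitute a list of several thousand words in real use.
SAMPLE_WORDS = [
    "anchor", "basket", "cactus", "dolphin", "eagle", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "meadow", "nickel", "orbit", "pepper",
]


def answer_entropy_bits(word_count: int, list_size: int) -> float:
    """Guessing cost of a uniformly random answer: log2(list_size ** word_count).

    Three words from 16 is only 12 bits; three from a 7,776-word list is ~39 bits,
    which is why the list size matters more than the number of words.
    """
    return word_count * math.log2(list_size)


def random_answer(words: Sequence[str], word_count: int = 3,
                  choose: Callable[[Sequence[str]], str] = secrets.choice) -> str:
    """Join word_count independently drawn words; secrets.choice is a CSPRNG, random.choice is not."""
    if word_count < 1 or not words:
        raise ValueError("need at least one word and one draw")
    return " ".join(choose(words) for _ in range(word_count))


def build_reset_record(site: str, questions: Sequence[str], words: Sequence[str] = SAMPLE_WORDS,
                       word_count: int = 3, choose=secrets.choice) -> dict:
    """One record per site: the site's questions, a fresh random answer for each, and the strength."""
    return {
        "site": site,
        "answers": {question: random_answer(words, word_count, choose) for question in questions},
        "entropy_bits": answer_entropy_bits(word_count, len(words)),
    }


def format_notes(record: dict) -> str:
    """Render the record as plain text for the password manager's Notes field."""
    lines = [f"Site: {record['site']}"]
    for question, answer in record["answers"].items():
        lines.append(f"Q: {question}")
        lines.append(f"A: {answer}")
    lines.append(f"(~{record['entropy_bits']:.0f} bits of entropy per answer)")
    return "\n".join(lines)


if __name__ == "__main__":
    record = build_reset_record(
        "example-bank (constructed)",
        ["Where did you meet your spouse?", "What was the name of your first pet?"],
    )
    print(format_notes(record))
```

Because the answer is stored rather than remembered, it no longer needs to be true, and a support representative can still read it back over the phone one word at a time.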

Don't forget to change the questions at web sites where you've already answered them! Next week, I'll cover Google Authenticator.

Questions for you: Can you see yourself using stronger answers to password reset questions? Why not?

How I Use 1Password

Having chosen 1Password and made my initial configurations, I now use it in my daily workflow.

Initially, this change wasn't easy. But Cyber Risk leaders need to be good at changing their attitudes and behaviors. If nothing else, you must be able to set a good example for others.


Disclosure: I have no relationship with the maker of 1Password other than as a customer who paid entirely for his own licenses. If you decide to purchase 1Password, there is no compensation in it for me. Another good choice is LastPass, which I strongly considered.

Rather than do tutorials and read the help documents, I learned how to use 1Password by playing around with it in my web browser, creating new accounts at a few sites. I wanted to judge how easily I could pick it up just through using it.

I tried easy things first: migrating some existing passwords from my Chrome password cache (which I have since stopped using, after deleting all of its records). Then, I figured out how to generate new, strong passwords using 1Password.

I quickly learned I needed to install the browser extensions. This is for convenience as well as a bit more security against keystroke loggers. Without the extensions, you have to either manually type the passwords at each site (which I'm not going to do) or use your browser's password management feature (bad idea).

Here are some other tips:

  1. While 1Password will offer up to 50 characters for a password, you quickly realize which sites won't support more than 8 characters or strictly limit the kinds of characters you can use. I suspect these sites are either using a mainframe on their back end or have coded their own authentication. So, I use the most characters I can.
  2. Because I got bitten a couple of times in the beginning, I always copy 1Password-generated passwords into a temporary text file until I'm sure they're safely stored in the database.
  3. Make sure you can find all the special characters on the soft keyboards of all your devices. Isolate any problem keys or reject them by enabling the "Avoid ambiguous characters" feature in the Strong Password Generator.
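To make the trade-offs in the tips above concrete (50 characters versus an 8-character cap, and excluding look-alike characters), here is an added example of a strong password generator. It is my code, not 1Password's generator and not the post's; the ambiguous-character set, the default symbol set and the function names are my own choices. It draws every character with `secrets` (a CSPRNG), optionally re-draws until every character class is represented (the usual "must contain upper, lower, digit, symbol" site rule) without fixing any position, and reports the entropy, which is what the 8-character limit actually costs you.

```python
import math
import secrets
import string
from typing import Optional

# Look-alike characters that are easy to mistype on a soft keyboard (assumption:
# this set is my own choice, not 1Password's definition of "ambiguous").
AMBIGUOUS = set("0O1lI|")
DEFAULT_SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"


def build_alphabet(symbols: str = DEFAULT_SYMBOLS, avoid_ambiguous: bool = True) -> str:
    """Letters, digits and the chosen symbols, optionally without look-alike characters."""
    chars = string.ascii_letters + string.digits + symbols
    if avoid_ambiguous:
        chars = "".join(c for c in chars if c not in AMBIGUOUS)
    return chars


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Strength of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 50, alphabet: Optional[str] = None,
                      require_each_class: bool = True) -> str:
    """Draw each character independently with secrets.choice (never random.choice).

    With require_each_class, the whole password is re-drawn until every class that
    exists in the alphabet appears at least once. Rejection sampling keeps the
    distribution uniform over the accepted passwords instead of forcing, say,
    a digit into a fixed slot.
    """
    if alphabet is None:
        alphabet = build_alphabet()
    if length < 1:
        raise ValueError("length must be positive")
    present = set(alphabet)
    classes = [set(string.ascii_uppercase) & present,
               set(string.ascii_lowercase) & present,
               set(string.digits) & present,
               present - set(string.ascii_letters + string.digits)]
    classes = [cls for cls in classes if cls]
    while True:
        password = "".join(secrets.choice(alphabet) for _ in range(length))
        if not require_each_class or length < len(classes):
            return password
        if all(any(ch in cls for ch in password) for cls in classes):
            return password


def fit_site_policy(max_length: int, allowed_symbols: str = "", avoid_ambiguous: bool = True) -> str:
    """For a site that caps the length or restricts symbols, use the most it allows."""
    return generate_password(max_length, build_alphabet(allowed_symbols, avoid_ambiguous))


if __name__ == "__main__":
    full = generate_password()
    print(full, f"({entropy_bits(len(full), len(build_alphabet())):.0f} bits)")
    legacy = fit_site_policy(8)
    print(legacy, f"({entropy_bits(len(legacy), len(build_alphabet('', True))):.0f} bits)")
```

Running it shows the gap the first tip describes: 50 characters from an 80-character alphabet is over 300 bits, while 8 alphanumeric characters is under 50 bits, so the legacy-site password should get unique treatment (never reused, and two-step verification where the site offers it).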


With 1Password integrated into my daily workflow, I moved on to some other new behaviors to up my online security game: password reset security questions, two-step verification, and a couple of others. More next week.

Questions for you: Are you using 1Password? How well does it work for you?

How I Got Started With A Password Manager

I use 1Password to keep my online security game strong. Cyber Risk leaders need to set a good example for others, so you should use a password manager, too. Let me show you how I got started.


Disclosure: I have no relationship with the maker of 1Password other than as a customer who paid entirely for his own licenses. If you decide to purchase 1Password, there is no compensation in it for me. Another good choice is LastPass, which I strongly considered, am willing to use, and which has been battle-tested.

After spending some time playing around with 1Password, I committed to this approach:

1. I use one unique password for each web site.

2. Each of my passwords is long and complex with a good mix of upper/lower case letters, numbers, and symbols. Like this:


3. Typing passwords like these several times each day isn't practical, so I use the automated password entry feature via the web browser plug-in.

4. I installed the app on my iPhone and all of my computers so my passwords are available everywhere I work.

5. I make my current password database available on all my devices by using the built-in file sync feature of Dropbox.

6. Finally, although this isn't a password manager function, I've added two-factor authentication using Google Authenticator at those web sites that offer it.

Playing with 1Password was easy because of their 30-day trial. Then I bought the 1Password Mac + Windows Bundle. I also bought 1Password for iOS through the App Store. (There are Android and Windows versions, too, but I haven't used them.)

After installing 1Password, the first step is to set a master password. Over the course of a day I thought about what my master password should be. Since I would be typing it a lot, I wanted to choose something secure that wouldn't be too tough to enter on my iPhone keyboard. Ultimately, I took a passphrase approach and created an obscure sentence that nicely balances strength against the efficiency of typing it.

I feel comfortable using Dropbox for syncing my password database. Why? Because the database is strongly encrypted and all the encryption functions are done on my local computer. So, even if Dropbox is hacked (again) my passwords will remain safe. Alternately, you can use iCloud or local WiFi for file syncing.

Next week, I'll tell you how I use 1Password in my daily workflow. Later, I'll tell you more about Google Authenticator.

Are you using a password manager? Why not?

Why You Need To Step Up Your Password Game

In the summer of 2012, Mat Honan's story of being completely hacked became my burning platform to up my password game. As a financial executive in your organization who wants to be seen as a great cyber risk leader, upping your password game sets a good example for others.


What's wrong with the way most people use passwords?

  1. On the Internet, simple, reusable passwords are not secure enough for anything you can't afford to lose: money; reputation; access to the tools that support your daily workflow; even irreplaceable photos.
  2. A simple password uses dictionary words, common names, brand names, anything that's very easy to remember. Simple also means eight or fewer characters and standard letter substitutions (e.g., using a "3" instead of an "E" or a "$" instead of an "S").
  3. With today's standard desktop computing power, broadband connections, and easy access to hacking tools, your passwords can be cracked or stolen from you (or from another site you use) more quickly than you realize.
  4. Using the same password at more than one site is a leading cause of bad Internet days. The average web user has 25 active accounts but only uses 6 passwords to protect all of them. 61 percent of Americans admit to using the same password on different sites. Do you use the same password at your online bank or broker as you do for Twitter? Bad idea.
  5. Even the best password strategy cannot protect you against all attacks. Social engineering was the main attack in Honan's case. Other tactics include tricking you into using a fake web site or slipping some spyware onto your computer.

The good news: improving my password habits was easier than I expected because of a tool called 1Password, which I'll talk more about next week.

My new password habits include using:

  1. Passwords with as many as 50 random characters that are unique to each web site;
  2. Non-obvious answers to password reset security questions;
  3. An obscure email account just for password resets; and
  4. Google Authenticator for two-step verification with Dropbox, Gmail, and others.

Over the next several weeks, I'll explain how I adopted these specific methods so you can, too.

Have you already upped your password game? How?

How To Download Your LinkedIn Contacts

Tired of living inside the boundaries of LinkedIn's Connections interface? Want to sort your contacts in Excel? Or import them into your CRM? Or just know that you have a copy safely tucked away just in case? I've broken the boundaries and so can you.

Here's how you can download your LinkedIn contacts into a variety of file formats:

1. Sign in to LinkedIn.

2. Click on the Connections menu option under the search box at the top of the screen (avoid the options that drop down when you hover your mouse over it).

3. Click on the gear icon in the upper right hand corner.

Screenshot 1

4. Click on the Export LinkedIn Connections option on the right side.

Screenshot 2

5. Choose the format you need and click on the Export button.

Screenshot 3