By Sameer Shelke
CISSP, CISA, BS7799 LA, ITIL
According to the “Phishing Activity Trends Report – 2nd Half 2010” published by the Anti-Phishing Working Group (APWG), 80% of phishing attacks target financial institutions and payment services. But with more and more companies using the Web to exchange and process confidential or sensitive information and to move money, the scope for cybercriminals has widened considerably. In recent years, gaming, e-commerce and social networking sites have become attractive targets as they continue to grow in popularity.
Table of targeted sectors (only rows 4–7 survived extraction): 4 Forums / Newsgroups; 5 Non-profits & NGOs; 6 Fashion & Beauty; 7 Leisure & Recreation.
Examples of phishing lure subjects cited in the original: “See who has viewed your profile”, “Free Facebook Credits”, “Osama Bin Laden Dead – Actual Video”.
As in any other sphere, cybercrime has become more organized and refined. While phishing emails were traditionally indiscriminate, victimizing recipients at random, attackers now increasingly run targeted campaigns (spear phishing) aimed at specific groups or individuals.
Tackling phishing is immensely challenging because phishing emails are usually convincing and hard to distinguish from genuine ones. Risk management and control mechanisms against such social engineering attacks therefore need to be dynamic in order to keep pace with evolving threats.
The security industry has worked on a “build, test, fix” model from the start: a great deal of time and money goes into identifying vulnerabilities in technologies and processes, on the assumption that flaws found will be fixed. There are, however, few established ways to test people, which is why users have been called the weakest link in security. Upgrading to advanced security solutions is crucial, but educating people about phishing is equally important.
The most effective people control against phishing is user education: users are taught the risks of phishing, how it happens and how to identify phishing attempts. More often than not, however, this training is generic, and generic training is not as effective as training tailored to the user’s own behavior. This is where a solution such as Phishnix, which helps organizations evaluate the readiness of employees against phishing and social engineering attacks, can make a difference.
Phishnix is a phishing diagnostic solution that helps organizations protect their most valuable assets, their employees, from becoming phishing victims. It simulates a phishing attack, captures how each user would have reacted to a real one, and uses that reaction to educate the user proactively so that they can recognize and avoid phishing attacks in the future.
Phishing simulation solutions can be highly effective because they leverage the “teaching moment” created by the user’s own response and generate an action plan to avoid future pitfalls. Phishnix focuses on the “Fall Rate” and “Fail Rate” derived from actual employee behavior, and helps organizations develop specific control measures for the problem areas those rates expose.
In a typical phishing attack, the target is enticed to read an email, visit a website and reveal information. A common misconception is that the attack succeeds only if the target reveals information. This is not true: an attacker is essentially collecting information to plan the next move, and user actions supply that information even when no private data is disclosed. The mere act of visiting the malicious website reveals, for example, the visitor’s IP address, browser and time of access, which can be used to fingerprint the target and to learn what kind of lure attracts which targets.
The Fall Rate is defined as the percentage of users (targets) who “fall” for the attack by visiting the fake website.
The Fail Rate is defined as the percentage of users (targets) who “fail” the test by visiting the fake website and then revealing sensitive information on it.
The following statistics are an example of Fall and Fail rates analyzed using Phishnix:
The two ends of the spectrum, Best and Worst, are the results of specific tests, whereas the Average is computed across all tests. All percentages are computed against the total number of target users in the test.
An average Fall Rate of 61% is startlingly high, because the denominator includes every target, including the users who took no action at all. That inactivity is mostly not a sign that the user spotted the attack; it is more likely that they have an email backlog or simply had not yet seen the message. As noted above, visiting the malicious website is by itself enough to give the attacker useful knowledge for planning the next move.
An average Fail Rate of 21% is a major concern, since these users revealed sensitive information such as passwords. About 65% of the users who “fell” did not “fail” (40 of the 61 percentage points), meaning they either realized it was an attack (the most likely case) or simply did not proceed further because of other priorities. This underlines the need for tailored education that leverages the “teaching moment” just created: users shown examples of good and bad behavior drawn from their own actions retain that knowledge far better than what they pick up in generic training.
These statistics change as follow-up tests are performed or as test parameters are varied. For instance, Fall and Fail rates rise when the lure impersonates a different kind of service (e.g. a social network) or is read on a different end device (e.g. a mobile phone). They also rise when tests are timed around specific events (e.g. the 9/11 memorial or company-specific occasions). By benchmarking Fall and Fail rates, organizations learn how their users behave and can adjust their control strategy accordingly. For example, if the Fail Rate is high in a specific department or location and does not decrease after education, the technology or process controls protecting that group need to be strengthened.
Benchmarking is therefore the first step in analyzing and improving these metrics. Since you cannot improve what you cannot measure, tracking Fall and Fail rates is critical for any organization that wants to bring about positive change in user behavior.
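As an added example (this is not Phishnix code, and the users, departments and events below are constructed sample data), here is how the Fall and Fail rates defined above can be computed from a simulated test’s click and submission log. It also produces the per-department breakdown mentioned in the text, and treats a target with no event as “no action” rather than as a detection, in line with the caveat above.

```python
# Added example, not Phishnix code: Fall and Fail rates from a simulated-phishing
# event log, overall and per department.
#
# Constructed sample data, not real test results. Event kinds follow the
# article's definitions: "visited" = the target opened the fake site (Fall),
# "submitted" = the target entered sensitive data on it (Fail). A target with
# no event took no action, which is NOT evidence that they spotted the attack.
TARGETS = {                      # every user who received the simulated email
    "alice": "finance", "bob": "finance", "carol": "finance",
    "dave": "finance", "heidi": "finance",
    "erin": "hr", "frank": "hr", "grace": "hr", "ivan": "hr", "judy": "hr",
}
EVENTS = [                        # (user, kind) as a tracking endpoint would log them
    ("alice", "visited"), ("alice", "submitted"),
    ("bob", "visited"),
    ("carol", "visited"), ("carol", "submitted"),
    ("dave", "visited"),
    ("erin", "visited"),
    ("frank", "visited"), ("frank", "visited"),   # repeat click, counted once
    ("grace", "submitted"),                       # submission implies a visit
    ("mallory", "visited"),                       # not a target: ignored
]


def collect(targets, events):
    """Reduce the raw event log to two sets of distinct users: who fell, who failed."""
    fell, failed = set(), set()
    for user, kind in events:
        if user not in targets:           # stray hits (scanners, forwards) are excluded
            continue
        if kind == "submitted":
            failed.add(user)
            fell.add(user)                # nobody submits without visiting
        elif kind == "visited":
            fell.add(user)
        else:
            raise ValueError(f"unknown event kind: {kind}")
    return fell, failed


def pct(part, whole):
    """Percentage rounded to one decimal; 0.0 for an empty population."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def rates(targets, events, dept=None):
    """Fall/Fail rates as percentages of all targets (optionally one department)."""
    population = {u for u, d in targets.items() if dept is None or d == dept}
    fell, failed = collect(targets, events)
    fell &= population
    failed &= population
    n = len(population)
    return {
        "targets": n,
        "fall_rate": pct(len(fell), n),          # visited the fake site
        "fail_rate": pct(len(failed), n),        # visited AND revealed data
        "no_action": pct(n - len(fell), n),      # never clicked (reason unknown)
        "fell_not_failed": pct(len(fell) - len(failed), len(fell)),  # share of fallers who stopped
    }


def high_fail_departments(targets, events, threshold):
    """Departments whose Fail Rate exceeds the threshold: candidates for stronger controls."""
    depts = sorted(set(targets.values()))
    return [d for d in depts if rates(targets, events, d)["fail_rate"] > threshold]


if __name__ == "__main__":
    print("overall:", rates(TARGETS, EVENTS))
    for d in sorted(set(TARGETS.values())):
        print(d, rates(TARGETS, EVENTS, d))
    print("fail rate above 25%:", high_fail_departments(TARGETS, EVENTS, 25.0))
```

Because every rate is computed against the full target population, a low Fall Rate is only meaningful alongside the no-action share: a campaign sent just before a holiday will look better than it is. Running the same log through `rates` per department, and repeating it after each follow-up test, is what turns the numbers into the benchmark the text describes.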