KnowBe4 Security Awareness Training Blog
How To Phish Your Employees
Posted by
Stu Sjouwerman
on Sat, Mar 24, 2012 @ 09:16 AM
I wrote a new article that is also available in the resources section on our website:
More and more, the bad guys are bypassing your firewall, endpoint protection and other technology-based security measures by going after your users, and you have (reluctantly) come to the conclusion that now your employees are the weak link in your IT Security. Augh! Is there a patch for stupid?
(I didn't really mean that).
Welcome to the club. Now what.
Well, phishing your own employees and finding out who the culprits are is a logical course of action. Find out who they are and exterminate. OK, plan B. Let's phish our own employees and then work out how to get them through Internet Security Awareness Training. But not like the yearly Sexual Harassment Training (SHT) they do in this outfit, because they forget about that CYA exercise in a few weeks. We need something that keeps users on their toes year-round.
OK, but first: how are we going to phish our employees? We need to know the Phish-prone percentage of our end-users.
There are a few ways you can do this:
1) Raise a temporary webserver, and 'roll your own' phishing site. Then create your own phishing email that should lure the users to your fake site, using what (little) you know about Social Engineering. Work out how the tracking and reporting works, and code that. Make it all look acceptable. Takes a few days of work for someone who knows what they are doing. Next, send the email to all users using a mail server that allows you to spoof the From address. Then keep track, fend off users calling and emailing about this. Fend off your manager who is getting calls from other managers about this, despite the fact this was all announced well in advance. All this on top of my normal workload? Forget that, never gonna happen.
2) Get an outside security consultant to come in and do all the above as a 'mini PEN test'. Whoa Nellie, 40 hours at 250 bucks an hour? I don't have 10 grand in the budget and will never get that approved. And that's a one-time gig? No way, not much better than SHT if you ask me.
3) OK, there are the people of Phishme and Wombat. They have most of this automated, which could save some time, and they compete with each other. So, for 600 users how much would that be? Ask both for a quote. Wow, that is more than I expected. And there is still a lot of manual work here. Hmm, if you really want to go this route, there is an open source project called Simple Phishing Toolkit (SPT) that allows you to do this for free.
4) Well, there are those guys from KnowBe4. New outfit, but it's Stu, he's that Sunbelt Software co-founder, who wrote this newsletter for system admins when he was at Sunbelt... er, oh yeah: WServerNews, for I don't know how long, 16 years? He usually knew what he was talking about. After building an antivirus / antispyware product he decided to move into end-user training. I wonder what he knows that I don't? Stu, get me up to speed quickly?
Stu:
"Yup, sounds very familiar. That's actually why I started KnowBe4. Could have retired after selling Sunbelt, but fighting cybercrime is way more fun. Now, to the point. Sorry to be blunt, but testing if users will click on a link, go to a phishing site and fill out a form is so 'last decade'. Both Wombat and Phishme started something like 7 or 8 years ago, when teaching people about phishing was still new. Cybercrime is moving at lightspeed and has gone pro in the last 5 years. Bad guys are now spear-phishing your employees, and all it takes is ONE CLICK and that workstation is infected with (possibly zero-day) malware and your network is compromised.
What you want to test and train on is JUST THAT ONE CLICK. Today, users need to be inoculated against social engineering. Forget about that whole fake phishing website, that's so old hat. What you want to do is: 1) Do a simulated phishing attack and get a baseline percentage of which users are Phish-prone. (You could skip this step if company politics get in the way.) But what you absolutely have to do is: 2) Train them online about various vectors of social engineering for about 30 to 40 minutes, 3) Send them simulated phishing attacks once a week.
Once they understand that they will get tested on a regular basis, and that there are repercussions for repeated fails, their attitude changes, and with each email they will take a second or two and 'stop, look, think' if this might be a scam email. This is the ONLY effective way to train employees against social engineering. I have the statistics to prove this, by the way. We see a dramatic drop in Phish-prone percentages at our customers, seen clearly in their KnowBe4 management console. KnowBe4 has these three steps fully automated, gives you a management console, and the whole thing takes 15 minutes, set-it-and-forget-it, whether you have 50, 500 or 50,000 users.
I recommend you start with our free Email Exposure Check, which shows you your email attack surface. Sorry, sometimes this is an unpleasant surprise, but great ammo to get budget approval.
Warm regards,
Stu
(Updated March 25, 2012)
Tags: Cyberheist News Archives