Sunday, July 27, 2008

PhishMe's Cruel Intentions

The Internet is a den for hackers, crackers, thieves, thugs, tricksters, slicksters and con-artists. Corporate network, IT and security managers face an ongoing and all-out assault on their systems, with the low-brows of the Net intent on stealing money, intellectual property and employee identities.

The sad reality is that no organization is truly secure. The goal is to throw up enough road blocks so the criminals move on to other targets.

Last year, endpoint security vendor Senforce Technologies asked Strategic Communications Group (Strategic) to handle the public relations launch for a new version of its security suite. Our challenge was one of time – there was a four month gap between the start of our campaign and the formal introduction of the product.

To create interest among journalists and analysts about endpoint security requirements, Strategic initially focused on educating the market about a new threat called thumb sucking. This involves the use of a flash drive to steal documents from someone working in a public setting on a laptop computer.

To spread the word, we sent security writers an overnight package that included a thumb drive with malicious code to demonstrate how easy it was to execute a thumb sucking attack. Before handing the packages over to UPS, we gave a lot of thought to the ethics of our actions. Even with our best intentions and a clear explanation in the package of how to use the thumb drives, the very act of sending such corrupt code was questionable.

A respected security journalist agreed:

That’s one way to create demand for a solution
Government Computer News

Fast forward a year and I come across an interesting article in Informationweek about a new offering called PhishMe from NY-based security firm Intrepidus Group.

This service allows IT and security executives to simulate a real phishing attack against their own employees to identify those who are most easily duped. The company can then take the necessary steps to educate the employee about how to best recognize and discard a malicious message.

As with Strategic’s thumb drives, I recognize Intrepidus’ best intentions with PhishMe. Phishing, spear phishing and whaling attacks have run rampant, claiming more than 15,000 corporate victims in the past 15 months alone (iDefense Labs).

Yet, a company conducting mock phishing attacks on its staff just doesn’t feel right. My take is that it steps across the acceptable boundary of employer/employee trust. And is it not feasible for a company to achieve a comparable result through proactive training?

Adam Pridgen said...

Professional security services operate under this mantra when it comes to social engineering, and if they don't then the organization in question is not getting a good value from the assessment. We try to point out the BIG holes before the "-----, crackers, thieves, thugs, tricksters, slicksters and con-artists" find them, and they will find them. Phishing is one of those GAPING holes in an organization, and it's invisible because there is no real technical means of identifying it or preventing the attack when it starts. Besides phishing or social engineering exercises, there is no way to isolate and pin-point who in the organization is likely to become a victim, and I'll bet that even a battery of psychological testing won't help the organization identify who the weak one is. Besides, bad guys don't say "Time out, we are crossing the line by sending deceitful or malicious emails to the users of this company." They actually think "Wow, I hope this exec bites, because it will be pay day." or whatever. Why should a major corporation take a passive stance on such an attack? They are held liable if the attack is successful, so why not be more proactive to identify the issues and then sort them out before they become serious?

When an employee becomes part of the organization, they become part of the attack surface, which means they are part of the Risk Equation. In the case of social engineering, the company now assumes a security risk associated with each person they employ. This risk can only be addressed through security awareness and education, but how does a company know how to educate their users or what to educate them about? They have to be tested, that's a given, but it has to be objective and to the point. Polling will not work because people will generally say one thing and do another. Frankly, many people are not able to discern a valid email from a very good phishing one, so polling will add another injustice to the results in this regard as well.

If an organization is compromised by any attack and if they are a well sized organization, they can be looking at 6-7 figures for the response, documentation, and clean-up after the attack. From a business perspective, I would bet at the door 50K can be significantly cheaper than 100K-1000K. This exercise can help identify issues that need to be addressed like user education and IT response education. The point of this exercise is not a joke to identify people who are not technical, or to provide the office with something else to gossip about, but the point is to improve the organization's security posture and build the technical strength of that team. If a person is found not to have the ability to discern a corporate email from a fake, they will need to be moved off the 'battlefield' either to a position where they do not need to use email or in the worst case, they will have to be let go. These exercises can also help identify the policies such as how to review emails and what to do if you get something that looks like a phishing email, and it can also serve to identify technical measures that can identify legitimate email such as digital signatures, creating plugins to automatically resolve domains to check that they belong to the company, etc.

In summary, I don't see the line being crossed as clearly as you think it's defined. Employers assume risk with each employee in their work force. If an employee is not trained to think securely during a social engineering attack, the employer will have a high liability to pay, and the liability will cost them in reputation, response and clean-up expenses, stock if they are public, and any other which way they can be cut. This type of testing is an added armament to any organization's prevention tools, and I think you are doing it a great injustice by saying it is crossing a line that has not existed since the early 90's. "-----, crackers, thieves, thugs, tricksters, slicksters and con-artists" do not abide by such an ethical line, and at least there are companies such as Intrepidus providing clever services like this to help shore up their defenses.

Marc Hausman said...

@Adam - thanks for your thoughts and I agree with you about the strong value proposition of the PhishMe service.

Yes...criminals on the Web have no ethics and will do just about anything to achieve their objectives. It creates a desperate situation for organizations.

However, I stand by my assertion that purposely misleading employees to teach them a lesson about social engineering is not appropriate. Companies do need to invest in training and ongoing education programs though.

Will it be as effective? Hopefully...yet it is the upfront and honest approach.

Mike Adams said...

PhishMe's press release said that these types of "mock phishing" exercises have been run by New York State in the past, recommended by SANS and found to be effective by researchers at CMU. As long as the purpose is education, I find nothing cruel about them...nor about the organizations mentioned above.