As Carbon Black’s national security strategist, Eric O’ Neill is a thought leader on a wide range of issues, including counter terrorism and national security matters. He is a practicing attorney who specializes in cyber-security vulnerability assessments, counterintelligence and counter terrorism operations, investigations into economic espionage, internal investigations and security risk assessment consulting.
O’Neill served as an operative for the FBI, where he conducted national security field operations against terrorists and foreign intelligence agents. His role in the investigation and capture of the most notorious spy in U.S. history, Robert Philip Hanssen, became the subject of Universal Studio’s movie Breach, released to critical acclaim in 2007.
Carbon Black’s editorial team asked O’ Neill a few questions regarding phishing awareness training.
Does phishing awareness training always work, or can it create over-confident employees?
Phishing awareness training (and proper email hygiene techniques in general) are only as good as the instruction that is provided. A necessary component of that instruction often overlooked by trainers is the use of real-life phishing examples that caused significant breaches. However, there is an apathy to cyber security and the threat that cyber espionage and terrorism presents.
After the Sony attack, every executive was placed on notice that a cyber spy could feasibly compromise an email account and not only use credentials to access an employer’s systems, but also place the entire contents of that email online for journalists to pick over like buzzards around fresh carrion. The initial shock wore off and it wasn’t until John Podesta’s gmail account was compromised through a simple phishing attack (not even a targeted spearphishing attack) that the national consciousness was reminded of the importance of good email security practices.
Training also focuses on phishing attacks – those attacks that are broad spectrum and cast a wide net. These are your common email service provider, PayPal, eBay, bank, etc. “reset your password” emails (and others) that use normal business practices to trick an individual into linking to a spoofed website that either steals credentials or loads malware.
One blind spot for training is the targeted attacks that create the most damaging compromises. You may train an employee not to click on links in emails, but rather to delete the email that purportedly comes from their bank asking for a password reset, and then open a browser directly to the known bank address. That employee may diligently ignore links in these standard phishing emails we all receive daily, but what about targeted attacks by spies?
Spies will carefully research the individual, exploit what they can learn about him on social media, or about past or current business practices on sites like LinkedIn. The spy will then craft a “spearphishing” email that seeks to recruit the employee without her knowledge. The email may look like it comes from her best friend, talking about the running group they belong to and asking her to log into a run tracker site. If the employee trusts that her friend would send something like this to her, and does not understand that email addresses can be spoofed, or how to check, the spy will win.
Poor training can create overconfidence. Apathy toward cyber attacks can also contribute. Many of us won’t believe that we can be compromised until our entire accounts are published online.
Is this issue of over-confidence a common one?
The culture of how we use and abuse email needs to change. Email has become an impersonal means of communication, overladen with advertisements and suffering from an information deluge that studies have shown increases stress instead of encouraging efficiency. The common business person has multiple accounts for multiple email engagements – social, office, entrepreneurship, community, etc. Often, accounts are linked to a large number of places and share a common password. At some point monitoring these accounts and carefully screening email and social media becomes a tedious chore. Spies are most successful when the target is mired in monotony and complacency.