With Halloween fast approaching, it’s a great time to discuss some of our favourite things in life: the creation of chocolate peanut butter cups and what these can teach us about phishing. It is hard to imagine a time before the “age of the cup”, because there are many who never got to know the delicious glory that accompanies the unification of chocolate and peanut butter. Prior to that time, people walked around in total ignorance, thinking that they had to make an “either/or” decision between these two approaches to snack-based nourishment. And then a lightbulb moment happened in the 1970s that led to the creation of a certain peanut butter cup product that would go on to revolutionise our taste buds forever.
Now, here’s the funny thing. Somehow, even in a world that has been graced by the peanut butter cup, many people still believe that decisions have to be binary. Such people believe that, because they are naturally drawn to one way of addressing a problem, other ways of addressing the problem must be invalid.
IT vendors and security pundits also fall into this trap. There are those who claim that technology, not training, protects users from phishing, while muddying the water to up-sell their products as a way to protect against phishing. They may even use the term phishing very broadly to make sweeping statements about where technology can assist in mitigating the phishing threat. But it turns out that they are really only discussing “credential harvesting” phishing attacks… and that their true answer is to use multifactor authentication (MFA) instead of training.
Here lies a big problem. If organisations ditch all phishing training and adopt MFA, what can organisations do to protect against phishing attacks that aren’t after a user’s credentials? MFA doesn’t help with that.
What about phishing attacks that are all about tricking users into clicking links or downloading attachments, with the intent of infecting their computer with malware? What about phishing emails with no links or attachments whatsoever (BEC, anyone?)? And what about situations where users are working where MFA isn’t an option, like some of their home systems? Or when users forget their MFA key, so the app then falls back to knowledge-based authentication (KBA)?
Here’s the thing: MFA is a great help. It can drastically reduce the effectiveness of credential harvesting attacks. But it is not – and will likely never be – a full ‘fix’ for phishing and social engineering. In fact, Roger Grimes is well known for his work uncovering the many, many ways that MFA can be hacked or bypassed. BTW – Roger is currently up to 38 ways to hack and bypass MFA, and at least 5 to 7 of them apply to any MFA solution. On top of that, even Google’s own stats admit that MFA doesn’t work nearly as well against targeted attacks as it does against bulk, generic attacks… and that’s before attackers have even begun to concentrate on hacking MFA, as they surely will as it becomes more popular.
What we’ve seen throughout history is that criminals are persistent. When they are stymied by technology-based defences, they will find a way to go around the technology and exploit a human vulnerability. The way that they do that typically involves social engineering (phishing).
And so, having MFA is recommended… but on its own it doesn’t mitigate the impact of phishing, because an attacker can simply adjust the attack and use a different type of phish.
Luckily, not every technology vendor falls into the techno-centric trap. Here’s a great example from a recent Microsoft blog post. In the blog, Girish Chander, Group Program Manager for Office 365 Security, outlines the top 6 email security best practices to protect against phishing attacks and business email compromise. One of his points is all about the importance of training your users.
Here’s what he says:
Your users are the target. You need a continuous model for improving user awareness and readiness. An informed and aware workforce can dramatically reduce the number of occurrences of compromise from email-based attacks. Any protection strategy is incomplete without a focus on improving the level of awareness of end users. A core component of this strategy is raising user awareness through Phish simulations, training them on things to look out for in suspicious emails to ensure they don’t fall prey to actual attacks.
A quote from the introduction to Bruce Schneier’s book Secrets & Lies comes to mind: “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”
The answer to phishing isn’t technology or training, in the same way that the answer to snacking doesn’t have to be chocolate or peanut butter. A layered approach to security is the key to making your organisation a hard target. And your human layer is critical to the success of that strategy.