Welcome to 2016, where malware is engineered to mutate to avoid detection, and 93% of all phishing emails contain ransomware.  If you were hoping for a quiet life in the field of information security, abandon all hope ye who subscribed to that fantasy.

Upon a time, infosec was casually patching holes in PCAnywhere and delicately shaming C-levels for opening the I Love You virus. Today, the difference between your healthy company’s very life and death is precisely two things: information security, and luck.

It’s abundantly clear that even with next-level compensating controls, you cannot stay ahead with technology alone.  Bad actors get it.  They know you probably spent a heap of money on a firewall that can hear pin a drop.  They’re not going anywhere near it, because it’s noisy and it’s too much work.  Why go through the trouble, when I can simply email everyone in your finance department a fake Amazon order receipt for a Bob Ross painting and hope someone clicks.

It’s not to say that perimeter and endpoint defense is useless, but this is about defense in depth.  It has to go all the way down.

Everything we can do with technology:

  • https everywhere
  • filter malware domains at the firewall
  • leverage anti-malware DNS
  • make our mail server attachment handling hypersensitive
  • tune group policy to neutralize the execution of risky file extensions
  • filter malware domains at the client
  • whitelist executables at the client
  • enforce the principle of least privilege
  • use separate accounts for administrative functions
  • we can pilot next-gen AV

is subverted the moment a user replies to a phishing email with their password.

We need a mandate to educate.  When we train our users, when we empower them to protect each other – and to protect the continuity of their very careers – we build a culture of impassioned, sustainable security that transcends technology.

We agreed as an organization that training was our highest value investment in the war on ransomware, and moved forward with KnowBe4’s phishing training solution.  KnowBe4 offers a simple, well thought out console containing a vast number of customizable email templates – spanning all sorts of different phishy sounding topics.  We can prepare campaigns that deliver any set of messages we wish at predefined intervals, target specific audiences, and have all the metrics we need to identify at-risk populations and drive compliance.

Users can be invited to view KnowBe4’s online training modules, which can then be linked to an acknowledgement of our own internal policy documents.  It’s a tight solution, and miles ahead of homegrown training that often grows stale and lacks the expertise to be truly effective.

When you have a user base of hundreds or thousands, it’s hard to know where to start when you pilot a tool like this.  It’s hard to determine who you should license, and who to start phishing first.

At least in terms of who to license, it’s hard for me to advocate anything other than licensing everyone.  By excluding certain populations, you risk making terribly dangerous assumptions.  The constituency you decided wasn’t worthy of education may very well be the one you wish you trained.

As to who to train first, this becomes a process of risk assessment.  There are no right or wrong answers here; if you think critically enough, a case can be made for any department.  We began with our IT staff: users who have the highest level of privilege.  Take nothing for granted here – admin rights do not confer infallibility, they only exacerbate the consequences of failure.  KnowBe4 offers phishing templates spanning a range of difficulty, so this group can start with the hard ones first.  When your DBA opens one, you can thank your stars you went down this road.

In time, I hope this is a catalyst.  A catalyst that sees us cultivate an awareness of phishing and malware techniques that our user community can leverage in their daily lives.  At night, when they’re home decompressing from the toils of the day, the indelible memory of how to spot malicious URLs and obfuscated attachments averts personal disaster.  We train the next generation of internet consumers, who create a groundswell of awareness, and deliver us from the present state of PII recklessness and IoT hell.

I want this for us here at the Academy, but I want it for everyone.  I want everyone to buy into the 2016 internet; a place where a heightened level of suspicion is mandatory.  And not operate as we did twenty years ago, when everything online was too new to consider dangerous.

I delivered DoD information security awareness training to my teams for the better part of a decade.  It was interesting for some, and visibly laborious for others.  It was only engaging if I made it interesting, and in the end, you sign an attendance sheet and you’re off the hook until next year.  Tools like KnowBe4, which permit you to automate information security education, change things.  They make social engineering front-and-center in a time where the practice is as devious and catastrophic as it has ever been.  Ransomware will evolve, but if your human defenses stay sharp, those two lines are going to take a lot longer before they converge.  May they never.

-cp