
Security Smackdown: End-User Awareness Programs vs. Technology Solutions Justin Klein Keane Christine Brisson University of Pennsylvania School of Arts & Sciences



Analogies only work if they're accurate

Except in the case of car analogies, which always suck

*Let's try to keep this discussion free of car analogies

Proven Technical Solutions

http://www.darkreading.com/blog/240151108/on-security-awareness-training.html

Security luminaries agree:
● Bruce Schneier
● Dave Aitel, Immunity
● Richard Bejtlich, Mandiant

N.B.: Detractors of security awareness training have no financial stake in the correctness of their argument.

Gizmodo -- The 10 most popular passwords of 2012:

1. Password (Unchanged)
2. 123456 (Unchanged)
3. 12345678 (Unchanged)
4. abc123 (Up 1)
5. qwerty (Down 1)
6. monkey (Unchanged)
7. letmein (Up 1)
8. dragon (Up 2)
9. 111111 (Up 3)
10. baseball (Up 1)

What about Pa$$w0rd?
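Why Pa$$w0rd is no better than the list above, as an added example (not from the slides): a blocklist check that undoes the usual symbol-for-letter swaps and trailing digits before comparing, the way a password-policy filter should. The substitution map and the use of the slide's top-10 as the blocklist are assumptions.

```python
from typing import Optional

# The Gizmodo 2012 top-10 list from the slide, used here as a minimal blocklist.
TOP_2012 = ["password", "123456", "12345678", "abc123", "qwerty",
            "monkey", "letmein", "dragon", "111111", "baseball"]

# Assumed symbol-for-letter swaps; "Pa$$w0rd" collapses to "password" under this map.
LEET = str.maketrans({"$": "s", "5": "s", "0": "o", "1": "i", "!": "i",
                      "@": "a", "4": "a", "3": "e", "7": "t"})

def weak_form(password: str, blocklist=TOP_2012) -> Optional[str]:
    """Return the blocklist entry the password collapses to, or None if it survives.

    Candidates are the lower-cased password, its de-leeted form, and both again
    with trailing digits/punctuation removed (so "Password1!" is still "password").
    """
    lowered = password.lower()
    candidates = [lowered, lowered.translate(LEET)]
    stripped = lowered.rstrip("0123456789!?.#*")
    if stripped and stripped != lowered:
        candidates += [stripped, stripped.translate(LEET)]
    for cand in candidates:          # a list keeps the checks in a deterministic order
        if cand in blocklist:
            return cand
    return None
```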

Simulated Phishing Campaigns

● New York State employees (2005)
  – 10,000 people
  – decline in response rate to fake phishing emails from 15% to 8% over two trials

● PhishMe at Emory (2012)
  – 40,000 people
  – decline in response rate to fake phishing emails from 13.7% overall to 8.1% over three trials
  – no overall decline in number of successful phishing attacks

● Operation Carronade (West Point, 2004)
  – 80% of cadets (small sample size, 400) clicked on the link; 90% of freshmen
  – “There is a culture at West Point that any e-mail with a "COL" (abbreviation for Colonel) salutation has an action to be executed. To a cadet, the action/request is to be executed regardless of its nature or rationale. The e-mail sought to exploit this culture.”

Phishing Education is Misguided

Careful where you Click

Be careful where you click?

Human Cognition is Exploitable

https://online.citiban.k.com/US/JSO/signon
https://online.C|T|BANK.COM/US/JSO/signon
https://online.citibank.com/US/JSO/signon:/accounts/[email protected]
https://online.citibänk.com/US/JSO/signon
https://online.citibaņk.com/US/JSO/signon
https://online.citbank.com/US/JSO/signon
http://bit.ly/JQ9RCh
http://translate.google.com/#auto/en/https%3A%2F%2Fevil.com

Some tricks are invisible:

http://www.symantec.com/connect/blogs/soft-hyphen-new-url-obfuscation-technique
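The look-alike tricks in the list above and the soft-hyphen trick, as an added defender-side example that is not part of the slides: a Python triage function that reports why a link looks like a spoof (hidden soft hyphen or zero-width character, userinfo before '@', non-ASCII homoglyph host, characters DNS never allows, near-miss spelling of a brand domain, a shortener, or a redirector carrying an encoded destination). The shortener and redirector sets, the brand list and the `evil.example` host used in testing are assumptions; a real deployment would walk the Public Suffix List instead of every dotted suffix.

```python
import unicodedata
from typing import List
from urllib.parse import urlsplit, unquote

INVISIBLE = {"\u00ad", "\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}  # soft hyphen, zero-width chars
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}                             # assumption: illustrative only
REDIRECTORS = {"translate.google.com"}                                     # services that fetch a third-party URL
DNS_OK = set("abcdefghijklmnopqrstuvwxyz0123456789-.")

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; enough to catch a dropped, swapped or extra-dotted letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def analyze_url(url: str, brands=("citibank.com",)) -> List[str]:
    """Return the reasons a URL looks like a spoof of one of `brands`; an empty list means none found."""
    reasons = []
    if any(ch in url for ch in INVISIBLE):
        reasons.append("invisible character (e.g. soft hyphen) hidden in the URL")
    parts = urlsplit("".join(ch for ch in url if ch not in INVISIBLE))
    host = parts.hostname or ""
    if parts.username is not None:   # everything before '@' is userinfo, not the site
        reasons.append(f"text before '@' is a username; the real host is {host!r}")
    if not host.isascii():           # IDN homoglyphs: strip accents to show what the eye reads
        ascii_like = unicodedata.normalize("NFKD", host).encode("ascii", "ignore").decode()
        reasons.append(f"non-ASCII hostname {host!r} (looks like {ascii_like!r})")
    elif not set(host) <= DNS_OK:
        reasons.append(f"hostname {host!r} contains characters DNS never allows")
    labels = host.split(".")
    for brand in brands:
        if host == brand or host.endswith("." + brand):
            continue                 # genuinely under the brand's own domain
        suffixes = {".".join(labels[i:]) for i in range(len(labels))}
        if any(0 < edit_distance(s, brand) <= 2 for s in suffixes):
            reasons.append(f"hostname is within two edits of {brand!r}")
    if host in SHORTENERS:
        reasons.append("URL shortener hides the real destination")
    if host in REDIRECTORS and "://" in unquote(parts.query + parts.fragment):
        reasons.append("redirector carries an encoded destination URL")
    return reasons
```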

Privacy/Sensitive data

Effective Training (Developers)

Effective Training (Users)

NCSAM Campaigns in SAS

Two main messages
● Information Security is an issue
● Know who to contact if you have questions

We chose themes based on pain points
● Data and privacy
● Be careful where you click
● Securing mobile devices

Different methods of outreach
● Posters
● Web site
● Events (shredding day)
● “Security and Donuts” -- school wide but locally-based

Shared material/ideas with other Penn schools/units

References

● West Point:
  ● http://www.educause.edu/ero/article/fostering-e-mail-security-awareness-west-point-carronade
● New York State phishing:
  ● “You Won’t Believe How Adorable This Kitty Is! Click for More!” by Geoffrey A. Fowler, Wall Street Journal, 3/27/2013.
● Emory University phishing:
  ● http://www.educause.edu/events/security-professionals-conference/phishing-ourselves-raise-awareness
● Top 10 Passwords:
  ● http://gizmodo.com/5954372/the-25-most-popular-passwords-of-2012
● Anti-Phishing Phil:
  ● “Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish,” by Steve Sheng, Bryant Magnien, Ponnurangam Kumaraguru, Alessandro Acquisti, Lorrie Faith Cranor, Jason Hong, Elizabeth Nunge. Symposium On Usable Privacy and Security (SOUPS) 2007, July 18-20, 2007, Pittsburgh, PA, USA. Available at http://cups.cs.cmu.edu/soups/2007/proceedings/p88_sheng.pdf
● West Virginia University training effort:
  ● “Information Security Training - Lessons Learned Along the Trail,” by Michael Cooper. SIGUCCS ’08, October 19-22, 2008, Portland, Oregon, USA.
● Arguments in favor of security training:
  ● http://www.csoonline.com/article/705639/ten-commandments-for-effective-security-training
  ● http://searchsecurity.techtarget.com/news/2240162630/Data-supports-need-for-awareness-training-despite-naysayers

References (cont.)

● Proven technical controls:
  ● “Strategies to Mitigate Targeted Cyber Intrusion,” Australian Defence Signals Directorate. http://www.dsd.gov.au/infosec/top-mitigations
  ● “20 Critical Controls,” Center for Strategic and International Studies. https://www.sans.org/critical-security-controls/guidelines.php
● Phishing resources:
  ● https://crypto.stanford.edu/antiphishing/
  ● https://www.mozilla.org/en-US/firefox/phishing-protection/
  ● https://community.opendns.com/phishtank/
● Security training is a waste:
  ● “On Security Awareness Training,” by Bruce Schneier. Dark Reading, http://www.darkreading.com/blog/240151108/on-security-awareness-training.html
  ● “Why you shouldn't train employees for security awareness,” by Dave Aitel. CSO Online, http://www.csoonline.com/article/711412/why-you-shouldn-t-train-employees-for-security-awareness
  ● “Security Awareness Training: A Waste of Time?,” by Richard Bejtlich. TaoSecurity, http://taosecurity.blogspot.com/2005/11/security-awareness-training-waste-of.html
● Malware obfuscation techniques:
  ● “Soft Hyphen – A New URL Obfuscation Technique,” by Samir Patil. Symantec Official Blog, http://www.symantec.com/connect/blogs/soft-hyphen-new-url-obfuscation-technique