Security BSides will be hosting a conference in Washington, D.C. in October, and a fantastic lineup of speakers has been assembled by the organizers for this event.
The goal of BSidesDC is to provide a vibrant venue for local security professionals to engage with one another in an open, interactive, and community-oriented environment.
One of BSidesDC’s featured speakers this year is Kati Rodzon (@krodzon) of MAD Security, who will be presenting on employing behavioral science in the development of effective enterprise anti-phishing programs.
Rodzon, Manager of Security Behavior Design at MAD Security, has spent nearly a decade studying human behavior modification, exploring the power of social pressure on groups and analyzing the ability of contingencies – reinforcement and punishment – to change behavior.
When she is not measuring an organization’s culture and making a customized behavior modification plan, she helps with everything from curriculum development for The Hacker Academy to creating effective social engineering tools and testing scenarios for MAD’s penetration testing team.
Rodzon notes in her session abstract that numerous products have been developed over the past few years geared towards testing, training and preventing successful phishing attacks targeting private enterprises.
Unfortunately, most of these products lack the behavioral, cognitive and quantitative foundation an anti-phishing program needs in order to actually make users less susceptible to attacks, and so they fall short of several methodological requirements.
Rodzon’s talk will present an architecture grounded in behavioral science that will enable an enterprise to accurately assess the susceptibility of its users to phishing, measure the actual impact of phishing in relation to the real-world risk to the enterprise, and then effectively prevent employees from falling for a wide range of sophisticated social engineering attacks.
The majority of anti-phishing products focus on two main methods for preventing phishing: sending simulated phishing attacks of varying efficacy to users in the organization and measuring their success, and providing some sort of ability-focused training that is supposed to enable the user to learn how to better identify phishing attacks.
“But issues with the simulation, including measurement effects, test-taking effects and a large amount of variability in the quality of the given attacks and their cultural appropriateness, make the vast majority of simulations an extremely poor predictor of real-world success,” Rodzon said. “In fact, inter-scenario variability in difficulty creates a significant obstacle to even obtaining valid measurements for many organizations.”
The difficulty with the training aspect is even more pronounced, Rodzon points out. Studies produced by independent researchers have shown that much of the training on phishing improves only the users’ performance on simulated phishing attacks, not real-world scenarios.
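The inter-scenario variability problem above is easy to see in numbers. The following is an added example, not code from the original article or from the speaker's or MAD Security's tooling: it takes constructed simulated-phishing delivery records for two groups that happened to receive different mixes of an "obvious" and a "targeted" scenario, and shows that the raw click rate ranks the groups the wrong way round. The fix used here, weighting each group's per-scenario rates against a common reference scenario mix (direct standardisation), is this example's own assumption of one reasonable adjustment, not a method the article attributes to anyone.

```python
"""Scenario-adjusted phishing susceptibility metric (added example).

Raw click rates from simulated phishing campaigns are confounded by how
hard each scenario is. Two groups that received different scenario mixes
cannot be compared on raw rates; comparing per-scenario rates, or
standardising against a shared reference mix, removes that confound.
All data below is constructed for the example.
"""
from collections import defaultdict

# Constructed sample: one record per simulated email delivered.
# (group, scenario_id, clicked). "obvious" is a crude lure, "targeted"
# a well-crafted one. Group A got mostly the crude lure, group B mostly
# the crafted one.
EVENTS = [
    ("A", "obvious", 0), ("A", "obvious", 0), ("A", "obvious", 0),
    ("A", "obvious", 0), ("A", "obvious", 0), ("A", "obvious", 1),
    ("A", "targeted", 1), ("A", "targeted", 1),
    ("B", "obvious", 0), ("B", "obvious", 0),
    ("B", "targeted", 1), ("B", "targeted", 1), ("B", "targeted", 1),
    ("B", "targeted", 1), ("B", "targeted", 0), ("B", "targeted", 0),
]


def _counts(events):
    """Count sends and clicks per (group, scenario) pair."""
    sends = defaultdict(int)
    clicks = defaultdict(int)
    for group, scenario, clicked in events:
        sends[(group, scenario)] += 1
        clicks[(group, scenario)] += int(clicked)
    return sends, clicks


def raw_click_rate(events, group):
    """The naive metric: clicks / sends across every scenario the group saw."""
    sends, clicks = _counts(events)
    n = sum(v for (g, _), v in sends.items() if g == group)
    c = sum(v for (g, _), v in clicks.items() if g == group)
    return c / n if n else float("nan")


def scenario_rates(events):
    """Click rate broken out per group and per scenario."""
    sends, clicks = _counts(events)
    rates = defaultdict(dict)
    for (group, scenario), n in sends.items():
        rates[group][scenario] = clicks[(group, scenario)] / n
    return dict(rates)


def standardized_rate(events, group, reference_mix=None):
    """Click rate the group would show if it had received reference_mix.

    reference_mix maps scenario -> weight (weights sum to 1). Default is an
    equal share of every scenario present in the data. A group with no
    sends for a scenario in the mix cannot be standardised and raises.
    """
    rates = scenario_rates(events)[group]
    if reference_mix is None:
        scenarios = sorted({s for _, s, _ in events})
        reference_mix = {s: 1 / len(scenarios) for s in scenarios}
    missing = [s for s in reference_mix if s not in rates]
    if missing:
        raise ValueError(f"group {group!r} has no sends for scenarios {missing}")
    return sum(reference_mix[s] * rates[s] for s in reference_mix)


def low_sample_warnings(events, min_sends=5):
    """(group, scenario) cells with too few sends to trust their rate."""
    sends, _ = _counts(events)
    return sorted((g, s) for (g, s), n in sends.items() if n < min_sends)


if __name__ == "__main__":
    for group in ("A", "B"):
        print(group, "raw:", round(raw_click_rate(EVENTS, group), 3),
              "per-scenario:", scenario_rates(EVENTS)[group],
              "standardised:", round(standardized_rate(EVENTS, group), 3))
    print("thin cells:", low_sample_warnings(EVENTS))
```

On the constructed data group A looks better on the raw rate (0.375 vs 0.5) only because it was sent the easier scenario more often; per scenario it clicked more than group B on both lures, and the standardised rates (0.583 vs 0.333) reverse the ranking. The low-sample check is there because each group saw its minority scenario only twice, which is exactly the kind of cell on which no valid measurement can rest.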
“This talk will dive deeply into the cognitive and behavioral issues that allow phishing to be successful in different enterprises, drawing on my background in behavioral science and methodology and a whole pile of successful phishing and social engineering attacks,” Rodzon said.
“We will break down the issues with what is happening and investigate the behavioral reasons that phishing persists even with an overwhelming percentage of our security awareness budget dedicated to preventing it,” she continued.
“Attendees will learn how to build a methodologically sound program for benchmarking the organization’s susceptibility to phishing, about gathering metrics that tie back to the actual risk that real-world phishing attacks present to the enterprise, and methods based on solid behavioral science that actually reduce the susceptibility of the organization not only to the simulated phishing attack, but to unknown or as-yet-tried variants of phishing attacks,” Rodzon said.
Vulnerability to phishing attacks is one of the top three problems reported by organizations worldwide. While firewalls and the yearly training video are a step towards preventing phishing attacks, Rodzon believes the only real way to assess and prevent them is to understand why they work.
In her talk, Rodzon will go over the behavioral and cognitive tools behind a successful phishing attack so that attendees can walk away knowing how to successfully prevent becoming the victim of one.
“This information is important to every level from the individual user to the entire organization. There are certain roles which aren’t traditionally grouped into the people that need to realize the importance of being careful and cautious when it comes to navigating the internet,” Rodzon points out.
“Recent revelations prove that every single member of an organization – from the Administrative Assistant to the CEO – is a potential target and provides an entrance to an organization’s informational assets,” she said.
Rodzon emphasizes that while successful phishing attacks are more or less based on the same vulnerabilities in human nature, the methods are continually changing, which requires everyone to stay up to date.
“Attendees should take away the big picture from this talk rather than focus on the specifics presented,” she said.
What is going on in the world day to day is what really dictates what the future of phishing attacks will look like, Rodzon says.
“People are changing each and every day, and if, on any given day, a method doesn’t work, they’ll probably try something new the next day. We, as professionals, should recognize this and accept that training and awareness isn’t a stagnant thing; it’s very fluid,” she said.
And while the information in her talk will be focused on phishing, Rodzon says it really goes a lot further, because knowing how to garner attention, create sympathy, and become trusted are core concepts used to interact with and manipulate the world around us.
“All people, including you, are doing this every single day. Sometimes, it’s happening without us even realizing it. It’s interesting, but dangerous as well.”
- Exploiting SOHO Routers to Gain Root
- The Object Monitor for Enhanced Network Security (OMENS)
- Fun with WebSockets Using Socket Puppet
- Open Source Pentesting and Forensic Distribution
- Vulnerabilities in Application Whitelisting
- Effective Communication in IT Security
- Baking Assurance into Software
- Wireless Pen Testing and Assessments
- Using Machine Learning for Security Analytics
- No Magic Bullets