Phishing myopia strikes again
A piece in Redmond Magazine, "Protecting Office 365 from Attack", caught my eye today - specifically this chunk on "User-Awareness Training" [sic]:
"One of the most effective but underutilized strategies for defending your network against malware such as Osiris/Locky is user-awareness training. Because it's impossible to catch all malware, your users are the last line of defense for your network, and they should be trained as such. Accordingly, you should implement the following user-awareness training strategies:
- Threat awareness: Have your users take refresher courses on how to identify a phishing attempt and the importance of their participation in the fight to defend resources against malware once every quarter. Specifically, they must learn not to engage with any suspicious e-mail, report suspicious e-mail, and ensure that their endpoints are protected with anti-malware software and effective backups. It might sound simple, but many users still aren't aware of this.
- Phishing Simulators: A very effective method of user training is the implementation of a phishing simulator. There are several free phishing simulator options available that allow you to create a simulated phishing campaign that you can send to your users. Those who fall victim to the simulation will be impacted far greater than any passive training course could ever achieve. Of course, you must obtain the proper permission from all authoritative stakeholders before pursuing this type of training."
Skimming deftly past the fact that "User-Awareness" literally means being aware of users (IT users, presumably, though drug users is the usual implication), the author conflates training (as in dog-training) with awareness, which makes this rather lame advice. It's superficial at best, although admittedly it is just a small part of an article about securing Office 365 - Microsoft's answer to Google's online creative/collaborative tools.
Aside from the naive but typical myopic focus on phishing, there are so many other angles to security awareness, even in relation to Office 365 specifically, that it's hard to know where to start. FWIW here's a quick brain dump:
- Security awareness for the managers responsible for enabling and authorizing use of online tools (e.g. helping them understand the risks and opportunities associated with various approaches and tools, the governance implications of using third party information services for business purposes, and how to measure this stuff through appropriate security metrics ...)
- Security awareness for the technologists responsible for the associated technologies, filling in some of the stuff they probably weren't taught at college (e.g. network security and crypto key management, logging and alerting, cloud insecurity, click-to-run automatic patching and security awareness ...)
- Security awareness for customers, partners and other interested parties (e.g. how to spot and deal with phishing attacks using the organization's own brands, domains, people's names, project names etc. as lures ...)
- Confidentiality, integrity and availability aspects, including incidents other than "attacks" (e.g. taking care to avoid inadvertent or inappropriate disclosure, privacy aspects such as trans-border processing, typos and outages, spotting and dealing with fraud ...)
- Identification, authentication and access controls (e.g. online passwords, sharing files ...)
- Business continuity (e.g. the pros and cons of online and offline toolsets, identifying critical aspects, ensuring resilience and recovery plus true contingency preparation ...)
- Roles and responsibilities, plus accountabilities, plus compliance ...
- Intellectual property rights, piracy And All That ...
- Collaborative working and social engineering in general ...
- Bugs! plus design flaws, secure development, testing, change-, version- and configuration-management ...
- The rest of malware (just imagine the implications, for instance, if Office 365, Google Docs and/or other online office services were hijacked by doomsday ransomware that affected all their clients simultaneously - not just individual clients infected with ransomware such as Cerber ...)
Against that backdrop, do you see what I mean when I call phishing awareness myopic? Phishing is an important security awareness topic, just one of many. Ignore the rest at your peril.