Word Notes 9.6.22
Ep 115 | 9.6.22

Simulated Phishing (noun)


Rick Howard: The word is: Simulated phishing.

Rick Howard: Spelled: Simulated as in an imitation of something and phishing as in a social engineering technique in which a trustworthy person or organization is impersonated in order to trick a targeted user into performing a malicious action. 

Rick Howard: Definition: A security awareness training technique in which authorized, but fake phishing emails are sent to employees in order to measure and improve their resistance to real phishing attacks. 

Rick Howard: Example sentence: The employee clicked on a link in a simulated phishing email, which took them to an educational page on social engineering. 

Rick Howard: Origin and context: Early in the history of cybersecurity, one bad habit that emerged was blaming the user for clicking on that phishing link that allowed some cyber bad guy to gain a foothold inside the network. Common phrases in the industry included "you can't fix stupid" and "if we didn't have any users, our jobs would be a lot easier."

Rick Howard: This all presupposes that the user did something wrong instead of the infosec team keeping phishing emails away from employees or preventing phishing email from doing any damage. I don't know about you but I've been in the business for over 30 years and I still get fooled by phishing email. How can I expect Kevin, down in the HR department, from clicking those links when an industry veteran like me gets fooled all the time. If the InfoSec team can't keep the phishing emails out, then maybe the next best thing is to better train Kevin, and me on what to look for. 

Rick Howard: Organizations use simulated phishing to train employees to recognize real phishing emails by using convincing but harmless replicas to trick users into clicking on a link or downloading an attachment. This helps educated users who fall for them, and allows the organization to measure how vulnerable it is to a phishing attack. Ian Muscat at PhishDeck explains, "while phishing tests alone are not a replacement for technical defenses, such as email security gateways, phishing filters and anti-malware solutions, they can be invaluable in improving an organization's security awareness and posture. Additionally, when paired with an effective security awareness program, phishing simulation can serve as a powerful tool to promote security best practices," end quote.

Rick Howard: Tom Pendergast in an article for CSO online, notes that there can be drawbacks to stimulate in phishing though if it isn't done properly. For example, emails impersonating the IRS and other organizations can cause users to report them as real fraud, swamping the impersonated organizations with false reports. Additionally, many real phishing emails contain content that isn't appropriate for a company to send their employees, such as sextortion, profanity, and just plain porn. One piece of advice from Defense Works says organizations should be transparent that they're implementing a phishing simulation program, so employees don't feel like they've been deceived by their employer.  

Rick Howard: Nerd reference: You're listening to Snake Charmer written and performed by Eagle Eye Williamson. One of the tracks played in the 2015 movie, Blackhat, starring Thor himself, Chris Hemsworth, and let me tell you, hackers have never looked so good and directed by Michael Man best known for the 1980s TV show, Miami Vice. Hemsworth plays a Blackhat hacker who the U.S. Government breaks out of a 15 year prison sentence to help them track down some hackers. They apparently use code that Hemsworth wrote as a kid, as a terrorist attack, directed at a nuclear power plant in China. In this scene, Hemsworth needs to access an NSA's server called Black Widow. He crafts a phishing email and sends it to a Mr. Donahue from the security guy, Ben Hitchings. It says in light of the fact that you were contacted by an FBI agent working on a joint task force with Chinese cyber specialists, we've become concerned about the security of your Black Widow remote logins. We strongly suggest you change your password, and attached to the emails is a PDF entitled "password security guidelines," and a link to download it. Donahue hesitates for just a second, but finally clicks the link. 

Tang Wei: You asked him to change his password.

Chris Hemsworth: When he downloaded the PDF, what he downloaded was the key logger.

Rick Howard: That's Donahue typing his new password, twice and the key logger picks it up. Hemsworth uses the top secret, No FORN Black Widow web client to log in as Donahue with the new password. And just between you and me, I would've fallen for this attack too, but maybe if Donahue would've received more simulated phishing emails, he might know to suspect any security recommendations concerning the super secret Black Widow network, I'm just saying. 

Rick Howard: Word Notes is written by Tim Nodar, executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.