The Ivory Tower Syndrome
Don’t click on the link! Simple? That’s our security awareness done, and now we can focus on the implementation of technology controls. Well not quite. This approach to user awareness formed the basis of a recent keynote presentation I did at the ITSecurity Summit in Johannesburg.
In the presentation I used a well known case study from West Point, entitled ‘Fostering Email awareness’. In the case study I presented the key findings to the audience, where following a security induction presentation a bogus e-mail message with an embedded hyperlink that linked to a “bad” URL was sent to a random sample of recipients. The results found that “80 percent (more than 400) of the cadets in the sample clicked on the embedded link. Even with four hours of computer security instruction, 90 percent of the freshmen clicked on the embedded link.”
The audience, that incidentally were compromised largely of security professionals found this statistic rather unsurprising, and somewhat amusing. Typical users, eh! We would never fall for such techniques ourselves.
During the presentation, one of the delegates posted the following on Twitter;
Just to emphasise, this was posted on a presentation about social engineering to an audience of security professionals. Surely we tech savvy individuals would NEVER fall for such a simple ruse?
I followed up with Liron the next day and asked about the result. I have to be honest and half expected him to inform me of the experiment’s miserable failure. Well within 24 hours, the total number had reached just under 130! Those that clicked onto the link were then presented the following page;
This type of behaviour really emphasises the challenges facing us today. Everybody and I mean everybody is susceptible to social engineering no matter how well informed you may be. This of course is the issue with people and process based controls is that decision makers base are prone to making errors in judgement. Consider lack of sleep, a pressing deadline, and anything else in between may lead to a security breach. Herein lies the issue, is that without a comprehensive defence in depth approach, any organisation is simply one click from compromise.
I suppose the question you may ask, is that did I, the speaker in the presentation click on the link? Well I will leave that to think about!