Security Awareness Training Archives - My TechDecisions
https://mytechdecisions.com/tag/security-awareness-training/
Tue, 21 Mar 2023 18:50:14 +0000

Security Awareness Training Needs to Change. Here’s Why.
https://mytechdecisions.com/network-security/security-awareness-training-needs-to-change-heres-why/
Tue, 21 Mar 2023 18:50:14 +0000
Despite repeated urges from IT professionals to be wary of clicking on links in emails and opening attachments from strange messages, phishing is still wildly successful as attackers adopt new tricks and techniques that should force organizations to improve and update their cybersecurity awareness strategies.

In fact, email-based phishing attacks remain a thorn in the side of IT professionals, with 84% of organizations in a recent Proofpoint survey reporting that they had at least one successful email-based phishing attack against them last year. Despite an increased emphasis on cybersecurity in the wake of several widespread breaches and highly publicized incidents, that number actually grew a percentage point from 2021, according to the email security company’s survey.

Why phishing continues to be successful

Phishing remains successful for several key reasons, including an end-user awareness that still falls woefully short of adequate, and the fact that attackers are just as innovative as defenders and developers creating the security software organizations use to prevent attacks, says Sara Pan, a marketing manager at Proofpoint.

“They’re constantly upping their game,” Pan says of attackers. “While they’re still heavily relying on social engineering tactics, they always come up with different things.”

Attackers are still using the tried-and-true method of crafting their phishing emails around topics in the news or on social media. For example, COVID-19-themed phishing lures led to a 17% failure rate, according to Proofpoint’s analysis of phishing simulations.

Similarly, attackers are spoofing trusted brands such as Microsoft, Amazon, DocuSign, Google and others that provide widely used enterprise tools. According to Proofpoint, the company observed about 1,600 brand impersonation campaigns, with Microsoft the most abused brand. Over 30 million messages used Microsoft branding or featured a Microsoft product such as Office or OneDrive.

Simulated phishing attack data shows that Microsoft OneDrive-related email attacks had a 7% failure rate, while DocuSign and FedEx impersonations had an 11% failure rate. Since it only takes one user to lead to an organization-wide compromise, those statistics are alarming.

“They will go beyond just email and will use various threat vectors, such as call centers or text messages,” Pan says. “Attackers are definitely very creative, but at the same time, their primary target has always been people–and people remain vulnerable.”

New phishing tools to bypass security controls

While phishing, ransomware and brand impersonation remain major culprits, new classes of threats are emerging, including telephone-oriented attack delivery and multifactor authentication (MFA) bypass techniques such as adversary-in-the-middle (AiTM).

According to Pan, threat actors now have access to a range of methods to bypass MFA. The cybercrime industry is thriving, with service providers similar to legitimate tech firms offering phishing-as-a-service and MFA bypass tools in their off-the-shelf kits.

While multifactor authentication is quickly becoming a standard security practice across industries, attackers are already pivoting and remain a step ahead of these tools.

Phish kits being adopted by hackers include a transparent reverse proxy to conduct a man-in-the-middle attack on a browser session and steal credentials and session cookies in real time, Pan says.

Instead of the traditional phishing attack directing users to fake websites, attackers direct users to legitimate websites but are able to gather all the information they need to compromise a user’s account.

While this technique has been in use for several years, security researchers are just now starting to see MFA bypass phishing kits deployed at scale, Pan says.

“It’s not like this is a new way of attacking, but we’re just seeing these MFA phishing kits deployed at scale in 2022,” Pan says. “This makes security even more difficult for defenders.”

In addition, attackers are also using less sophisticated MFA bypass methods, such as MFA fatigue in which attackers spam a user’s MFA app until the user perhaps has a lapse in judgement and approves the request, says Eric Hart, manager of subscription services for cybersecurity firm LogRhythm.

There were several examples of these attacks last year, including the Uber breach. The ridesharing giant said in September 2022 that an attacker had the credentials of an external contractor and tried to log in several times, prompting two-factor login approval requests that the contractor eventually approved after multiple requests.

Then, the attacker accessed several other employee accounts that ultimately ended with the attacker gaining elevated permissions to a number of tools, such as G-Suite and Slack.

“Attackers are clever,” Hart says.

Why training and awareness seriously need to change

Despite cybersecurity incidents making international headlines in recent years, awareness remains critically insufficient, with just 40% of users telling Proofpoint that they know what ransomware is. In addition, just 58% of users know what phishing is, and even fewer can identify phishing emails. Further, just 70% of organizations say they conduct formal training, and less than 55% make their security awareness training available to every user, not just privileged users or users with access to sensitive resources.

Users still struggle to spot phishing emails, per the survey, with 21% saying they don’t know that an email can appear to be from someone other than the sender. In addition, 44% say they don’t know that a familiar brand doesn’t mean the email is safe, and 63% say they don’t know that an email link text might not match the website it goes to.

Like the software developers and programmers building some of the most advanced tools in history, attackers are also constantly innovating and finding new ways to do things, so security awareness training should evolve simultaneously, Hart says.

“The landscape is always shifting, and the attacker can pivot anytime they want,” Hart says.

Due to the variety of attacks, IT and security professionals are having a hard time staying up to speed on creating quality training tools that go beyond the stale five-minute training video and test.

While phishing simulations can help establish a baseline of awareness, those emails are relatively easy to spot since the people administering them “have a moral background” and don’t go for the low blow-type social engineering attack, Hart says.

“With your internal campaigns, you’re generally throwing softballs,” Hart says.

Security training and awareness recommendations

Hart and Pan lay out several recommendations for organizations conducting security awareness and training programs:

  • Make training programs relevant to the end user. Inform users about the type of threats that could be targeting them, their industry and their occupation specifically.
  • Conduct more frequent training to keep it fresh in end users’ minds.
  • Incentivize phishing simulations by offering rewards for top performers, and require training after a failed simulation, but impose no further penalties.
  • Communicate these issues to end users. IT and end users often don’t communicate until something breaks, but IT and security teams can be more proactive by educating users on the actual threats their organization is facing and why it is important for users to be vigilant. Regular, engaging communication between IT leaders and end users on these issues can help make awareness a priority.
  • Educate users about the security of their home tech use. End users working from home are increasingly becoming targets, with attackers finding success accessing loosely secured home routers and devices.

Infosec Launches Free Educational Resources for Cybersecurity Awareness Month
https://mytechdecisions.com/compliance/infosec-cybersecurity-awareness/
Wed, 10 Aug 2022 14:30:02 +0000
Cybersecurity training and education organization Infosec Institute has launched new free educational resources designed to help organizations and their employees level up their cybersecurity chops during Cybersecurity Awareness Month (NCSAM) in October.

The organization is providing what it calls a comprehensive security awareness and training toolkit that features a training module for all employees, an employee assessment to help identify security awareness training needs, promotional media focused on key security behaviors, an educational screensaver focused on recent data breaches and an employee presentation about the program.

According to Infosec, the organization will release additional complimentary resources as National Cybersecurity Awareness Month approaches. Those additional resources include a hands-on skills challenge, a training webinar for security awareness administrators and discounts on instructor-led boot camps.

All Infosec NCSAM resources are powered by the Infosec IQ and Infosec Skills security education platforms designed to spread awareness to end users and upskill and certify cybersecurity professionals, respectively.

“For organizations and individuals everywhere, securing data and systems is no game. As the threat landscape grows, education and training must grow to meet it,” said Jim Chilton, Infosec general manager and CIO of parent company Cengage. “National Cybersecurity Awareness Month is an opportunity to build excitement and momentum within organizations around cyber education that employees can use to protect themselves at work and home. Infosec is pleased to offer these free resources to make training accessible and engaging for everyone.”

Security Awareness Training Is Not Effective, New Research Suggests
https://mytechdecisions.com/compliance/security-awareness-training-is-not-effective-new-research-suggests/
Tue, 26 Jul 2022 16:18:20 +0000
Organizations’ IT and cybersecurity professionals are struggling to spread security awareness and build security into their workplace culture, with a shocking percentage of employees responding to a recent study that they are simply unaware of cybersecurity issues and don’t find security awareness training effective.

According to a recent report from cloud email security software provider Tessian, nearly one-third (30%) of employees at any given organization do not think they are personally responsible for maintaining their company’s cybersecurity posture, and just 39% of employees say they are very likely to report a security incident.

When asked why they wouldn’t report incidents, 42% say they wouldn’t know how if they had caused an incident in the first place, and 25% said they just don’t care enough about cybersecurity to mention it, according to Tessian’s research, a survey of over 2,000 employees in the U.S. and U.K. That, of course, makes the job of IT and security teams even more time-consuming and challenging.

However, nearly all (99%) IT and security leaders surveyed as part of the report say a strong security culture is important to maintain a strong security posture.

Kim Burton, head of trust and compliance at Tessian, said everyone in an organization needs to understand how their work helps keep their coworkers and company secure.

“To get people better engaged with the security needs of the business, education should be specific and actionable to an individual’s work. It is the security teams’ responsibility to create a culture of empathy and care, and they should back up their education with tools and procedures that make secure practices easy to integrate into people’s everyday workflows,” Burton said in a statement. “Secure practices should be seen as part of productivity. When people can trust security teams have their best interest at heart, they can create true partnerships that strengthen security culture.”

Security awareness training shortfalls

Technology professionals rate their organization’s security an 8 out of 10 on average, but about 75% of those organizations have had a security incident in the last 12 months, suggesting that security awareness training isn’t going far enough.

About half of security leaders say awareness training is one of the most important factors in building a strong security posture, but just 28% of employees say security awareness training is engaging, and only 36% say they pay full attention during such training.

Even the employees who are engaged might not find the security awareness training effective: just half say it is helpful, and half have had a bad experience with a phishing simulation.

Tessian’s report also highlights a disconnect when it comes to reporting security risks: 80% of security leaders believe robust feedback loops are in place to report incidents, but fewer than half of employees feel the same way. That suggests security teams have less visibility into security risks than they think.

Interestingly, the report found that the youngest generation (18-24 years old) is almost three times as likely to have a negative experience with a phishing simulation compared to those 55 years and older. Those older employees are also four times more likely to have a clear understanding of their organization’s security policies compared to their younger colleagues, and are also five times more likely to follow those rules.
