Pub. 6 2016-2017 Issue 3

Over a Century: Building Better Banks - Helping Coloradans Realize Dreams | November • December 2016

Phishing Insurance

BY KEITH LAUGHERY, CISA, CISSP

If I were to ask you to list your top security threats, how would you respond? No doubt many would mention cybersecurity, seemingly the hottest topic at bank technology conventions, forums and with examiners. A Google search for “top cybersecurity threats” produces lists like these:

• Retail Data Hacks, Mobile Security & Smartphone Vulnerability Threats, Phishing Attacks & Social Engineering, Identity Theft, Healthcare Data Hacks, Targeting of Children by Sexual Predators, Attacks on Banks (https://usa.kaspersky.com/internet-security-center/threats/top-7-cyberthreats#.V-k91vArKUk)
• Extortion Hacks, Attacks That Change or Manipulate Data, Chip-and-PIN Innovations, IoT Zombie Botnet, More Backdoors (http://www.wired.com/2016/01/the-biggest-security-threats-well-face-in-2016/)
• IoT: The Insecurity of Things, Sophisticated DDoS Attacks, Social Media Attacks, Mobile Malware, Third-party Attacks (http://www.pcworld.com/article/2867566/experts-pick-the-top-5-security-threats-for-2015.html)

Some of the aforementioned items might be in your own list and, like me, you may not even be familiar with some of these threats. How would you answer if I rephrased the question: “What is your weakest link in security?”

You Are The Weakest Link!

Well, YOU may not be the weakest security link, but your employees probably are. In a CIO.com article aptly named “People Remain the Weakest Link in Security,” Graham Welch makes this statement: “People are largely trusting in nature. If you get an email from a friend, family member or work colleague with a link, we tend to think it is genuine and trust the content. Yet again we know that cybercriminals can easily mock up an email reportedly from an acquaintance to fool us into believing it to be genuine.”

One of the particularly maddening things fraudsters exploit is that banks sell trust, and your employees are friendly, trusting people by nature of your helping profession. Social engineering is defined as the clever manipulation of the natural human tendency to trust. Even after two decades of ever-evolving phishing emails, from the early emails from Nigerians desperate for, and willing to pay exceedingly handsomely for, your assistance to the latest hard-to-discern-from-genuine, malicious link- or attachment-laden versions, one might assume employees would now recognize these schemes. For their own sake, if not for the bank’s. But Welch goes on to say, “It seems people cannot stop themselves clicking on links they receive in emails without even the most cursory check on whether it is a valid link or not. It is an easy step often overlooked that you hover your mouse over the link and see what web address it is trying to send you to.”

2015 Social Engineering Test Results

Historically, most financial institutions have conducted security awareness training only annually, and those who tested the effectiveness of their training also generally did so only annually. An analysis of these social engineering test results confirmed what I observed for almost 8 years as an IT auditor: annual training/testing is not effective enough. Based on more than 200 external penetration tests conducted in 2015, failure rates for social engineering tests ranged from a low of 14.5% (employees clicked on an email phishing link) to 31% (employees downloaded a file after being prompted via a phone call)!
Furthermore, there was almost no difference in failure rates between small and large financial institutions:

• Assets under $250M – 24% average failure rate
• Assets $250M-$750M – 23% average failure rate
• Assets over $750M – 23% average failure rate

This was particularly surprising because one might have expected smaller banks to do better (fewer employees to train and probably lower turnover) or larger banks to do better (more resources for training, and a bigger target than smaller banks). The point is that everyone is performing equally poorly, since a single failure during an actual attack is too many.

Now What?

Welch concludes his article by saying, “People are no doubt the soft underbelly of any organization, and through education and awareness we can try to limit their ability to compromise network security.” Banks must cultivate a culture of security awareness rather than relying upon a single annual security awareness presentation or training course. Many banks have begun sending monthly emails, integrating short presentations about security awareness into morning meetings, sharing (sanitized) genuine phishing emails that sneak through their spam filters, and distributing interesting articles online and in bank association magazines. Additionally, banks should engage a competent external penetration-testing firm for security awareness/social engineering testing at least annually. And, thanks to a relatively new type of software, banks can now augment their external security awareness testing by sending their own phishing emails. This software allows banks to easily and economically test employees’ security awareness AND immediately train users who fail the test. So, promote a security awareness culture and consider phishing your own employees so they’ll better recognize a fraudster’s phishing attack.

Keith Laughery is an Account Manager for CoNetrix.
CoNetrix is a provider of information security consulting, IT/GLBA audits and security testing, and tandem – a security and compliance software suite designed to help financial institutions with GLBA and other regulatory compliance. Read about our newest tandem Software solution, tandem Phishing, at https://conetrix.com/Tandem#Phishing or contact Keith at klaughery@conetrix.com or 800-356-6568.
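The “hover your mouse over the link” check that Welch recommends above can also be applied mechanically to a message body, which is how an awareness tool or mail gateway would warn users before they click. The Python example below is added here and is not code from the article, from CoNetrix or from the tandem product; it assumes an HTML email body and uses only the standard library. It flags links whose visible text names one site while the href points to another (registrable domains are compared crudely by their last two labels, since no public-suffix list is used), links whose destination is a raw IP address, and links with a non-web scheme. The sample message is constructed for the example and is not a real phishing email.

```python
"""Mechanical version of the "hover over the link" check.

Added example, not code from the article or from CoNetrix/tandem. It parses
an HTML email body with the standard library and flags links whose visible
text does not agree with where the href really points.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Visible link text that itself looks like a URL or hostname, e.g. "www.bank.example"
URL_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#].*)?$", re.I)


def hostname(url):
    """Lowercase hostname of a URL ('' if none); scheme-less input is treated as http."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def base_domain(host):
    """Crude registrable domain: the last two labels. Assumption: no public-suffix
    list is consulted, so 'bank.example.co.uk' would be cut to 'co.uk'."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html):
    """Return [(href, text, reason), ...] for links a reader should distrust."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        scheme = urlparse(href).scheme.lower()
        if scheme == "mailto":          # address links carry no web destination
            continue
        if scheme not in ("", "http", "https"):
            findings.append((href, text, "non-web scheme '%s:'" % scheme))
            continue
        host = hostname(href)
        try:
            ipaddress.ip_address(host)  # raises ValueError for ordinary hostnames
            findings.append((href, text, "destination is a raw IP address"))
            continue
        except ValueError:
            pass
        shown = URL_LIKE.match(text)
        if shown and base_domain(shown.group(1).lower()) != base_domain(host):
            findings.append((href, text, "displayed %s but goes to %s"
                             % (shown.group(1).lower(), host)))
    return findings


# Constructed sample message body (not a real phishing email).
SAMPLE_EMAIL = """
<p>Dear customer, please verify your account:</p>
<a href="http://secure-login.example.net/verify">https://www.bank.example/login</a><br>
<a href="https://online.bank.example/help">bank.example</a><br>
<a href="http://192.0.2.10/update">Update your password</a><br>
<a href="mailto:support@bank.example">Contact support</a>
"""

if __name__ == "__main__":
    for href, text, reason in check_links(SAMPLE_EMAIL):
        print("SUSPICIOUS: %-32s -> %s (%s)" % (text, href, reason))
```

Run against the sample, the first and third links are reported and the second is not, because `online.bank.example` and the displayed `bank.example` share a registrable domain. Text such as “Click here” tells the checker nothing, which is exactly why the author’s advice to look at the real destination still applies to every link, not only the ones that advertise a site name.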
