James Bond - Pen Tester

Adopt a James Bond-style deception mode when it comes to spotting spear phishing, said Zinaida Benenson.

Delivering a presentation on “How to Make People Click on a Dangerous Link Despite Their Security Awareness” at the Black Hat conference in Las Vegas, Zinaida Benenson, who leads the Human Factors in Security and Privacy Group at the IT Security Infrastructures Lab of the University of Erlangen-Nuremberg, Germany, said that people often fall for the same things, and that we do not know how to “patch” them, or whether security awareness is the solution.

She said: “A lot of companies provide security awareness training, where they phish their own employees to assess security awareness and that is what I call ‘pen testing the humans’.” However, she was keen to point out that pen testing people is not the same as pen testing machines, and this can go very wrong when a person finds out they are being used by their own security department for pen testing.

She presented research showing that participants demonstrated a decent level of security knowledge in tests, and said that we nonetheless require people to be suspicious of messages even when they know the sender, and even when the message fits their current situation and their work and life practices.

“What we want from employees about spear phishing is to be in James Bond mode when there is a message deception mode,” she said.

“If we want security awareness training to be more effective, think of the price people (employees) have to pay. Be James Bond with false positives, where they think a message is phishing, and organizations will see the effects of not answering emails that they should have answered. Testing security awareness by sending from bosses destroys trust. It adds to shame, which is not good for the organization.”

Benenson said that pen testing and patching humans is difficult, because people do not think in the moment; her advice was to talk to users, and to switch into deception mode when they see something suspicious. She also encouraged delegates to stop sending legitimate emails that look “phishy”, and to talk to the people sending them. “People make mistakes and there is nothing we can do about it,” she said.

“Pen testing and patching humans is tricky: what do you want the consequence to be? Always ask for consent, and the most important lesson for security professionals is to talk to the users.”

Infosecurity
