James Bond - Pen Tester

Adopt a James Bond style deception mode when it comes to spotting spear phishing, said Zinaida Benenson.

Delivering a presentation on “How to Make People Click on a Dangerous Link Despite Their Security Awareness” at the Black Hat conference in Las Vegas, Zinaida Benenson, who leads the Human Factors in Security and Privacy Group at the IT Security Infrastructures Lab of the University of Erlangen-Nuremberg, Germany, said that often people fall for the same things, and we don’t know how to “patch” them, or whether security awareness is the solution.

She said: “A lot of companies provide security awareness training, where they phish their own employees to assess security awareness and that is what I call ‘pen testing the humans’.” However, she was keen to point out that pen testing people is not the same as pen testing machines, and this can go very wrong when a person finds out they are being used by their own security department for pen testing.

Research was presented to demonstrate a decent level of security knowledge in tests, and she said that we require people to be suspicious of messages even if they know sender, and even if it fits with their current situation and work and life practices.

“What we want from employees about spear phishing is to be in James Bond mode when there is a message deception mode,” she said.

“If we want security awareness training to be more effective, think of the price people (employees) have to pay. Be James Bond with false positives where they think message is phishing, and organizations will see the effects of not answering emails that they should have answered. Testing security awareness by sending from bosses destroys trust. It adds to shame which is not good for the organization.”

Benenson said that pen testing and patching humans is difficult, as people don’t think in the moment and talk to users, and switch into deception mode if they see something suspicious. She also encouraged delegates to stop sending legitimate emails that look “phishy”, and talk to people sending them. “People make mistakes and there is nothing we can do about it,” she said.

“Pen testing and patching humans is tricky, what do you want to be the consequence? Always ask for consent and the most important lesson for security professionals is talk to the users.”

Infosecurity

 

« 5 Reasons IT Leaders Should ImproveTechnical & ‘Soft’ Skills
Artificial Intelligence - Hope Or Illusion? »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Endace

Endace

Endace is a leader in network visibility, network recording and packet capture solutions for security, network and application performance monitoring.

Backup Systems

Backup Systems

Backup Systems is a leading backup and disaster recovery systems provider across the UK.

Cybersecurity Collaborative

Cybersecurity Collaborative

CyberSecurity Collaborative is a forum for CISOs to share information that will collectively make us stronger, and better equipped to protect our enterprises from those seeking to damage them.

Certis

Certis

Certis is a leading advanced integrated security organisation that develops and delivers multi-disciplinary security and integrated services.

White Bullet

White Bullet

White Bullet’s risk profiling AI detects, dynamically scores and flags unsafe domains, apps and advertising.

BullGuard

BullGuard

BullGuard is an award-winning cybersecurity company focused on providing the consumer and small business markets with the confidence to use the internet in absolute safety.

AUTOCRYPT

AUTOCRYPT

AUTOCRYPT is a mobility security provider dedicated to the safety of future transportation

Sentor Managed Security Services

Sentor Managed Security Services

Sentor Managed Security Services is a cybersecurity company that enables organizations to exist in a digitally connected world.

NVISIONx

NVISIONx

NVISIONx data risk governance platform enables companies to gain control of their enterprise data to reduce data risks, compliance scopes and storage costs.

link22

link22

link22 offers a high level of expertise within IT security and system solutions. We help public and private actors with highly secure IT-solutions.

EDGE Group

EDGE Group

EDGE is one of the world’s leading advanced technology groups, established to develop agile, bold and disruptive solutions for defence and beyond.

Trustmarque

Trustmarque

Trustmarque delivers customer-centric IT solutions that enable better outcomes. We combine the technology, expertise and services to release value at every stage of the IT lifecycle.

Lansweeper

Lansweeper

Lansweeper is an IT Asset Management platform provider helping businesses better understand, manage and protect their IT devices and network.

DruvStar

DruvStar

DruvStar provides B2B cybersecurity around threat management to strengthen businesses across attack vectors.

Mindgard

Mindgard

The Mindgard Security Copilot platform secures your Artificial Intelligence, GenAI and LLMs.

S4E (Security for Everyone)

S4E (Security for Everyone)

At S4E.io, our mission is to democratize digital security, making it accessible, simple, and effective for individuals and businesses of all sizes.