James Bond - Pen Tester

Adopt a James Bond style deception mode when it comes to spotting spear phishing, said Zinaida Benenson.

Delivering a presentation on “How to Make People Click on a Dangerous Link Despite Their Security Awareness” at the Black Hat conference in Las Vegas, Zinaida Benenson, who leads the Human Factors in Security and Privacy Group at the IT Security Infrastructures Lab of the University of Erlangen-Nuremberg, Germany, said that often people fall for the same things, and we don’t know how to “patch” them, or whether security awareness is the solution.

She said: “A lot of companies provide security awareness training, where they phish their own employees to assess security awareness and that is what I call ‘pen testing the humans’.” However, she was keen to point out that pen testing people is not the same as pen testing machines, and this can go very wrong when a person finds out they are being used by their own security department for pen testing.

Research was presented to demonstrate a decent level of security knowledge in tests, and she said that we require people to be suspicious of messages even if they know sender, and even if it fits with their current situation and work and life practices.

“What we want from employees about spear phishing is to be in James Bond mode when there is a message deception mode,” she said.

“If we want security awareness training to be more effective, think of the price people (employees) have to pay. Be James Bond with false positives where they think message is phishing, and organizations will see the effects of not answering emails that they should have answered. Testing security awareness by sending from bosses destroys trust. It adds to shame which is not good for the organization.”

Benenson said that pen testing and patching humans is difficult, as people don’t think in the moment and talk to users, and switch into deception mode if they see something suspicious. She also encouraged delegates to stop sending legitimate emails that look “phishy”, and talk to people sending them. “People make mistakes and there is nothing we can do about it,” she said.

“Pen testing and patching humans is tricky, what do you want to be the consequence? Always ask for consent and the most important lesson for security professionals is talk to the users.”

Infosecurity

 

« 5 Reasons IT Leaders Should ImproveTechnical & ‘Soft’ Skills
Artificial Intelligence - Hope Or Illusion? »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Virtustream

Virtustream

The Virtustream Enterprise Class Cloud provides a secure, highly available, Infrastructure as a Service (IaaS) to enterprises and government customers.

Redcentric

Redcentric

Redcentric is a leading UK IT managed services provider. We deliver managed IT, cloud computing, data backup, information security services and managed networks.

Idemia

Idemia

Idemia is a global leader in security and identity solutions.

LRQA Nettitude

LRQA Nettitude

LRQA Nettitude is an award-winning global provider of cybersecurity services, bringing innovative thought leadership to the ever-evolving cybersecurity marketplace.

Soracom

Soracom

Soracom offers secure, scalable, cloud-native connectivity developed specifically for the Internet of Things.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Zivaro

Zivaro

Zivaro provides transformational consulting and technology services to help clients attain real business value from their technology investments.

Bangladesh Computer Council (BCC)

Bangladesh Computer Council (BCC)

Bangladesh Computer Council (BCC) is a government body providing support for ICT related activities including formulating national ICT strategy and policy.

Navarino

Navarino

Navarino is the maritime industry’s most advanced communications and connectivity company. We develop advanced technologies and innovative IT solutions including cyber security.

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

Thridwayv

Thridwayv

Thirdwayv helps your enterprise realize the full potential of loT connectivity. All while neutralizing security threats that can run ruin the customer experience - and your reputation.

Northcross Group (NCG)

Northcross Group (NCG)

NCG provides services to help organizations meet the challenges of regulatory compliance. Our services include support, consultation, tools and accelerators for all parts of an organization.

Valency Networks

Valency Networks

Valency Networks provide cutting edge results in the areas of Vulnerability Assessment and Penetration Testing services for webapps, cloud apps, mobile apps and IT networks.

Ostra Cybersecurity

Ostra Cybersecurity

As a next-generation MSSP, Ostra Cybersecurity combines best-in-class tools, proprietary technology and exceptional talent to deliver Fortune 100-level protection for businesses of all sizes.

HackersEra

HackersEra

HackersEra is a leading offensive cybersecurity service provider. We enable our clients to operate in a more secure environment efficiently and produce more value.

Brightworks Group

Brightworks Group

BrightWorks Group offer comprehensive technology operations and security operations consulting services, tailored to meet your specific needs.