Education is first line of defense against spear phishing

Internal security exercises conducted by the U.S. Military Academy at West Point and New York state's chief information security officer (CISO) found that many e-mail recipients fall for phishing scams that appear to have been sent from within their organizations.

With effective technological solutions years away, user awareness is the most effective defense against targeted phishing attacks, Dave Jevans, chairman of the Anti-Phishing Working Group, said during a news conference Wednesday.

"This kind of education can be useful if companies and agencies do this to their own employees," Jevans said.

But even educating and testing e-mail users has limited success, according to Aaron Ferguson, visiting faculty member at West Point and a system engineering manager at the National Security Agency.

"We got an 80 percent click rate," on the first test e-mail, sent to 400 West Point cadets, Ferguson said. Subsequent exercises with as many as 3,000 cadets produced lower response rates, but the rates did not drop sharply, he said.

New York state CISO Will Pelgrin reported similar findings in tests of 10,000 state employees in five departments.

"Repetition is critical" for education and testing to be effective, Ferguson said.

Phishing is the use of phony e-mails or Web sites to solicit sensitive information from the recipient. Traditional phishing scams have relied on volume, but such mass mailings can be identified and blocked by enterprises.

In recent months, a growing number of targeted attacks, called spear phishing, have been observed. These involve relatively few messages sent to a selected group, apparently from an address within the organization. These can effectively fly under security radar and generate a high response rate because they appear to be from a senior official.

"Spear phishing is a firewall killer" because they can pass easily through perimeter defenses and rely on social engineering to be effective, said Alan Paller, director of research for the SANS Institute of Bethesda, Md.

SANS hosted a discussion of the problem yesterday.

The New York state and West Point exercises were carried out to test the effectiveness of awareness programs. E-mail supposedly from officials within an organization apparently had a high level of credibility. The West Point test was especially effective because it bore the name of a colonel, Ferguson said.

When you get an order from a colonel, he said, "You execute the order and ask questions later."

Because of the success of social engineering attacks such as spear phishing, "technology solutions are going to be critical," Jevans said. "E-mail authentication is going to be one of the cornerstone technologies."

Several schemes for authentication have been proposed, but a standards battle has delayed implementation. Even when a single standard is selected, it will only be able to authenticate a server, not a sender, and will require wholesale upgrade of e-mail servers, relays and possibly clients.

"In the best case, it's going to be years," before authentication is implemented, Jevans said.

Testing e-mail users with phony phishing requires careful planning to avoid disruptions within an enterprise and should only be carried out within an organization with employees. Conducting such tests across a public network is definite no-no, Paller said.

"It's a crime if you do it outside," he said. "It doesn't matter if you have good intentions; it's a federal crime."

William Jackson is a senior writer for Washington Technology's sister publication, Government Computer News.