Simulated phishing

Last updated

Simulated phishing or a phishing test is where deceptive emails, similar to malicious emails, are sent by an organization to their own staff to gauge their response to phishing and similar email attacks. The emails themselves are often a form of training, but such testing is normally done in conjunction with prior training; and often followed up with more training elements. This is especially the case for those who "fail" by opening email attachments, clicking on included weblinks, or entering credentials.

Contents

Rationale

There is wide acceptance within the IT security field that technical measures alone cannot stop all malicious email attacks, and that good training of staff is necessary.[ citation needed ] [1] Simulated phishing allows the direct measurement of staff compliance, and when run regularly, can measure progress in user behavior. Phishing simulation is recommended by various official agencies, who often provide guidelines for designing such policies. [2] Phishing simulations are sometime compared to fire drills in giving staff regular practice in correct behaviour. [3]

Ethics

Such campaigns need to be authorised at an appropriate level [4] and carried out professionally. [5] If such a technique is used carelessly, it may breach laws, attract lawsuits, and antagonise or traumatise staff.

However, if employees are advised of a change to policy such that "the company reserves the right to send deceptive 'simulated phishing' email to staff from time to time to gauge staff security awareness and compliance", and training and guidance has been given in advance, then such problems should not occur. Some organisations may choose to require users to give their consent by opting in, [6] and others may allow staff the option to opt out. [7]

The standard advice is that "failing" staff not be shamed in any way, but it is appropriate and reasonable to provide supportive followup training. [8] [9] [10]

Some techniques which might be effective and in use by malicious actors are normally avoided in simulated phishing for ethical or legal reasons. These would include emails with content likely to cause distress to the recipient or the use of third-party trademarks, [5] [8] although it is also sometimes argued that this is covered by fair use. [11]

Methods

Such testing can be done in a number of ways.

Because organisations generally have a set of multi-layered defences in place to prevent actual malicious phishing, simulations often require some whitelisting to be put in place at email gateways, anti-virus software and web proxies to allow email to reach user desktops and devices and to be acted upon.

Frequency

Most advice is that testing should be done several times per year, to give staff practice in responding correctly, and to provide management feedback on the progress in staff identifying and reporting potentially dangerous email.

See also

Related Research Articles

<span class="mw-page-title-main">Computer security</span> Protection of computer systems from information disclosure, theft or damage

Computer security is the protection of computer software, systems and networks from threats that can lead to unauthorized information disclosure, theft or damage to hardware, software, or data, as well as from the disruption or misdirection of the services they provide.

<span class="mw-page-title-main">Simulation</span> Imitation of the operation of a real-world process or system over time

A simulation is an imitative representation of a process or system that could exist in the real world. In this broad sense, simulation can often be used interchangeably with model. Sometimes a clear distinction between the two terms is made, in which simulations require the use of models; the model represents the key characteristics or behaviors of the selected system or process, whereas the simulation represents the evolution of the model over time. Another way to distinguish between the terms is to define simulation as experimentation with the help of a model. This definition includes time-independent simulations. Often, computers are used to execute the simulation.

<span class="mw-page-title-main">Phishing</span> Impersonating a reputable organization via electronic media

Phishing is a form of social engineering and a scam where attackers deceive people into revealing sensitive information or installing malware such as viruses, worms, adware, or ransomware. Phishing attacks have become increasingly sophisticated and often transparently mirror the site being targeted, allowing the attacker to observe everything while the victim navigates the site, and transverses any additional security boundaries with the victim. As of 2020, it is the most common type of cybercrime, with the FBI's Internet Crime Complaint Center reporting more incidents of phishing than any other type of cybercrime.

Network security are security controls, policies, processes and practices adopted to prevent, detect and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. Network security involves the authorization of access to data in a network, which is controlled by the network administrator. Users choose or are assigned an ID and password or other authenticating information that allows them access to information and programs within their authority. Network security covers a variety of computer networks, both public and private, that are used in everyday jobs: conducting transactions and communications among businesses, government agencies and individuals. Networks can be private, such as within a company, and others which might be open to public access. Network security is involved in organizations, enterprises, and other types of institutions. It does as its title explains: it secures the network, as well as protecting and overseeing operations being done. The most common and simple way of protecting a network resource is by assigning it a unique name and a corresponding password.

<span class="mw-page-title-main">Social engineering (security)</span> Psychological manipulation of people into performing actions or divulging confidential information

In the context of information security, social engineering is the psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in the sense that it is often one of the many steps in a more complex fraud scheme. It has also been defined as "any act that influences a person to take an action that may or may not be in their best interests."

Netcraft is an Internet services company based in London, England. The company provides cybercrime disruption services across a range of industries.

Internet security is a branch of computer security. It encompasses the Internet, browser security, web site security, and network security as it applies to other applications or operating systems as a whole. Its objective is to establish rules and measures to use against attacks over the Internet. The Internet is an inherently insecure channel for information exchange, with high risk of intrusion or fraud, such as phishing, online viruses, trojans, ransomware and worms.

Email spoofing is the creation of email messages with a forged sender address. The term applies to email purporting to be from an address which is not actually the sender's; mail sent in reply to that address may bounce or be delivered to an unrelated party whose identity has been faked. Disposable email address or "masked" email is a different topic, providing a masked email address that is not the user's normal address, which is not disclosed, but forwards mail sent to it to the user's real address.

Internet safety, also known as online safety, cyber safety and electronic safety (e-safety), refers to the policies, practices and processes that reduce the harms to people that are enabled by the (mis)use of information technology.

<span class="mw-page-title-main">Internet Security Awareness Training</span>

Internet Security Awareness Training (ISAT) is the training given to members of an organization regarding the protection of various information assets of that organization. ISAT is a subset of general security awareness training (SAT).

Cyber crime, or computer crime, refers to any crime that involves a computer and a network. The computer may have been used in the commission of a crime, or it may be the target. Netcrime refers, more precisely, to criminal exploitation of the Internet. Issues surrounding this type of crime have become high-profile, particularly those surrounding hacking, copyright infringement, identity theft, child pornography, and child grooming. There are also problems of privacy when confidential information is lost or intercepted, lawfully or otherwise.

SmartScreen is a cloud-based anti-phishing and anti-malware component included in several Microsoft products:

Endpoint security or endpoint protection is an approach to the protection of computer networks that are remotely bridged to client devices. The connection of endpoint devices such as laptops, tablets, mobile phones, and other wireless devices to corporate networks creates attack paths for security threats. Endpoint security attempts to ensure that such devices follow compliance to standards.

Cozy Bear is a Russian advanced persistent threat hacker group believed to be associated with Russian foreign intelligence by United States intelligence agencies and those of allied countries. Dutch signals intelligence (AIVD) and American intelligence had been monitoring the group since 2014 and was able to link the hacker group to the Russian foreign intelligence agency (SVR) after compromising security cameras in their office. CrowdStrike and Estonian intelligence reported a tentative link to the Russian domestic/foreign intelligence agency (FSB). Various groups designate it CozyCar, CozyDuke, Dark Halo, The Dukes, Midnight Blizzard, NOBELIUM, Office Monkeys, StellarParticle, UNC2452 with a tentative connection to Russian hacker group YTTRIUM. Symantec reported that Cozy Bear had been compromising diplomatic organizations and national governments since at least 2010. Der Spiegel published documents in 2023 purporting to link Russian IT firm NTC Vulkan to Cozy Bear operations.

Numbered Panda is a cyber espionage group believed to be linked with the Chinese military. The group typically targets organizations in East Asia. These organizations include, but are not limited to, media outlets, high-tech companies, and governments. Numbered Panda is believed to have been operating since 2009. However, the group is also credited with a 2012 data breach at the New York Times. One of the group's typical techniques is to send PDF files loaded with malware via spear phishing campaigns. The decoy documents are typically written in traditional Chinese, which is widely used in Taiwan, and the targets are largely associated with Taiwanese interests. Numbered Panda appears to be actively seeking out cybersecurity research relating to the malware they use. After an Arbor Networks report on the group, FireEye noticed a change in the group's techniques to avoid future detection.

Charming Kitten, also called APT35, Phosphorus or Mint Sandstorm, Ajax Security, and NewsBeef, is an Iranian government cyberwarfare group, described by several companies and government officials as an advanced persistent threat.

Internet security awareness or Cyber security awareness refers to how much end-users know about the cyber security threats their networks face, the risks they introduce and mitigating security best practices to guide their behavior. End users are considered the weakest link and the primary vulnerability within a network. Since end-users are a major vulnerability, technical means to improve security are not enough. Organizations could also seek to reduce the risk of the human element. This could be accomplished by providing security best practice guidance for end users' awareness of cyber security. Employees could be taught about common threats and how to avoid or mitigate them.

The Lincoln Adaptable Real-time Information Assurance Testbed (LARIAT) is a physical computing platform developed by the MIT Lincoln Laboratory as a testbed for network security applications. Use of the platform is restricted to the United States military, though some academic organizations can also use the platform under certain conditions.

ANY.RUN is a cybersecurity company that provides an interactive malware analysis sandbox and threat intelligence services for real-time analysis and investigations of malware and phishing threats. The platform is designed for use by cybersecurity professionals, researchers, and IT specialists, providing tools for interactive analysis of malicious software and behavior and threat intelligence services.

References

  1. Jampen, Daniel; Gür, Gürkan; Sutter, Thomas; Tellenbach, Bernhard (2020-08-09). "Don't click: towards an effective anti-phishing training. A comparative literature review". Human-centric Computing and Information Sciences. 10 (1). doi: 10.1186/s13673-020-00237-7 . hdl: 11475/20346 . ISSN   2192-1962.
  2. "Designing Phishing Simulations" (PDF). Center for the Protection of National Infrastructure. Retrieved 12 September 2018.
  3. Fischbein, Jonathan. "Council Post: 2021 Cyber New Year's Resolutions". Forbes. Retrieved 2021-10-03.
  4. Kovacs, Eduard (23 August 2018). "Attack on DNC Part of Simulated Phishing Test". Security Week. Retrieved 12 September 2018.
  5. 1 2 Cheng, Joey (18 March 2014). "Out-of-control Army phishing test results in new guidelines". DefenseSystems. Retrieved 12 September 2018.
  6. "Simulated Phishing". Berkeley Lab. Retrieved 12 September 2018.
  7. "Simulated Phishing Email Campaign". UC Santa Cruz. Retrieved 12 September 2018.
  8. 1 2 Prendergast, Tom. "Is all fair in simulated phishing?". www.csoonline.com. Retrieved 9 September 2018.
  9. Meijdam, Katrien. "Phishing as a Service: Designing an ethical way of mimicking targeted phishing attacks to train employees" . Retrieved 10 September 2018.
  10. R, Kate. "The Trouble with Phishing". National Cyber Security Centre. GCHQ. Retrieved 12 September 2018.
  11. Calarco, Daniel. "Stop Phishing with Bad Fake Bait". EDUCAUSEreview. Retrieved 12 September 2018.
  12. Salla, Sebastian. "free phishing test campaigns". CanIPhish. Retrieved 10 October 2022.
  13. Korolov, Maria. "10 companies that can help you fight phishing". CSO Online. Retrieved 12 September 2018.
  14. e.g GoPhish, King Phisher, The SocialEngineer Toolkit
  15. Pauli, Darren (4 February 2016). "Go phish your own staff: Dev builds open-source fool-testing tool". The Register. Retrieved 12 September 2018.
  16. "Phishing campaign simulators". Phishing Countermeasures. Retrieved 12 September 2018.
  17. Ghosh, Debraj. "GA of Attack Simulator For Office 365 Threat Intelligence". Microsoft Tech Community. Retrieved 12 September 2018.
  18. Lardinois, Frederic (16 April 2018). "Microsoft launches a phishing attack simulator and other security tools". TechCrunch. Retrieved 12 September 2018.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.