Security infrastructure failure is to blame for a successful phishing attack, not the person who clicks on the phishing link, Ira Winkler told the (ISC)2 Congress audience in Orlando, Florida, on September 12, 2016.
“If a single user click can take down your network, then your network sucks,” said Winkler, during his presentation ‘The Phishing Kill Chain’. “Technical people want to tell you that people are stupid, but a single click should not cause your security defense to fail. A successful phishing attack results from a systematic failure of the security infrastructure.”
Technology failures happen far more often than user failures, said Winkler, who argued that phishing attacks need to be stopped with a holistic defense.
“There are many phases of a phishing attack, and each phase represents an opportunity to detect the attack and kill the attack in progress,” he argued. “Even if you fail at protection, what about detection and reaction? Protection will always fail, that’s a given. But you don’t fail at security until the bad guy succeeds with their goals. It doesn’t matter if the bad guy gets in unless they accomplish their goals.” This, he said, is the concept of a kill chain. “Look at your adversary’s attack plan and work out where you can stop it most effectively.”
It takes a failure of technology at several levels for phishing to succeed, claimed Winkler, who argued that 20% of a successful phishing attack is due to user failure, and the other 80% is a result of inferior security infrastructure.
Investing in good user awareness, however, is always advisable, claimed Winkler. “Awareness programs should be about making people behave appropriately, and if enough people comply, it creates a security culture.”
People who argue that user awareness doesn’t work are “dumb”, claimed Winkler. “People keep track of the one person in hundreds who clicks on the phishing email. But who keeps track of the successes? Think about the thousands of phishing emails in your spam box – that’s a security success story. Awareness successes go grossly unnoticed. Implement a comprehensive awareness program, not just phishing simulations and videos.”
Phishing is not a user problem, Winkler concluded. “Look at detection, it can feed prevention. Your strategy needs to be backward-looking as much as forward-looking. There are dumb users out there, but there are many that aren’t.”