Security Smackdown: End-User Awareness Programs vs. Technology Solutions Justin Klein Keane Christine Brisson University of Pennsylvania School of Arts & Sciences

Analogies only work if they're accurate Except in the case of car analogies, which always suck *Let's try to keep this discussion free of car analogies

Proven Technical Solutions

Security Luminaries agree: ● Bruce Schneier ● Dave Aitel, Immunity ● Richard Bejtlich, Mandiant N.B.: Detractors of security awareness training have no financial stake in the correctness of their argument.

Gizmodo -- The 10 most popular passwords of 2012: 1. Password (Unchanged) (Unchanged) (Unchanged) 4. abc123 (Up 1) 5. qwerty (Down 1) 6. monkey (Unchanged) 7. letmein (Up 1) 8. dragon (Up 2) (Up 3) 10. baseball (Up 1) What about Pa$$w0rd?

Simulated Phishing Campaigns ● New York State employees (2005) – 10,000 people – decline in response rate to fake phishing s ● from 15% to 8% over two trials ● PhishMe at Emory (2012) – 40,000 people -- decline in response rate to fake phishing s – From 13.7% overall to 8.1% over three trials. – No overall decline in number of successful phishing attacks ● Operation Carronade (West Point, 2004) – 80% of cadets (small sample size, 400) clicked on the link; 90% of freshmen – “There is a culture at West Point that any with a "COL" (abbreviation for Colonel) salutation has an action to be executed. To a cadet, the action/request is to be executed regardless of its nature or rationale. The sought to exploit this culture.”

Phishing Education is Misguided

Careful where you Click

Be careful where you click?

Human Cognition is Exploitable Some tricks are invisible:

Privacy/Sensitive data

Effective Training (Developers)

Effective Training (Users)

NCSAM Campaigns in SAS Two main messages ● Information Security is an issue ● Know who to contact if you have questions We chose themes based on pain points ● Data and privacy ● Be careful where you click ● Securing mobile devices Different methods of outreach ● Posters ● Web site ● Events (shredding day) ● “Security and Donuts” -- school wide but locally-based Shared material/ideas with other Penn schools/units

References ● West Point: ● ● New York State phishing: ● “You Won’t Believe How Adorable This Kitty Is! Click for More!” by Geoffrey A Fowler, Wall Street Journal, 3/27/2013. ● Emory University phishing: ● ● Top 10 Passwords: ● ● Anti-Phishing Phil: ● "Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish." by Steve Sheng, Bryant Magnien, Ponnurangam Kumaraguru, Alessandro Acquisti, Lorrie Faith Cranor, Jason Hong, Elizabeth Nunge. Symposium On Usable Privacy and Security (SOUPS) 2007, July 18-20, 2007, Pittsburgh, PA, USA. Available at ● West Virginia University training effort: ● “Information Security Training - Lessons Learned Along the Trail” by Michael Cooper. SIGUCCS ’08, October 19-22, 2008, Portland, Oregon, USA ● Arguments in favor of security training:: ● ●

References (cont.) ● Proven technical controls ● "Strategies to Mitigate Targeted Cyber Intrusion," Australian Defense Signals Directorate. ● "20 Critical Controls," Center for Strategic and International Studies. ● Phishing resources: ● ● ● ● Security training is a waste: ● “On Security Awareness Training,” by Bruce Schneier. Dark Reading ● “Why you shouldn't train employees for security awareness”, by Dave Aitel. CSO Online, awareness awareness ● “Security Awareness Training: A Waste of Time?,” by Richard Bejtlich. Tao Security, ● Malware obfuscation techniques ● “Soft Hyphen – A New URL Obfuscation Technique,” by Samir Patil. Symantec Official Blog,