James Bond - Pen Tester

Uploaded on 2016-08-15 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Adopt a James Bond style deception mode when it comes to spotting spear phishing, said Zinaida Benenson.

Delivering a presentation on “How to Make People Click on a Dangerous Link Despite Their Security Awareness” at the Black Hat conference in Las Vegas, Zinaida Benenson, who leads the Human Factors in Security and Privacy Group at the IT Security Infrastructures Lab of the University of Erlangen-Nuremberg, Germany, said that often people fall for the same things, and we don’t know how to “patch” them, or whether security awareness is the solution.

She said: “A lot of companies provide security awareness training, where they phish their own employees to assess security awareness and that is what I call ‘pen testing the humans’.” However, she was keen to point out that pen testing people is not the same as pen testing machines, and this can go very wrong when a person finds out they are being used by their own security department for pen testing.

Research was presented to demonstrate a decent level of security knowledge in tests, and she said that we require people to be suspicious of messages even if they know sender, and even if it fits with their current situation and work and life practices.

“What we want from employees about spear phishing is to be in James Bond mode when there is a message deception mode,” she said.

“If we want security awareness training to be more effective, think of the price people (employees) have to pay. Be James Bond with false positives where they think message is phishing, and organizations will see the effects of not answering emails that they should have answered. Testing security awareness by sending from bosses destroys trust. It adds to shame which is not good for the organization.”

Benenson said that pen testing and patching humans is difficult, as people don’t think in the moment and talk to users, and switch into deception mode if they see something suspicious. She also encouraged delegates to stop sending legitimate emails that look “phishy”, and talk to people sending them. “People make mistakes and there is nothing we can do about it,” she said.

“Pen testing and patching humans is tricky, what do you want to be the consequence? Always ask for consent and the most important lesson for security professionals is talk to the users.”

Infosecurity

 

« 5 Reasons IT Leaders Should ImproveTechnical & ‘Soft’ Skills
Artificial Intelligence - Hope Or Illusion? »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

LogRhythm

LogRhythm

LogRhythm's security platform unifies SIEM, log management, network and endpoint monitoring, user behaviour analytics, security automation and advanced security analytics.

SQA Service

SQA Service

SQA Service provide independent software and process Quality Assurance services.

Wilson Sonsini Goodrich & Rosati (WSGR)

Wilson Sonsini Goodrich & Rosati (WSGR)

WSGR is the premier provider of legal services to technology, life sciences, and growth enterprises worldwide. Practice areas include cybersecurity and data protection.

AET Europe

AET Europe

AET Europe is specialised in creating technological solutions for user identification and authentication.

C2A Security

C2A Security

C2A Security offers a comprehensive suite of cyber security solutions for the automotive industry, providing in-vehicle end-to-end protection.

Identity Defined Security Alliance (IDSA)

Identity Defined Security Alliance (IDSA)

IDSA is a group of identity and security vendors, solution providers and practitioners that acts as an independent source of education and information on identity-centric security strategies.

Sergeant Laboratories

Sergeant Laboratories

Sergeant Laboratories builds advanced technologies to prove compliance in complex IT security and regulatory compliance situations.

Monster Jobs

Monster Jobs

Monster is a global leader in connecting people to jobs, wherever they are. Monster covers all job sectors including cybersecurity in locations around the world.

AdvIntel

AdvIntel

AdvIntel is a next-generation threat prevention and loss prevention company launched by a team of certified investigators, reverse engineers, and security experts.

SecurityGen

SecurityGen

SecurityGen is a global cybersecurity start-up focused on telecom security, with a focus on 5G networks.

Anchor Technologies Inc (ATI)

Anchor Technologies Inc (ATI)

Anchor provides a full spectrum of cybersecurity services assisting our clients with all aspects of cybersecurity risk planning, identification, management, and monitoring.

Awareness Software Limited (ASL)

Awareness Software Limited (ASL)

As Hosting Specialists, Awareness Software offer practical and affordable hosting solutions including backup and disaster recovery and a range of cybersecurity services.

3DOT Solutions

3DOT Solutions

3DOT Solutions is an established UK cybersecurity consultancy focused on delivering end-to-end cyber security solutions for private and public sector customers.

True Corporation

True Corporation

True Corporation is Thailand’s leading Telecom-Tech company, empowering people and businesses with connected solutions that advance society sustainably.

HeroDevs

HeroDevs

HeroDevs is the trusted leader in providing secure, long-term support for deprecated open-source software.

Device42

Device42

Device42 is a trusted, advanced, and complete full-stack agentless discovery and dependency mapping platform for Hybrid IT.