James Bond - Pen Tester

Uploaded on 2016-08-15 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Adopt a James Bond style deception mode when it comes to spotting spear phishing, said Zinaida Benenson.

Delivering a presentation on “How to Make People Click on a Dangerous Link Despite Their Security Awareness” at the Black Hat conference in Las Vegas, Zinaida Benenson, who leads the Human Factors in Security and Privacy Group at the IT Security Infrastructures Lab of the University of Erlangen-Nuremberg, Germany, said that often people fall for the same things, and we don’t know how to “patch” them, or whether security awareness is the solution.

She said: “A lot of companies provide security awareness training, where they phish their own employees to assess security awareness and that is what I call ‘pen testing the humans’.” However, she was keen to point out that pen testing people is not the same as pen testing machines, and this can go very wrong when a person finds out they are being used by their own security department for pen testing.

Research was presented to demonstrate a decent level of security knowledge in tests, and she said that we require people to be suspicious of messages even if they know sender, and even if it fits with their current situation and work and life practices.

“What we want from employees about spear phishing is to be in James Bond mode when there is a message deception mode,” she said.

“If we want security awareness training to be more effective, think of the price people (employees) have to pay. Be James Bond with false positives where they think message is phishing, and organizations will see the effects of not answering emails that they should have answered. Testing security awareness by sending from bosses destroys trust. It adds to shame which is not good for the organization.”

Benenson said that pen testing and patching humans is difficult, as people don’t think in the moment and talk to users, and switch into deception mode if they see something suspicious. She also encouraged delegates to stop sending legitimate emails that look “phishy”, and talk to people sending them. “People make mistakes and there is nothing we can do about it,” she said.

“Pen testing and patching humans is tricky, what do you want to be the consequence? Always ask for consent and the most important lesson for security professionals is talk to the users.”

Infosecurity

 

« 5 Reasons IT Leaders Should ImproveTechnical & ‘Soft’ Skills
Artificial Intelligence - Hope Or Illusion? »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

British Insurance Brokers’ Association (BIBA)

British Insurance Brokers’ Association (BIBA)

BIBA is the UK’s leading general insurance intermediary organisation. Use the ‘Find Insurance‘ section of the BIBA website to find providers of cyber risk insurance in the UK.

Visa

Visa

Visa is a global payments technology company that connects consumers, businesses and banks in more than 200 countries and territories worldwide.

National Initiative for Cybersecurity Education (NICE)

National Initiative for Cybersecurity Education (NICE)

NICE is a partnership between government, academia, and the private sector focused on cybersecurity education, training, and workforce development.

X4 Technology

X4 Technology

X4 Technology is a leader in finding the very best technology talent for some of the world’s most innovative start-ups and globally recognised brands.

Rentalworks

Rentalworks

Rentalworks is a leading provider of Internet-of-Things (IoT) Asset Lifecycle Management Services including secure data erasure and disposal.

GreenWorld Technologies

GreenWorld Technologies

GreenWorld has a proven track record in industry leading IT asset management, secure data destruction and remarketing.

Phoenix Cybersecurity

Phoenix Cybersecurity

Phoenix Cybersecurity Services and Managed Security Services help clients just like you take full advantage of leading cybersecurity technologies and industry best practices.

Cloud Box Technologies

Cloud Box Technologies

Cloud Box Technologies is one of the premier IT Infrastructure Solution providers in the Middle East.

CyberCyte

CyberCyte

CyberCyte provides a disruptive built-in integrated physical, network and perimeter security solution framework.

Microland

Microland

Microland’s delivery of digital is all about making technology do more and intrude less for global enterprises. Our services include Cloud & Data Center, Networks, Cybersecurity and more.

Conference on Applied Machine Learning in Information Security (CAMLIS)

Conference on Applied Machine Learning in Information Security (CAMLIS)

CAMLIS is a venue for discussing applied research on machine learning, deep learning and data science in information security.

Samurai Digital Consulting

Samurai Digital Consulting

Samurai Digital Security are a cyber and Information security services provider, specialising in penetration testing, incident response, user awareness and information governance solutions.

Onesecure Asia

Onesecure Asia

ONESECURE Asia’s expertise and services are built around its mission to provide reliable, robust and scalable technology solutions to cater for its customers’ needs.

Com Olho

Com Olho

Com Olho provides the measurement, analytics, quality assurance, and fraud protection technologies brands need for their business and customers.

StrongBox.Academy

StrongBox.Academy

StrongBox.Academy provides cybersecurity training courses that are tailored to the specific needs and challenges of the industry.

Board of Cyber

Board of Cyber

Board of Cyber offers Security Rating: a fast, non-intrusive, continuous, 100% automated solution to evaluate the cyber performance of an organization.