Leading by example and positive reinforcement.
Dennis Dillman: [00:00:00] Leading by example, positive reinforcement are the essential elements of a good security awareness program.
Dave Bittner: [00:00:07] Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast. This is the show where each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: [00:00:25] Hello, Dave.
Dave Bittner: [00:00:26] We've got some interesting stories to share this week, and later in the show, my interview with Dennis Dillman. He's VP of security awareness at Barracuda Networks. He's going to share some insights on security awareness training.
Dave Bittner: [00:00:37] But first, a word from our sponsors, KnowBe4. So who's got the advantage in cybersecurity - the attacker or the defender? Intelligent people differ on this, but the conventional wisdom is that the advantage goes to the attacker. But why is this? Stay with us and we'll have some insights from our sponsor, KnowBe4, that puts it all into perspective.
Dave Bittner: [00:01:04] And we are back. Joe, I'm going to kick things off for us...
Joe Carrigan: [00:01:07] OK.
Dave Bittner: [00:01:07] ...This week. And you and I have said many times on this show that there is something that will get everyone.
Joe Carrigan: [00:01:14] Yes.
Dave Bittner: [00:01:15] Everyone has their weakness.
Joe Carrigan: [00:01:17] Yes, everybody has their vulnerabilities.
Dave Bittner: [00:01:18] Yes. This story came across my desk here, and I felt seen. This is from Bleeping Computer.
Joe Carrigan: [00:01:26] (Laughter).
Dave Bittner: [00:01:27] And the headline is "Fake Star Wars Streaming Sites Steal Fans' Credit Cards."
Joe Carrigan: [00:01:31] No.
Dave Bittner: [00:01:32] (Laughter).
Joe Carrigan: [00:01:33] Dave, you didn't fall for this, did you?
Dave Bittner: [00:01:35] I can neither confirm...
Joe Carrigan: [00:01:37] (Laughter).
Dave Bittner: [00:01:37] ...Nor deny whether or not I may have or may have not fallen for this. No, actually, I did not.
Joe Carrigan: [00:01:44] Yeah.
Dave Bittner: [00:01:44] But here's the story. (Laughter) It's from Bleeping Computer. And of course, as we're recording this and as this is coming out, we are in the midst of a big "Star Wars" event. The latest "Star Wars" movie, "The Rise Of Skywalker," the final chapter in the Skywalker saga is being released, and so there's a lot of publicity around that. And of course, the scammers are taking advantage of that publicity.
Joe Carrigan: [00:02:09] Sure, as they often do with any kind of large, public event like this.
Dave Bittner: [00:02:12] That's right. So the folks over at Kaspersky Labs have been tracking this, and they've found over 30 sites that have been used in credit card phishing attacks. And basically, what they're doing here is they're taking advantage of the fact that folks want to get a look at this movie ahead of it coming out in theaters.
Joe Carrigan: [00:02:31] Right.
Dave Bittner: [00:02:31] So they're setting up fake streaming sites where - file-sharing sites, BitTorrent sites, those sorts of things, where they claim to have a prerelease copy of the film. And sure enough, if you download it, you do not get a copy of the film (laughter).
Joe Carrigan: [00:02:46] Ah. What do you get?
Dave Bittner: [00:02:47] You get malware.
Joe Carrigan: [00:02:48] Malware? No. Really?
Dave Bittner: [00:02:49] (Laughter) Yes, you do. Yes, you do.
Joe Carrigan: [00:02:50] Who'd have thought?
Dave Bittner: [00:02:51] I know. I know. There's some interesting statistics here. They're saying throughout 2019, there were over 285,000 attempts to infect over 37,000 users who were seeking to watch "Star Wars" movies. That's what Kaspersky tracked (laughter). So there's some recommendations here from Kaspersky. Of course, pay attention to official movie release dates. And don't click on suspicious links...
Joe Carrigan: [00:03:14] Right.
Dave Bittner: [00:03:14] ...Even if they're promising you a new film. Look at the download file extension.
Joe Carrigan: [00:03:19] Yep.
Dave Bittner: [00:03:19] Make sure it's an actual video extension. Check the website's authenticity. And use a reliable anti-malware solution. I would add, don't try to steal movies (laughter).
Joe Carrigan: [00:03:29] I would add that as well, yeah. These streaming services are never going to try to distribute their media through torrents.
Dave Bittner: [00:03:36] Right.
Joe Carrigan: [00:03:36] It's just not a legitimate way to distribute media that you pay for. It's a great way to distribute free media, such as Linux distributions, and I use it all the time for that. But then when I get the Linux distribution, I verify it, at a minimum by checking the hash that's on the website. But there are other ways you can verify it as well, with signatures. But at a minimum, you should be checking the hash of the file when you get it.
Dave Bittner: [00:03:55] Yep. Yep. So if you're a "Star Wars" fan, like some of us, pony up and go see it in the theater. Get yourself a Disney+ subscription, and then you can watch all of them when they're released (laughter).
Joe Carrigan: [00:04:07] Right.
Dave Bittner: [00:04:07] And you don't put yourself at risk for these kinds of things. But...
Joe Carrigan: [00:04:10] I will say, Dave, that I am enjoying "The Mandalorian" on Disney+.
Dave Bittner: [00:04:13] Yes. Me, too.
Joe Carrigan: [00:04:14] It's pretty good.
Dave Bittner: [00:04:15] Yep. Me, too. Baby Yoda.
Joe Carrigan: [00:04:17] Yep.
Dave Bittner: [00:04:18] He's adorable (laughter).
Joe Carrigan: [00:04:19] He's adorable. There we go. We got our cultural reference in for the week.
Dave Bittner: [00:04:22] Right. That's right. Our street cred is rising.
Joe Carrigan: [00:04:24] Right.
Dave Bittner: [00:04:25] All right. Well, that's what I have this week. Joe, what do you have for us?
Joe Carrigan: [00:04:27] This one comes from a listener, Rohit Srivastwa, who is on Twitter as @rohit11 - R-O-H-I-T-1-1.
Dave Bittner: [00:04:33] Yep.
Joe Carrigan: [00:04:34] And you can follow him there. And he's talking a little bit about it here, but he has written up a nice report that he sent us, and he's going to make a blog post of it soon. This is a scam that he found. He lives in India. And on December 9, he received an SMS that piqued his interest, right? And it says, Montblanc official, 50% off ends tonight. Shop your loved Meisterstuck pens, wallets, bags, belts. Ships with 30-day store exchange warranty. And it has a Bitly link.
Dave Bittner: [00:05:01] OK.
Joe Carrigan: [00:05:02] Now, he says, ordinarily, just disregard this, but they got him, Dave.
Dave Bittner: [00:05:06] (Laughter).
Joe Carrigan: [00:05:07] They got Rohit. They piqued - they - because he is a Montblanc fanboy.
Dave Bittner: [00:05:10] So they found his "Star Wars."
Joe Carrigan: [00:05:12] Right. Exactly.
Dave Bittner: [00:05:12] Yeah. OK.
Joe Carrigan: [00:05:13] They found his "Star Wars."
Dave Bittner: [00:05:13] Right.
Joe Carrigan: [00:05:14] He doesn't just click on the link. It's a Bitly link.
Dave Bittner: [00:05:17] Yeah.
Joe Carrigan: [00:05:17] So he knows that there's the plus sign you can put after a Bitly link to see what the link is going to.
Dave Bittner: [00:05:22] OK.
Joe Carrigan: [00:05:22] This is something that Sam Small from ZeroFOX told us about a couple months ago. When he looks at the link in Bitly with that plus sign, it points to montblancindia.com, which seems like another legitimate website, right?
Dave Bittner: [00:05:34] Sure.
Joe Carrigan: [00:05:34] So he went ahead and selected a pen he liked, and he entered his discount code that they sent him.
Dave Bittner: [00:05:39] So this website looks like a legitimate online retail shopping site?
Joe Carrigan: [00:05:44] It does.
Dave Bittner: [00:05:45] Yeah. OK.
Joe Carrigan: [00:05:45] Yeah. And it's even got a domain - montblancindia.com.
Dave Bittner: [00:05:47] Right. Seems legit.
Joe Carrigan: [00:05:48] Once he starts the ordering process, that's when he begins to see telltale signs of fraud. Now, Rohit is a security guy. He's not going to fall for this. He sees bad punctuation, misplaced capitalization. And he does the cautious thing here. He sends a tweet out to the official Montblanc Twitter handle, which is @montblanc - underscore - world. And they tell him, yes, this is probably a scam. Our official reseller in India is TATA CLiQ.
Dave Bittner: [00:06:17] OK.
Joe Carrigan: [00:06:17] I think I'm saying that right.
Dave Bittner: [00:06:17] All right.
Joe Carrigan: [00:06:18] It's T-A-T-A C-L-I-Q.
Dave Bittner: [00:06:19] OK.
Joe Carrigan: [00:06:20] Now he knows that this is not a real site.
Dave Bittner: [00:06:22] OK.
Joe Carrigan: [00:06:22] But he's curious, right?
Dave Bittner: [00:06:25] (Laughter) Ah, OK.
Joe Carrigan: [00:06:25] Because he's one of us.
Dave Bittner: [00:06:26] Yeah. Right (laughter).
Joe Carrigan: [00:06:26] He's a security researcher.
Dave Bittner: [00:06:27] Right. Can't help himself.
Joe Carrigan: [00:06:29] He Googles Montblanc India, and sure enough, the first website comes up, right? And we've seen this before. This is what I like about this story, Dave, is it has so many pieces of what we've been talking about on this show. Somebody is using search engine optimization so that when you Google Montblanc India, their search result is the first result that comes up.
Dave Bittner: [00:06:46] The scammers, yeah. Yeah.
Joe Carrigan: [00:06:46] They - yeah. They may also be buying an ad, right?
Dave Bittner: [00:06:50] OK. Yep.
Joe Carrigan: [00:06:50] But these are scammers - spoiler alert, right?
Dave Bittner: [00:06:53] Right. Right.
Joe Carrigan: [00:06:54] Every episode, I'm talking about scammers. These are scammers. So he decides he's going to act like a trusting customer, he says. And he says, I went ahead and ordered a pen, but I insisted upon using cash on delivery, right?
Dave Bittner: [00:07:04] Oh, OK.
Joe Carrigan: [00:07:05] Now, COD isn't used very much here in the U.S. anymore.
Dave Bittner: [00:07:08] Yeah.
Joe Carrigan: [00:07:08] But it used to be back in the '70s. Remember that?
Dave Bittner: [00:07:10] I do. I do.
Joe Carrigan: [00:07:10] All the Ron Popeil things and everything.
Dave Bittner: [00:07:12] Right (laughter).
Joe Carrigan: [00:07:12] You could order something cash on delivery. And what that is, is when the guy shows up with the product, you have to give him cash.
Dave Bittner: [00:07:18] Yeah.
Joe Carrigan: [00:07:18] And that's the transaction. All right, so he completes the order as a COD order. So he's not out any money. He hasn't given them any payment information. And he gets an SMS message and an email confirmation of the order. But the email goes straight to spam, and he notices that the address of the email is not Montblanc India but Montblancs India, with an S between blanc and India. And he does a quick WHOIS query of Montblancs India and finds that all the domain registration information is anonymized - right? - which is a service you can get now for your domain registrations.
Dave Bittner: [00:07:51] Right. Right.
Joe Carrigan: [00:07:51] But he finds that montblancindia.com has information on it, which is interesting, that they're using these two domains - one of them has anonymous information, the other one does not. Along with the SMS confirmation, he receives a WhatsApp message from a business account named just SB. Kind of shady. And WhatsApp says this isn't a chat with a business account, which means that this is a business in WhatsApp, as far as WhatsApp is concerned.
Dave Bittner: [00:08:15] OK.
Joe Carrigan: [00:08:16] And they ask him to confirm his payment details.
Dave Bittner: [00:08:19] But he's said cash on delivery.
Joe Carrigan: [00:08:22] Cash on delivery, right.
Dave Bittner: [00:08:22] Yeah. OK.
Joe Carrigan: [00:08:22] He says, please share the account details. At this point in time, he's 100% this is fraud. He's already decided to play along. So after the message on WhatsApp, he gets a phone call from a local cell number to discuss his order. Look at all the moving parts in this story.
Dave Bittner: [00:08:34] Yeah.
Joe Carrigan: [00:08:35] This is what fascinates me about it. Now, the guy on the phone says, we'll give you an extra 6% off if you pay via Google Pay or Paytm, right? Now, these are tokenized payment means.
Dave Bittner: [00:08:45] Yeah.
Joe Carrigan: [00:08:45] And one of the unfortunate things about them is while they're a little bit more secure for, like, retail sales and things like that, is that if you pay somebody over the internet using this, it's very hard to get your money back.
Dave Bittner: [00:08:55] Oh, there's no chargeback mechanism.
Joe Carrigan: [00:08:57] There's no - yeah, there are no chargeback policies...
Dave Bittner: [00:08:58] Yep.
Joe Carrigan: [00:08:58] ...Offered by any of these vendors.
Dave Bittner: [00:08:59] OK.
Joe Carrigan: [00:09:00] He says that when these people call him, typically they don't display a good command of the English language, but these guys were fluent in English, and they were really good. So these guys have decided that they're going to take their skills and apply them maliciously. He decides to stump the person on the phone and say, hey, I already talked to Montblanc and they said TATA CLiQ was the only authorized reseller. And they said they're actually calling from Richemont India, which is the parent company of Montblanc - Richemont. And they're clearing out their 2017 stock. Now, this sounds believable, but it's a blatant lie.
Dave Bittner: [00:09:29] OK. Interesting that they have an answer for everything.
Joe Carrigan: [00:09:31] They do. They...
Dave Bittner: [00:09:32] They've done their homework.
Joe Carrigan: [00:09:33] They have done their homework on this.
Dave Bittner: [00:09:34] Yeah.
Joe Carrigan: [00:09:34] This is pretty good. So eventually, what Rohit does is he insists, no, I'm going to do cash on delivery, and we're just going to do that, and he hangs up. Fifteen minutes later, he gets another call from a non-Indian number, and this caller is speaking with an obvious Indian accent, but it's very polished English, again. And he says that he's from the Swiss Office of Montblanc and repeats the same story that this is old stock and they're having a clearance sale with a two-year warranty. When confronted with the tweet, he said the Twitter handle is managed by Amazon, as Montblanc is an Amazon company now. Montblanc is not an Amazon company.
Dave Bittner: [00:10:04] (Laughter) OK.
Joe Carrigan: [00:10:05] OK. That's important to note.
Dave Bittner: [00:10:06] (Laughter) OK.
Joe Carrigan: [00:10:06] So he's trying to invoke the name of another large company, right?
Dave Bittner: [00:10:10] Yeah.
Joe Carrigan: [00:10:10] Although Montblanc's really not a large company; their revenue's less than a billion dollars a year. So a day later, he gets another call from an unknown number telling him that his order was dispatched or will reach him soon. The caller insists that opening the delivery is not permitted before paying cash, right? So now they think they got him, right? They're going to give him a box and insist that he pays them the money, and then they're going to run away as fast as they can while he opens the box and finds out that there's nothing in the box of any value, right?
Dave Bittner: [00:10:36] (Laughter) Right. Right. Right. Now, do we suspect even the actual delivery person is in on the scam, I wonder? If the - are they a mule for the money? Or I wonder if they're...
Joe Carrigan: [00:10:44] I don't know how this works.
Dave Bittner: [00:10:46] Yeah.
Joe Carrigan: [00:10:46] Rohit insists that he's going to open the box. He says, you're not going to get the money unless I open the box and see that there's a genuine product in here.
Dave Bittner: [00:10:52] Seems reasonable.
Joe Carrigan: [00:10:52] Right. Next day, he receives another message on WhatsApp from an unknown number with the account details claiming to be the delivery team. And they, again, try to get him to pay before opening the box, but he insists, no, I'm going to open the box before I pay. So this story that Rohit has written here ends with the present day, where the status has not changed. He got a call today saying the package is out for delivery and that I can pay via cash as the card-swiping machine is not available with the delivery person, right?
Dave Bittner: [00:11:18] (Laughter) Of course, it's not.
Joe Carrigan: [00:11:19] No, of course, it's not. Rohit continues to insist that he's not going to give them any money without opening the box. And they said, fine, you can open the box, right? But the delivery guy still hasn't come. I don't think they're going to come.
Dave Bittner: [00:11:32] Yeah.
Joe Carrigan: [00:11:32] I think they were hoping for somebody else.
Dave Bittner: [00:11:33] Boy, there's a lot going on here. And a couple of things come to mind for me. One is that I wonder if these scammers have a supply of counterfeit Montblanc pens.
Joe Carrigan: [00:11:44] Yeah, they might, right?
Dave Bittner: [00:11:45] (Laughter) So that if you do...
Joe Carrigan: [00:11:46] Or possibly stolen Montblanc pens, too.
Dave Bittner: [00:11:47] No, could be. Could be.
Joe Carrigan: [00:11:49] Right?
Dave Bittner: [00:11:49] Yeah. So that if you do open the box, at first glance, you're going to let the delivery guy go with the cash, and away they go.
Joe Carrigan: [00:11:55] Here's where the biggest hook is on this, right? Is that the cost of the pen to Rohit was around $130. I looked at the Montblanc website. The cheapest pen on the Montblanc website is $340. That's the cheapest ballpoint pen you can buy. They really tried to get him on the fear of missing out.
Dave Bittner: [00:12:11] Right. And he's a collector of these pens.
Joe Carrigan: [00:12:13] Yeah, he loves these pens.
Dave Bittner: [00:12:14] Yeah.
Joe Carrigan: [00:12:15] This is something he likes.
Dave Bittner: [00:12:15] Right.
Joe Carrigan: [00:12:16] You - like you said, it's his "Star Wars."
Dave Bittner: [00:12:18] Yeah. Interesting. It's also, like you alluded to earlier, how much time they've invested in him.
Joe Carrigan: [00:12:25] Right. He talks about not only did they invest time, but they invested real money in getting their services, their websites up, and one of them is even behind Cloudflare, which means they're paying for the Cloudflare service.
Dave Bittner: [00:12:36] Yeah.
Joe Carrigan: [00:12:37] They're putting out money to do this, which means they have to be getting some kind of success out of this. And that's kind of Rohit's thing here, is that they're going after people who are in the market for Montblanc pens.
Dave Bittner: [00:12:47] And how interesting - for these premium items...
Joe Carrigan: [00:12:50] Right.
Dave Bittner: [00:12:50] ...The scammers have set up shop to target people who love these premium items.
Joe Carrigan: [00:12:56] Yes.
Dave Bittner: [00:12:56] And they know how to push your buttons.
Joe Carrigan: [00:12:59] I want to thank Rohit for sending this story in. This is great. When he puts out a blog post, we'll put a link to it. He doesn't have it up yet, as of the recording.
Dave Bittner: [00:13:05] No, really good. Thanks for sending it in. All right. Well, those are our stories. It is time to move on to our Catch of the Day.
[00:13:12] (SOUNDBITE OF REELING IN FISHING LINE)
Dave Bittner: [00:13:16] Joe, our Catch of the Day was sent in by a listener who was scammed by - or contacted, I suppose, by what he quickly determined to be a bot on the Tinder dating app and started playing along with it. Let's start here. You can play the part of the listener, whose name is Brock (ph), and I will play the part of the lovely female bot who's trying to win his affections. Hello, Brock. I'd like to get to know you. May I ask you a few questions?
Joe Carrigan: [00:13:46] Absolutely.
Dave Bittner: [00:13:47] Have you ever been in love?
Joe Carrigan: [00:13:50] Once, I think. But that was a while ago.
Dave Bittner: [00:13:52] I see. I haven't, although it sounds nice. What makes you human?
Joe Carrigan: [00:13:57] What makes me human? Let's see - my beating heart and those weird feelings.
Dave Bittner: [00:14:03] I like this answer. What attracts you to me?
Joe Carrigan: [00:14:06] I thought you were absolutely gorgeous. And you have innocence, but we all know I could be totally wrong.
Dave Bittner: [00:14:11] Thank you, Brock. That's very kind of you. Last question - if you could meet me anywhere, where would you choose?
Joe Carrigan: [00:14:18] Considering we're both in Austin now, I'd say in Austin.
Dave Bittner: [00:14:22] You are clever. You've passed my test. Take a look at my Instagram and let me know if I've passed yours.
Joe Carrigan: [00:14:28] Perfect.
Joe Carrigan: [00:14:31] This is what failing the Turing test looks like.
Dave Bittner: [00:14:32] I was going to say, I was thinking about - speaking of tests...
Joe Carrigan: [00:14:36] Right.
Dave Bittner: [00:14:36] How about the Turing test?
Dave Bittner: [00:14:39] Which is? Joe, who does the Turing test?
Joe Carrigan: [00:14:41] Oh, the Turing test, actually - good question, Dave. Some of our listeners might not know what the Turing test is. This was a test proposed by Alan Turing, when he was talking about general purpose artificial intelligence.
Dave Bittner: [00:14:50] Yeah.
Joe Carrigan: [00:14:50] And the test is that you put somebody in communication with a person or an AI and the person cannot tell with greater than 50% accuracy that they're dealing with an AI...
Dave Bittner: [00:15:02] Right.
Joe Carrigan: [00:15:03] ...Over a person.
Dave Bittner: [00:15:03] That's right.
Joe Carrigan: [00:15:04] So it's - essentially, it's a coin flip. And if you have developed an AI that people only guess as an AI 50% of the time, then you have achieved AI.
Dave Bittner: [00:15:13] Yeah. All right, very good. Way back in the day, there was a famous one called ELIZA, one of the first ones back in the '60s they spun up.
Joe Carrigan: [00:15:20] Yep.
Dave Bittner: [00:15:20] And it was like an online - not online. There was no online.
Joe Carrigan: [00:15:23] (Laughter) Right.
Dave Bittner: [00:15:23] It was a computerized (laughter) therapist and could be quite compelling, actually.
Joe Carrigan: [00:15:27] Really?
Dave Bittner: [00:15:28] Oh, yeah.
Joe Carrigan: [00:15:28] I don't think I ever played with ELIZA.
Dave Bittner: [00:15:30] Yeah. Yeah. It's fun. All right. Well, that is our Catch of the Day. Coming up next, we've got my interview with Dennis Dillman. He's VP of security awareness at Barracuda Networks.
Dave Bittner: [00:15:39] But first, a word from our sponsors. Now let's return to our sponsor's question about the attackers' advantage. Why do the experts think this is so? It's not like a military operation, where the defender is thought to have most of the advantages. In cyberspace, the attacker can just keep trying and probing at low risk and low cost, and the attacker only has to be successful once. And as KnowBe4 points out, email filters designed to keep malicious spam out have a 10.5% failure rate. That sounds pretty good. Who wouldn't want to bat nearly .900? But this isn't baseball. If your technical defenses fail in 1 out of 10 tries, you're out of luck and out of business. The last line of defense is your human firewall. Test that firewall with KnowBe4's free phishing test, which you can order up at knowbe4.com/phishtest. That's knowbe4.com/phishtest.
Dave Bittner: [00:16:43] Joe, I recently had the pleasure of speaking with Dennis Dillman. He is VP of security awareness at Barracuda Networks. And he's going to share some of his thoughts on security awareness training. Here's my conversation with Dennis Dillman.
Dennis Dillman: [00:16:56] My attention is focused on the employee, the adult learner, the individual who's engaged in the risky behavior. I'm very focused on what are the signals that are going to trigger them into a response, and that's what's largely unchanged because the underlying social dynamic is the same as it's ever been. The same things that triggered people probably a thousand years ago are the same...
Dave Bittner: [00:17:23] Right.
Dennis Dillman: [00:17:23] ...As trigger them today. Fear of missing out, anger, frustration - all of these triggers that are essential to an effective phishing email are the things that we see today. And so my focus has always been on cutting through the fog in the minds of the average employee to enable them to see a little bit more clearly the threats that surround them. But at the end of the day, it's about the emotional trigger and the sophistication of the data capture that happens after the trigger has been tripped.
Dave Bittner: [00:17:56] When you're first beginning to interact with an employee, what is the typical state of that person in terms of their natural defenses against these sorts of attempts to get them to do things?
Dennis Dillman: [00:18:08] I'm generalizing here, right? So there's obviously a couple of different buckets that employees fall into. So I'm talking about, you know, the average person who's not intimately engaged with security as a profession. Those employees largely are completely unconcerned with security. And that's not a criticism. That's just the fact of life of an adult learner is that they're focused on a hierarchy of needs that relate to their personal situation, their immediate professional obligations. And everything after that, they struggle to find time for. And a lot of people see security as a field handled by others who are responsible for keeping them safe. And so their day-to-day view of the world is not focused on good security habits.
Dave Bittner: [00:18:59] Well, take us through how you approach that. How do you get their attention? And then how do you get them to take the things that you're suggesting seriously, make them realize that that's time well spent for them?
Dennis Dillman: [00:19:09] Like a lot of these programs, it starts at an executive level. So if we can engage at a level where relatively modest resources are allocated to security awareness training, we see an order of magnitude more success. And my preferred approach - right, every organization's culture is different - but my default approach for most cultures is to try to get them to game-ify their training. And by game-ify, I do not mean make it juvenile or put some kind of arcade, you know, veneer over what's happening. What I mean is to engage a sense of teamwork and a sense of competition. And those are very natural learning mechanisms in an adult learner because they draw them into a more communal approach to problem solving and without them having to do a lot of extra work. In the Midwest here, we have fish fries. And so I talk about having a phish Friday. It doesn't matter what the mechanism is that you choose to engage the employees with. The important thing is that you are constantly making them aware of the fact that phishing happens and that they should be on the lookout. Even if you do it by telling them you're going to be tested on Friday, we tell you in advance. We even might tell you what the phish is going to look like on Friday.
Dennis Dillman: [00:20:32] The point is that it gets it in your mind. It lets you know that your department is going to be compared against the other department. And what we see, of course, is, you know, with adult learners that positive reinforcement is key. So the department that gets the most points gets a pizza day, gets a traveling trophy, gets any sort of positive reinforcement for engaging in the right behavior. And when you make it a drumbeat, you pull it out of the fog - right? - and expose it to a little bit more light of day and make it something that's always in the front of their mind because they walk past the bulletin board. It's on their intranet page. We can obviously go deeper. We can obviously teach them about the hundreds of different types of phishing attacks that are out there in the wild, but we have to start with this foundation of them being cognizant of the fact that there is this ever-present danger that they need to be aware of.
Dave Bittner: [00:21:26] What happens in an organization that is engaged with this kind of training when a real phish gets through and someone clicks on it? How do you turn that into a teaching moment?
Dennis Dillman: [00:21:37] When it's a real phish and they click on it, it moves into a different realm of possibility from my point of view. I don't have a good answer for if they give their credentials to an external site. That moves into the realm of incident response and dealing with a security issue. But when we know a certain type of email is effective - right? - whether it's because it's one of our own or whether it's because there's a threat that's in the wild, we can turn that into a training program by exposing other people in the organization to that kind of threat.
Dave Bittner: [00:22:11] One of the things I'm curious about is it sounds to me like, from start to finish, this is a positive reinforcement kind of thing. There's no point where if someone, for example, clicks on a simulated phish, there's no shaming that's going to go on here.
Dennis Dillman: [00:22:26] Well, yeah. There's a lot of research, Dave, out there that with all learners - but adult learners in particular - that negative reinforcement, punishment is counterproductive. It may be effective in a very narrowly measured sense of the word, but it has so much extra in terms of side effects that it's a net negative in terms of the approach. So positive reinforcement with adult learners is absolutely essential. Building a sense of teamwork around that behavior is essential. Executive buy-in in terms of healthy approach to security is huge. It's really hard to encourage the staff to have good risk-averse behavior when the executives at an organization don't engage in that same behavior and they're setting a counter example. So leading by example, positive reinforcement are the essential elements of a good security awareness program.
Dave Bittner: [00:23:20] When someone implements a security awareness program, how do they measure success? How do you know that you're getting return on your investment?
Dennis Dillman: [00:23:28] That is a controversial question. And the reason it's controversial is that I would say there's not a standardized best practice around this answer. One approach is to focus on a key metric like click rate. And there's a lot of security awareness providers in the market that are very focused on click rate and want to encourage you to see success in an ever-diminishing, you know, click rate for your organization. And while that's certainly not bad news, the problem with click rate is that it is a very, very narrow metric because it's not just click rate; it's click rate for a very specific type of email. I always encourage my customers to try to find a spike in click rate, which is actually what led to ice phishing as a topic for my team is that you need to keep changing the types of emails that are being sent to see whether or not there's a specific type of email that has a massive response by your organization's employees so that you know you've got a risk issue that you need to address. It's a lot like vulnerability-scanning servers and firewalls. If you always scan for the same thing, you're not really searching for the threats that face your organization. So we can drive a click rate to near zero. The problem is that there might be another type of phishing attack that has a huge response from your employees and you remain unaware of it because you're not testing a broad array of social engineering simulations.
Dave Bittner: [00:24:59] For organizations that are just starting their journey with security awareness training, how do you recommend they get started?
Dennis Dillman: [00:25:08] Again, every corporation has its own unique culture, right? And you've got to be sensitive to that. But as a rule, I think kind of the majority of customers can benefit from the following advice. Number one, don't take an adversarial approach to security awareness training. Don't make this a gotcha type of testing mechanic. Communicate with your employees about the fact that you're starting the campaigns, you're starting the program. Communicate with your employees about what the intention is and that it's working to make the company more safe, and it's a collaborative effort. It's very helpful to establish that. The best way to train adult learners, in my experience, is to put the real thing in front of them and let them interact with it, let them understand what they need to be looking for. And then keep up the frequency. If you train once a year and you do a once-a-year simulation, I know you're not going to get the level of response that you want. You need to be training constantly throughout the year.
Dave Bittner: [00:26:06] Joe, what do you think?
Joe Carrigan: [00:26:07] Dennis gets it.
Dave Bittner: [00:26:08] Yeah.
Joe Carrigan: [00:26:08] He has a keen understanding of what the problem is and social engineering. I love that Dennis points out that the triggers that people have are not new, but they are things that we have had for thousands of years. We've evolved with these things. And gamification is also very useful. Using things like teamwork and competition are the natural counterparts to these triggers that scammers use because teamwork and competition are things that we've evolved with as well as fear and greed. The way Dennis articulates it is great. The attacks are getting better, but so are the defenses. But still, we see the same things getting through. And then they hit on the same triggers again. So the answer is use the teamwork. Use the competition, and build a security awareness program. One of the key points here is that a security awareness program is going to be much more effective when it comes from the top, right? If you're in any kind of organization, the C-suite of that organization has to be on board. And adult learners are averse to negative reinforcement. They really don't like it.
Dave Bittner: [00:27:03] Oh, we even say, don't treat me like a child.
Joe Carrigan: [00:27:05] Exactly. They...
Dave Bittner: [00:27:06] Yeah (laughter).
Joe Carrigan: [00:27:06] That's exactly what it is, this "don't treat me like a child," right?
Dave Bittner: [00:27:09] Right.
Joe Carrigan: [00:27:09] And nothing is more offensive to an adult learner than being treated like a child. So communicate with your employees, and don't have a gotcha mentality. Some of the things Dennis says here are very important. Tell them we're going to have a phishing training coming through with fake emails coming through to measure the effectiveness. This is to make you better at spotting these.
Dave Bittner: [00:27:27] Right. It's not to catch you and embarrass you.
Joe Carrigan: [00:27:29] Exactly.
Dave Bittner: [00:27:29] Yeah.
Joe Carrigan: [00:27:30] And if you have a large enough organization, tell your employees what the results are. When you send out a phishing email and 20% of the people click on the link, put that out there as the metric. Twenty percent of us clicked on the link. Here are the things you can do to notice this is better. We're going to do this again in another month, and we're going to see how it's improved. At one point in time, you asked him what happens when a user clicks on a real phish. That then does go beyond what he focuses on in his work. But there are some things you can do to protect yourself, to mitigate the damage from that. And one of the best things you can do is two-factor authentication because if a user gives up username and password and you have two-factor authentication on your systems, then there is a much lower risk - in fact, almost no risk - of those accounts being compromised if you're using a good, strong second-factor authentication, something like a YubiKey. One of the key points here is measuring ROI on this training is really tough because there are no standards yet. We're still in a very nascent part of this field where we're trying to make a difference. Click rate is OK, but as soon as he started talking about click rate, I started thinking about what are you measuring - right? - when you're measuring click rate? And his example was a great example. You might be measuring how good your employees are at spotting your fake phishing emails. And that's not really a good measurement.
Dave Bittner: [00:28:39] What if your fake phishing emails are...
Joe Carrigan: [00:28:41] ...Are insufficient?
Dave Bittner: [00:28:42] ...Awful?
Joe Carrigan: [00:28:42] Right. Exactly.
Dave Bittner: [00:28:43] (Laughter) Right. Right. They have nothing to do with "Star Wars."
Joe Carrigan: [00:28:47] Exactly, yeah.
Dave Bittner: [00:28:48] I mean, that wouldn't work.
Joe Carrigan: [00:28:48] And nobody is going to click on...
Dave Bittner: [00:28:49] No. Who's going to click on that?
Joe Carrigan: [00:28:49] ...Something that doesn't have anything to do with "Star Wars," right?
Dave Bittner: [00:28:51] Right. Exactly.
Joe Carrigan: [00:28:52] Taking a baseline measurement is absolutely imperative, as is constant training. This is something that needs to be done on a regular basis. This is not something you do once a year and forget it.
Dave Bittner: [00:29:01] Yeah. Well, you know, just really interesting conversation. Again, thanks to Dennis Dillman from Barracuda Networks for joining us and sharing all of his insights and wisdom.
Dave Bittner: [00:29:12] That is our show. And of course, we want to thank all of you for listening. And we want to thank our sponsors at KnowBe4. They are the social engineering experts and the pioneers of new-school security awareness training. Be sure to take advantage of their free phishing test, which you can find at knowbe4.com/phishtest. Think of KnowBe4 for your security training. Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.
Dave Bittner: [00:29:37] The Hacking Humans podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: [00:29:51] And I'm Joe Carrigan.
Dave Bittner: [00:29:52] Thanks for listening.