Hacking Humans 3.12.20
Ep 89 | 3.12.20
Winking emoji.
Transcript

Gretel Egan: [00:00:00] We found that there really is a continued issue with general cybersecurity awareness and knowledge among working adults around the world. 

Dave Bittner: [00:00:10]  Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast. You know this show. This is the show where each week, we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations all over the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: [00:00:31]  Hi, Dave. 

Dave Bittner: [00:00:31]  Got some good stories to share this week. And later in the show, my conversation with Gretel Egan. She's from Proofpoint, and we're going to be talking about their 2020 State of the Phish Report. 

Dave Bittner: [00:00:40]  But first, a word from our sponsors at KnowBe4. So who's got the advantage in cybersecurity, the attacker or the defender? Intelligent people differ on this, but the conventional wisdom is that the advantage goes to the attacker. But why is this? Stay with us, and we'll have some insights from our sponsor KnowBe4 that puts it all into perspective. 

Dave Bittner: [00:01:11]  And we are back. Joe, why don't you kick things off for us this week? 

Joe Carrigan: [00:01:15]  Dave, this week, I have a story from channelnewsasia.com. 

Dave Bittner: [00:01:18]  OK. 

Joe Carrigan: [00:01:18]  And the story is about the Singapore Police Force, the SPF. And they're warning of a malicious site that is impersonating their website. So when the user goes to this website, they see a message that informs them that the user's computer has been locked due to, quote, "viewing and dissemination of materials forbidden by law of Singapore" - specifically, viewing and disseminating pornographic material of an extreme nature. You know, we all know what that means, right? 

Dave Bittner: [00:01:44]  Yeah (laughter). 

Joe Carrigan: [00:01:45]  So, you know, it's one of these things that's supposed to grab you. We've seen this kind of scam before where a website says your computer's been locked, and it may even play an audio file. 

Dave Bittner: [00:01:54]  Right. 

Joe Carrigan: [00:01:54]  But this one's a little bit different. First, the webpage does prompt the user to pay 1,500 Singapore dollars, which is about a thousand dollars U.S... 

Dave Bittner: [00:02:01]  OK. 

Joe Carrigan: [00:02:01]  ...In a fine to unlock their computer. 

Dave Bittner: [00:02:04]  Oh. 

Joe Carrigan: [00:02:04]  But to make this webpage more believable, this page puts the browser into full-screen mode. And part of that full-screen mode is a Windows 10 desktop image. 

Dave Bittner: [00:02:17]  Oh. 

Joe Carrigan: [00:02:17]  Now... 

Dave Bittner: [00:02:17]  Interesting. 

Joe Carrigan: [00:02:19]  ...We used to do this back in my help desk days... 

Dave Bittner: [00:02:22]  (Laughter). 

Joe Carrigan: [00:02:22]  ...Right? - with our fellow help desk people on computers before we all knew to lock our computers on a regular basis, right? 

Dave Bittner: [00:02:30]  Yeah. 

Joe Carrigan: [00:02:30]  One of my co-workers went to another one of my co-workers' desktop, took a screenshot of his desktop, then took all of his desktop icons, put them into a little folder, hid that over to the side and then replaced his wallpaper with the screenshot. 

Dave Bittner: [00:02:45]  Yeah. 

Joe Carrigan: [00:02:45]  And then the guy would come back, and he would say, why are none of my icons working when I double-click on them? 

Dave Bittner: [00:02:51]  (Laughter). 

Joe Carrigan: [00:02:51]  Because you're not clicking on an icon; you're clicking on an image... 

Dave Bittner: [00:02:53]  Right. 

Joe Carrigan: [00:02:54]  ...A screenshot. 

Dave Bittner: [00:02:55]  Right. 

Joe Carrigan: [00:02:55]  One time, we were running SETI@home on our computers. This is actually when I moved into development. 

Dave Bittner: [00:03:00]  Yeah. 

Joe Carrigan: [00:03:00]  They used to have this really pretty graphic that would show you all the noise of the space noise you were listening to. 

Dave Bittner: [00:03:06]  Yeah. 

Joe Carrigan: [00:03:06]  And every now and then, there would be a spike in that noise. 

Dave Bittner: [00:03:10]  Yeah, E.T. phoning home. 

Joe Carrigan: [00:03:11]  Right. But it's random, right? 

Dave Bittner: [00:03:13]  Yeah. 

Joe Carrigan: [00:03:14]  But I took a screenshot where there was a spike on it. And then I drew an arrow to it. And I took a screenshot of a dialog box. And I mixed it all together, and I edited it up. It said, congratulations; you found an extraterrestrial signal. Please call SETI@home right now at this number. And the guy calls the number. And it's obviously not SETI@home, right? 

Dave Bittner: [00:03:36]  OK. 

Joe Carrigan: [00:03:36]  It's a completely different number. But... 

Dave Bittner: [00:03:38]  Is it, like, Burger King or something? Or... 

Joe Carrigan: [00:03:40]  No, Dave. 

Dave Bittner: [00:03:41]  (Laughter). 

Joe Carrigan: [00:03:41]  It was not anything so innocuous as... 

Dave Bittner: [00:03:43]  I see. OK. 

Joe Carrigan: [00:03:44]  In my youth, I was a little bit of a jerk. 

Dave Bittner: [00:03:46]  (Laughter) Really? Just in your youth? 

Joe Carrigan: [00:03:48]  Yeah (laughter). 

Dave Bittner: [00:03:49]  OK. Go on. Keep going. 

Joe Carrigan: [00:03:51]  He got me back, though. 

Dave Bittner: [00:03:52]  (Laughter). 

Joe Carrigan: [00:03:52]  He installed the Blue Screen of Death screensaver. 

Dave Bittner: [00:03:55]  Oh, I'm not familiar with that, being a Mac guy. 

Joe Carrigan: [00:03:57]  Well, OK. 

[00:03:58] (LAUGHTER) 

Joe Carrigan: [00:04:00]  Well, you're familiar with the Blue Screen of Death, right? 

Dave Bittner: [00:04:02]  Yes. 

Joe Carrigan: [00:04:03]  Well, this was a screensaver that would pop on. You'd get something that looks like the Blue Screen of Death. And I actually wound up calling the help desk over that. And (laughter) so he got me pretty good. So... 

Dave Bittner: [00:04:15]  You wacky nerds and your... 

Joe Carrigan: [00:04:18]  Right, yeah. And our stories. 

Dave Bittner: [00:04:19]  Yes (laughter). 

Joe Carrigan: [00:04:21]  But this is why it's effective: because this webpage looks like the desktop, right? I mean, these are the kind of things - the same tricks that we used to pull on each other as pranks. These scammers are now using that to make money. And they've made about $22,000 off of five of these websites in the past - I think since the beginning of the year. There are a couple things you can do to protect yourself. No. 1, these are always a scam, right? Whenever somebody says law enforcement has locked your computer, that's a scam. 

Dave Bittner: [00:04:49]  Yeah. 

Joe Carrigan: [00:04:50]  They do not lock your computer for illegal content like this. They... 

Dave Bittner: [00:04:55]  No, if law enforcement wants your computer... 

Joe Carrigan: [00:04:57]  They show up, and they take it. 

Dave Bittner: [00:04:59]  ...They're coming - yes, right. They're coming to take your computer. 

Joe Carrigan: [00:05:02]  Yeah. 

Dave Bittner: [00:05:02]  And they're not giving you a warning. 

Joe Carrigan: [00:05:04]  Right - nope. So understand that it's always a scam. If you press the Alt key and then the Tab key, that may let you switch windows. Or you can press Ctrl Alt Delete, which will bring up - and then select Task Manager, and then kill the browser. And then when you reload the browser, don't reload the tabs. Just start a new session over. And also, if you have a Windows computer, that keyboard has a little Windows key on it. You press that, that will open up the Start menu. So you can start looking through that and doing other things as well and use your computer. You may not be able to click on the icon in the lower left-hand corner because the webpage might be covering that up. And it might not be an icon. And it will look to you like it's locked. But pressing the Windows key will always open that up. 

Dave Bittner: [00:05:48]  (Laughter) You remind me of the pranks. There was a - back in the day - this was back in the '90s, before Mac had OS X. There was a system extension you could load called SpeedChopper. And the idea with SpeedChopper was that every time you restarted the computer, it would slow the computer down by 1%. And the notion was you'd put this on your boss' machine. And every time your boss restarted the machine - and back in the OS 9 days, you were restarting your machine a lot. 

Joe Carrigan: [00:06:14]  Right (laughter). 

Dave Bittner: [00:06:15]  And every time your boss restarted the machine, it would get a little bit slower. So eventually, your boss would get tired of this machine being so slow, would buy a new machine. You would get the hand-me-down from your boss, uninstall SpeedChopper, and you had a nice, fast machine. 

Joe Carrigan: [00:06:30]  (Laughter). 

Dave Bittner: [00:06:30]  That was the plan behind SpeedChopper, so... 

Joe Carrigan: [00:06:34]  You did a little bit of your own scamming there, Dave. 

Dave Bittner: [00:06:36]  Well, at the time, I was self-employed, running my own company, so it didn't really go very far. But... 

Joe Carrigan: [00:06:41]  (Laughter) You're going to hand yourself down the machine. 

Dave Bittner: [00:06:42]  Yeah, exactly, exactly. All right. Well, it's a good story - something to be on the lookout for, certainly. 

Joe Carrigan: [00:06:49]  These scams actually catch people from time to time. I know people who have fallen for these website scams that say there's something wrong with your computer or your computer has been locked. And it's always a scam. It's just always a scam. That's not how these things work. 

Dave Bittner: [00:07:01]  Yeah, but you can understand that feeling that flushes through you when - the specter of having law enforcement... 

Joe Carrigan: [00:07:09]  Right. It's the exact same feeling when you see the lights go on in your rearview mirror, you know? 

Dave Bittner: [00:07:12]  (Laughter) Right. 

Joe Carrigan: [00:07:13]  Even if you're not getting pulled over - if you're not the one getting pulled over, it's still a terrifying experience. 

Dave Bittner: [00:07:18]  Yeah. All right, well, my story this week comes from the folks over at Bleeping Computer. And this is a story about the Nemty Ransomware. And Nemty is a strain of ransomware that not only locks up your data on your computer but also exfiltrates some of that data. 

Joe Carrigan: [00:07:36]  Right. 

Dave Bittner: [00:07:36]  So it copies that data off of your computer, sends it to the bad guys. And this is the latest trend in ransomware - that if you don't pay the ransom, not only will you not get your files back, but they will start posting your personal information or your private information, your company's information... 

Joe Carrigan: [00:07:53]  Right. 

Dave Bittner: [00:07:53]  ...On a public website. And that is a way that they... 

Joe Carrigan: [00:07:56]  This is how they're... 

Dave Bittner: [00:07:56]  ...Turn on the heat. 

Joe Carrigan: [00:07:57]  ...Changing the economics of it because a lot of people are saying, we're not paying the ransom 'cause we have good backups, 'cause ransomware has been around for a while, right? 

Dave Bittner: [00:08:04]  Right, right. 

Joe Carrigan: [00:08:04]  So the situation has changed. So what they're doing now is they're exfiltrating and threatening to release the data. 

Dave Bittner: [00:08:10]  Yeah. 

Joe Carrigan: [00:08:11]  I don't know that I would ever recommend being incentivized by them committing to not releasing the data because there is no way that you have to demonstrate that they won't release the data or sell it to a competitor. 

Dave Bittner: [00:08:24]  Yeah, yeah. Well, it's a good reason to have your data encrypted at rest. 

Joe Carrigan: [00:08:28]  Yes, it is. 

Dave Bittner: [00:08:29]  (Laughter) So if your data is always encrypted on your machine, even if they get it, they can't do anything with it... 

Joe Carrigan: [00:08:34]  That's right. 

Dave Bittner: [00:08:34]  ...Because they won't have the keys. 

Joe Carrigan: [00:08:35]  That's correct. 

Dave Bittner: [00:08:36]  But none of this is the reason why I bring up this story. That's all backstory for the main story. The main story is how they are distributing this. They are using the most minimalist way possible. So imagine yourself getting an email message. And the message subject line is something like, don't tell anyone, or, I love you, or, letter for you, or... 

Joe Carrigan: [00:08:58]  There was an entire virus that spread with an email called ILOVEYOU... 

Dave Bittner: [00:09:01]  Yes. 

Joe Carrigan: [00:09:01]  ...Back in the early 2000s. 

Dave Bittner: [00:09:03]  ...Will be our secret... 

Joe Carrigan: [00:09:03]  Right. 

Dave Bittner: [00:09:04]  ...Or, can't forget you. And when you open up the email, all it is is a single emoji - with just a little winking emoticon - nothing else except the attachment, which is also called LOVE_YOU. And it is a zip file. And if you unzip the file, it is a heavily obfuscated JavaScript file also named LOVE_YOU. And that is what loads the Nemty Ransomware payload. So what they're taking advantage of here is by not sending you hardly anything, your curiosity gets going. What could be the harm in this simple little message? 

Joe Carrigan: [00:09:45]  Right. 

Dave Bittner: [00:09:45]  There's no problem with any sort of bad English. There are no spelling errors. There's no broken English. It's just a little wink. And it's enough for a lot of people to get their curiosity piqued to say, well, who loves me? Someone has affection for me. Who could it be? I'll just look inside here and see what it is. 

Joe Carrigan: [00:10:07]  Yeah, this is the exact same way that the ILOVEYOU virus spread. 

Dave Bittner: [00:10:11]  Now, what's interesting is this particular ransomware, Nemty, is - it has a low VirusTotal detection rate. 

Joe Carrigan: [00:10:17]  Right. 

Dave Bittner: [00:10:18]  Now, what does that mean, Joe? 

Joe Carrigan: [00:10:19]  That means they don't have a signature for it in VirusTotal. 

Dave Bittner: [00:10:22]  So you unzip this file, and then what happens? 

Joe Carrigan: [00:10:26]  Well, there's this JavaScript file that's in there - is LOVE_YOU.js. And if you double-click on that, it will open up in your browser - or it may open up in your browser... 

Dave Bittner: [00:10:33]  Yeah. 

Joe Carrigan: [00:10:33]  ...Depending on how you have your settings set. 

Dave Bittner: [00:10:35]  OK. 

Joe Carrigan: [00:10:35]  If you're a developer, it may open up in an editor. But if you are a user, it may open up in a browser. And if it opens up in a browser, your browser's going to execute the JavaScript, and that could be anything. And that's what runs the install script for the ransomware. 

Dave Bittner: [00:10:49]  I see. So that installs an executable and then runs it. 

Joe Carrigan: [00:10:53]  Right. 

Dave Bittner: [00:10:54]  And that's the ballgame. 

Joe Carrigan: [00:10:55]  Yeah, I don't think the JavaScript here is the ransomware. The JavaScript is just a way to get and start the ransomware. 

Dave Bittner: [00:11:00]  I see. Well, I mean, there is some good news here. There are some decryptors for some of the versions of the Nemty Ransomware. So it's possible that if you find yourself a victim of this, there may be a decryptor. It's always a bit of a cat and mouse with these sorts of things. The developers of the ransomware are updating the types of encryption they use, and people work on building encryptors and so forth. The bottom line is spread the word that just because there isn't very much in a message here, that could be a sign that something's up. 

Joe Carrigan: [00:11:30]  Right. 

Dave Bittner: [00:11:30]  Don't fall for it. Don't be seduced by the... 

Joe Carrigan: [00:11:34]  The simplicity of the message. 

Dave Bittner: [00:11:36]  Yeah, absolutely. All right. Well, that is my story. It is time to move on to our Catch of the Day. 

[00:11:42] (SOUNDBITE OF REELING IN FISHING LINE) 

Dave Bittner: [00:11:46]  Our Catch of the Day comes via Bored Panda. This is an article they posted here. It's "My Wife Spent Three Days Trolling a Scammer." And we have a series of screen captures here of a woman leading the scammers along. This is a pretty standard attempt to get her to buy some gift cards. 

Joe Carrigan: [00:12:04]  Right. 

Dave Bittner: [00:12:04]  But she does a good job of sending them down a path. Tell you what. Joe, why don't you play the scammer? And I will play the wife. 

Joe Carrigan: [00:12:12]  OK. Good day, Sara. Please, do you have a moment? Regards. 

Dave Bittner: [00:12:17]  Sure. What can I do for you? 

Joe Carrigan: [00:12:19]  Sara, sorry I'm putting this to you. I'm tied up right now. Can you purchase iTunes gift card - five pieces, $100 each? I would reimburse you when I am through here. Let you know I also would prefer to call you but can't receive or call at the moment with my line. 

Dave Bittner: [00:12:37]  Sure. Where can I meet you to give them to you? 

Joe Carrigan: [00:12:39]  You can get them at any store around. Just remove the silver strips at the back and send he picture of the codes through there (ph). Can you take care of that now? I will reimburse you once I am through here. Thanks. 

Dave Bittner: [00:12:51]  I really would feel more comfortable giving them to you in person. 

Joe Carrigan: [00:12:54]  I would love to receive it in person, but I am very busy at the moment. 

Dave Bittner: [00:12:57]  I can just drop them by your house. 

Joe Carrigan: [00:12:59]  Sara, this is needed urgently. I am not at home at the moment. Thanks. 

Dave Bittner: [00:13:04]  I could bring them to the meeting. 

Joe Carrigan: [00:13:06]  Sara, why all this? Send the cards through here. Thanks. 

Dave Bittner: [00:13:10]  Remember I told you last week I had to send my phone in for a battery replacement? I don't really have a way to take pictures right now. I'll just bring them to the meeting. 

Joe Carrigan: [00:13:17]  This is needed urgently. Bring them to the meeting will be useless because it is needed right now. Use your computer to take a picture of the cards. Ask anyone around you to help with he or her phone to take pictures of the cards. 

Dave Bittner: [00:13:31]  I don't have anybody around. Why is this so urgent? The meeting is tomorrow. I'll bring them then. 

Joe Carrigan: [00:13:36]  I need them today, not tomorrow. 

Dave Bittner: [00:13:38]  I don't even know if my laptop has a camera in it. How would I find out? 

Joe Carrigan: [00:13:42]  Turn on your cam. 

Dave Bittner: [00:13:43]  I don't know how to do that. I don't even know if I have a camera at all. Where does it say? 

Joe Carrigan: [00:13:47]  At the top of the screen. The go to system setting will turn it on. 

Dave Bittner: [00:13:52]  I don't see settings at the top of the screen. 

Joe Carrigan: [00:13:54]  The camera is at the top of the lap to screen. The go to the setting to turn it on. Did you have anyone around to help you out? 

Dave Bittner: [00:14:02]  Oh, you know Sam. He's useless with these things. He says he can just bring it (ph) by your place tonight. 

Joe Carrigan: [00:14:07]  I will appreciate Sam to bring them but am not at home. Don't know what to do right now. Can't you find someone (ph) else to help you out? 

Dave Bittner: [00:14:14]  Well, he can leave them on your doorstep. You know, we still have your casserole dishes. That sweet potato casserole was so much appreciated. 

Joe Carrigan: [00:14:22]  You're welcome. But don't drop it on my doorstep. I will so much appreciate if you can send them through here due to the urgency need of this card. Try all you could to (ph) get them send on here. 

Dave Bittner: [00:14:32]  Well, I've got the cards, but I just don't know how to send them. I clicked the button to look for settings, but nothing says settings. I'm afraid I'm just going to (ph) have to hand them to you tomorrow if you don't want them sitting on your doorstep. I mean, Sam could put them inside the screen door, or maybe under the mat. 

Joe Carrigan: [00:14:47]  Sara, I so much appreciate your kindness. 

Joe Carrigan: [00:14:49]  This guy's really patient. 

Joe Carrigan: [00:14:51]  I am not home yet, and I don't think I will be coming home today. I don't know why you find it so hard to send me the cards here. Just remove the silver strips at the back and send he picture of the codes through here. Look for other means to send them here. Thanks. 

Dave Bittner: [00:15:06]  I'd love to, and I've got the strips off, but I just can't figure this darn machine out. I think it does have a camera if that's what the dot on the top of the screen is. You're so much better at this technology stuff than I am. Do you have your presentation ready for the meeting tomorrow? I'm really looking forward to it. 

Joe Carrigan: [00:15:21]  Yes, I will get them ready before the meeting tomorrow. Seem you have remove the strips on the card. You can type them out one after the other and send them here. 

Dave Bittner: [00:15:29]  I don't think that's a good idea. You know, Katie told me to never send important numbers like that through email. This is so silly. I'll just hand them to you tomorrow, along with your dishes. What are you bringing for the potluck? 

Joe Carrigan: [00:15:40]  That will be surprise for tomorrow. Yes, she said so, but I requested for this. If you can't send it right now, it will be useless tomorrow. 

Dave Bittner: [00:15:48]  I really don't think that's a good idea. Katie's so smart with computers. Did you get her wedding invitation yet? They're so elegant. If you need it tonight and you're out, why don't you just drop by the house? You know we're up late, especially with all the fireworks this week. 

Joe Carrigan: [00:16:01]  Sara, your questioning are much. I don't know when you start acting this way. 

Dave Bittner: [00:16:06]  Well, I'm just trying to be safe. You know how Katie would make me feel so silly if anything ever happened. She already thinks I'm such an old dingbat. I just feel like a picture would be safer to send. 

Joe Carrigan: [00:16:16]  I understand everything. Seems you are having issues sending picture. You can type it out and get it sent to me here. Everything is safe, Sara. Stop overacting. Have you type the cards codes, Sara? Am waiting. 

Dave Bittner: [00:16:28]  Well, I don't feel comfortable doing that through email. Is this for your presentation tomorrow? You didn't tell me if you got Katie's invitation. She worked so hard on them. Sam says it looks like she's opening a bordello, but you know how vulgar he can be. So I think I got it working. Is this what you needed, or is it (ph) too late for what you need it for? 

Joe Carrigan: [00:16:46]  And this looks like an image that came from Google Images. 

Joe Carrigan: [00:16:49]  OK, send the rest. Yes, Sara, you got it right. Send the remaining four the same way. Not too late. I still need them. Thanks. 

Dave Bittner: [00:16:57]  I still don't see why on Earth I can't just give them to you later today. It's like you don't even want your casserole dish back. 

Joe Carrigan: [00:17:02]  I want my casserole dish back. Sara, am not up for this today. I wonder why you are sending me fake cards. Please stop it. I don't like the way you are acting. 

Dave Bittner: [00:17:12]  Fake cards? They aren't fake cards. I bought them from a nice young man in front of Target. 

Joe Carrigan: [00:17:16]  Okey (ph), snap all the cards and send them here. 

Dave Bittner: [00:17:20]  And she sends the same picture of - a sample picture of a card. 

Joe Carrigan: [00:17:23]  Right. 

Dave Bittner: [00:17:23]  Oh, whoops. You know I'm not very good at these things. Really, I don't know why you're so snappy today. You must be really nervous about that presentation. It's just the League of Women Voters. It's not a tank of piranhas. 

Joe Carrigan: [00:17:35]  (Laughter). 

Dave Bittner: [00:17:35]  How's this one, you revolting parasite? I hope somebody tries to scam your sweet, trusting grandmother. And I hope that all your sweet potato casseroles taste like dog-something. Have a great day. 

Joe Carrigan: [00:17:46]  A new email comes in on the chain. 

Joe Carrigan: [00:17:48]  You are sick, big idiot. 

Joe Carrigan: [00:17:49]  And that's the end of the chain. But this is really good. I like this. 

Dave Bittner: [00:17:53]  Yeah. 

Joe Carrigan: [00:17:54]  And, Dave, again, I am filled with respect for your ability to read through these things without stammering through this. 

Dave Bittner: [00:18:00]  (Laughter). 

Joe Carrigan: [00:18:00]  There - our listeners should know there's a lot of editing that goes in when I read the scammer's portion of this (laughter). 

Dave Bittner: [00:18:08]  Yeah, my amazing ability to completely disengage my brain. 

Joe Carrigan: [00:18:12]  Right. 

Dave Bittner: [00:18:12]  It's a gift, yeah (laughter). 

Joe Carrigan: [00:18:15]  I'll bet it comes in handy in more ways than just reading bad text. 

Dave Bittner: [00:18:17]  Oh, you have no idea - no idea. All right, well, that's our Catch of the Day. Coming up next, my conversation with Gretel Egan. She's from Proofpoint. And we're going to be talking about the 2020 State of the Phish Report. 

Dave Bittner: [00:18:28]  But first, a word from our sponsors, KnowBe4. Now let's return to our sponsor's question about the attacker's advantage. Why do the experts think this is so? It's not like a military operation, where the defender is thought to have most of the advantages. In cyberspace, the attacker can just keep trying and probing at low risk and low cost, and the attacker only has to be successful once. And as KnowBe4 points out, email filters designed to keep malicious spam out have a 10.5% failure rate. That sounds pretty good. Who wouldn't want to bat nearly .900? But this isn't baseball. If your technical defenses fail in 1 out of 10 tries, you're out of luck and out of business. The last line of defense is your human firewall. Test that firewall with KnowBe4's free phishing test, which you can order up at knowbe4.com/phishtest. That's knowbe4.com/phishtest. 

Dave Bittner: [00:19:28]  And we are back. Joe, every year, the good folks over at Proofpoint - they put out a publication called their State of the Phish Report. And, of course, it's all about phishing and all the things related to that. They recently put out the one for this year, for 2020. And I had the opportunity to speak with Gretel Egan from Proofpoint all about that report. Here's our conversation. 

Gretel Egan: [00:19:54]  We've really looked in three different areas. First, we did a third-party survey of working adults from around the world. And we did want to focus specifically on working adults because the findings that we found there, we wanted to be able to make that direct line to what organizations are experiencing with their workers, so focused in on that. Also, again, looked at infosec experiences via a third-party survey. More than 600 people participated in that survey across a range of roles, including CISOs and sysadmins and a bunch of different roles that participate in security awareness training. 

Gretel Egan: [00:20:32]  And then we looked at our own data. And on that first point, we found that there really is a continued issue with general cybersecurity awareness and knowledge among working adults around the world. We have people who still - only about 60% globally who are able to identify the definition of phishing from a multiple-choice array. And that is - at a very basic level, we asked, what is phishing, and gave three definition examples and asked people to pick the right one. Only about 60% were able to identify that definition. So what we're really finding is there continues to be what I like to call a cybersecurity language gap, basically. You know, we have infosec teams who may be going out and speaking to their people, using terminology that they just straight-up do not understand. 

Gretel Egan: [00:21:27]  So what we really want to convey to people who are, you know, trying to educate their users is for them to understand that they may have to start at a much more basic level than they anticipate. And if they've not started at that fundamental level, they may have, you know, skipped ahead and lost a bunch of people along the way just from using terminology that people don't understand. 

Dave Bittner: [00:21:54]  Since you've been tracking this for a number of years now, what are you seeing in terms of trends? How have things changed over time? 

Gretel Egan: [00:22:02]  Well, one thing that we really saw come roaring back, and not surprisingly, for 2019 were infosec teams saying that they experienced ransomware infections. And we did see a significant falloff in ransomware in general in 2018 - certainly came bubbling back to the surface in 2019, and it obviously continues to be a big problem. That trend, of course, different from the prior year, but also, I think, because the landscape was different in 2019 than it was in 2018. And that's something for people to keep in mind. You know, we caution people from doing a kind of set-it-and-forget-it approach to security awareness training because the threat landscape can change so significantly. People probably didn't have to talk to users about ransomware that much in 2018. But not having that conversation could have left them less prepared for 2019 when ransomware came back. 

Dave Bittner: [00:23:09]  In terms of training the employees - investing in training for their employees, where do we stand with that? 

Gretel Egan: [00:23:17]  Among the people that we've surveyed - and, again, this was a third-party survey of 600 infosec professionals around the world - we do see a fair number, a good number of people saying that they are doing some level of security awareness training for their users. We had 78%, in fact, saying that the efforts that they're expending are delivering measurable results for them, which is terrific and, you know, certainly something that we've advocated for a long time - that if you put the effort in with your users, you will see improvement in behaviors. 

Gretel Egan: [00:23:57]  The one caveat I would say there is that we saw only about 60% of organizations saying that they're doing some level of formal training session, be that in-person training or computer-based training for their users. We caution that if people are relying strictly on simulated phishing attacks and things like newsletters and posters, those kind of more passive, awareness-driven activities to drive behavior change, it's going to be difficult to move the dial. A simulated phishing attack in itself is just capturing a moment in time, really. It's one example of one type of phishing attack. So a user's interaction or noninteraction with that simulated phishing test is really only going to give them a small glimpse at what phishing is and can be overall. It's really important to take the step to do some more formalized training around phishing and other cybersecurity behaviors in order to help users learn what they need to look for on a broader sense, not just with one type of email example that they were sent. 

Dave Bittner: [00:25:14]  Is there any sense in terms of where organizations can get the best bang for their buck? In terms of investing in protecting themselves against phishing, where do you recommend they begin? 

Gretel Egan: [00:25:26]  Obviously, technical defenses are important. We would never advocate for anyone to rely strictly on security awareness training to protect their organization. Clearly, technical safeguards are a huge and important factor in protecting against phishing attacks. However, we also know that some things will always slip past perimeter defenses. These technical safeguards we put in place - they're not foolproof. They're not a hundred percent. 

Gretel Egan: [00:25:58]  So it really is important to understand that because attackers are focusing on people - and we've seen that for certain. They are absolutely looking up and down and across org charts to find people to target. And they are very aggressive in going directly to people. So in that case, if we have organizations that are not focusing on their people, they absolutely need to make that mindset shift and make that change. 

Gretel Egan: [00:26:31]  From where we sit, the best way to move the dial on behavior change - and, really, that is what organizations are seeking. They want their users to behave differently than they are currently behaving. So it is about a combination of risk identification - and that means understanding the types of vulnerabilities that exist within your organization, both from phishing tests - the things that phishing tests can teach you - but also looking to your threat intelligence, understanding the people in your organization that are being targeted and the ways they're being targeted. Are attackers using credential compromise? Are they looking to install back doors? Is it more of a BEC situation? You know, examining those things and then crafting your training to address the issues that you really see within your organization. 

Gretel Egan: [00:27:27]  We love State of the Phish. It's great for benchmarking. It's great for opening some eyes and telling people and providing some guidance. But, really, it's that last piece, guiding people to understand the data that they have within their organization and then using that data to their benefit, because other people's data, obviously, is interesting and important from a benchmarking perspective, but, really, it's what's happening within your own organization that can tell you the places that you are most vulnerable, help you stop, you know, making assumptions about where the dangers are, about who the problem children are within your organization, really focusing your attention and then driving not only an effective program, but an efficient program. 

Dave Bittner: [00:28:16]  Joe, what do you think? 

Joe Carrigan: [00:28:16]  This report is now one of the big annual security reports, much like the Verizon Data Breach Investigations Report. 

Dave Bittner: [00:28:21]  Yeah. 

Joe Carrigan: [00:28:22]  Right? This is actually - it has a lot of insightful information in it. One of the key things that Gretel talked about was the issue of awareness is still big. Sixty percent of people get the right answer when they're choosing from three choices about what phishing is. This illustrates Gretel's point about the cybersecurity language gap. We in tech and in cybersecurity make so many assumptions about the audience and what they know. We - and this is not just unique to cybersecurity or tech. It happens in the medical field. It happens in the accounting field. I've had people from both those fields talk to me, and I have no idea what they're talking about and have to ask them to explain it. 

Dave Bittner: [00:28:56]  Right. 

Joe Carrigan: [00:28:57]  Right? 

Dave Bittner: [00:28:57]  Right. 

Joe Carrigan: [00:28:57]  Now, I have no problem asking them to explain it because that's exactly what I would want if I said to somebody, you're going to be susceptible to a phishing attack, and they didn't know what a phishing attack was. I would want them to say to me, what's a phishing attack? But it's not human nature to do that. 

Dave Bittner: [00:29:11]  No, I think we all have that impulse to - not to be embarrassed by not knowing something. 

Joe Carrigan: [00:29:16]  Right. 

Dave Bittner: [00:29:17]  So you sort of stay quiet and hope that you're going to figure it out along the way. 

Joe Carrigan: [00:29:20]  Exactly. 

Dave Bittner: [00:29:20]  One of the things I've learned that's very helpful for me is to interrupt politely and say, I'm sorry; I don't know what that means. 

Joe Carrigan: [00:29:27]  Yeah. 

Dave Bittner: [00:29:27]  And then you'll get an explanation. And then you know. 

Joe Carrigan: [00:29:29]  Right. But we don't want to do that... 

Dave Bittner: [00:29:31]  Yeah. 

Joe Carrigan: [00:29:31]  ...As people. And when you're trying to teach people or talk to people about cybersecurity, you have to understand that nobody's going to ask you that and explain it to somebody who doesn't really know what the jargon and the lingo is. Security training must be ongoing is another point that she made. You can't just do it one and done, fire and forget, right? It's not that. Two reasons for this. One, the landscape changes all the time. 

Dave Bittner: [00:29:57]  Right, right. 

Joe Carrigan: [00:29:57]  And two, people need to be reinforced. The DOD has annual security training requirements for everyone who holds a clearance. You have to go and complete some kind of opsec training. Another point here is phishing tests alone are not going to work. I've said this numerous times. There is no one thing that's going to work. You need a full-featured plan that includes people, technology, policy and training. 

Dave Bittner: [00:30:20]  Yeah, yeah. 

Joe Carrigan: [00:30:20]  And you need to attack it from all sides. 

Dave Bittner: [00:30:23]  Again, I find it helpful to compare it to public health. Washing our hands isn't going to - I mean, it's going to help a lot, but it's not the only thing. There are many other things. It's a system. It's an ecosystem. 

Joe Carrigan: [00:30:33]  Correct. 

Dave Bittner: [00:30:34]  Many different things have to happen to be successful. 

Joe Carrigan: [00:30:36]  It's got to be a system. And nothing is 100% foolproof. And your policy needs to include planning for what happens when everything fails because eventually, it will, right? You need to have some kind of disaster recovery plan... 

Dave Bittner: [00:30:47]  Right. 

Joe Carrigan: [00:30:48]  ...Business continuity plan and things of that nature. Those should be part of your security or risk planning. Another great point that Gretel makes is that your security program must be tailored to address the risks of your organization. There is no cookie-cutter security plan that's going to work. You can't just copy and paste someone else's security plan. They're going to have different risk tolerances, different system requirements, different people in their organization than you're going to have. 

Dave Bittner: [00:31:13]  Yeah. 

Joe Carrigan: [00:31:13]  It has to be custom for every single organization. That doesn't mean it has to be complicated. That doesn't mean there aren't commonalities you can leverage. But you should not delude yourself into thinking that you can just slap some kind of policy up that everyone else uses and say that'll be good enough. 

Dave Bittner: [00:31:29]  Yeah. And the work you do now could save you a lot of heartache in the future. 

Joe Carrigan: [00:31:32]  Absolutely. An ounce of prevention is worth a pound of cure - right? - that old saying. 

Dave Bittner: [00:31:37]  Yeah. All right. Well, again, thanks to Gretel Egan from Proofpoint for joining us. Do check out their 2020 State of the Phish Report. Lots of good information in there. We want to thank all of you for listening. 

Dave Bittner: [00:31:48]  And, of course, we want to thank our sponsors at KnowBe4. They are the social engineering experts and the pioneers of new-school security awareness training. Be sure to take advantage of their free phishing test, which you can find at knowbe4.com/phishtest. Think of KnowBe4 for your security training. Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: [00:32:11]  The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: [00:32:25]  And I'm Joe Carrigan. 

Dave Bittner: [00:32:25]  Thanks for listening.