Credit: John Taylor
When a hacker released the contact information of 9,000 DHS employees, it was the result of several awareness failings. The reality is that such failed awareness programs are typical of industry as a whole.
Summarizing the attack, a criminal apparently compromised the user ID and password of a random Department of Justice employee, reportedly through a spearphishing attack. The credentials did not, however, give the attacker the connectivity required, so the attacker most likely called a Department of Justice help desk number. The help desk gave the attacker credentials to some portal and/or VPN connection. From that point, the attacker was apparently able to access the unclassified Department of Justice network, which led to the compromise of FBI and DHS telephone directories and 200GB of unspecified data.
There were two apparent awareness failings. The first was likely the first employee clicking on a phishing message. The second failing was the help desk providing the attacker with credentials to access the network remotely. I am sure that some phishing vendors will claim that if there had been more simulated phishing messages, this would not have happened. Those claims would be foolish. The Department of Justice already engages in phishing simulations. The best they can do is reduce the number of incidents, not the inevitability of one.
However, there is nothing phishing simulations would do to stop the social engineering calls to the help desk. Here is probably the most important aspect: the susceptibility to phishing was irrelevant if the person would not have been given the credentials to access the network.
When you have an organization the size of the Department of Justice, it is inevitable that credentials will be compromised through phishing or social engineering. The only people who believe you can stop all attacks like that are fools or liars. Frankly, multi-factor authentication should have been in place, which would have prevented this attack. However, there was almost a form of multi-factor authentication in place, as the attacker needed additional credentials to access the network remotely.
Again, that layer failed as a result of poor processes and awareness, likely on the part of the help desk. Phishing simulations won’t mitigate that attack vector. Once-a-year videos, designed for a mass population, would not be specific enough for the responsibilities of help desk personnel. Even when you have once-a-month videos, organizations typically run a different topic each month of the year, and the once-a-year social engineering video, which averages under 3 minutes, is not going to have a significant impact against all of the possible ruses a help desk employee might encounter.