Phishing Awareness Training Sucks
Here's the proof
Forget Furbies and Tamagotchis, Casio went from watchmaker to AI pet creator with the release of Moflin. A hamster? Owl? Hamowl... yup, let’s go with that. One dude took it for a spin and discovered that Moflin grades your interaction with it. He might be questioning his relationships after seeing his results…
Anyway, back to cyber. Today, we’re covering:
Fuzzy AI? I’m in.
Proof that security awareness training sucks.
Don’t trust your neighbor’s cyber security.
-Jason
p.s. don’t leave home without this advanced duck duck goose tip.
AI Spotlight
AI + Fuzz Testing = 😌🧸🛌🏿👌
AI and vulnerability research are getting super cozy with each other. And security is benefiting from new advancements in fuzz testing.
WTF is fuzz testing? Like much of what you see on the Internet, fuzz testing is a software testing technique that feeds a computer program a bunch of bad and random data, hoping it causes the program to act differently. If the program has an adverse reaction, like crashing, it could indicate a vulnerability in the code.
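As an added illustration of the idea just described (example code written for this issue, not code from the newsletter, Google, or OSS-Fuzz), here is a minimal mutation-based fuzzer in Python. It assumes a constructed toy parser, parse_record, for a made-up length-prefixed record format with a deliberately planted bug: it trusts the declared payload length. The fuzzer mutates a known-good seed input, feeds each mutant to the parser, and treats any exception other than the parser's own ValueError as a "crash" worth reporting, which is the same signal a real fuzzer uses to flag a potential vulnerability.

```python
import random

# Constructed toy format: 1-byte name length, name, 2-byte big-endian
# payload length, payload. Not a real protocol.
SEED_INPUT = bytes([3]) + b"log" + (5).to_bytes(2, "big") + b"hello"


def parse_record(data: bytes) -> dict:
    """Parse one record. Raises ValueError for malformed input it notices."""
    if len(data) < 1:
        raise ValueError("empty input")
    name_len = data[0]
    name = data[1:1 + name_len]
    if len(name) != name_len:
        raise ValueError("truncated name")
    pos = 1 + name_len
    if len(data) < pos + 2:
        raise ValueError("missing payload length")
    payload_len = int.from_bytes(data[pos:pos + 2], "big")
    pos += 2
    # Planted bug: the checksum loop trusts payload_len without checking it
    # against the bytes actually present. In Python this surfaces as an
    # IndexError; in C it would be an out-of-bounds read.
    checksum = 0
    for i in range(payload_len):
        checksum ^= data[pos + i]
    return {
        "name": name.decode("ascii", errors="replace"),
        "payload": data[pos:pos + payload_len],
        "checksum": checksum,
    }


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply 1-3 random byte-level mutations to a copy of data."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        choice = rng.randint(0, 3)
        if choice == 0 and buf:            # flip one bit
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif choice == 1 and buf:          # overwrite one byte
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif choice == 2:                  # insert a random byte
            buf.insert(rng.randint(0, len(buf)), rng.randrange(256))
        elif choice == 3 and buf:          # delete one byte
            del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(seed_input: bytes, iterations: int, seed: int = 0) -> list:
    """Run the parser on mutated inputs; return one (input, error) pair per
    distinct unexpected exception type. ValueError is the parser's intended
    rejection path, so it is not a finding."""
    rng = random.Random(seed)  # fixed seed so a run is reproducible
    crashes, seen = [], set()
    for _ in range(iterations):
        case = mutate(seed_input, rng)
        try:
            parse_record(case)
        except ValueError:
            continue
        except Exception as exc:           # anything else is a crash
            kind = type(exc).__name__
            if kind not in seen:
                seen.add(kind)
                crashes.append((case, f"{kind}: {exc}"))
    return crashes


if __name__ == "__main__":
    for case, err in fuzz(SEED_INPUT, 2000, seed=7):
        print(f"crash input={case!r} error={err}")
```

Each crash input is a reproducer a developer can replay to find the bug, which is exactly what OSS-Fuzz hands back to maintainers, just at a vastly larger scale and with coverage guidance instead of blind mutation.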
Way back in 2016, Google introduced OSS-Fuzz. It’s an open-source project that automates fuzz testing for open-source software. Developers of widely used software can opt into OSS-Fuzz and use it to identify vulnerabilities in their code. Since 2016, OSS-Fuzz has found over 10,000 vulnerabilities. Oh, and they can get compensated for it too. In its first five years, OSS-Fuzz gave out $600K to over 65 contributors for integrating their projects into OSS-Fuzz.
OSS-Fuzz’s AI love affair started in August 2023. That’s when the team announced they would use LLMs to increase its capabilities. And they’re having good success.
They found 26 new vulnerabilities in projects that already had “hundreds of thousands of hours of fuzzing.” Not too shabby. This was made possible because the LLMs have automated a developer’s entire workflow in fuzzing source code, allowing it to scale well beyond what OSS-Fuzz was doing before.
Security Deep Dive
Proof Security Awareness Training Sucks
As a CISO, I have a confession to make. I hate security awareness training. I know, I know, how dare me. It’s often touted as an essential component of every security program and the first line of defense in protecting your network. And yes, I will recommend people do it. BUT…
It’s the equivalent of keeping your porch light on at night. While it may deter a “small portion of burglaries,” it won’t do anything substantial.
And now, there’s data to support my gut feeling. A recent study looked to understand the efficacy of phishing training. The experiment happened over 8 months and involved “ten simulated phishing campaigns sent to over 19,500 employees at a large healthcare organization.”
I’m going to start with the punchline. The study found the training efforts “offered limited value” and that there was no “significant relationship between whether users have recently completed cybersecurity awareness training and their likelihood of failing a phishing simulation.”
My favorite finding of the study would read like an Onion article. We’ll title it “Executives shocked that employees aren’t paying attention to training videos.” The research found that over half of all training sessions ended within 10 seconds, and less than 24% of users completed the training material.
I wonder how much that healthcare company is paying for that phishing training…
Security awareness training is well-intentioned but ineffective. Is it something I would ensure you do for your users? Sure, especially if you’re required to. However, I would focus on the act of encouraging people to report suspicious emails instead of teaching them not to click on anything.
People will mess up, and that’s okay. That’s why I’d much rather put my security investments towards technical controls to prevent the inevitable slip-up of clicking a link, or towards improved detection and monitoring capabilities to catch the aftermath.
Security & AI News
What Else is Happening?
🧶 This might be my favorite use of AI yet. A company created an AI “Granny” who answers scam calls and keeps the scammers talking in real time. The video release is hilarious. I very much hope the recordings in that video are real because hearing the scammers get angry just feels so good.
🧑‍⚖️ An administrator of the Phobos ransomware group was arrested in South Korea and extradited to the US. Between December 2021 and April 2024, affiliates used the Phobos Ransomware-as-a-Service (RaaS) platform to attack over 1,000 victims and netted over $16 million.
😨 ElevenLabs released a conversational AI agent last week. I played around with it, combining deepfake audio of a friend with its conversational capabilities. I couldn’t help but see that this is a massive step forward for attackers looking to create realistic deepfakes to automate phone scams.
🔓️ A new malvertising campaign is targeting Bitwarden password manager users. The ad tells users they are using an outdated Bitwarden version and urges them to install an updated Chrome browser extension. That malicious browser extension then targets Facebook cookies, including usernames, saved credit card information, and geolocation.
🔥 Law enforcement unsealed criminal charges against five idiots who brought social engineering to the next level in attacks against companies including LastPass, MailChimp, Okta, T-Mobile, and Twilio. These dudes, aged 20-25, showed how easy it was to trick users into giving up their credentials and the devastating effect that can have on organizations.
🇷🇺 Russian nation-state hackers used a victim’s neighbor’s network as a launch pad into their environment. The attackers compromised the victim’s credentials but got stuck at MFA. After this failure, the attackers targeted the victim’s neighbor’s network and used that foothold to probe the victim’s Wi-Fi network. Lo and behold, the stolen credentials allowed them access to the Wi-Fi network without MFA. Voila, the attacker had access to the victim’s network.
If you enjoyed this, forward it to a fellow cyber nerd.
If you’re that fellow cyber nerd, subscribe here.
See you next week, nerd!