Two major hacks within the last month, the Sony and CENTCOM hacks, haven't been attributed to poor awareness as of yet, but it is likely that they will be. One of the key issues of the Sony hack was that there were administrator credentials hardcoded into the malware. As the theory of the disgruntled employees has now been discounted, and it appears to be the work of a foreign intelligence agency, it was reported that the credential were obtained through spearphishing.
In the case of the US Central Command, aka CENTCOM, the organization's Twitter and YouTube accounts were compromised. These attacks are likely very similar to past Syrian Electronic Army hacks, where spearphishing compromised the passwords of organizations' social media accounts. Even if it involved easily guessable passwords, or password reuse, all of the issues involve bad security awareness.
Similarly, the infamous Target and Home Depot hacks, which involved the compromise of point-of-sales systems, were initially enabled by spearphishing attacks. The Verizon Data Breach Investigation Report has several categories related to failings of user awareness and more than half of all incidents detailed involve awareness failings.
Yet security awareness programs are frequently treated as minor elements of organizational security programs. The awareness program is frequently first to have its budget cut, and usually is minimally funded to begin with. While many security programs include some level of phishing simulation, such simulations are not true awareness efforts, but what should be considered a small metrics collection effort within an overall awareness program.
Before discussing this further, it must be acknowledged that awareness efforts should be a piece of an overall security program and a part of a defense-in-depth strategy. For example, Sony should have implemented multifactor authentication on its critical servers, so that a password compromise would have had minimal impact. With the Target hack, the network should have been much better segmented, so that vendor credentials should not have yielded access to the same network that included the point-of sales systems.
However as you look at the major incidents that have been making front page headlines, while costing the effected organizations tens of millions of dollars and great embarrassment, it is clear that security awareness should be taken seriously by all security programs. Organizations need to examine how to better implement awareness programs, and start allocating the appropriate resources to such programs.
While some people are going to contend that the attacks mentioned demonstrate how awareness has failed, the fact is that they also demonstrate how just about every technical security countermeasure has failed. In the Sony hack, access controls failed. Data leak prevention failed. Anti-malware failed. Encryption efforts failed. In the Target hack, there was likewise a failing in the overall attack kill chain, comprised of both technical and non-technical countermeasures. The same can be said for every major hack out there.
Sign up for Computerworld eNewsletters.