Letter from the CISO, Vol 1 Issue 3
Washington University Community:
“Keep Information Security Simple” has been my motto for nearly a decade. This month, I’d like to share an important thing that everyone can do to improve our security—slow down, just a little bit because haste makes good people fall for bad tricks.
In the first issue, I argued that the University truly needs your help to prevent cybercrime. Last month, I argued that “The One Thing” everyone should do to protect themselves is turn on 2-Factor Authentication whenever possible.
This month, I encourage you to adopt a healthy dose of skepticism and paranoia.
Please read what follows carefully. There will be not one but two tests.
The Most Important Security Thing to Do (That’s Almost Impossible)
In a white paper, “Root Causes of Ransomware,” Roger A. Grimes from KnowBe4 uses meta-analysis to assess the root causes behind ransomware, concluding:
“It is safe to say that social engineering is the most consistent number one root cause. Social engineering was picked as the number one reason for successful exploitation by ransomware.” (Emphasis added)
Social engineering leverages psychology and our natural decision-making biases to encourage us to do things that aren’t in our best interest, often without our awareness. For example, con artists create a sense of urgency that short-circuits our critical thinking, leading us to quickly do things we normally wouldn’t.
There are many other examples—I’ll spare you them (for now)—but the key to dodging most of them is to slow down, take a deep breath, and think about whether this seems a little “off,” unusual, or out of character.
In short, be skeptical and a little paranoid.
Unfortunately, that sounds easy, but in truth, it is quite difficult, exhausting, time-consuming, and contrary to our foundational wiring as social beings.
Don’t worry! The Office of Information Security is here to help!
This issue of “Secured!” features a collection of articles on:
- Social Engineering,
- Misinformation,
- Reporting phishing email messages, and
- A real-world example of a “SMiSishing” attack.
Please also see Quint Smith’s June 9, 2021 “Social Engineering Red Flags” article.
In addition, we now subscribe to a library of over 1,000 professionally produced, educational, (mostly) entertaining, online learning modules and games covering a wide range of information security and privacy issues. If you have special concerns and think some of our materials could help you, your team, or your department, please let me know.
About the Two Tests
Above, I mentioned that there would be not just one but two tests.
All of us have been taking—and mostly passing—the first test continuously for years, namely, the real-world phishing attacks we regularly see in our mailboxes. With our new KnowBe4 tools, when you report a suspected phishing message, our office will quickly analyze it for malicious content and communicate with you about it. Most importantly, we will automatically identify copies of the same attack across our system, quarantine them, and remove them. The sooner you report a suspicious message, the more quickly we can make sure no one falls for the attack.
The second test will be in the form of simulated phishing messages. Using simulated phishing messages, we’ll identify and assist more “phish-prone” users and groups. For more information about the simulated phishing program, please read Quint’s newsletter article, “Introducing KnowBe4,” in which he outlines the simulations, why we need them, and how we will use the data from the simulations.
Thank you for your interest in information security and your help in our ongoing fight against cybercrime.
-Chris Shull, CISO