Do phishing tests do more harm than good? – Wolfgang Goerlich – ESW #376
A month ago, my friend Wolfgang Goerlich posted a hot take on LinkedIn that is less and less of a hot take these days.
He posted, "our industry needs to kill the phish test",and I knew we needed to have a chat, ideally captured here on the podcast.
I've been on the fence when it comes to phishing simulation, partly because I used to phish people as a penetration tester. It always succeeded, and always would succeed, as long as it's part of someone's job to open emails and read them. Did that make phishing simulation a Sisyphean task? Was there any value in making some of the employees more 'phishing resistant'?
And who is in charge of these simulations? Who looks at a fake end-of-quarter bonus email and says, "yeah, that's cool, send that out."
Segment Resources:
- Phishing in Organizations: Findings from a Large-Scale and Long-Term Study
- The GoDaddy Phishing Awareness Test
- The Chicago Tribune - How a Phishing Awareness Test Went Very Wrong
- University of California Santa Cruz - This uni thought it would be a good idea to do a phishing test with a fake Ebola scare
I’ve spent my career immersed in solving the constant and ever evolving challenge of cybersecurity. The constant change and evolution always keeps it interesting. Right now I’m defining security models for LLM. In the past, l’ve co-led the industry charge towards securing cloud, putting the Sec in DevOps, and making Zero trust deployable and manageable for enterprises of every size. I’m an IANS Al, Zero Trust, and Security Leadership expert and you’ll find me speaking as well as listening at conferences.
Leader, coach, mentor, manager, tinker, tailor, soldier, spy.
Speed, Flexibility, and AI: The Case for Migrating from Legacy SOAR Systems – Whitney Young – ESW #376
In this episode, we explore some compelling reasons for transitioning from traditional SOAR tools to next-generation SOAR platforms. Discover how workflow automation and orchestration offers unparalleled speed and flexibility, allowing organizations to stay ahead of evolving security threats. We also delve into how advancements in AI are driving this shift, making new platforms more adaptable and responsive to current market demands.
Segment Resources:
- Learn more about using Tines for Security
- Peruse the Tines library of 'Stories' built by Tines partners and customers
- Learn how to integrate AI tooling into Tines stories and workflows
This segment is sponsored by Tines. Visit https://securityweekly.com/tines to learn more about them!
Whitney Young is a Solutions Engineering Manager at Tines. Since joining in April 2022, her role focuses on supporting teams in their evaluation of Tines, a smart, secure workflow platform designed to automate any manual task, regardless of complexity. A career sales and technology professional, Whitney works with businesses based in the Western and Central regions of the United States.
Cybersecurity: is the talent gap a myth? Is the industry delusional? – ESW #376
This week, the cybersecurity industry's most basic assumptions under scrutiny. Following up our conversation with Wolfgang Goerlich, where he questions the value of phishing simulations, we discuss essays that call into question:
- the maturity of the industry
- the supposed "talent gap" with millions of open jobs despite complaints that this industry is difficult to break into
- cybersecurity's 'delusion' problem
Also some whoopsies:
- researchers accidentally take over a TLD
- When nearly all your customers make the same insecure configuration mistakes, maybe it's not all their fault, ServiceNow finds out
Fortinet has a breach, but is it really accurate to call it that?
Some Coalfire pentesters that were arrested in Iowa 5 years ago share some unheard details about the event, and how it is still impacting their lives on a daily basis five years later.
The news this week isn't all negative though! We discuss an insightful essay on detection engineering for managers from Ryan McGeehan is a must read for secops managers.
Finally, we discuss a fun and excellent writeup on what happens when you ignore the integrity of your data at the beginning of a 20 year research project that resulted in several bestselling books and a Netflix series!
Adrian Sanabria
- ESSAYS: Cybersecurity Workforce Woes
An essay examining the "talent gap". Is it real? Was it all a myth? Was it ever real?
There's a lot of nuance in the answers to these questions, and Chris Hughes does a good job of covering the bases in this long(ish) read.
- ESSAYS: Prioritizing Detection Engineering
This is a followup on Ryan's infamous 2017 essay titled, Lessons Learned in Detection Engineering. Ryan seems to share my obsession with understanding what works and what doesn't in the enterprise, and how things fail when they don't work.
If I'm being honest, I see a LOT of my own mistakes in this one. Granted, many of those were made almost exactly 20 years ago, but I imagine people being people, some of those same mistakes are still being made today.
- ESSAYS: Cybersecurity’s Delusion Problem
BREAKING: Cybersecurity is not the most important thing to the business. It's not even their biggest risk. Not by a long shot.
- ESSAYS: Beyond Immature Rhetoric: The Case Against Mockery and Ambulance Chasing in the Security Industry
Sit down, be humble
- WHOOPSIES: We Spent $20 To Achieve RCE And Accidentally Became The Admins Of .MOBI
One of those incredible stories that will become legend.
Situations like this is why the entire category of External Attack Surface Management (EASM) was created, but to find these kinds of issues for one customer - an organization and its subsidiaries. It wasn't designed to find these issues at the TLD or internet architecture level!
Every now and then, it feels like Lopht testifying before Congress in 1998 all over again.
- WHOOPSIES: Enterprise ServiceNow Knowledge Bases at Risk
Similar to that issue Salesforce had last year. In fact, I just realized it was discovered by the same person, Aaron Costello, and that's how he got his job at AppOmni, as a security researcher!
This is in that category of "misconfiguration due to unclear UI/UX". We have at least one of these every year - there should be an award, in the shape of an S3 bucket.
- BREACHES: Fortinet confirms data breach after hacker claims to steal 440GB of files
The threat actor, known as "Fortibitch,"
Okay, NOW you've got my attention.
- DUMPSTER FIRES: Cybersecurity Pen Test Arrests: 5 Years Later
An incredible listen. Remember when a couple of physical pentesters were thrown in jail in Iowa during a paid engagement to break into a courthouse? This is THAT story, with the benefit of 5 years of hindsight.
Includes both pentesters, the CISO of Coalfire, and the journalist at Dark Reading that covered it as the news was breaking. 5 years later, and these poor guys are still dealing with the fallout on an almost daily basis.
- SQUIRREL: ‘The data on extreme human ageing is rotten from the inside out’ – Ig Nobel winner Saul Justin Newman
This is less of a non-sequitur than I usually post for a squirrel story, because it's a tale about what can happen when you don't check the integrity of your source data. I've run into this problem on several occasions while working with data scientists in cybersecurity, though none of them were as huge and impactful as this one.
This science faux pas isn't quite as bad as the misunderstanding that lead to a food industry-wide fat-free craze, but it's still pretty bad.
