The problem with Security Awareness programs is that it is hard to prove their successes. As with all security countermeasures, success is usually that nothing happens. Ideally, success also means that there is a report of the attempted attack; however, that is rarely the case. With technical countermeasures, however, logs are usually maintained that allow people to point to all of the prevented attacks.
More importantly, when there are acknowledged Security Awareness success stories, it is rare for organizations to share those stories, even internally. As principals in a company devoted to the human aspects of security and Security Awareness, we see Security Awareness success stories on a daily basis; however, we cannot disclose those stories without permission.
So it was a pleasant surprise when we saw the CSO Salted Hash column, Inside an Attack by the Syrian Electronic Army, which highlights a major Security Awareness success story. The article highlights how the Security Awareness guidance we provided allowed IDG Enterprises, the parent company of CSO and Computerworld, among other major technology publications, to completely repel an attack by the Syrian Electronic Army (SEA).
As background, the SEA took issue with a presentation that Ira gave at the RSA Conference that detailed the SEA, their attacks, our experiences helping companies respond to their attacks, and methods to prevent similar attacks. The SEA responded by hacking the RSA Conference website, and we detailed exactly how that was accomplished. In response, the SEA hacked the Twitter feeds of the Wall Street Journal and Buzzfeed in an attempt to insult Ira. Ira prepared an article for Computerworld that analyzed the sequence of events. However, based on our experiences and working with the FBI on past attacks, we warned Computerworld to expect a focused attack from the SEA and detailed the expected methods that they would use, as well as guidance on how to prevent the expected attack.
In response, Computerworld's team worked with the appropriate people to ensure that the technical precautions were taken, and created a proactive awareness program warning the appropriate IDG employees of the imminent attack. Details were provided regarding what employees should be on the lookout for, and special effort was made to ensure that the people with critical access were warned about what to expect.
As expected, spearphishing messages began to arrive the day the article went live on the website. The messages were in the format expected. Recipients of the messages appropriately reported them. When the emails failed, the SEA apparently resorted to social engineering attacks, which were likewise unsuccessful and properly reported. This is critical, as it demonstrates that when people are made aware of the likelihood of one attack, they are aware of the prospects for other forms of attack.