Yesterday the U.S. Department of Defense released its cybersecurity strategy. The DoD summarized the importance of cybersecurity:
Along with the rest of the U.S. government, the Department of Defense (DoD) depends on cyberspace to function. It is difficult to overstate this reliance; DoD operates over 15,000 networks and seven million computing devices across hundreds of installations in dozens of countries around the globe. DoD uses cyberspace to enable its military, intelligence, and business operations, including the movement of personnel and material and the command and control of the full spectrum of military operations.
The report stresses the role of people as the first line of defense.
People are the Department’s first line of defense in sustaining good cyber hygiene and reducing insider threats. To mitigate the insider threat and prevent dangerous disclosures of sensitive and classified information from occurring, DoD will strengthen and go beyond the current information assurance paradigm, including the exploration of new operating concepts to reduce vulnerabilities. DoD’s efforts will focus on communication, personnel training, and new technologies and processes.
Iconix recently released a whitepaper on the effectiveness of training against spear phishing attacks. In that paper, we questioned the effectiveness of training to fight this problem. Our concerns were confirmed by research from the Department of Homeland Security. The Department of Homeland Security found that before training, spear phishing was effective 22% of the time. After training, people were fooled 21% of the time. Training resulted in a one percentage point change. Training people to avoid suspicious emails is essentially impossible because, as Lt. Col. Gregory Conti, IT professor at West Point observed in the New York Times,
“What’s ‘wrong’ with these e-mails is very, very subtle,” he said, adding: “They’ll come in error-free, often using the appropriate jargon or acronyms for a given office or organization.”
This is where SP Guard from Iconix comes into play.
SP Guard modifies the email client’s display to provide a visual indicator of the identity of the sender of email. This is an example from Outlook, the popular business email client, in which a company called “MyCo” is marking their internal messages as well as those from trusted partners such as their law firm. Note especially the last message, though seemingly benign, is a spear-phishing message and is not marked as authentic:
SP Guard provides the email recipient with three easy to recognize confirmations that a message is really an internal email or from a trusted counterpart:
- List View. There is an integrity indicator in the list view of the email client.
- Message. The open message has a further indicator of authenticity.
- Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.
SP Guard is available now from Iconix.
To learn more, visit us at http://www.iconix.com/business/spearphishing.php.