Friday, May 22, 2020

SiliconAngle: GitLab runs phishing test against employees – and 20% handed over credentials

GitLab runs phishing test against employees – and 20% handed over credentials
by Duncan Riley. UPDATED 22:26 EDT / MAY 21 2020

There’s always a lot of talk in cybersecurity about the importance of training employees to be aware of phishing attempts. Training does work, but it’s not a panacea; the reality is that there will always be employees who get tricked even with training.

Although there are various industry estimates, code repository management firm GitLab Inc. decided to phish their own employees to see what would happen. The result was not good: One in five employees fell for the fake emails.

Sadly, this is why cybersecurity research can only go so far. When 20% of employees working for a technology site can be phished like this, no technology product can solve the problem.

I am reminded of the Beagle/Bagle worm. In 2004, this worm was spreading rapidly throughout the Internet via e-mail. When virus scanners got definitions to identify and delete it, the authors created a variation (described in the linked article) which wrote itself to an encrypted zip file, putting the password in the mail message's body. This variation continued to spread despite requiring the recipient to manually save and decrypt an attached zip file, and then run the application contained within.

If people will blindly do whatever they're told in e-mail, then they're doomed no matter what security experts say and do.

Update May 26, 2020: I updated the article to include a link to an article about the Beagle/Bagle worm. At the time I originally wrote the article, I couldn't remember its name, but I was able to do some searching and found it (in one of my own blog posts from 2005: Encryption and security: an overview).