Why Do Phishing As Part of Security Testing

I was recently watching a web cast on incident response and found myself thinking about the cause of the example incident.  It was yet another instance where phishing emails were sent, desktops were owned and data left the victim’s network.  I’m not sure how many presentations, web casts and papers that I’ve listened/read that point to phishing as the cause of the breach, but its been quite a few.  The problem that I see is that we have an attack vector that appears to be very successful, but a reluctance to test our phishing defenses during security testing.  I found myself asking why folks are hesitant to do testing for phishing and what benefits could organizations receive from it?

First, lets look at some ideas on why organizations may decide to avoid phishing.  These ideas are simply from my observations and not from any kind of survey.

  • Someone is going to click on the link anyhow, so why bother?
  • Concerns about disrupting the employees’ work day.
  • Phishing isn’t looked at real closely in the compliance requirements that the organization is under.
  • Politics and authority.  You want to do this test, but can’t get authorization to proceed with it.
  • Perhaps even a little embarrassment.  No one likes to get beat up too badly in a test.  (see politics)

These are all understandable (to a point) and even out of our control in some cases.  Politics is a good example of something we may not be able to control.  Others are more within our grasp.  If we think about the purpose of a penetration test, we are really testing out our existing defenses and seeing how far an attacker could go if he exploited a set of vulnerabilities.  We are trying to see how well things are actually protecting us, discover any holes that are out there and measure the impact that an attack could have.  All of which apply to phishing.  We have defenses (we hope), we’re pretty sure there are holes, but we don’t know what these holes are and what damage they could do.  Without testing we are left to a gut feeling on the issue, which could be heavily influenced by a range of emotions from from fear to hubris.

By performing phishing we are able to get a better idea of the real risk that we are facing.

  • Is that endpoint protection suite really doing its job?  Do we have it setup properly?  
  • What is the risk to the organization if a customer service rep was to get compromised?  How about a developer or system admin?  Or (heaven forbid) an executive?
  • Can we detect when a desktop gets compromised?
  • Can we detect what the attacker is doing once he’s compromised someone’s system?
  • What can we do to improve our ability to protect and detect this type of attack?

Controlled phishing tests allow us to really see how we are doing, point out weaknesses that we need to shore up and possibly help us on the political front to get defenses in place or setup a bit better.  Testing can be done on an ongoing basis as part of user awareness training or as part of a full penetration test to see just what risk our data is at.  Secure Ideas performs regular testing for clients through the phishing components of MySecurityScanner.  This allows organizations to see how they are performing over time rather than just how things went during a full penetration test.

It’s important to keep in mind that even if we do not do this testing, we are getting tested.  My inbox has been getting all kinds of attacks for years and our users’ inboxes are no different.  Some we block, but some gets through.  The bad guys are testing us all the time.  The difference is that the bad guy isn’t going to let us know how we are doing at keeping them out.  We need to take steps to find that out ourselves.

Jason Wood is a Senior Security Consultant with Secure Ideas.  If you are in need of a penetration test or other security consulting services you can contact him at jason@secureideas.com or visit the Secure Ideas – Professionally Evil site for services provided.

Leave a Comment

Your email address will not be published. Required fields are marked *