If you master touch-typing, then you know that your fingers sometimes have a mind of their own. Fortunately, you usually realize that they have written something different than intended, and then the backspace key is your best friend. Recently I had such a case where I couldn't suppress a grin: I didn't type 'awareness', but 'awaremess'. That small error led to this blog post.
In my profession, awareness means security awareness: the extent to which employees realize that they play an important role in information security, have the associated knowledge and act accordingly. But sometimes, things get a little messy.
So where did that grin on my face come from? The word awaremess does not exist, but you could interpret it as a mess that arises in the field of awareness. And that's exactly where we are right now. For example, we do a lot to teach you how to recognize phishing mail. But at the same time, you are being bombarded with legitimate email that looks like it's phishing. And then it becomes a mess.
Let me give two examples. All civil servants have received (or are still receiving) mail from Shuttel, stating that they need to apply for a new card for public transport. That e-mail contained quite a few phishing indicators. The main red flags were the general salutation (“Dear Employee”), the warning that your old card would be revoked and, the most important, a link that, when you hovered over it, showed a very different destination than what was shown in the mail itself: not my.shuttelportal.nl/[etc], but something like fbdecbh.r.af.d.sendiobt2.com/tr/cl/[etc]. The funny thing is that employees also picked up on something that is not a phishing indicator at all. The Shuttel company wanted some words in the e-mail shown in bold, but that went wrong in the first series of e-mails: it did not show ‘look & feel’ in bold, but with stray formatting characters around it. The codes, which were supposed to make the text bold, didn't work properly. But that has nothing to do with phishing. However, the other indicators were very phishy. The only thing that went well here is that the exchange was announced in advance on the intranet (but not everyone reads that). And what went well afterwards is that I quickly found someone in the responsible department who understood me and made sure that the Shuttel company was held accountable. Unfortunately that came too late for us, but things should be better at other ministries now.
The second example is closer to home, because it concerns a medium on which this blog is published: our intranet. That intranet was radically changed a while ago. And so there was an email with the subject: “Survey: What do you think of the personalized intranet?” That e-mail comes from an external address, but it does show the name of our organization as the sender: red flag! The general salutation (“Dear reader!”) and the chance to win an “exclusive personalized gift with your avatar on it”, along with time pressure (“We are giving away 15, so be on time”), only made it worse. And finally, the e-mail was signed impersonally (“Team Online Editors”) and the survey was not announced on the intranet (!). The first email from a concerned colleague has already arrived, and more will follow. Rightly so. Last week we had a nice meeting with the bloggers and the intranet editors, and there we were told that there would be a survey. So by chance I know that this e-mail is real, and I have informed the editors about the phishy nature of their e-mail.
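The two indicators that recur in both examples, a visible link that points somewhere else than it shows and a display name that claims the organization while the address is external, can be checked mechanically before a mailing goes out. The following is an added example, not code from the original post; the sample message, the organization name and the internal domain are constructed, and the domain comparison is a crude two-label approximation rather than a real public-suffix lookup.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the indicators described above; domains are illustrative.
SAMPLE_FROM = '"Example Ministry" <noreply@mailing.sendiobt2.com>'
SAMPLE_HTML = (
    "<p>Dear Employee,</p>"
    "<p>Your old card will be revoked. Apply for a new one at "
    '<a href="https://fbdecbh.r.af.d.sendiobt2.com/tr/cl/abc">'
    "https://my.shuttelportal.nl/newcard</a></p>"
)
INTERNAL_DOMAINS = {"ministry.example"}  # assumed internal sender domain(s)
URL_LIKE = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:[/?#]|$)", re.I)


def registered_domain(host: str) -> str:
    """Last two labels of a hostname; an approximation, no public-suffix list used."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html: str) -> list:
    """Links whose visible text is itself a URL on a different domain than the real href."""
    parser = _LinkCollector()
    parser.feed(html)
    found = []
    for href, text in parser.links:
        if not URL_LIKE.match(text):
            continue  # plain anchor text such as "click here" is not a mismatch
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        real = urlparse(href).hostname
        if shown and real and registered_domain(shown) != registered_domain(real):
            found.append((text, href))
    return found


def spoofed_display_name(from_header: str, org_name: str, internal: set) -> bool:
    """True when the display name carries the organization's name but the address is external."""
    name, addr = parseaddr(from_header)
    domain = registered_domain(addr.rpartition("@")[2])
    return org_name.lower() in name.lower() and domain not in internal
```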
Things can also go wrong the other way. Employees received an email from a foreign address, with no subject and no body text; it only contained a vague link. You would think: this can't be right, wouldn’t you? Despite this, fifteen colleagues clicked on that link. Our security systems blocked it, so we know who clicked. I have spoken to some of these colleagues. They told me stories that make me understand how someone could be “stupid enough” to click. Most poignant was the case of a manager of a colleague who had recently died, and this colleague's surname matched the sender's name. The manager therefore thought that the family was seeking contact. In another case, the mail also contained the addresses of someone's brother (with whom he had lost contact long ago) and of another acquaintance. It is likely that hackers captured address books and made good use of them when compiling the mail. So it's way too easy to say: how could one be that stupid? Their actions were not stupid, but humane. It saddens me that criminals undermine that humanity.
And so it is quite a mess in terms of security awareness. My typo wasn't that bad after all.
And in the big bad world…
This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.
- a test phish about salary increases is a distasteful idea.
- you also have to cover your power LED now.
- an official falsified reports about the security of the Dutch government’s identity management platform. [DUTCH]
- financial and ICT service providers must get started with DORA.
- an organization can suddenly be bombarded with a deluge of access requests. [DUTCH]
- the police are starting an international network to prevent and disrupt cybercrime. [DUTCH]
- Belgian judges and police officers are being spied on. [DUTCH]
- a DDoS attack delayed the announcement of exam results. [DUTCH]
- mandatory periodic password changes are an outdated practice. [DUTCH]
- artificial intelligence is trained with private data, fake news and copyrighted material. [DUTCH]