Search Poisoning and Security Awareness Training

I was talking to my brother just now about recent search poisoning related to the story about the guy who crashed a plane into the IRS building.  He works in a SOC at a large organization, and last night he saw someone who searched for something like “echelon building plane crash” within the first few hours of the event.  My brother was responding to an alert that fired when that user was redirected to one of those fake antivirus sites that tell you your computer is infected and that their program needs to install itself to clean the machine.  In reality the program is a hoax designed to get people to willingly fork over their credit card information.  I don’t imagine this simple and effective threat will ever go away.

Interestingly enough, I happened to be headed to the Internet Storm Center at the time, and found this story about search poisoning.  This got me thinking there’s something worth writing about here.  First, this is nothing new, so there’s no shock factor.  However, this social engineering attack is worth mentioning because it is a bit unique.  Most phishing, spear-phishing, or phone-based social engineering attacks depend on getting the target to take an action the attacker wants, based on misplaced trust the attacker earns by passing themselves off as an authority figure or as someone they are not.  Search poisoning does not attempt to alter user behavior at all.  The user was already going to search for that topic.  The attacker simply makes use of actions users were going to take anyway, and the poisoned results do not have to persuade anyone of anything; they only have to rank well for a query that is suddenly popular.  This makes the attack highly effective for however long it takes for the poisoned results to be eliminated.
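The chain the SOC alert above caught (search results page, click to a landing page, redirect to a fake-AV page) can be pulled out of proxy logs in a few lines.  What follows is an added example written for this post, not code from the original or from the SOC mentioned; it assumes a constructed, space-separated log format (hypothetical, not any product’s native format), a short list of search engines, and illustrative fake-AV path indicators. The sample log lines are constructed, with hosts under the reserved .test TLD.

```python
"""Detect the search-poisoning chain in web proxy logs.

Added example, not code from the original post.  Assumed (hypothetical) log
format, one request per line:

    <epoch_seconds> <user> <method> <url> <status> <referer>

Chain looked for, per user, inside a short window after the search click:
  1. click out of a search results page (Referer is a search engine; the
     query is recovered from its q= or p= parameter) onto a landing host,
  2. the landing host answers with a 3xx,
  3. a request to a different host whose path matches a fake-AV indicator.
"""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Assumption: results-page referrers that carry the query in q= (Google, Bing) or p= (Yahoo).
SEARCH_ENGINES = {"www.google.com", "www.bing.com", "search.yahoo.com"}
# Assumption: illustrative path fragments; a real rule would use threat intel, not a static list.
FAKE_AV_HINTS = ("scan", "antivirus", "setup.exe", "install.exe")
WINDOW_SECONDS = 120  # how long after the click we still attribute activity to it


@dataclass
class Record:
    ts: int
    user: str
    method: str
    url: str
    status: int
    referer: str


def parse_line(line: str) -> Record:
    parts = line.split()
    if len(parts) != 6:
        raise ValueError(f"malformed record: {line!r}")
    ts, user, method, url, status, referer = parts
    return Record(int(ts), user, method, url, int(status), referer)


def search_query(referer: str):
    """Return the search query if `referer` is a results page, else None."""
    parsed = urlparse(referer)
    if parsed.netloc not in SEARCH_ENGINES:
        return None
    params = parse_qs(parsed.query)
    for key in ("q", "p"):
        if key in params:
            return params[key][0]
    return None


def host(url: str) -> str:
    return urlparse(url).netloc


def looks_like_fake_av(url: str) -> bool:
    path = urlparse(url).path.lower()
    return any(hint in path for hint in FAKE_AV_HINTS)


def find_poisoned_searches(lines):
    """Return one hit per search click that led, via a redirect, to a fake-AV page."""
    by_user = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse_line(line)
            by_user[rec.user].append(rec)

    hits = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r.ts)
        for i, click in enumerate(recs):
            query = search_query(click.referer)
            if query is None:
                continue  # not a click out of a results page
            landing = host(click.url)
            redirected = 300 <= click.status < 400  # landing page bounced the user at once
            for nxt in recs[i + 1:]:
                if nxt.ts - click.ts > WINDOW_SECONDS:
                    break
                if host(nxt.url) == landing:
                    redirected = redirected or 300 <= nxt.status < 400
                    continue
                if redirected and host(nxt.url) not in SEARCH_ENGINES and looks_like_fake_av(nxt.url):
                    hits.append({"user": user, "query": query,
                                 "landing": click.url, "fake_av_url": nxt.url})
                    break  # one alert per poisoned click
    return hits


# Constructed sample log (not real traffic); alice hits the chain, bob does not.
SAMPLE_LOG = """
1266500000 alice GET http://news-aggregator.test/crash-story 302 http://www.google.com/search?q=echelon+building+plane+crash
1266500002 alice GET http://free-scanner.test/scan/index.php 200 http://news-aggregator.test/crash-story
1266500005 alice GET http://free-scanner.test/download/setup.exe 200 http://free-scanner.test/scan/index.php
1266500010 bob GET http://newspaper.test/story 200 http://www.google.com/search?q=plane+crash+irs+building
1266500020 bob GET http://newspaper.test/images/logo.png 200 http://newspaper.test/story
""".strip().splitlines()

if __name__ == "__main__":
    for hit in find_poisoned_searches(SAMPLE_LOG):
        print(f"{hit['user']}: {hit['query']!r} -> {hit['landing']} -> {hit['fake_av_url']}")
```

Run as-is it reports only alice: her click left the results page with a query about the crash, the landing page answered 302, and the next host served a path containing “scan”.  Bob searched for the same story but stayed on the newspaper site, so nothing fires.  The query string recovered from the Referer is the useful part for a SOC: a spike of distinct users hitting the same redirect chain from the same fresh search terms is the signature of a poisoning campaign rather than a single bad click.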

Secondly, since this seems to be a standard attack, and since it is a form of social engineering that will likely remain effective, I think it is worth covering in the basic security awareness programs that organizations implement.  I have never seen it covered.  The following sorts of modules are generally pretty standard:

  • Don’t share your password.
  • Don’t open attachments from people you don’t know, and confirm that ones you receive from people you do know are legitimate.
  • Beware of phishing emails.
  • Don’t use P2P software on your work computer.
  • Don’t violate software EULAs.

While these topics are all important, an awareness program that does not evolve along with emerging threats is not an effective awareness program.  Users come to expect the same old material, and they stop paying attention to any of it.  And frankly, if they stop “learning” from it, why should they pay attention every time it’s forced down their throats?

Too often, the concern with awareness programs is focused on “how do we check the box?”  For the federal government this is a legitimate and time-consuming problem.  When you have to deliver training to tens or hundreds of thousands of users dispersed across thousands of locations around the country or the world, some of them at remote sites with limited network access, ensuring that every user is trained is no easy task.  However, content and retention must always be considered.  This is where you draw the line between simply having sent information to a group of users and having delivered information to them that is useful and actionable for the average user.