Introduction
Even today there is no consensus on the importance of security training and awareness in the workplace. Whereas the majority of security professionals regard security education as key, others question whether it is worth the cost, effort, and time spent training workers. PricewaterhouseCoopers (PwC), in a study conducted in 2014, found that 42% of participants deemed security training a deterrent to potential cyber-attacks on their companies (Infosec, 2014). The report also compared the financial value of staff awareness and found that companies without security awareness training lost $683,000 every year, compared with $162,000 where employees had received awareness training (Rashid, 2014).
On the other hand, some security specialists oppose security training and consider it a waste of resources and time. They argue that employees cannot be security professionals, so companies should not expect them to act as experts; the resources and time would be better invested in enterprise infrastructure, strengthening technical controls and addressing security flaws in software design. The problem with this line of thinking is that many organizations are required to provide security awareness and training to their staff, and the military is no exception. The U.S. military has several branches, including the Marine Corps, Air Force, Army, Coast Guard, and Navy, all mandated to protect the U.S. from adversaries. In the digital age, however, war is no longer confined to launching missiles, dropping bombs, sailing the seas, the open battlefield, or the air; it also includes cyber attack.
Project Methodology
To conduct this study, I will apply National Institute of Standards and Technology (NIST) guidance to define what a phishing attack is and to identify the stipulated guidelines for dealing with Business Email Compromise.
The Project Scope
To prevent phishing, we first identify the ways of dealing with the issue. The first step is prevention: phishing can be intercepted before it reaches system users by blocking or blacklisting phishing sites or by filtering out phishing emails. This requires that suspicious URLs and websites be examined, either manually by system users or automatically using machine learning. The project encourages the use of spam-filtering software. While spam filtering cannot detect 100% of phishing, coupled with 12 months of training it can substantially reduce the number of cases (Phishing By Industry Report, 2018).
The U.S. has long been engaged in a strategic rivalry with Russia and China. Both countries have extended the competition into cyberspace and pose a strategic danger to the country and its allies. In particular, China has eroded the United States' military overmatch and economic vitality through the exfiltration of sensitive information from U.S. private and public sector institutions. Russia, on the other hand, has used cyber-enabled information operations to sway the public and test the United States' democratic process. Other adversaries such as Iran and North Korea also use malicious cyber activity to harm the population and threaten U.S. interests. Worldwide, the pace and scope of malicious cyber activity are rising rapidly as more people gain access to the internet. The growing reliance on cyberspace by both the military and civilians therefore makes this an unacceptable risk and an urgent security matter for the United States.
Therefore, the Department of Defense (DoD) must keep its cyberspace technology current as cyberspace keeps evolving. Keeping up to date will ensure that the U.S. maintains its competitive advantage and defends its military interests, with a focus on Russia and China. The DoD needs to gather intelligence on events and improve its cyber capabilities in readiness for any potential crisis. Additionally, the military must defend the country aggressively to prevent or curtail malicious cyber activity at its source. It is also vital to strengthen the security and resilience of the systems and networks that underpin current and future U.S. military advantages, and to work with international partners, industry, and interagency bodies to advance mutual interests. The DoD acknowledges that in time of war, cyberspace forces must be ready to operate alongside space, sea, air, and land forces to target the enemy's weak points. The U.S. cannot afford laxity, since the nation's economy, values, and military prowess are exposed to threats that rise daily.
Project Rationale
Everyone who has access to an internet-connected computer needs security awareness. Even in workplaces where no training is offered, users must take personal initiative and ensure that their devices are up to date. The military workforce, which comprises both civilians and service members, has the right to access valuable data in the line of duty. If this data falls into the wrong hands it can threaten the security of the U.S. and its allies, and security specialists have argued that humans form the weakest link in the cybersecurity chain. The DoD has over 1.4M military staff and 0.74M civilian workers, a figure that creates an environment ripe for cyber-attack. With ever-increasing social engineering and spear-phishing tactics, the military has no excuse not to offer its employees security awareness training (DoD, 2017).
There are three main reasons why organizations need security awareness training: the vanishing perimeter, meaning that people bring their own devices to the workplace; regulatory requirements; and the ever-changing threat landscape. The Department of Defense is no different and must adhere to regulatory requirements. Federal law requires that information technology awareness training be conducted annually, and various military branches have begun planning to mandate it for systems under the Risk Management Framework (RMF) (Ahmed, 2015). This makes cybersecurity awareness training part of system authorization and continuous monitoring: such a system cannot operate unless a documented training program for its users has been implemented.
Furthermore, the vanishing-perimeter risk relates to staff who bring their own devices to the workplace. Cellphones, laptops, and media players, once connected to the network, increase the attack surface. Worse, there is no way to prove that personal devices follow secure cyber hygiene practices or are kept up to date. Military organizations are aware of these risks and do not allow personal devices in the workplace. However, the rule is not always followed, because some employees will evade it and violate policy. The military should therefore ensure that users are trained and made aware of the specific policies relating to personal electronic devices and why they must not be connected to the workplace network. Finally, the constantly changing threat landscape requires the military to stay current on cyber threats and to assess how the organization could fall victim, since many spear-phishing attempts are directed at large organizations such as the DoD.
Another reason the military needs to train its workforce is that it recruits young people each year directly from high school. At that age they are not, and cannot be expected to be, computer engineering professionals; they need weeks to months of training before they begin their jobs. Unlike seasoned professionals who have spent years learning and in internships, young military personnel are thrown into real-world situations and are highly stressed by insufficient support. Other challenges affecting military cybersecurity include the use of government off-the-shelf (GOTS) goods and embedded systems that pose a threat. The use of such systems is informed by the false belief that they are unhackable. In truth, many were built decades ago and cannot meet current cybersecurity needs in an age when hacking capabilities have become increasingly potent. These systems remain vulnerable because they are hard to upgrade, given their unique attributes and budget constraints.
Need for the Solution:
Phishing can be intercepted before it reaches system users by blocking or blacklisting phishing sites or by filtering out phishing emails. This requires that suspicious URLs and websites be examined, either manually by system users or automatically using machine learning. Secondly, there is a need to deploy phishing indicators in the web browser, certified site identification, and a branded verification system.
Project Summary
When cyber-attacks occur against businesses, many cases involve competitors spying to gain access to company secrets and proprietary data. Likewise, the military holds secrets that, if stolen, could put the security of the whole country in jeopardy, and it must ensure that its plans, tactics, and secrets are not accessible to rivals. The military also has a recent history of such attacks. In 2015, the DoD was hit by a spear-phishing attack that compromised the email credentials of more than 4,000 workers, both military and civilian (Hussain, 2015). Officials stated that enterprise assets were correctly patched and configured, and the attack was therefore deemed a zero-day. Investigations suggested that the attack involved social engineering: the attacker is said to have used social engineering against DoD employees to gather enough data to craft a spear-phishing campaign that drew in the intended victims. The cost of such attacks underpins the need for training and for making users conscientious about how they use the system. Features that help identify phishing include low-quality images, misspellings, bad grammar, and poorly formatted emails.
Whereas a commercial business may generate enough income to keep its systems updated with the newest technology, the military may not be able to update regularly, since it operates on a budget limited by the executive. There is thus a likelihood that the military still uses outdated equipment and unsupported software, which makes updating difficult. For example, in 2015 the U.S. Navy was still running Windows XP when the rest of the world had moved on to Windows 10, and it was spending $9M annually to keep an obsolete system supported. The Navy's spokesperson explained that the Navy depends on legacy applications and programs that require XP (Goldman, 2015). The DoD has therefore found it necessary to enlist cybersecurity experts to create awareness among high-level staff, including budget controllers, of the importance of keeping systems updated. While user training can help identify phishing fraud, keeping the infrastructure updated is equally important.
Problem Background
U.S. security, liberty, and prosperity rely on the open accessibility of data. The internet has empowered and enriched people's lives by offering access to new knowledge, services, and business ideas. Indeed, network and computer technologies form the basis of U.S. military dominance, enabling the Joint Force to access intelligence on enemies and to strike at long range. However, despite the widely held perception of the U.S. as a technological and innovation powerhouse, it still lags among industrialized nations in connectivity and internet access. Globally, the U.S. has been in the vanguard of developing cybersecurity strategy and policy, beginning in 2003 when the government issued the first national cybersecurity strategy. The National Strategy to Secure Cyberspace, adopted in 2003, established the strategic goals for U.S. cybersecurity: to prevent cyber-attacks against critical national infrastructure, to reduce national vulnerability to cyber-attacks, and to minimize the damage and recovery time from attacks that do occur (DoD, 2018).
To achieve these objectives, five national priorities were identified: a national cyberspace security awareness and training program; a threat and vulnerability reduction program; a response system; securing federal computer systems and networks; and international cooperation. The digital era has equally brought challenges to the Department of Defense (DoD) and the country at large, because the openness, decentralization, and transnational nature of the internet that the DoD seeks to protect also create substantial vulnerabilities. Adversaries and competitors unwilling to face the U.S. on the open battlefield are instead using cyberspace to steal U.S. technology, disrupt trade and governance, threaten critical infrastructure, and even challenge the country's democratic process (DoD, 2018).
Need for the Solution
As stated in this study, security awareness is the responsibility of the military under the RMF. The DoD offers phishing awareness training to selected staff through a compulsory course referred to as the Cyber Awareness Challenge, designed and facilitated by the Defense Information Systems Agency (DISA) in conjunction with the DoD.
Reason for Approach
DISA's training is interactive and includes quizzes, and the agency trains users on contemporary cybersecurity developments. This training is regarded as satisfactory, but to curb phishing the DoD should also test employees by sending simulated phishing emails to system users to find out whether they fall prey. This helps assess the effectiveness of the training and allows it to be customized to the needs of the employees.
Prospectus Organization
If a phishing attack hit the U.S. military, 2.2M employees could be affected, and the estimated loss would amount to $814M every year. Upon implementation of an anti-phishing campaign, however, the paper reveals compelling value and return on investment for a comprehensive anti-phishing program. The goal of the project is to prevent phishing attacks. The paper therefore begins by explaining the concept of phishing and analyzes its causes and how it can happen in the military context. It then undertakes a cost analysis to determine how much it would cost the DoD to implement an anti-phishing campaign. In the final part, the paper undertakes a risk analysis of phishing threats and how attackers carry them out, and states the assumptions and limitations of preventing phishing.
Problem Statement
It is the mandate of organizations and security teams to protect the U.S. against cyber-attacks, but the DoD is living in a challenging era in which it has increasingly become the target of sophisticated, well-managed and well-financed threats that have repeatedly outsmarted even the most robust security defenses. Cybercriminals succeed because security teams lack the financial and human resources needed to keep pace, so the military may be unable to protect the nation against current threats such as ransomware and phishing. It is also unfortunate that security teams sometimes help cybercriminals through mistakes and, occasionally, intentional acts. The main problems identified for this study, phishing and ransomware, are among the most common problems facing every internet user. A 2018 report found that one in every 3,331 emails was a phishing attempt, and that ransomware variants increased by 74% (Kumar, 2018). Phishing and ransomware are therefore the main challenges facing the military. See Appendix A for the classes of phishing.
Background Information
Spear-phishing can leave an organization devastated and struggling to recover (Zetter, 2015). Training and raising awareness among personnel, protecting endpoints, and maintaining valid information security policies and published procedures are therefore must-haves. Attackers prefer spear-phishing because it offers a greater financial return than ordinary phishing. Even though spear-phishing attacks are time-consuming and expensive, a successful one is richly rewarded (Savvas, 2012). Employees must therefore know how to notice the traits of an impending attack, which are discussed below.
The individual fragile spot, the human element, accounts for many of the factors behind the success of spear-phishing (Mitnick, 2015). Attackers take advantage of basic human psychology, for example the need to know. When an individual receives an email notification that appears to come from a friend, financial institution, or work associate, some will respond even though they are aware of the security threat. In this sense people present one of the main vulnerabilities to a system's integrity. Once a compromise occurs, the affected data must be identified and secured and is unlikely to be recovered; access credentials, passwords, and digital certificates must be re-established and rebuilt (Parmar, 2012). This is expensive and time-consuming, which is why proper defense-in-depth security is needed.
Defense in depth refers to layering security controls, including policies, procedures, and end-user cybersecurity awareness training (Savvas, 2012). The first step in defense in depth is to protect against network breaches by establishing proper access control. Before an individual is granted access rights, the enterprise system needs to verify both the device identity, including its software, hardware, and network attributes, and the user identity (Hirchmann, 2014). Users should also be granted only the roles they require. For example, a network might grant access only to employees in management positions who connect from approved devices over secure network connections. All security and network components must be able to communicate so that, if an attacker gets into a system, others can respond immediately and take further measures. If a breach happens, the company must notify personnel to prepare for evidence collection, preserve data for the investigation, and engage the media, attorneys, police, and crisis management teams.
Consequently, Information Technology personnel should implement policies and procedures on workstations, such as monitoring, and server-level measures such as mail servers (Exchange), web proxy servers, firewalls, and spam filtering. These practices allow incoming email to be scanned and reduce the number of threats that surface (Caldwell, 2013). Training for IT personnel should focus on network accountability, hackers' methods, and preventing data breaches. At the center of all procedures, policies, and cybersecurity measures, there is also a need to educate the system users, or end-users.
There are many ways in which security awareness training can be delivered to end-users. E-learning is the most popular: system users take online courses covering the basics of security awareness, which federal law mandates. This teaches individuals to recognize when they are being targeted. Training should also cover identifying phishing and social engineering, password hygiene, and any other specific requirements (Prime, 2014). Teaching employees this way establishes the necessary level of knowledge, though it may not engage individuals as well as hands-on training. Every security program is ultimately exposed to the end-user. Most cyber-attacks can be intercepted at the user level if employees are aware, attentive to detail, and able to notice and report suspicious emails (Purkait, 2012). While users can be educated about the danger, it takes only one person clicking a suspicious link and downloading a contaminated file to put the whole organization at risk of financial harm.
End-users should be adequately trained to be aware and attentive to detail so that they can recognize suspicious scams and communications that hide behind false addresses. Users must not click links in, or update personal information from, a suspect email; instead, they should visit the real website directly. If a link suddenly pops up, users should take caution and ignore it, since it may be malicious (Mitnick, 2015). Such emails may be phishing scams designed to entice users to visit a malicious website. Users should also note that a web page can appear to be an email but in reality be set up to fool them into disclosing sensitive data such as bank details, usernames, and passwords. Individuals should scrutinize emails, even from people they know, that do not make sense, and beware of pop-ups requesting that they update their computer or warning of a security problem (Savvas, 2012). Many attacks remain active on today's networks even though $20 billion has been invested in IT security. Hackers will continue to leverage spear-phishing as long as organizations maintain a security status quo that has proven no match for it. Organizations need to move to the next level of protection, one that covers all threat vectors and addresses every stage of an attack.
Causes of Phishing
Most phishing attacks rely on social engineering. According to ZDNet (2019), social engineering is the most significant factor in malicious hacking, since 99% of cyber-attacks need some level of human interaction to execute. Many phishing campaigns are made to look legitimate, and it is the user's interaction that enables macros and malicious code to run. While it may be easy to blame system users, phishing has become increasingly sophisticated, and new attacks are harder to spot because the perpetrators make the email appear to come from a trusted source. Social engineering plays a central role, since attackers can even mimic a business's processes to give themselves the best chance of success (Palmer, 2019).
The use of obsolete systems can also contribute to phishing, including spear-phishing. As noted above, in 2015 the Navy was still using the outdated Windows XP while paying over $9M a year for support of the obsolete software. Phishing succeeds in part when an organization's network is not up to date and known flaws in the current system remain unpatched. To minimize the damage phishing can cause, it is critical to ensure that systems are up to date. Organizations are also advised to deploy monitoring software and comprehensive spam filters. Spam filters cannot detect 100% of spam, but they will reduce phishing.
Military Impacts of Phishing
Given the wealth of data available on the internet and the low cost of computing devices, hackers have become more technologically savvy and able to launch sophisticated intrusions into the networks that control national infrastructure. Because a country's military strength depends on its economic vitality, the cyber vulnerabilities exploited by phishing can erode the country's competitive advantage and effectiveness on a global scale if the attacks persist. Another impact on a nation's military is the exposure of its deepest secrets: weapon blueprints, surveillance data, and operational plans. This can greatly undermine national security. For instance, a rogue program introduced onto a U.S. military laptop via a flash drive at a Middle East operating base gained unauthorized access to information within the networks. This shows that cyber-attacks can infiltrate military systems so that rogue programs are introduced without detection and can then exfiltrate sensitive military information. The U.S. considers such an intrusion an act of war.
Cost Analysis
As pointed out earlier, mitigating cybercrime is expensive. However, failing to mitigate it, or to put measures in place to combat it, is even more expensive. We now break down the cost of implementing a training awareness program for the military workforce to combat phishing. Because the impact of cybercrime on organizations is broadly uniform, the paper adopts a previous study to estimate the cost of a phishing prevention program. Phishing can be intercepted before it reaches system users by blocking or blacklisting phishing sites or by filtering out phishing emails; secondly, phishing indicators in the web browser, certified site identification, and a branded verification system are needed.
Experts have determined that a 10,000-employee organization spends approximately $3.7M annually fighting phishing attacks, most of it in lost productivity: an employee is estimated to waste 4.16 hours annually because of phishing scams (Korolov, 2015). As the paper noted earlier, the U.S. military comprises more than 1.4M military personnel and an additional 740,000 civilian staff, around 2.2M employees in total. On this basis, phishing would cost the military $814M in losses per year. To clean up effectively after a phishing attack, the organization would spend $1,138,368,000, depending on the provisions of the IT sectors, as analyzed below.
Cost Analysis of Military Anti- phishing Program
IT Department Labour Cost
To resolve phishing incidents, DoD IT staff will work together with external consultants. We select a team of 4,000 Information Security Analysts, each paid an annual salary of $98,350 according to the industry standard, so the total labor cost will be $393,400,000 (U.S. Bureau of Labor Statistics, 2019).
Identity Protection
The military will hire AllClear ID Pro for all account holders at $15.00 per account for identity protection. To protect 2.2M military staff account holders, it will cost $33M per month for 12 months, with an option for renewal (Stevens, 2020).
Securing Anti-Phishing Software programs
The military will purchase MailChannels for spam blocking and whitelisting/blacklisting, email monitoring, queue management, response management, routing, and spam filtering and detection at a cost of $59.99 per user. For 2.2M individuals this is $131,978,000 per year, or $659,890,000 over 5 years (Capterra, 2020).
Training Does Matter
Wombat Security Technologies will facilitate the training at a cost of $3.69 per head. For a military population of 2.2M, it will cost $8,118,000 (Ponemon Institute, 2015).
Risk Analysis
Threat | Likelihood | Impact/consequences
Spamming / spoofed website | High for unsuspecting system users | The adversary duplicates a legitimate website; when the user visits it, the site harvests personal information or installs malware
Crafted phishing attack | High for unsuspecting system users | Counterfeit information is used to acquire sensitive information
Malware via email | High for unsuspecting system users of email | The adversary uses email to deliver malware into military databases, collect data, and take control of systems
(Source: NIST, 2012)
Assumptions
Phishing is one of the leading cybersecurity problems in the military. Even though the DoD has prohibited the use of personal devices to access workplace network systems, the study assumes that some individuals still do not heed these provisions and may find themselves phished, which can jeopardize the security of the country. That is why training the military workforce and making them aware of the tricks hackers use can, to no small extent, curtail phishing-related cyber-attacks.
Limitations
There are many forms of cyber-attack, depending on the hacker's skills, and hackers can learn new techniques to facilitate attacks. For instance, ransomware, malware, and phishing can all be used to fool system users into unknowingly exfiltrating valuable state secrets. This project, however, has concentrated on phishing alone, at the expense of statistics on other cyber-attacks.
Technical Terms
Phishing refers to an unauthorized attempt to obtain an individual's or organization's sensitive information, such as credit card numbers, passwords, and usernames, by a perpetrator who disguises themselves as a trustworthy entity in electronic communication. Phishing is classified in the diagram in the appendices according to how the phisher defrauds their victims (Ramzan, 2010).
Malware refers to any software designed with the intent to damage a computer, network, or client (Khan et al., n.d.).
Ransomware is a type of malware that threatens to publish the victim's sensitive information, or blocks the owner from accessing it, unless a stipulated ransom is paid (Khan et al., n.d.).
Social engineering refers to the use of psychological manipulation, typically a confidence trick, to get people to perform actions or divulge confidential information.
Technology Solution
To effectively combat phishing, the military must initiate user training and awareness programs. Additionally, the military should retire obsolete software, which is hard to manage or update yet still commands a high price. Upgrading ensures that current, patched software keeps phishers at bay, since it cannot be cracked as easily. The military could also use network-level protection such as anti-spam filters that check the origin of an email, or DNS-based blacklists, and users can verify whether a sender is who they claim to be. There are three ways of approaching a solution to phishing: preventing phishing altogether, detecting phishing sites when the user reaches them, and training the system user. Each approach has benefits and downsides, and organizations are best advised to apply a mix of all three. Whichever approach is applied, managers must note that phishing evolves daily to bypass defenses and avoid detection, but by combining the three approaches they maximize the chance that attacks are detected and stopped. Appendix C shows the proposed approach for dealing with phishing. The first step is prevention: phishing can be stopped before reaching system users by blocking or blacklisting phishing sites or by filtering out phishing emails. Blacklisting requires that suspicious URLs and websites be examined, either manually by system users or automatically using machine learning. However, this catches only a few sites, since the phisher can easily stand up another site once the previous one has been blocked or taken down. Filtering, the second method, is more effective because, when successfully applied, it stops the user from ever being exposed to a link to the phisher's site (Vayansky & Kumar, 2018).
Currently, there are several spam-filtering tools used by email servers, but few phishing filters, because of the complexity of the problem.
Filters for phishing are designed using machine learning techniques. According to Akinyelu and Adewumi (2014), the authors discuss the characterization of phishing emails. For instance, they identify the application of URLs that contains an IP address that is not matching the ‘href links and attributed texts, checking the domain name against the email sender and the number of dots within the domain name. Machine learning techniques also looks at particular sets of keywords to establish whether they are from a phisher. For instance, the use of terms such as verify, suspend, update, or urgent. These authors that these methods were 99.7% accurate; hence this is one of the most effective methods of combating phishing given that machine learning continues to evolve as does the phishing attacks techniques.
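As an added illustration (not code from Akinyelu and Adewumi or from this paper), the following Python script extracts the heuristic features just listed from a constructed sample email and combines them into a simple score. The keyword set, regular expressions, score thresholds and sample message are all assumptions made for the example, not the authors' classifier.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Keyword set, regexes and score thresholds are constructed for this example.
URGENCY_WORDS = {"verify", "suspend", "suspended", "update", "urgent"}
IPV4_HOST = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def _host(url):
    # Lower-cased host of a URL or bare domain ('' if none).
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def extract_features(raw_email):
    """Heuristic features of one non-multipart HTML email: IP-address link hosts,
    href vs. anchor-text mismatch, link host vs. sender domain, dots, urgency words."""
    msg = message_from_string(raw_email)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    body = msg.get_payload()
    links = [(h, re.sub(r"<[^>]+>", "", t).strip()) for h, t in ANCHOR.findall(body)]
    hosts = [_host(h) for h, _ in links]
    visible = msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)
    words = set(re.findall(r"[a-z]+", visible.lower()))
    return {
        "ip_url": any(IPV4_HOST.fullmatch(h) for h in hosts),
        "href_text_mismatch": any(URL_LIKE.fullmatch(t) and _host(t) != _host(h)
                                  for h, t in links),
        "sender_domain_mismatch": any(not h.endswith(sender_domain) for h in hosts),
        "max_dots": max((h.count(".") for h in hosts), default=0),
        "urgency_hits": sorted(URGENCY_WORDS & words),
    }

def phishing_score(features):
    """Constructed rule of thumb: one point per fired heuristic, 0 to 5."""
    return sum([features["ip_url"], features["href_text_mismatch"],
                features["sender_domain_mismatch"], features["max_dots"] >= 3,
                len(features["urgency_hits"]) >= 2])

# Constructed sample lure: the link points at an IP address, not the bank's domain.
PHISHING_SAMPLE = """\
From: "Account Services" <security@examplebank.com>
Subject: Urgent: verify your account
Content-Type: text/html

<html><body><p>Your account will be suspended unless you verify it now.</p>
<a href="http://192.0.2.10/examplebank.com/verify">https://www.examplebank.com/verify</a>
</body></html>
"""
```

For the constructed sample, every heuristic fires and the score is 5; a plain internal newsletter whose link host ends with the sender's domain scores 0.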
The next proposed solution to phishing is to learn how to detect it. Since phishers use sophisticated techniques to make sure that phishing websites and emails reach vulnerable users, some methods warn the user away from malicious sites or identify a suspected phishing site. Many internet users already have defences in place that warn them or help them detect phishing sites using either active or passive indicators. With active indicators, the user gets a pop-up window warning of an impending attack or of malicious content on the site they want to access. Passive indicators, by contrast, do not actively engage and warn the user. As a result, many users ignore passive indicators, and active indicators are therefore preferred. Some users, however, presume that the site they are visiting is what they expect because the site was trusted initially. To combat phishing attacks in such cases, users are advised to rely on verification systems for secure and trusted sites. Because users regularly see the verification on a safe site, it is easier for them to notice its absence on a fake website. Certified identification helps the user know that they are on the right site.
Finally, train the system users. Training stakeholders to avoid falling victim to phishers is the third approach. However, most training is not kept up to date with ever-evolving phishing attacks, and its effectiveness depends on whether users take the time to read the material. This project therefore proposes anti-phishing training delivered by embedding training systems in an e-mail server or by using games. Researchers are working on such games. For instance, Anti-Phishing Phil is a game that helps users identify suspicious URLs and other aspects of phishing. Such approaches are engaging and informative, and users are likely to learn. The second method of training, embedded training, is helpful to the military because by sending mock phishing emails, users who are not aware are easily identified and trained. The method turns a prime phishing victim into an educated system user.
Implementation of the Proposal
Organizations need to analyze the impact of training in three phases implemented over the course of 12 months.
Phase one
This phase is essential to determine whether employees can detect a phishing attack. This is achieved by sending a phishing message to unsuspecting users; the IT staff do not warn users of the test.
Phase Two
This phase runs between the first and third months. This test is vital to reveal the initial impact of the training after 90 days of phishing security tests.
Phase Three
This is the final phase of the training and phishing security testing, undertaken after 12 months.
Project Outcomes
Phase One
We found that every organization, regardless of vertical and size, is susceptible to social engineering and phishing if its employees are not trained, despite investment in world-class security technology.
Phase Two
After 90 days of training, the phish-prone percentage is expected to fall by half.
Phase Three
This is conducted after 12 months of training. The results show that phishing dropped drastically, which justifies training employees regardless of the size of the organization.
Business Driver
This paper identifies e-mail as the key driver. E-mail is a means of exchanging messages between individuals using electronic devices. Established in the 1960s, email has become the preferred mode of communication across computer networks today, in both public and private settings. Phishing can be prevented before it reaches system users by blocking or blacklisting phishing sites or by filtering out phishing emails. Secondly, there is a need to install phishing indicators in the web browser, certified system identification, and a branded verification system. The two approaches are meant to maintain military confidentiality and integrity in the use of its network.
Justification
Email is a preferred mode of communication because it can reach a broad audience. Additionally, emails are important business drivers because they can be customized and delivered privately to the intended person. Military operations are supposed to be top secret and in no way should be accessible to enemies of the State. Confidentiality also lays the ground for integrity in how workers use the military network. In this case, NIST, together with the DoD, should continue formulating policies that restrict the use of the military network by its employees in order to maintain its confidentiality and integrity.
No Solution
If the phishing issue is not solved, U.S. military-related information will fall into the hands of the adversary, further jeopardizing the security of the U.S. and its allies. PricewaterhouseCoopers (PwC) found that 42% of participants deemed security training as deterring potential cyber-attacks in their companies. The report also compared the financial value of staff awareness and found that companies without cybersecurity awareness lost $683,000 every year, compared with $162,000 for organizations where employees had such awareness (Rashid, 2014; Infosec, 2014). Given that these figures concern a small company, the risk is even higher for the military if it fails to implement the federally mandated policies. Even worse, the national security of the U.S. would be significantly jeopardized, and the resulting loss would have no monetary equivalent, as it would destabilize the world order.
Solution
The primary solution to phishing, apart from training and raising awareness among the more than 2 million military employees, is to prevent phishing by blocking or blacklisting phishing sites or by filtering out phishing emails, and by installing phishing indicators in the web browser, certified system identification, and a branded verification system. Since the government has already invested, and continues to invest, in new technologies, people must be trained with the right knowledge and skills to implement the technology. Additionally, if employees are taught how to deal with phishing, military information will not fall into the wrong hands, and thus the country will be secure. It is also vital for cybersecurity experts in the military to keep up with the latest technology in order to keep abreast of adversaries. As discussed above, there are three major approaches to phishing. The first approach is to prevent phishing using machine-learning techniques; it requires filtering phishing emails and blocking phishing sites before they reach the system user. The second approach is to detect phishing by installing indicators in web browsers, using a branded verification system, and using certified system identification. Finally, it is crucial to train stakeholders using game-based anti-phishing training or embedded training with mock phishing emails (Vayansky & Kumar, 2018).
References
Ahmed, N. (2015). Top 3 Reasons You Need Cyber Security Awareness Training. https://www.trushieldinc.com/top-3-reasons-you-need-cyber-security-awareness-training/
Akinyelu, A. A., & Adewumi, A. O. (2014). Classification of phishing email using random forest machine learning technique. Journal of Applied Mathematics, 2014.
Capterra (2019). MailChannels Review and Pricing. https://www.google.com/search?q=urchase+spam+filtering+and+detecting+software+at+a+cost+of+%2459.99+per+user&oq=urchase+spam+filtering+and+detecting+software+at+a+cost+of+%2459.99+per+user&aqs=chrome..69i57.1315j0j4&sourceid=chrome&ie=UTF-8
Department of Defense. Department of Defense (DoD) Releases Fiscal Year 2017 President's Budget Proposal. https://www.defense.gov/Newsroom/Releases/Release/Article/652687/department-of-defense-dod-releases-fiscal-year-2017-presidents-budget-proposal/
Department of Defense (2018). Cyber Strategy. https://media.defense.gov/2018/Sep/18/2002041658/-1/-1/1/CYBER_STRATEGY_SUMMARY_FINAL.PDF
Goldman, D. (2015). Navy pays Microsoft $9M a year for Windows XP. https://money.cnn.com/2015/06/26/technology/microsoft-windows-xp-navy-contract/
Gupta, B. B., Arachchilage, N. A., & Psannis, K. E. (2018). Defending against phishing attacks: a taxonomy of methods, current issues, and future directions. Telecommunication Systems, 67(2), 247-267.
Hirschmann, J. (2014). Defense in Depth: A Layered Approach to Network Security. http://www.securitymagazine.com/articles/85788-defense-in-depth-a-layered-approach-to-network-security
Hussain, F. (2015). Spear Phishing Attack at Pentagon's Network, Breached 4000 Military Accounts. https://www.hackread.com/pentagons-network-hacked-with-phishing-attack/
Infosec (2014). Why does your Organization Need Security Awareness Training? https://resources.infosecinstitute.com/category/enterprise/securityawareness/security-awareness-training/#gref
Khan, N. A., Jibran, A., Ali, M., & Aleem, M. Android Malware Survey: A Comprehensive Analysis.
National Institute of Standards and Technology (2012). Guide for Conducting Risk Assessments. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
Palmer, D. (2019). Cybersecurity: 99% of email attacks rely on victims clicking links. https://www.zdnet.com/article/cybersecurity-99-of-email-attacks-rely-on-victims-clicking-links/
Parmar, B. (2012). Protecting against spear-phishing. Computer Fraud & Security, 8-11.
Ponemon Institute (2015). Wombat Cost of Phishing. https://ualr.edu/itservices/files/2016/10/Ponemon_Institute_Cost_of_Phishing.pdf
Prime, R. (2014). Educating the end user and eliminating the biggest security risk. http://www.information-age.com/educating-end-user-and-eliminating-biggest-security-risk-123458150/
Purkait, S. (2012). Phishing countermeasures and their effectiveness: literature review. Information Management & Computer Security, 20.
Ramzan, Z. (2010). Phishing attacks and countermeasures. In Handbook of Information and Communication Security (pp. 433-448). Springer, Berlin, Heidelberg.
Rashid, F. (2014). Is Security Awareness Training Worth It? https://www.darkreading.com/operations/careers-and-people/is-security-awareness-training-really-worth-it/d/d-id/1317573
Savvas, A. (2012). 91% of cyberattacks begin with spear-phishing emails. http://www.techworld.com/news/security/91-of-cyberattacks-begin-with-spear-phishing-email-34113574/
Stevens, D. R. (2020). AllClear ID Review 2020. https://securethoughts.com/allclear-id-review/
U.S. Bureau of Labor Statistics (2019). Computer and Information Technology. https://www.bls.gov/ooh/computer-and-information-technology/home.htm
Vayansky, I., & Kumar, S. (2018). Phishing: challenges and solutions. Computer Fraud & Security, 2018(1), 15-20.
Zetter, K. (2015). Hacker Lexicon: What Are Phishing and Spear Phishing? http://www.wired.com/2015/04/hacker-lexicon-spear-phishing/