Transcript
A (0:02)
You're listening to the Cyberwire Network powered by N2K. Ford BlueCruise hands-free highway driving takes the work out of being behind the wheel, allowing you to relax and reconnect while also staying in control. Enjoy the drive in BlueCruise-enabled vehicles like the F-150, Explorer and Mustang Mach-E. Available feature on equipped vehicles. Terms apply. Does not replace safe driving. See Ford.com/BlueCruise for more details.
B (0:44)
The word is simulated phishing. Spelled: simulated, as in an imitation of something, and phishing, as in a social engineering technique in which a trustworthy person or organization is impersonated in order to trick a targeted user into performing a malicious action.

Definition: A security awareness training technique in which authorized but fake phishing emails are sent to employees in order to measure and improve their resistance to real phishing attacks.

Example sentence: The employee clicked on a link in a simulated phishing email, which took them to an educational page on social engineering.

Origin and context: Early in the history of cybersecurity, one bad habit that emerged was blaming the user for clicking on that phishing link that allowed some cyber bad guy to gain a foothold inside the network. Common phrases in the industry included "you can't fix stupid" and "if we didn't have any users, our jobs would be a lot easier." This all presupposes that the user did something wrong instead of the infosec team keeping phishing emails away from employees or preventing phishing email from doing any damage. I don't know about you, but I've been in the business for over 30 years and I still get fooled by phishing email. How can I expect Kevin down in the HR department to avoid clicking those links when an industry veteran like me gets fooled all the time? If the infosec team can't keep the phishing emails out, then maybe the next best thing is to better train Kevin and me on what to look for. Organizations use simulated phishing to train employees to recognize real phishing emails by using convincing but harmless replicas to trick users into clicking on a link or downloading an attachment. This helps educate users who fall for them and allows the organization to measure how vulnerable it is to a phishing attack.
Ian Muscat at Phishdeck explains: while phishing tests alone are not a replacement for technical defenses such as email security gateways, phishing filters, and anti-malware solutions, they can be invaluable in improving an organization's security awareness and posture. Additionally, when paired with an effective security awareness program, phishing simulation can serve as a powerful tool to promote security best practices. Tom Pendergast, in an article for CSO Online, notes that there can be drawbacks to simulating phishing, though, if it isn't done properly. For example, emails impersonating the IRS and other organizations can cause users to report them as real fraud, swamping the impersonated organizations with false reports. Additionally, many real phishing emails contain content that isn't appropriate for a company to send their employees, such as sextortion, profanity, and just plain porn. One piece of advice from Defenseworks says organizations should be transparent that they're implementing a phishing simulation program so employees don't feel like they've been deceived by their employer.

Nerd reference: You're listening to "Snake Charmer," written and performed by Eagle Eye Williamson, one of the tracks played in the 2015 movie Blackhat, starring Thor himself, Chris Hemsworth (and let me tell you, hackers have never looked so good), and directed by Michael Mann, best known for the 1980s TV show Miami Vice. Hemsworth plays a black hat hacker who the US government breaks out of a 15-year prison sentence to help them track down some hackers. They apparently use code that Hemsworth wrote as a kid in a terrorist attack directed at a nuclear power plant in China. In this scene, Hemsworth needs to access an NSA server called Black Widow. He crafts a phishing email and sends it to a Mr. Donahue, purportedly from the security guy, Ben Hitchens.
It says: "In light of the fact that you were contacted by an FBI agent working on a joint task force with Chinese cyber specialists, we've become concerned about the security of your Black Widow remote logins. We strongly suggest you change your password." Attached to the email is a PDF entitled "Password Security Guidelines" and a link to download it. Donahue hesitates for just a second, but finally clicks the link. "You asked him to change his password when he downloaded the PDF. What he downloaded was the keylogger." That's Donahue typing his new password twice, and the keylogger picks it up. Hemsworth uses the top secret NOFORN Black Widow web client to log in as Donahue with the new password. And just between you and me, I would have fallen for this attack too. But maybe if Donahue had received more simulated phishing emails, he might have known to suspect any security recommendations concerning the super secret Black Widow network. I'm just saying.

Word Notes is written by Tim Nodar, executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.
Episode: Simulated Phishing (noun) [Word Notes] - Hacking Humans