UPDATED 22:26 EST / MAY 21 2020

SECURITY

GitLab runs phishing test against employees – and 20% handed over credentials

There’s always a lot of talk in cybersecurity about the importance of training employees to recognize phishing attempts. Training does work, but it’s not a panacea: even with training, some employees will always be tricked.

Although there are various industry estimates of how often that happens, code repository management firm GitLab Inc. decided to phish its own employees to see what would happen. The result was not good: one in five employees entered their credentials into the fake login page.

The exercise, announced Wednesday, involved GitLab emulating a phishing campaign against its own employees with the intent of capturing GitLab.com credentials. Defenses such as multifactor authentication were deliberately out of scope: the fake attack was designed to mimic a basic campaign that goes after primary authentication credentials via a fake login page.

The GitLab team behind the exercise purchased the domain name gitlab.company, then used G Suite to deliver the phishing email. The domain name and G Suite services were set up to look legitimate, complete with SSL/TLS certificates for the fake site, so that the links in the email would look less suspicious both to automated phishing-site detection and to human inspection. A valid certificate proves only that the operator controls that domain, not who the operator is, so the browser padlock on gitlab.company was no signal of legitimacy.

Fifty GitLab employees were targeted with an email that asked them to click on a link to accept an upgrade. The link took them to the fake gitlab.company website where they were asked to enter their login details.
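The lure above works because gitlab.company reads like gitlab.com to a hurried eye, and because the fake site served valid TLS. The following link-triage routine, added here as an illustration and not code from GitLab or from the exercise, shows the check a mail filter or SOC playbook would apply to such an email: match the link host against the legitimate domain on a DNS-label boundary, flag any other host that carries the brand name as a lookalike, and ignore the scheme entirely. The legitimate domain gitlab.com, the brand label, the evil.example hosts and the sample email body are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Assumptions for this example (not stated in the article): the organization's
# real login domain is gitlab.com and the brand label to watch for is "gitlab".
LEGIT_DOMAINS = {"gitlab.com"}
BRAND_LABELS = {"gitlab"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(body):
    """Pull http(s) URLs out of a plain-text email body."""
    return URL_RE.findall(body)


def hostname_of(url):
    """Return the lower-cased host of a URL, or None if there is none.

    urlsplit().hostname strips userinfo and port, so a link such as
    https://gitlab.com@evil.example/ resolves to 'evil.example', not 'gitlab.com'.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def is_legit_host(host, legit_domains=LEGIT_DOMAINS):
    """True only if host equals a legitimate domain or is a subdomain of one.

    Matching on the label boundary ('.' + domain) is what separates gitlab.com
    from gitlab.company, notgitlab.com and gitlab.com.evil.example.
    """
    return any(host == d or host.endswith("." + d) for d in legit_domains)


def mentions_brand(host, brand_labels=BRAND_LABELS):
    """True if the brand name appears in any DNS label of the host."""
    return any(b in label for label in host.split(".") for b in brand_labels)


def classify_link(url):
    """Return 'legitimate', 'lookalike', 'external' or 'invalid' for one URL.

    The scheme is deliberately ignored when judging legitimacy: the fake
    gitlab.company site in the exercise served a valid certificate, so a
    padlock says nothing about who owns the domain.
    """
    host = hostname_of(url)
    if host is None:
        return "invalid"
    if is_legit_host(host):
        return "legitimate"
    if mentions_brand(host):
        return "lookalike"
    return "external"


def triage(body):
    """Classify every link in an email body.

    Returns a dict mapping each class to the sorted list of distinct hosts,
    so a mail filter or SOC playbook can act on anything under 'lookalike'.
    """
    buckets = {"legitimate": set(), "lookalike": set(), "external": set(), "invalid": set()}
    for url in extract_urls(body):
        cls = classify_link(url)
        buckets[cls].add(hostname_of(url) or url)
    return {k: sorted(v) for k, v in buckets.items()}


# Constructed sample email, modelled on the "accept an upgrade" lure in the
# article; every host other than gitlab.com and gitlab.company is made up.
SAMPLE_EMAIL = """\
Hi,

Your laptop upgrade is ready. Please confirm by signing in:
https://gitlab.company/users/sign_in

Documentation: https://docs.gitlab.com/ee/user/
Calendar: https://gitlab.com@calendar.evil.example/invite
Mirror: https://gitlab.com.evil.example/login
"""

if __name__ == "__main__":
    for cls, hosts in triage(SAMPLE_EMAIL).items():
        print(f"{cls:11s} {hosts}")
```

Run against the sample, the routine puts gitlab.company and gitlab.com.evil.example under lookalike, docs.gitlab.com under legitimate, and the userinfo trick gitlab.com@calendar.evil.example under external, since the real host there is calendar.evil.example. The brand check is a plain substring match on ASCII labels; catching homoglyph or internationalized-domain variants would need a confusables table on top of it.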

On the positive side, only 17 of the 50 targeted employees (34%) clicked on the provided link. However, 10 of those 17, or 20% of all recipients, then attempted to log in on the fake site. Those who did were redirected to the phishing-test section of the GitLab Handbook.

Six of the 50 employees who received the fake phishing email (12%) reported it as suspicious to GitLab’s security operations team.

The 20% figure is roughly in line with broader industry expectations, though the comparison is loose: the Verizon 2020 Data Breach Investigations Report released earlier this week found that phishing was involved in nearly one-quarter of breaches, which measures how often phishing features in confirmed breaches rather than how many recipients a single campaign fools.

“Phishing is a great example of something that cannot be fully prevented,” Chris Rothe, co-founder and chief product officer at threat detection firm Red Canary Inc., told SiliconANGLE. “Because email is a critical business function, it has to be optimized for its business function and not security in most cases. There are many strategies IT teams can use to reduce the number of successful phishing attackers — email blocking, stripping and analyzing attachments, awareness training — but there is no 100% solution.”

Image: Wallpaper Flare
