To test its security mid-pandemic, GitLab tried phishing its own work-from-home staff. 1 in 5 fell for it
Welp, at least that's better than industry averages, says code-hosting biz
Code hosting biz GitLab recently concluded a security exercise to test the susceptibility of its all-remote workforce to phishing – and a fifth of the participants submitted their credentials to the fake login page.
The mock attack simulated a targeted phishing campaign designed to get GitLab employees to give up their credentials.
The GitLab Red Team – security personnel playing the role of an attacker – obtained the domain name gitlab.company and set it up using the open source GoPhish framework and Google's GSuite to send phishing emails. The messages were designed to look like a laptop upgrade notification from GitLab's IT department.
"Targets were asked to click on a link in order to accept their upgrade and this link was instead a fake GitLab.com login page hosted on the domain 'gitlab.company'," explained security manager Steve Manzuik in a GitLab post.
Insider threat? Pffft. Hackers on the outside are the ones mostly making off with your private biz data, says VerizonREAD MORE
"While an attacker would be able to easily capture both the username and password entered into the fake site, the Red Team determined that only capturing email addresses or login names was necessary for this exercise."
Fifty emails went out and 17 (34 per cent) clicked on the link in the messages that led to the simulated phishing website. Of those, 10 (59 per cent of those who clicked through or 20 per cent of the total test group) went on to enter credentials. And just 6 of the 50 message recipients (12 per cent) reported the phishing attempt to GitLab security personnel.
According to Verizon's 2020 Data Breach Investigations Report, 22 per cent of data exposure incidents involved phishing or about 90 per cent of incidents involving social interaction. The DBIR, however, suggests the click rate for phishing messages should be far lower, 3.4 per cent, than the 20 per cent rate found at GitLab.
Another security firm, Rapid7, has said that phishing message link click rates vary from 7 per cent to 45 per cent, depending on the survey. A 2018 report from KnowBe4, a security training awareness biz, puts the average percentage of phishing-prone employees across industries at 27 per cent.
In an email to The Register, Johnathan Hunt, VP of Security at GitLab, said it was encouraging to see that the company's results were better than industry averages.
The team had the assumption that more people would fall for the phishing scam but that assumption turned out to be false
"Initially, the team had the assumption that more people would fall for the phishing scam but that assumption turned out to be false," said Hunt. "Some vendors claim that the average rate of successful phishes is somewhere around 30-40 per cent so it is nice to see us trending below that."
GitLab's findings underscore security concerns about people working from home, a group that keeps growing thanks to the COVID-19 pandemic and growing corporate tolerance for, or even encouragement of, remote work. People working from home become their own IT administrators and many are not up to the task.
Hunt, citing the continued prevalence of phishing, stressed the need for employee education, wherever workers are located.
"This means that companies, whether remote or not, should be training their staff to have a healthy level of caution when it comes to email communications," said Hunt. "As organizations move to being more remote and potentially leveraging cloud services, user identity management and multi-factor authentication become very important."
Hunt said GitLab has implemented multi-factor authentication and that would have protected employees had the attack not been a simulation. Future tests, he said, will attempt to subvert these extra security measures.
Manzuik concluded that GitLab workers should be encouraged to review the company's handbook, which explains quarterly phishing drills, and that GitLab's security team should communicate more frequently with employees about phishing. ®