If you purchased an iPhone 6 recently, you probably received this email:
Some of you may have even clicked the “Verify Now” link and entered your Apple ID account information. I hope not, though, because this email is not from Apple. It’s a phishing email meant to trick recipients into giving sensitive information to the attacker who sent it.
This email illustrates two things:
The market for enterprise network and cybersecurity grows each year highlighting the emphasis companies are putting on preventing modern threats from infiltrating their internal networks. However, the impetus is focused on technological preventative measures. Could an education in cybersecurity — who the attackers are, what they’re after, and the appropriate level of scrutiny that should be practiced — significantly bolster an enterprise’s cyber defense?
Yes. In 2011, RSA was the target of a spear phishing attack made successful by at least one employee opening the malicious attachment even after their spam filter had correctly placed the email in the “junk” folder. RSA suffered a data breach as a result.
More recently, a spear phishing attack targeting physicians at a Tacoma-based medical group led to the breach of 12,000 patient records. Emails were crafted to appear as though they were sent from the group’s parent company, and prompted targets to click on a link and enter their email account username and password. The group has since rolled out a company-wide phishing prevention system, including retraining the employees who fell for the initial phishing email.
Spear phishing attacks are:
Lucrative. The black market for data is huge, estimated at multiple billions of dollars, meaning that the person or organization behind the attack may not actually use what they steal to make money. Unfortunately, this also means they’re more difficult for authorities to track down.
Successful. Because hackers take pains to get their targets to fall for their schemes, they know what company and department you work for, what applications you use, who you report to, and what kinds of projects you’re likely working on. They know which job titles are likely uninformed or unwary of potential threats. This makes spear phishing campaigns one of the most highly-favored APT attack methods.
Simply a means of getting in. Once a target is duped into clicking a link, opening a file, etc., the attacker can carry out his mission, whether it’s stealing personal information, using a target’s personal account to transfer money, extract intellectual property or insider information.
A real threat to both corporate and consumer spheres. Both have data that attackers want to use to make money, and most people who work for targeted companies have a home computer or mobile device for personal use that is not protected by enterprise network or endpoint security policies.
Recognizable… sometimes, if you know what you’re looking for.
Cyber best practices like these aren’t just for those who deal with security as part of their daily job duties. They need to be taught company-wide.
What kind of corporate policies and programs promote a healthy balance between paranoia and productivity?
I’ve heard of one corporate program where basic cybersecurity best practices are taught as part of the new hire training class for every employee. Another IT-run program periodically assesses its employees by sending fake phishing emails to different groups within the organization; those who fall for the faux scam by either opening an attachment or clicking a link are then required to take a cybersecurity seminar. The goal of these programs is to arm the company’s workforce with knowledge and deploy them as another layer of cyber defense.
Using the right tools to prevent attacks is key, and one of those tools is familiarity with the kinds of tactics cyber criminals are using, and how to recognize and avoid them. What processes or programs have you seen put in place that educates employees and encourages cyber scrutiny?