by Bryan Cruickshank

Five ways to skin and clean a phish

Aug 09, 2011

IT leaders cannot be sleeping well lately. It seems that barely a day goes by without news of another stalwart company brought to its knees by cyber-attackers.

Many IT leaders are starting to realise that today’s threat is significantly different from the waves of attack that came before.

A new environment

For one, cyber-attackers’ motives have changed. In the past, hackers tended to be teenagers and malcontents, hell-bent on mischief and focused on destruction.

Their main objective was to inject viruses or mount massive denial-of-service (DoS) attacks to cripple any corporation or organisation within their reach. Today’s hackers (or, more specifically, phishers) are much more sophisticated.

They are generally activists, criminals, competitors or even national governments who use stealth tactics to steal valuable information, either for personal gain or to expose company secrets to the world.

The mode of attack has also evolved.

Where hackers once relied on programming to mount a full frontal attack on firewalls and servers, today’s cyber-attackers use information to con employees into opening the door for them.

As a result, they easily slip around the firewalls and sit — unnoticed by virus detectors — on networks collecting valuable data.

Phishing season is open

To better understand the risks faced by companies, we recently examined the publicly available information for companies on the Forbes 2000 list.

Using only the meta-data found on their websites, our security analysts were able to acquire potentially useful information from more than three quarters of the websites they examined.

Besides hundreds of thousands of usernames and email addresses, our cursory review was even able to identify cases where companies were using out-of-date software with potential vulnerabilities. The full study findings will be released in September.

So if firewalls and anti-virus software are all but useless in today’s security environment, how can IT leaders work within their organisations to neutralise the threat?

For one, IT functions need to move more nimbly in order to identify and respond to potential vulnerabilities.

Today, phishers have an incredible advantage over corporate IT functions: they are not beholden to approval cycles, budget requests or bureaucracy and can develop, deploy and disband an attack in a matter of hours.

To effectively respond, corporate IT functions must be able to not only respond to these threats, but anticipate and neutralise them before they occur.

Our experience shows that there are a number of steps that IT leaders can take to help reduce the risk of phishing attacks:

1. Quantify your current exposure: Before you can plug any leaks, you must have a clear understanding of where the greatest risks lie within your organisation. IT leaders will want to run simulated phishing attacks against their own organisation to identify vulnerabilities and ascertain opportunities for improvement. In many cases, professional, ethical hackers may be employed to conduct penetration testing across your infrastructure to provide a real-world assessment unhampered by internal politics.

2. Remove information leaks: This is not merely a case of plugging holes or deploying a new security update. Most information leaks are small, relatively innocuous breaches, such as employee email addresses, usernames or software versions, that are often widely dispersed across both corporate and external websites. Tons of information can be gleaned from employees’ social media profiles, for example.

3. Perform regular security audits: These types of information leaks are not one-time events. Left unmonitored, the risk will quickly return. Over the medium to long term, security audits also help to raise awareness of the threat within the enterprise, which effectively reduces the chances of new leaks arising.

4. Classify data and information: Clearly, some corporate data is more sensitive than other data and should command more stringent controls around its security. But most organisations don’t think about the relative value of data; rather, they tend to treat all data in exactly the same way. For inspiration, IT leaders may want to emulate government data management controls, where data is classified according to risk and value, which then dictates the level of control required.

5. User awareness and training: In the face of a phishing attack, your organisation’s security relies heavily on the awareness and diligence of your employees. Everyone in the organisation — from the boardroom to the mailroom — must understand the value and sensitivity of the information they possess and, more importantly, how to protect it.
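As an added illustration of steps 1 and 2 (this is example code, not part of the article or of the study it describes), the script below audits one of your own web pages for the kinds of metadata the article says phishers harvest: software version strings in response headers or generator tags, usernames in author tags, and exposed email addresses. The header names, sample HTML and version strings are constructed for the example; a real audit would feed it the headers and body of each public page you serve.

```python
# Self-audit example (constructed, not from the article): find the website
# metadata that gives phishers pretext material: software versions, usernames
# and e-mail addresses. Standard library only, so it runs offline.
import re
from html.parser import HTMLParser

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Response headers that commonly carry a product/version string.
VERSION_HEADERS = ("server", "x-powered-by", "x-generator", "x-aspnet-version")

class MetaLeakParser(HTMLParser):
    """Collect generator/author <meta> tags and mailto: links from HTML."""
    def __init__(self):
        super().__init__()
        self.meta = {}        # meta name -> content
        self.mailto = set()   # addresses taken from mailto: links
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        name = a.get("name", "").lower()
        if tag == "meta" and name in ("generator", "author"):
            self.meta[name] = a.get("content", "")
        if tag == "a" and a.get("href", "").lower().startswith("mailto:"):
            self.mailto.add(a["href"][7:].split("?")[0])

def audit_page(headers, html):
    """Return findings for one page; empty lists mean nothing leaked."""
    p = MetaLeakParser()
    p.feed(html)
    findings = {"software_versions": [], "usernames": [], "emails": []}
    for k, v in headers.items():
        if k.lower() in VERSION_HEADERS and re.search(r"\d", v):
            findings["software_versions"].append(f"{k}: {v}")
    gen = p.meta.get("generator", "")
    if re.search(r"\d", gen):
        findings["software_versions"].append(f"meta generator: {gen}")
    if p.meta.get("author"):
        findings["usernames"].append(p.meta["author"])
    findings["emails"] = sorted(set(EMAIL_RE.findall(html)) | p.mailto)
    return findings

# Constructed sample response standing in for one of your own pages.
SAMPLE_HEADERS = {"Server": "ExampleHTTPd/2.4.1", "X-Powered-By": "ExampleLang/5.2"}
SAMPLE_HTML = """<html><head>
<meta name="generator" content="ExampleCMS 1.5">
<meta name="author" content="j.smith">
</head><body>
<a href="mailto:j.smith@example.com?subject=hi">Contact</a>
Press: press.office@example.com
</body></html>"""

if __name__ == "__main__":
    for kind, items in audit_page(SAMPLE_HEADERS, SAMPLE_HTML).items():
        print(kind, items)
```

Anything the script reports is a candidate for removal under step 2, and rerunning it on a schedule is a cheap form of the regular audit in step 3.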

And while there is much that IT leaders can do, it will ultimately take a fundamental culture shift throughout the organisation to properly neutralise the threat of phishers. Based on our research, it may be some time before IT leaders are able to get a good night’s rest again.