Phishing and Social Engineering have been a growing concern. The latest Phishing Activity Trends Report of Q4 2009 from Anti- Phishing Working Group (APWG) shows alarming figures of increasing sophisticated phishing attacks. As per the report, the financial services industry has again topped in all targeted sectors in Q4.
Anti-Phishing Working Group (APWG) Chairman Dave Jevans said, “Spear‐phishing and whale‐phishing, where targeted individuals inside of corporations, or of high net worth, appeared to be increasing. Phishers and malware attackers are sending emails to individuals in a highly targeted fashion, attempting to gain access to corporate online banking systems, corporate VPN networks, and other online resources.”
Consider this scenario: An organization has perimeter security configured. Multiple detective controls like IDS, IPS, firewall etc. are deployed. Still the employee gets an email with embedded link which points to a malicious website. Once dragged to this website; unwitting employee is exposed to an array of risk.
One such risk could be like crimeware (which is designed with the intent of collecting information of the end‐user to steal credentials) or malware is downloaded and installed on the local system without user’s consent. Once installed, it may allow scammers to compromise other network systems, steal sensitive information, create backdoors inside the corporate networks etc. Another significant risk is where the website attempts to sway the recipient to reveal personal information or credentials of online corporate applications. This kind of mails is often pictured as coming from trusted source like HR or IT department, outsourcing partners etc. and makes usage of legitimate layout, graphics, links and content etc. to look like original website.
Most times, it is very difficult to determine the source of the phishing attacks because a well orchestrated phishing attack understands the weak links in People, Process and Technology inside an organization in order to carry out successful attack. Most worrying, there are no quick, witching tools which can help you mitigate phishing risks overnight. Then how would you address the Phishing Risk?
Organizations can adapt the Deming Cycle [Plan-Do-Check-Act] to best counter phishing attacks and it would improvise over period of a time. Steps to follow -
- Understand the current level of preparedness of employees and define a strategy to address this gap [Plan]
- Implement policies, procedures and incident response plan to guide employees on “How to identify phish websites“ and “What to do” when Phishing attacks actually occur [Do]
- Conduct drills periodically to check readiness of the employees on phishing attacks and determine who are vulnerable [Check]
- Provide awareness training to vulnerable users and also regularly update employees on new threats and techniques used by Phishers by possible means of communication [Act]
In summary the message is very clear; the key to protect oneself is continuous education and awareness. Organizations should start working towards employee education for its better cure
Is your organization ready to fight against Phishing Risks?