Saturday, March 27, 2010

we45's Newsletter 'The Fortitude' released today

'The Fortitude' is we45's maiden Information Security Newsletter. Our aim is to bring the latest news, views and information from the world of Information Security. This month's articles focus on the following:

Website Security - Organizational Identity Attacks: This article focuses on some of the newer threats affecting an organization's online identity, its website. It has been authored by Rahul Raghavan and the we45 Consulting Group and provides real-life examples from the world of website security.

Information Technology Act 2000 - An Evolution: Is the IT Act 2000 enough for a dynamic and ever-changing Information Security landscape? Sumana Naganand, Partner-Justlaw, explores some of the evolutionary trends of the Information Technology Act 2000 with reference to 'Phishing'.

Access Control Flaws - Chinks in the Web Application Armour: we45's CTO, Abhay Bhargav delves into some of the serious flaws in access control logic that can cause your company to lose reputation and revenue.

Download it here!


Hope you enjoy it.

Wednesday, March 17, 2010

Targeted Phishing - for the Big Fish

Another article on a similar topic prompted me to chronicle my own experiences with "Targeted Phishing". Targeted Phishing is a variant of phishing that is specifically directed at an organization and its employees. So, someone pretending to be a part of (or somehow connected to) your org would send you an email with news of an "Important Update" requiring you to log in to an application to perform the update. The rest, as they say, is history. While some would scoff at the notion that employees of an organization would fall for this sort of thing, I would like to tell you that my experience with some organizations (some of whom are our clients) is otherwise. Let us explore the why and how and, more importantly, some of the sticky situations that can transpire as a result of Targeted Phishing:

The Situation: More organizations are taking to SaaS apps and apps in the proverbial Cloud. While this is great for cost savings and ROI, it is also great for an individual intent on harvesting your organization's most sensitive information, leveraging the lack of awareness your people have about phishing in general.

Imagine someone inside your organization setting up a dummy application, copying the HTML of the login page from Google Apps, Salesforce.com or several others, and interfacing it to a database that he/she controls. Worse, imagine someone on the outside setting up a similar application and sending emails to your employees requesting them to log in to this application with their usernames and passwords. An even worse situation would be if this were set up to target an internal application that your organization hosts, one that may carry customer data or other sensitive information.

What is the aftermath? Mostly, nothing. It is quite likely that this sort of attack would never be detected (even if you have a security team; sometimes - personal experience with one of our clients). This attack would never be published on the Internet as an attack (because it is targeted at YOUR organization). There will be no advisories or newspaper articles (a la the Income Tax phishing email). This attack, most likely, will never be discovered unless someone really looks at every form he/she is submitting and at a lot of other details like SSL, etc. Most people want to believe things, and they would forget about this "Update" as soon as they "sign in" to the dummy app. So, a CRM application may be harvested by an attacker for months.

What is the Solution?
I am sure all of your first reactions would be "No more SaaS and no more Cloud", but I urge you to abandon this abstinent approach and focus on some of the constructive solutions.

Education: My first one would be to educate users on such attacks. Some of our clients engage us to conduct Targeted Phishing attacks against their organizations and prove this point beyond doubt (because most of them fall for it), forcing their employees to take the Security Awareness training really seriously. In my opinion, the Awareness trainings that happen today lack solid material, live examples and case studies. Ensure that your awareness training has solid material, or get an outside agency to perform awareness training to drive this point home to your employees.

Monitoring: Monitoring is rarely taken seriously. People are the only defense (or vulnerability) in the case of Social Engineering attacks like Phishing. Regular monitoring in the form of security surveys and questionnaires would provide the organization with some information on user security awareness and responses. Supplementing this with pattern-matching on emails flowing into the organization might also be a good way to keep this sort of attack at bay.
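To make the email pattern-matching idea concrete, here is an added example (not code from the original post, and not a we45 tool) of a small inbound-mail triage script. It assumes a constructed list of the SaaS and internal domains the organization legitimately uses, a constructed set of "log in to apply this update" lure phrases, and two constructed sample messages; it flags senders and link hosts outside the approved set, lookalike hosts that borrow an approved brand name, anchor text that displays one URL while pointing at another, and lure wording combined with a link.

```python
"""Triage of inbound mail for targeted-phishing lures.

Added example, not code from the original post. The approved domain list,
the lure phrases and the two sample messages below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed: domains of the SaaS and internal apps this organization really uses.
APPROVED_DOMAINS = {"google.com", "salesforce.com", "example-corp.com"}

# Constructed: wording typical of "log in to apply this important update" lures.
LURE_PHRASES = ("important update", "verify your account", "sign in to", "login to")

ANCHOR_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s<>"\']+', re.I)


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_approved(host):
    """True if host is an approved domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in APPROVED_DOMAINS)


def imitates(host):
    """Approved domain whose brand label appears inside an unapproved host, else None."""
    if not host or is_approved(host):
        return None
    for d in APPROVED_DOMAINS:
        if d.split(".")[0] in host:
            return d
    return None


def analyse(raw_message):
    """Return sender domain, a list of findings and a verdict for one RFC 822 message."""
    msg = message_from_string(raw_message)
    body = msg.get_payload() if not msg.is_multipart() else ""
    findings = []

    # 1. Sender domain outside the approved set, noting lookalikes.
    sender_host = parseaddr(msg.get("From", ""))[1].split("@")[-1].lower()
    if not is_approved(sender_host):
        note = imitates(sender_host)
        findings.append(f"sender domain {sender_host} not approved"
                        + (f" (resembles {note})" if note else ""))

    # 2. Anchor text that displays one URL while the href targets another host.
    for href, text in ANCHOR_RE.findall(body):
        shown = URL_RE.search(text)
        if shown and host_of(shown.group()) != host_of(href):
            findings.append(f"link text shows {host_of(shown.group())} "
                            f"but targets {host_of(href)}")

    # 3. Any link whose host is outside the approved set, noting lookalikes.
    for url in URL_RE.findall(body):
        host = host_of(url)
        if not is_approved(host):
            note = imitates(host)
            findings.append(f"unapproved link host {host}"
                            + (f" (resembles {note})" if note else ""))

    # 4. Lure wording combined with any link at all.
    if any(p in body.lower() for p in LURE_PHRASES) and URL_RE.search(body):
        findings.append("login-lure wording together with a link")

    verdict = "suspicious" if len(findings) >= 2 else "ok"
    return {"sender": sender_host, "findings": findings, "verdict": verdict}


# Constructed sample: a lure that clones a SaaS login and hides its real host.
PHISH_SAMPLE = """From: IT Support <it-support@example-corp-helpdesk.net>
To: staff@example-corp.com
Subject: Important Update - action required
Content-Type: text/html

<p>An important update to our CRM requires you to sign in to confirm your account:</p>
<a href="http://salesforce-login.verify-update.net/login">https://login.salesforce.com</a>
"""

# Constructed sample: a legitimate notification from an approved SaaS domain.
LEGIT_SAMPLE = """From: Salesforce <noreply@salesforce.com>
To: staff@example-corp.com
Subject: Your weekly report is ready
Content-Type: text/html

<p>Your weekly dashboard is at <a href="https://example-corp.my.salesforce.com/reports">Reports</a>.</p>
"""

if __name__ == "__main__":
    for sample in (PHISH_SAMPLE, LEGIT_SAMPLE):
        print(analyse(sample))
```

The rules are deliberately cheap string checks so they can run on a mail gateway over every inbound message; the approved-domain list is the organization's own inventory of sanctioned SaaS and internal applications, which is also the list awareness training should teach users to recognise.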

Disclaimer

The views presented in this blog are entirely mine and are not those of my company.

© Abhay Bhargav 2010