Wednesday, March 17, 2010

Targeted Phishing - for the Big Fish

Another article on a similar topic prompted me to chronicle my own experiences with "Targeted Phishing". Targeted Phishing is a variant of phishing that is specifically directed at an organization and its employees. So, someone pretending to be a part of your organization (or somehow connected to it) would send you an email with news of an "Important Update" requiring you to log in to an application to perform the update. The rest, as they say, is history. While some would scoff at the notion that employees of an organization would fall for this sort of thing, I would like to tell you that my experience with some organizations (some of whom are our clients) is otherwise. Let us explore the why and how, and more importantly some of the sticky situations that can transpire as a result of Targeted Phishing:

The Situation: More organizations are taking to SaaS apps and apps in the proverbial Cloud. While this is great for cost savings and ROI, it is also great for an individual intent on harvesting your organization's most sensitive information, leveraging the lack of awareness your people have about phishing in general.

Imagine someone inside your organization setting up a dummy application, copying the HTML of the login page of Google Apps, Salesforce.com or several others, interfaced to a database that he/she controls. Worse, imagine someone on the outside setting up a similar application and sending emails to your employees requesting them to log in to this application with their usernames and passwords. An even worse situation would be if this were set up to target an internal application that your organization hosts, one that may carry customer data or other sensitive information.

What is the aftermath? Mostly, nothing. It is quite likely that this sort of attack would never be detected (sometimes even if you have a security team; personal experience with one of our clients). This attack would never be published on the Internet as an attack (because it is targeted at YOUR organization). There will be no advisories or newspaper articles (a la the Income Tax phishing email). This attack most likely will never be discovered unless someone really looks at every form he/she is submitting and at a lot of other details like SSL, etc. Most people want to believe things, and they would forget about this "Update" as soon as they "sign in" to the dummy app. So, a CRM application may be harvested by an attacker for months.

What is the Solution?
I am sure the first reaction of many of you would be "No more SaaS and no more Cloud", but I urge you to abandon this abstinent approach and focus on some constructive solutions.

Education: My first one would be to educate users on such attacks. Some of our clients engage us to conduct Targeted Phishing attacks against their organizations and prove this point beyond doubt (because most of them fall for it), forcing their employees to take the Security Awareness training really seriously. In my opinion, the awareness training sessions that happen today lack solid material, live examples and case studies. Ensure that your awareness training has solid material, or get an outside agency to perform awareness training, to drive this point home to your employees.

Monitoring: Monitoring is rarely taken seriously. People are the only defense (or vulnerability) in the case of Social Engineering attacks like Phishing. Regular monitoring in the form of security surveys and questionnaires would provide the organization with some information on user security awareness and responses. Supplementing this with pattern matching on the emails flowing into the organization might also be a good way to keep this sort of attack at bay.
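As an added example (not from the original post), here is the pattern-matching idea above as a small scoring heuristic for inbound mail in Python: it looks for the lure wording, for an external sender borrowing the organization's or a SaaS vendor's name, and for links whose host is neither the organization nor a sanctioned vendor. The organization domain `example.com`, the vendor allowlist, the review threshold of 3 and the two sample messages are assumptions constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"                                       # assumed: the organization's own domain
TRUSTED_DOMAINS = {ORG_DOMAIN, "google.com", "salesforce.com"}   # assumed: org plus sanctioned SaaS vendors
TRUSTED_NAMES = ("google", "salesforce", ORG_DOMAIN.split(".")[0])  # names a lure would borrow
LURE_PHRASES = ("important update", "sign in", "log in", "login", "verify your account")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def is_trusted_host(host: str) -> bool:
    """Exact or subdomain match against the allowlist; 'google.com.evil.net' does not match."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def score_message(raw: str) -> dict:
    """Score one single-part text email; 3 or more (assumed threshold) means quarantine and review."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    text = (msg.get("Subject", "") + "\n" + body).lower()
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1]
    score, reasons = 0, []
    # 1. The lure: wording that asks the reader to log in or apply an "update".
    if any(p in text for p in LURE_PHRASES):
        score += 1
        reasons.append("login/update lure wording")
    # 2. Impersonation: an external sender whose display name borrows the org's or a vendor's name.
    if not is_trusted_host(sender_domain) and any(n in display_name.lower() for n in TRUSTED_NAMES):
        score += 2
        reasons.append(f"external sender {sender_domain} using a trusted name")
    # 3. The dummy application: any link whose host is outside the org and the sanctioned vendors.
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if not is_trusted_host(host):
            score += 2
            reasons.append(f"link to untrusted host {host}")
    return {"score": score, "reasons": reasons}


# Constructed samples: a targeted lure pointing at a look-alike login page, and a legitimate vendor mail.
PHISH = ("From: Example IT Helpdesk <helpdesk@example-it-update.net>\n"
         "Subject: Important Update - action required\n\n"
         "Please login at http://salesforce.example-it-update.net/login to apply the update.\n")
LEGIT = ("From: Salesforce <noreply@salesforce.com>\n"
         "Subject: Your weekly report is ready\n\n"
         "Sign in at https://login.salesforce.com/ to view the report.\n")
```

`score_message(PHISH)` scores 5 with three reasons and crosses the review threshold, while `score_message(LEGIT)` scores only 1 for its "sign in" wording; in production the allowlist should come from the organization's sanctioned-application inventory rather than a hard-coded set.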


Disclaimer

The views presented in this blog are entirely mine and are not those of my company.

© Abhay Bhargav 2010