Phreedom Phrom Phishing
By Chris Reese
By one recent estimate, more than half of Internet users receive at least one phishing email every day.
What is phishing? Simply stated, it is an email, message, or phone call that poses as coming from a legitimate organization and is aimed at getting the recipient to hand over login credentials or financial information, or to install malicious software. "Spear phishing" is the term for a phishing attack tailored to a specific organization or individual.
Who would voluntarily hand login credentials to a complete stranger or install malware? According to research by Google, the most effective credential phishing pages fool almost half of the people who visit them, and about 20% of the stolen credentials are used to access the victim's account within 30 minutes of the successful phish.
Spear phishing is even more effective. In a survey of over 300 U.S. and U.K. organizations, 84% reported having been compromised by it at least once. Almost 40% of the breached organizations reported financial losses from the breach, averaging $1.8 million, and 18% suffered a drop in their stock price.
Most phishing scams contain links to spoofed web sites that look virtually identical to the legitimate site. Some go further: after the victim enters a username and password, the fake page redirects the browser to the real login page. The user assumes they fat-fingered the password, enters the credentials again on the legitimate site, and gets in as usual. The thief now has working credentials, and the user has no idea anything is wrong. The only trace is the first submission, which went to a host the organization does not own.
Other phishing scams entice users to install malicious software (malware). The malware is delivered either from a web site reached through a legitimate-looking link in the email or as a seemingly innocuous attachment.
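As a worked illustration of the spoofed-site pattern described above (added here; it is not code from the original article or from aPersona), the following Python script scans a constructed web-proxy log for the tell-tale sequence: a credential POST to a host that is not one of the organization's real login hosts, often a look-alike of the real domain, whose response redirects the browser to the real login page, followed shortly by the same user authenticating to the real site. The host names, brand token, log format, and time window are assumptions chosen for the example.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Hosts that legitimately receive this organization's credentials (assumed).
LEGIT_LOGIN_HOSTS = {"login.example.com", "sso.example.com"}
LEGIT_BRAND_TOKENS = {"example"}          # brand words attackers imitate (assumed)
LOGIN_PATH = re.compile(r"/(login|signin|auth)", re.IGNORECASE)
FOLLOW_UP_WINDOW = timedelta(minutes=5)   # "fat-fingered" re-login window (assumed)

# Constructed proxy log, not real traffic:
# time user method host path status redirect-target
SAMPLE_LOG = """\
2016-03-01T10:01:58Z alice GET  examp1e-login.net  /login  200 -
2016-03-01T10:02:11Z alice POST examp1e-login.net  /login  302 https://login.example.com/
2016-03-01T10:02:40Z alice POST login.example.com  /login  200 -
2016-03-01T10:05:00Z bob   POST login.example.com  /login  200 -
2016-03-01T10:07:13Z carol POST support.example.com.evil-cdn.net /signin 303 https://sso.example.com/
2016-03-01T10:09:00Z dave  POST mail.google.com    /signin 200 -
"""
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)\s+(\S+)\s+(\d{3})\s+(\S+)$")


def levenshtein(a, b):
    """Edit distance, used to catch typo-squats such as examp1e vs example."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Crude: last two labels. A real deployment would consult the public suffix list."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])


LEGIT_REGISTRABLE = {registrable_domain(h) for h in LEGIT_LOGIN_HOSTS}


def is_lookalike(host):
    """True if the host is not ours but one of its labels imitates our brand."""
    host = host.lower()
    if registrable_domain(host) in LEGIT_REGISTRABLE:
        return False
    for token in re.split(r"[.\-]", host):
        for brand in LEGIT_BRAND_TOKENS:
            if levenshtein(token, brand) <= 1:
                return True
    return False


def parse_log(text):
    """Parse the constructed log format into dicts; silently skips malformed lines."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, user, method, host, path, status, target = m.groups()
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "method": method, "host": host.lower(),
            "path": path, "status": int(status),
            "target": None if target == "-" else target,
        })
    return records


def detect_credential_harvest(records):
    """Flag credential POSTs to foreign hosts that look like a harvest-and-redirect."""
    alerts = []
    for i, r in enumerate(records):
        if r["method"] != "POST" or not LOGIN_PATH.search(r["path"]):
            continue
        if r["host"] in LEGIT_LOGIN_HOSTS:
            continue
        reasons = []
        if is_lookalike(r["host"]):
            reasons.append("lookalike host")
        target_host = urlparse(r["target"]).hostname if r["target"] else None
        if 300 <= r["status"] < 400 and target_host in LEGIT_LOGIN_HOSTS:
            reasons.append("credential POST redirected to real login page")
        if not reasons:
            continue
        # The "fat-fingered password" tell: same user logs in to the real site right after.
        for f in records[i + 1:]:
            if f["time"] - r["time"] > FOLLOW_UP_WINDOW:
                break
            if f["user"] == r["user"] and f["method"] == "POST" and f["host"] in LEGIT_LOGIN_HOSTS:
                secs = int((f["time"] - r["time"]).total_seconds())
                reasons.append("user re-authenticated to real site %d s later" % secs)
                break
        alerts.append({"user": r["user"], "host": r["host"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_credential_harvest(parse_log(SAMPLE_LOG)):
        print(a["user"], a["host"], "; ".join(a["reasons"]))
```

On the sample log the script raises two alerts: alice (typo-squat host, redirect to the real login page, re-login 29 seconds later) and carol (the real brand name buried in a subdomain of an attacker-controlled domain). Bob's and Dave's logins are not flagged because neither posted credentials to a host imitating the organization. The interesting operational point is that the alert carries the victim's username, so the response can be a forced password reset for that one account rather than a fleet-wide scramble.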
What can be done?
First and foremost, implement a structured, ongoing employee education and awareness program. It should teach employees about their responsibility for protecting the organization, explain the organization's standard help desk and email practices (so that a message that departs from them stands out), and show them how to spot and where to report anything suspicious. Coach them to err on the side of caution: a reported false alarm costs far less than an unreported phish.
Second, make sure all systems have the latest patches and that users cannot install arbitrary applications. This is easier said than done in the age of bring-your-own-device, but strategies such as virtual desktops and browser-based applications can keep corporate data off unmanaged machines. Network and host scanners should also be deployed to detect suspicious network traffic and unknown services or applications running on servers and workstations.
Third, implement email and attachment screening and keep it up to date. There are many software packages, services, and appliances to choose from; make sure the one you pick can handle the organization's mail volume.
Finally, close the front door. Make stolen credentials useless by requiring adaptive multi-factor authentication (AMFA) for every user account. Amazing as it sounds, according to the latest Verizon Data Breach Investigations Report, roughly two-thirds of breaches involved weak or stolen credentials. Most organizations have resisted two-factor authentication because of the inconvenience to users and the added support burden on IT. Until recently, authentication software intelligent enough to stay out of the way during normal logins and step in only when a login looks risky has been too expensive to roll out across an organization's employees and customers. The Adaptive Security Manager from aPersona takes that argument off the table.
The Adaptive Security Manager is designed to run in your own datacenter. Bluemix developers can simply bind the service to their application and complete a few integration steps. We have tried to remove every excuse for leaving your applications unprotected.
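To make "engage only when necessary" concrete, here is an added illustration of an adaptive-authentication policy in Python. It is not aPersona's code and does not describe how the Adaptive Security Manager scores risk; the signals (known device, corporate network, impossible travel, recent failures), weights, and thresholds are assumptions chosen for the example. The policy runs after the password has already been accepted: a login that looks like the user's normal pattern is allowed through with no extra friction, an unfamiliar device or location triggers a second factor, and a clearly impossible login is refused outright. A phished password used from the attacker's machine lands in the second or third bucket, which is exactly what makes the stolen credential useless.

```python
import ipaddress
import math
from datetime import datetime

# Constructed per-user state (assumed data model for the example).
KNOWN_DEVICES = {"alice": {"dev-laptop-1"}}
LAST_LOGIN = {"alice": (datetime(2016, 3, 1, 9, 0), 35.78, -78.64)}  # time, lat, lon (Raleigh, NC)
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]

# Risk weights and decision thresholds (assumptions chosen for the example).
W_UNKNOWN_DEVICE, W_OFF_NET, W_IMPOSSIBLE_TRAVEL, W_PER_FAILURE = 40, 15, 50, 10
STEP_UP_AT, DENY_AT = 30, 70
MAX_PLAUSIBLE_KMH = 900  # faster than an airliner between two logins is impossible travel


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on the Earth's surface."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def evaluate_login(user, device_id, src_ip, lat, lon, now, recent_failures=0):
    """Score a login whose password check already passed.

    Returns (decision, score, reasons) where decision is "allow", "step_up"
    (require a second factor) or "deny".
    """
    score, reasons = 0, []

    if device_id not in KNOWN_DEVICES.get(user, set()):
        score += W_UNKNOWN_DEVICE
        reasons.append("unknown device")

    ip = ipaddress.ip_address(src_ip)
    if not any(ip in net for net in CORPORATE_NETS):
        score += W_OFF_NET
        reasons.append("off corporate network")

    if user in LAST_LOGIN:
        last_time, last_lat, last_lon = LAST_LOGIN[user]
        hours = (now - last_time).total_seconds() / 3600.0
        km = haversine_km(last_lat, last_lon, lat, lon)
        if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
            score += W_IMPOSSIBLE_TRAVEL
            reasons.append("impossible travel: %.0f km in %.1f h" % (km, hours))

    if recent_failures:
        score += min(recent_failures * W_PER_FAILURE, 30)  # cap so lockout is not trivial
        reasons.append("%d recent failed attempts" % recent_failures)

    if score >= DENY_AT:
        decision = "deny"
    elif score >= STEP_UP_AT:
        decision = "step_up"
    else:
        decision = "allow"
    return decision, score, reasons


def record_successful_mfa(user, device_id, lat, lon, now):
    """After a step-up succeeds, remember the device so the next login from it is frictionless."""
    KNOWN_DEVICES.setdefault(user, set()).add(device_id)
    LAST_LOGIN[user] = (now, lat, lon)


if __name__ == "__main__":
    now = datetime(2016, 3, 1, 10, 0)
    print(evaluate_login("alice", "dev-laptop-1", "10.1.2.3", 35.78, -78.64, now))
    print(evaluate_login("alice", "dev-tablet-9", "203.0.113.5", 35.78, -78.64, now))
    print(evaluate_login("alice", "dev-tablet-9", "198.51.100.7", 50.45, 30.52,
                         datetime(2016, 3, 1, 10, 30)))
```

The frictionless case is the important one for adoption: alice on her usual laptop, or even her usual laptop from a coffee shop, never sees a prompt. The same password presented from a device the system has never seen is stepped up, and a login that would require her to have crossed an ocean since her last session is denied even before a second factor is offered. Weights and thresholds are something to tune against real login history; the structure (score the context, decide per login, learn the device after a successful step-up) is the part that carries over.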
Phishing is a serious problem for organizations of all sizes. With the proliferation of broadband and cloud services, cyber criminals in every corner of the globe now have virtually limitless resources at their fingertips. The good news is that there are concrete things that can be done to protect your organization, and those solutions are now financially within reach of even the smallest companies.