What should information security professionals be doing to ensure their organisations are protected from phishing scams aimed at private enterprise?
John Walker, ISACA member, chief technology officer of Secure-Bastion
Experience tells us that the computing world has excelled at the art of untimely acceptance of new vectors of risk. This was the case with computer viruses, and Trojans (where later, some anti-virus suppliers actually removed Trojans from their applications, as they did not meet the purist definition of a virus). Then there was the continued acceptance of spam, which was considered only a nuisance in its early days. Of course, the one fact that may be relied on is, once such risks are identified, the machines of some security supplier and their experts will kick in, albeit after the wave has arrived at the beach.
The same level of early risk acceptance applies to phishing. In its early incarnations, this new, quirky and imaginative threat was somewhat tolerated, notwithstanding it demonstrated all the attributes of crimeware - it was going where the money was, and targeting the susceptibility of the end-user, no matter who he or she may be.
By 2010, so successful have phishing attacks become, they now represent a popular tool in the kit-bag of the cyber-criminal, and are in regular and daily use. The real question this poses is just how does an organisation defend its perimeters and users, and above all, protect its assets? Although no single silver bullet solution exists, one may consider four interlinked steps.
Step 1: Notwithstanding they do not represent all encompassing protection, ensure that anti-virus, anti-spyware, and any anti-malware applications are maintained up-to-date - ensuring that at least two different supplier technologies are in operation.
Step 2: Ensure that applications and operating systems are up-to-date, and fully patched.
Step 3: Consider subscribing to cyber-intelligence services which may be used to identify on-line threats, misrepresentations, or online fraud's targeting brand(s) - one example supplier is Cyveillance.
Step 4: As phishing attacks are predominantly targeting end-users, drive to the heart of the problem by investing in a security education and awareness programme to raise the profile of risk - including your clients.
It is not rocket science, but more a case of delivering joined up multi-layered pragmatic security.
Peter Wenham, committee member of the BCS Security Forum strategic panel and director of information security consultancy Trusted Management
Tackling e-mail-based scams and spam starts with reducing the volume of spam by filtering and is completed by the educating the users from the top of an organisation right down to the most junior levels to recognise spam and scams and to delete. Why? Because it is not possible to screen out 100% of these message types using specialist appliances, add-in applications to e-mail servers or external services. In the end a human will have to read the messages that get through the electronic screening. An appliance, e-mail server add-in or external service should reduce spam levels by about 95% (this will vary supplier to supplier and from time to time).
Using an appliance or add-in is not a "fit and forget" exercise; maintenance is required, from manual over-sight of the spam queues to maintenance of its parameters settings. For example, if you get a lot of spam a Bayesian-based filter can "learn" that you like spam based on the volume received and if the parameter settings are too sensitive, then there is a risk of an unacceptably high "false positive" rate (legitimate messages being tagged as spam) that could be business impacting. If you have opted to use an external service, then that too will need managing and maintaining. Education is not a "one shot" deal either; you will need to organise regular campaigns to maintain user awareness.
Until the "industry" gets its joint act together and decides on common ways for e-mail to be initiated and managed through the various internet networks (governance perhaps?) then we will all have to put in place mechanisms to handle the large volumes of spam.
Raj Samani, ISSA UK
Phishing works. If it were unsuccessful then we would not be bombarded with e-mails from former dictators requiring our assistance in exchange for the GDP of a small country. Although the impact of a successful phishing scam may appear to only impact employees (providing their bank details), the cost to their employer is also often high.
The Anti-Phishing Working Group activity trends report for Q4 2009 has identified a growing trend of phishing attempts targeting individuals within organisations with financial authority. These trends are supported by high-profile losses, most recently within the carbon market through the theft of an estimated 250,000 permits worth more than three million euros.
E-mails were sent to thousands of firms around the globe, with seven German organisations reportedly falling victim to the scam. They handed over registration details that allowed the thieves to steal their emissions permits.
Technical controls do exist that can reduce the number of phishing e-mails. Such controls may alert users to fraudulent websites, or advanced spam filters to actually try to stop mails entering the corporate perimeter. Many technical systems are very successful at blocking large quantities of fraudulent e-mail. The application of defensive controls is not only recommended, but should be the foundation for any IT strategy for any organisation receiving e-mail. However, in an age where organisations cannot use white lists (as it may block legitimate mail) there will always be an element of trust in the judgement of users.
With a growing trend in whale phishing (targeting high-net-worth individuals, or those with financial authority), additional security awareness should be provided to those in such positions. If fraudsters are taking the time to research their potential victims, then additional measures should be taken to ensure that targeted staff are fully aware of the threat; after all, the next attack may come in the post or via the telephone.
Avivah Litan, vice-president and distinguished analyst at Gartner
Protecting an organisation from the damage incurred by phishing and malware scams requires a layered security approach. Unfortunately, there is no single silver bullet to protect an organisation from the damage these attacks can wreak. Still, an organisation that layers several protective security applications together can mitigate the harmful effects from these attacks and keep damage to a minimum. Gartner advises that organisations take the following three steps:
1. Be proactive
Take a proactive approach and engage in external threat monitoring against your brand, assets, and intellectual property. This monitoring, performed by companies such as Cyveillance and Mark Monitor, proactively seeks out threats against an organisation that can be discovered across the public and hidden internet, such as targeted phishing or malware attacks, so that they can be taken down and demolished before they succeed.
2. Go for layers
Employ a layered security approach around your company's assets and accounts. Organisations should start with relatively strong user authentication that requires more than a user ID and password to gain access to accounts. Second, use fraud detection and monitoring for sensitive applications that compares user and account activity to continually updated profiles of what constitutes "normal behaviour", using predictive fraud scoring models. Finally, employ out-of-band transaction verification that asks a user to validate a "high risk" transaction using a communication channel, for example, a phone call or SMS, that is different from the channel the user is using to communicate the transaction request, such as a PC or web page.
3. Monitor users
Implement user monitoring systems that check privileged user access, such as those of database or network administrators, to ascertain any suspect activity, and that monitors data movements across and outside the organisation to guard against sensitive data leakage.
Ollie Ross, research analyst, Corporate IT Forum
Online scams aimed at senior executives or specific functions within the business are potentially very damaging. Surveying The Corporate IT Forum's Information Security Service members over the last few years has highlighted this issue, bringing specific instances to the fore, and telling us that such attacks are becoming increasingly sophisticated and targeted at enterprises.
When we put your question to the membership, the response was, "Awareness is key to reducing the likelihood of this threat." And it is not simply a matter of including guidance or instruction in your IT usage and security policies. It is about taking practical steps to ensure staff - particularly senior staff - really do understand the nature of the threat and know what to do about it.
Information security professionals point out that the danger must be communicated to people both at work and at home, because this delineation is becoming increasingly blurred because of the ubiquity of mobile devices and flexible working practices. They make this straightforward recommendation: take care not to "flood" staff with too many alerts, and use "near misses" to publicise the message in a personal way.
Confidential sharing of real-world examples reinforces awareness that falling victim to corporate scams can happen to "someone like me" and can also help you spot phishing trends across roles or industries.
Additionally, one organisation commissioned a specific penetration test to include a social engineering attack on senior managers. This was built in a "spearphishing" style, and included the ability to check whether people had actually clicked the link. Obviously no malicious payload was present, but this then enabled the security team to target their awareness-raising programme at those staff who were lulled into the clicking.
Ionut Ionescu, (ISC)2 Advisory Board Member, members' community co-ordinator for Germany, and managing director of Serinomics Ltd
Phishing scams are not new, just the latest technological means of perpetrating them are. As long as humanity has lived in social gatherings, some individuals tried to fool others into doing something they did not want to do, or something that was clearly to their disadvantage when they finally realised what was happening.
The advent of distance communication technologies (telephone, telegraph - remember that?, telex, fax, then e-mail and web) meant that the con artists could now insulate themselves physically from the victim, thus lowering their risks when attempting the con.
It is easier and safer to "sell" fake or substandard goods, or to trick people out of their cash, by sending thousands of e-mails or setting up a malicious website in a territory with very lax laws than it was to walk from village to village in the Middle Ages.
So, speed, geographical reach and perpetrator mobility have increased, whilst risk and resources needed to mount such an attack have decreased. Are we surprised? really, we should not be.
It is all down to human nature. The latest scams attacking the carbon market were inventive, but so were the ones targeting Madoff's victims offering the chance to retrieve some of their lost money.
Technology changes fast, our genetic code and learned behaviours not so.
As security professionals, we must concentrate not on technical measures, but on education, education, education. Security awareness programmes must be part of every organisation's life, in the same way that yearly fire safety training is mandated by the HSE. We can put some technologies in place to try to detect when such scams come into our company and when people may fall prey to them, but the best line of security defense has been and always will be educated users.
Phishing scams will evolve and we need to evolve with them. Technology is only a medium and that will change too (how about malicious links embedded in Kindle books?). But, if we educate the users, the management and society at large (school children are a good starting point), we should be better prepared for these things.
Let's stay informed and not be afraid.
This was first published in March 2010