Protection against spear phishing attacks should be top of organisations’ cyber security priority lists for 2017, according to Peter Wood, chief executive of security consultancy First Base Technologies.
This means a combination of security technologies and user awareness training to ensure employees are aware of the technique, know the tell-tale signs and can respond accordingly.
“Our investigations show that phishing, particularly spear phishing, is the most prevalent threat to organisations, and is a key component in just about every cyber attack,” he told Computer Weekly.
“Passwords are currently the single biggest vulnerability in most organisations’ IT networks, which is why credential theft is a common and popular attack technique.”
Phishing is typically used by attackers, and by penetration testers like Wood, to steal legitimate users’ credentials and gain access to IT systems in the target organisation without detection or restriction.
“Once an attacker has legitimate user credentials, few security technologies are able to prevent those credentials from being used to explore targeted networks, to install malware and to steal data,” he said.
There are some technologies available that are designed to detect and stop anomalous behaviour, but without this capability, stolen credentials effectively give attackers free rein.
“Stolen credentials also grant attackers access to external services such as virtual private networks (VPNs) and web mail access, and gaining access to these services can provide an attacker with full remote access into a network,” said Wood.
For this reason, it is important for organisations to ensure that everyone in the organisation is on the lookout for phishing emails to reduce the likelihood of being tricked into giving up their credentials.
In a recent penetration exercise, Wood’s team sent 3,066 phishing emails, and 2,398 recipients clicked the link to the fake website and entered their usernames and passwords.
“In that case, we had a 78% hit rate, which is consistent with findings that 60% or more tend to fall for well-designed spear phishing emails,” he said.
Wood recommends a continual cycle of education and testing to keep awareness levels high and reduce the likelihood of employees being tricked into giving up their credentials. “We typically find there is little or no staff education around phishing attacks,” he said.
In addition to stealing passwords, attackers are often able to guess passwords, or find a valid one by brute-force cracking, because of poor password practices.
“We often find that domain admin accounts are protected with a password that is simply ‘password’, or something similar, such as ‘password1’,” said Wood.
“As a result, an attacker can exploit this issue to gain privileged access to the domain and servers, which can be used to launch further, more damaging attacks.”
To eliminate these vulnerabilities, Wood recommends the use of passphrases, the implementation of password safes, and education around the risks and benefits.
He also recommends regular password audits to ensure staff are following password policies and best practice guidelines.
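The kind of check a password audit or change-time filter would apply to catch the weak patterns Wood describes (“password”, “password1” and similar variants) and to push users towards passphrases, as an added example that is not part of the article or of First Base Technologies’ tooling. The blocklist, thresholds and sample accounts are constructed for illustration.

```python
import re

# Constructed blocklist for illustration; a real deployment would use a much
# larger list of breached and commonly chosen passwords.
WEAK_BASE_WORDS = {"password", "welcome", "letmein", "admin", "qwerty"}

# Common character substitutions that do not add real strength.
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(candidate: str) -> str:
    """Reduce trivial variants ('Password1!', 'P@ssw0rd2017') to their base word."""
    s = candidate.lower()
    s = re.sub(r"[^a-z]+$", "", s)   # drop trailing digits/symbols such as '1', '2017!'
    s = re.sub(r"^[^a-z]+", "", s)   # drop leading digits/symbols
    return s.translate(_LEET)        # undo leet substitutions last, so digits above are gone


def check_password(candidate: str, min_len: int = 16, min_words: int = 3) -> list[str]:
    """Return the list of policy failures for a candidate; an empty list means it passes."""
    failures = []
    base = normalize(candidate)
    if base in WEAK_BASE_WORDS:
        failures.append(f"trivial variant of blocklisted word '{base}'")
    if len(candidate) < min_len:
        failures.append(f"shorter than {min_len} characters")
    words = [w for w in re.split(r"[\s\-_.]+", candidate) if w]
    if len(words) < min_words:
        failures.append(f"fewer than {min_words} words; use a passphrase")
    return failures


# Constructed sample of password-change requests (account name -> candidate); not real accounts.
SAMPLE_REQUESTS = {
    "svc-backup": "password1",
    "da-jsmith": "P@ssw0rd2017!",
    "hr-alee": "correct horse battery staple",
    "it-bkhan": "Welcome123",
}


def audit(requests: dict[str, str]) -> dict[str, list[str]]:
    """Map each failing account to its policy failures; accounts that pass are omitted."""
    return {acct: f for acct, pw in requests.items() if (f := check_password(pw))}


if __name__ == "__main__":
    for acct, problems in audit(SAMPLE_REQUESTS).items():
        print(f"{acct}: {'; '.join(problems)}")
```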