
Catching phish: How to avoid users getting hooked

Effective IT security boils down to user education. We find out how one company got on with testing its staff

Housing company Radian Group extended its e-learning material on IT security after a security audit that included penetration testing (pen testing) of both its systems and its staff.

Sound IT security policies are effective only if everyone follows them, so the company decided it needed to assess how well its employees adhered to its policies.

Radian has an extensive corporate wide area network (WAN), based on a BT IP/MPLS network with DSL/MPLS service at some sites, connecting its many locations.

It also has a services datacentre and an infrastructure based on a Citrix thin client model.

It employed pen tester MTI to test its security defences. “I kept everyone in the dark about the penetration testing. We really enjoyed it,” said Ian Butcher, head of IT operations at Radian Group.

In the test, MTI targeted 150 internal email addresses with three potential scams, released over three consecutive days. “MTI was also able to register a domain that looked very similar to ours,” said Butcher.

This meant email addresses and websites appeared genuine. “Unless you looked very carefully, you wouldn’t notice the difference,” he said.

Phishing scams can often be spotted because they tend to use poor English and have spelling mistakes. “But the MTI engineers wrote in a professional way, without bad punctuation,” said Butcher.

One of the fake websites created by MTI used Radian’s own logos. “Most people are smart enough to spot unsavvy phishing attacks,” said Butcher. “But when it’s more clever, and the scammers use our branding, that’s when users can really struggle.”

As well as targeting email accounts, MTI also tried to get into the building. “The assumption is that once you’re in the building, it’s a secure environment,” he said.

The right level of trust

Tim Leather, head of IT at Radian Group, said the exercise was valuable for staff both in their professional capacity and personally.

One of the lessons learnt was that the organisation needs a change in culture. “Trust is one of our core values, but you can take it too far. We need to define trust with people and systems we know and we must feel free to challenge things. It is the right thing to do,” said Leather.

Radian’s IT team was also targeted as part of the pen test. “We encourage staff not to be over-trusting,” he said. For example, Radian tells IT staff not to engage with unsolicited callers claiming to be from Microsoft.

“One of our colleagues engaged directly with the pen testers and became suspicious,” he said. “I advised her not to follow any of the instructions.”

Best practices in IT security

  • Never accept a call claiming to be from Microsoft.
  • Lock computer screens.
  • Check with IT before opening dodgy-looking emails.
  • Watch out for fake domain names, especially sites that look genuine but have slightly different URLs.
  • Be aware that attackers can target Google- and Facebook-based sign-in (social login) as a way into accounts.
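The lookalike-domain point in the list above can be checked mechanically. The following Python is an added example, not tooling from Radian or MTI: it takes a sender address or URL, normalises the host (Unicode folding, punycode labels, the usual character substitutions such as 1 for l and rn for m) and classifies it against the organisation's genuine domain. The genuine domain `example-housing.co.uk` and every sample address are constructed stand-ins, not Radian's real domain or addresses.

```python
"""Classify a sender address or URL against the organisation's genuine domain.

Added example, not tooling from Radian or MTI. LEGIT_DOMAIN and the
sample inputs at the bottom are constructed for illustration.
"""
import unicodedata
from urllib.parse import urlsplit

LEGIT_DOMAIN = "example-housing.co.uk"  # assumption: stand-in for the real domain

# Substitutions attackers use to imitate a name. Multi-character keys come
# first so that "rn" is folded to "m" before single characters are touched.
CONFUSABLES = {"vv": "w", "rn": "m", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalise(domain: str) -> str:
    """Lower-case, drop a trailing dot and strip Unicode decorations
    (accents, full-width forms) so that a decorated 'example' compares as 'example'."""
    d = domain.strip().lower().rstrip(".")
    d = unicodedata.normalize("NFKD", d)
    return "".join(ch for ch in d if not unicodedata.combining(ch))


def fold_confusables(domain: str) -> str:
    """Replace look-alike characters with the letters they imitate."""
    for fake, real in CONFUSABLES.items():
        domain = domain.replace(fake, real)
    return domain


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a value of 1 or 2 is the signature of a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_domain(value: str) -> str:
    """Pull the host out of either an email address or a URL."""
    value = value.strip()
    if "@" in value and "://" not in value:
        return normalise(value.rsplit("@", 1)[1])
    if "://" not in value:
        value = "http://" + value
    return normalise(urlsplit(value).hostname or "")


def classify(value: str, legit: str = LEGIT_DOMAIN) -> str:
    """Return 'exact', 'subdomain', 'lookalike' or 'unrelated'."""
    domain = extract_domain(value)
    legit = normalise(legit)
    if domain == legit:
        return "exact"
    if domain.endswith("." + legit):
        return "subdomain"
    if legit in domain:
        # Genuine name embedded in an attacker-controlled host,
        # e.g. example-housing.co.uk.account-verify.com
        return "lookalike"
    if any(label.startswith("xn--") for label in domain.split(".")):
        # Internationalised label: treat as a homoglyph attempt until reviewed.
        return "lookalike"
    if fold_confusables(domain) == fold_confusables(legit):
        return "lookalike"
    if levenshtein(domain, legit) <= 2:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample inputs; none of these are real addresses.
    samples = [
        "ian@example-housing.co.uk",
        "it@mail.example-housing.co.uk",
        "helpdesk@examp1e-housing.co.uk",
        "admin@exarnple-housing.co.uk",
        "https://example-housing.co.uk.account-verify.com/login",
        "noreply@github.com",
    ]
    for s in samples:
        print(f"{classify(s):10} {s}")
```

Anything classified as `lookalike` is a candidate for a mail-gateway quarantine rule or a warning banner rather than an automatic block: the edit-distance and confusable checks are deliberately loose, so a human should look at the first few hits before tightening the thresholds.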

One of the technologies MTI has installed at Radian is the CyberArk password safe. Under this system, service desk staff who need to perform administration duties request a secure connection, and the session is recorded. The admin password itself is never disclosed to them, said Leather.

The company has also deployed token authentication for logins and now completely blocks USB drives.

Alongside the employee pen testing, MTI recommended firewall upgrades, a Forcepoint platform for web and email filtering, and upgrades to a Trend Micro platform for endpoint protection and device encryption. That foundation was then extended with advanced endpoint security, including port control, application control and encryption across the network.

“We had a mixed bag of encryption tools and wanted a more cohesive approach,” said Butcher. “For instance, some IT guys at different sites would use different encryption methods. With MTI’s help, we introduced a more uniform approach by using trusted encryption across the network. At the same time, we also introduced new security features, such as the ability to disable USB devices when they are inserted into computer ports.”

Virtualisation security

To ensure Radian’s legacy servers were secure, the company turned to MTI and Trend Micro Deep Security for virtualisation security and server protection, with anti-malware and intrusion prevention delivered from a single integrated platform. The intrusion prevention layer is what makes virtual patching possible: a rule that blocks traffic exploiting a known vulnerability shields a server that cannot yet, or ever, take the vendor’s patch, although it does not remove the underlying flaw.

“We can now apply virtual patches when the need arises,” said Butcher. “We still have a few old servers, and ensuring these are well protected is, of course, important. Being able to fully protect these servers provides us with a level of comfort.”

Among the concerns going forward is that employees will expect to log in to websites through their Facebook or Google accounts, which could easily be targeted. This was recently demonstrated on Google, in what Butcher said was the first attack to exploit a third-party application programming interface (API) to get into people’s accounts.

The attack, in early May, used a phishing email inviting the recipient to open a shared document. The link led to a genuine Google sign-in and consent page for a third-party app that the attacker had registered under the name “Google Docs”; if the user clicked Allow, the attacker’s app was granted OAuth access to the victim’s email account and contacts, which it then used to send the same lure to everyone in the address book. No password was stolen and the consent page was real, which is what made the lure hard to spot.
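To make the consent-phishing mechanism concrete, here is an added Python example (not code from the article, Radian, MTI or Google) that inspects an OAuth authorisation URL of the kind such a lure points to and decides whether the request should be allowed, reviewed or blocked, based on the consent host, the client, the requested scopes and the redirect target. The client allowlist, the set of trusted consent hosts, the sample URLs and the scope strings are constructed or assumed for illustration; the Gmail and Contacts scope names are those the author believes Google uses, and an organisation should take the real ones from its identity provider's documentation.

```python
"""Assess an OAuth authorisation (consent) URL before a user is sent to it.

Added example, not code from the article, Radian, MTI or Google. The
allowlist, trusted-host set, scope strings and sample URLs are constructed
or assumed for illustration.
"""
from urllib.parse import urlsplit, parse_qs

# Assumption: consent endpoints the organisation trusts. A page imitating a
# consent screen on any other host is a fake, not a real authorisation request.
IDP_CONSENT_HOSTS = {"accounts.google.com"}

# Assumption: third-party apps the organisation has reviewed, keyed by
# client_id, with the scopes and redirect hosts agreed at review time.
APPROVED_CLIENTS = {
    "123456789012-approved.apps.googleusercontent.com": {
        "name": "Expenses tool",
        "scopes": {"openid", "email"},
        "redirect_hosts": {"expenses.example-housing.co.uk"},
    },
}

# Scopes that hand an app the mailbox or address book. Strings are as the
# author believes Google defines them; confirm against provider documentation.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
}


def parse_consent_url(url: str) -> dict:
    """Break an authorisation URL into the fields that matter for a decision."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    scopes = set()
    for value in query.get("scope", []):
        scopes.update(value.split())  # scopes are space-separated
    redirect = query.get("redirect_uri", [""])[0]
    return {
        "host": (parts.hostname or "").lower(),
        "client_id": query.get("client_id", [""])[0],
        "redirect_host": (urlsplit(redirect).hostname or "").lower(),
        "scopes": scopes,
    }


def assess(url: str) -> tuple:
    """Return ('allow' | 'review' | 'block', reason)."""
    req = parse_consent_url(url)
    if req["host"] not in IDP_CONSENT_HOSTS:
        return "block", f"consent page hosted on {req['host']!r}, not the identity provider"
    client = APPROVED_CLIENTS.get(req["client_id"])
    risky = req["scopes"] & HIGH_RISK_SCOPES
    if client is None:
        if risky:
            # The May lure: a genuine consent page for an unknown app
            # asking for full mail and contacts access.
            return "block", f"unapproved client asking for {sorted(risky)}"
        return "review", "unapproved client asking only for sign-in scopes"
    if req["redirect_host"] not in client["redirect_hosts"]:
        return "block", f"approved client but redirect to {req['redirect_host']!r}"
    extra = req["scopes"] - client["scopes"]
    if extra:
        return "review", f"approved client asking for unreviewed scopes {sorted(extra)}"
    return "allow", f"approved client {client['name']!r}"


# Constructed URLs. LURE_URL imitates the May attack: a real consent endpoint,
# an unknown client, and scopes covering the whole mailbox and contact list.
LURE_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=000000000000-lure.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fdocs-share.example%2Fcallback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fmail.google.com%2F+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
)
APPROVED_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=123456789012-approved.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fexpenses.example-housing.co.uk%2Foauth%2Fcallback"
    "&response_type=code&scope=openid+email"
)
FAKE_CONSENT_PAGE = (
    "https://accounts-google.docs-share.example/o/oauth2/auth"
    "?client_id=123456789012-approved.apps.googleusercontent.com&scope=openid"
)
TAMPERED_REDIRECT = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=123456789012-approved.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fdocs-share.example%2Fcallback"
    "&response_type=code&scope=openid+email"
)

if __name__ == "__main__":
    for name, url in [("lure", LURE_URL), ("approved", APPROVED_URL),
                      ("fake page", FAKE_CONSENT_PAGE), ("tampered", TAMPERED_REDIRECT)]:
        print(f"{name:10} -> {assess(url)}")
```

The same logic can be enforced centrally rather than per link: most identity providers let an administrator restrict which third-party apps users may grant access to, and the allowlist above is the data that such a control needs.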

In terms of best practices, Butcher said: “Always challenge people who don’t have a visible pass. People should lock their PC screens, and ensure bins don’t have confidential paperwork in them.”

Lessons from the MTI penetration testing exercise have now been incorporated into Radian’s e-learning material on IT security.
