Mitigate phishing attacks in the cloud: A how-to

As Indian enterprises increasingly move to the cloud, phishing attempts are following them there. Here are some ways to mitigate the risk of phishing in the cloud.

The black art of phishing has kept pace with the times and followed enterprises to the cloud. While phishing attacks on consumers are usually carried out for direct financial gain, phishing in the cloud is aimed at organizations and typically takes a long-term, intelligence-gathering approach. According to a Symantec study released in May 2012, phishing attacks against Indian brands rose 187% during the first few months of 2012.

Phishing continues to be one of the top attack vectors for infiltrating enterprises today. While the underlying technique has essentially stayed the same, tactics and motivations vary. Phishing attacks have been cited as the starting point of compromises at high-profile organizations such as RSA, Salesforce, Dropbox and Cloudflare. In a recent incident in the United States, the South Carolina Department of Revenue's systems were breached using several legitimate account credentials, exposing millions of records.

Phishing attacks in the cloud

In a traditional setup with internally hosted applications, employees accessed IT resources and enterprise applications from inside the network or via VPN, within the organization's perimeter. With cloud services, the same applications can be reached from anywhere, so a single phished credential is enough to turn a phishing attack into a successful compromise.

Phishing is most relevant when the application in question is exposed to the Internet, as public cloud apps typically are. Although privately hosted apps usually have the added protection of a VPN, they are still susceptible to a determined phishing attack. Knowing the URL of the cloud service, an attacker can clone its login page, target employees with it and use the harvested credentials to get inside the organization's perimeter.

Generic phishing attacks are analogous to an email marketing campaign, for which highly segmented email address lists are sold commercially. Built mainly for sales and marketing, these lists can just as easily be misused for phishing. Spear phishing is far more selective and involves a good deal of research, using highly targeted content relevant to the specific group being attacked.

Phishing attacks can result in sensitive data landing in the hands of a competitor, with devastating consequences for the business. Cloud services that rely on a password alone for authentication are especially exposed. Here are some processes and controls you can put in place to guard against phishing attacks in the cloud.

Process controls

  1. Training: Employee training is, of course, the first line of defense against phishing attacks. With phishing now casting a wider net, awareness is the starting point for any anti-phishing initiative. Training needs to cover all stakeholders and should be extended beyond employees to include customers and vendors as well.

    Not being part of the typical training curriculum, vendors might not be aware of the company's IT policies. As part of the ecosystem, even independent vendors need to be educated about the dangers of phishing attacks. While corporate employees may be protected by anti-phishing measures already in place, vendors associated with an organization usually do not get the same benefit from the corporate IT security policies. This needs to be addressed creatively, rather than by simply handing over a policy document, to ensure the vendors actually engage with it.
  2. Identify risks: Once the organization moves to the cloud, the phishing risks specific to the cloud need to be factored in. Many organizations, understandably, do not yet have the processes or technology in place to do this. Taking the time to plan for these gaps, and including them in the risk assessment before the move, helps an organization select controls that match its level of risk.
  3. Mock exercises: Simulated phishing campaigns can be run to assess employee behavior. The results show the current level of awareness and help settle which processes need to be put in place. They also help determine which technology is the right counter to the phishing threats the organization actually faces.

Technological controls

  1. Two-factor authentication (2FA): This is one of the best ways to combat the risk arising from phishing attacks. Even if a user's password is phished, an ever-changing second factor means that the password alone does not get the attacker into the enterprise IT infrastructure. Cloud services typically do not provide two-factor authentication, barring a few exceptions. However, there are options to plug in third-party authentication: most offerings support SAML-based federated sign-on, so the login, including the second factor, can be handled by an identity provider the enterprise controls.

    Password-based authentication on its own simply does not hold up in a phishing scenario, and neither does a strong password policy with frequent rotation: a phished password is valid the moment it is typed, however complex it is. The onus thus falls on the enterprise to ensure that the infrastructure and controls to implement 2FA are put in place.

    Moreover, while it may be possible to monitor and filter mail to corporate email accounts, this is not possible when employees' personal email addresses are targeted. Given such multiple entry points, 2FA is an effective counter-measure. Cloud storage provider Dropbox recently decided to implement 2FA to mitigate the risk from phishing attacks.
  2. Spam filtering: Traditionally, spam was considered an inconvenience that affected productivity. Today, however, it is a clear and present danger that causes real harm to the company. Most organizations now have spam filters that typically catch around 95% of all spam, and these work well even in the cloud. However, this is an area that should be earmarked for future upgrades and investment to deal with targeted spear-phishing attacks, which are crafted to get past bulk spam scoring. Spammers and phishers are constantly upgrading their tools and sending out increasingly sophisticated emails to evade these filters, and enterprises need to keep up with this trend.

About the author: Rakesh Thatha is the CTO and co-founder of ArrayShield Technologies. He leads the company's solution consulting and technology development. Thatha was also part of the core team that carried out the network design phase of the Government of India's National Knowledge Network (NKN) project. He has an MS (by research) from the Indian Institute of Technology (IIT), Madras.
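As an added illustration of the kind of targeted check a filter needs for spear phishing, beyond bulk spam scoring (this is example code, not the author's and not a product): it parses a message, notes which of the organization's cloud services the message talks about, and then classifies the sender domain and every link host as genuine, a lookalike of that service, or unrelated. The allowlist of legitimate service domains, the homoglyph table and the sample message are all constructed for the example.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allowlist: for each service the organisation uses, the registrable
# domains it legitimately signs users in from. Assumed values, not a real inventory.
TRUSTED = {
    "dropbox": {"dropbox.com"},
    "salesforce": {"salesforce.com", "force.com"},
    "cloudflare": {"cloudflare.com"},
}

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)
# Common look-alike substitutions seen in typo-squatted names (constructed, not exhaustive).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def registrable(host: str) -> str:
    """Last two labels of the host. No public-suffix list here, so this is only right
    for .com-style names; a production filter would use one."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(label: str) -> str:
    for look, real in HOMOGLYPHS.items():
        label = label.replace(look, real)
    return label


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str, brands: set) -> str:
    """'ok' when the host is under a trusted domain of a mentioned service, 'lookalike'
    when it imitates one (brand name elsewhere in the host, or a near-miss spelling),
    'offbrand' when unrelated, 'unchecked' when the message mentions no known service."""
    if not brands:
        return "unchecked"
    host = host.lower()
    reg = registrable(host)
    if any(reg in TRUSTED[b] for b in brands):
        return "ok"
    label = normalize(reg.split(".")[0])
    for b in brands:
        if b in host or levenshtein(label, b) <= 1:
            return "lookalike"
    return "offbrand"


def scan_message(raw: str) -> dict:
    msg = message_from_string(raw, policy=default)
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    text = f"{msg['Subject'] or ''} {body}".lower()
    brands = {b for b in TRUSTED if b in text}
    sender_host = parseaddr(msg["From"] or "")[1].rpartition("@")[2]
    links = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        links.append((url, host, classify_host(host, brands)))
    return {"brands": brands,
            "sender": (sender_host, classify_host(sender_host, brands)),
            "links": links}


# Constructed sample: a lure that name-drops a real service, with one genuine link
# and two impostors (brand as a subdomain of an unrelated domain; digit-for-letter swap).
SAMPLE = """\
From: "Dropbox Team" <no-reply@dropb0x.com>
To: employee@example.com
Subject: Action required: verify your Dropbox account
Content-Type: text/plain; charset="utf-8"

Your Dropbox storage is almost full.
Sign in at https://www.dropbox.com/login to manage your files,
or verify your account here: https://dropbox.com.account-verify.example/verify
Alternative link: https://dropb0x.com/login
"""

if __name__ == "__main__":
    result = scan_message(SAMPLE)
    print("services mentioned:", result["brands"])
    print("sender:", result["sender"])
    for url, host, verdict in result["links"]:
        print(f"{verdict:10} {host:40} {url}")
```

The point of scoping the check to services the message actually mentions is precision: a link to an unknown domain is ordinary in most mail, but a message that talks about Dropbox and sends the reader to a host that only looks like Dropbox is exactly the pattern a bulk spam score misses.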

As told to Varun Haran

