This is the third part of an ongoing series on cyber risks that grew out of the past two courses I have taught at Scaling New Heights. Information about cyber crime, threats, and mitigation methods changes almost as fast as a person can keep up with it; however, some fundamental principles continue to apply no matter what new threats evolve. To discuss a few of these principles in this article I am going to begin with 'phishing', and then look at some of the variants of this most common threat.
Phishing is a serious problem because it gives cyber criminals a way to steal your corporate or personal finances, sensitive employee data, intellectual property, customer information and even patient information, along with other valuable content on your computer or network. Phishing attacks and their variants, including spear-phishing, whaling, smishing, and vishing, are having a devastating impact on individuals and businesses of all sizes.
Phishing, which is today the delivery mechanism of choice for malware and other cyber threats, must be addressed by every organization. Despite how prolific phishing and related cyber crime attempts have become, there is plenty that individuals and businesses can do to protect their data, employees, customers and themselves from cyber threats.
Among the many practices that can be employed to prevent or minimize the threats posed by today’s cyber criminals are: deploying systems that can detect and eliminate phishing (and related variant) attempts; inspecting and remediating security vulnerabilities in hardware and networks; using multiple backup methods and techniques, including off-site backups; and making use of threat intelligence.
In addition to the practices listed above, training and testing are two of the best ways to fight phishing and other devastating attacks that can slip through your hardware or network security. Today’s evolving and sophisticated attack methodologies are designed to put your personnel and business resources at risk for data loss, financial fraud, and embarrassing exposure.
Cyber security awareness training and testing are essential areas for improvement in protecting yourself and your organization against phishing (and variant) attacks. Proper training and testing are key to turning your employees from being vectors for attack into a layer of defense against cyber threats.
Cyber security awareness training and testing are so important because ‘humans’ are just that, ‘human.’ Cyber criminals understand ‘human vulnerability’ and they exploit it. Phishing attacks succeed because people generally are gullible and lack skepticism when it comes to things like ‘opening emails’, ‘accepting text messages’ or ‘listening to voicemails.’ As a result, cyber criminals have plenty of opportunities to fool the typical employee or home computer user.
Cyber threats are becoming more sophisticated than ever before, which means that almost anyone can be phished, and by more than just email. Cyber criminals are getting better at creating content that fools users and bypasses detection technologies. They make use of official logos, professional-looking messages, and personal details that make their phishing attempts seem so believable that an individual is convinced the message ‘is for real.’ The email recipient then simply opens the email, or clicks on a link or attachment, and the malware is delivered.
Not only are cyber criminals becoming more skilled at producing malware and phishing mechanisms, but such malware and mechanisms are becoming increasingly cheap to acquire. Fledgling cyber criminals no longer have to learn to write code or do their own dirty work; they can purchase a suitable set of ‘phishing’ templates, or ‘dirty-data sets’, along with task-specific malware for a few hundred dollars on the ‘Dark Web.’ In no time at all a cyber criminal ‘wannabe’ is in business, distributing thousands of malware attacks against any willing takers. You or your business could very well be the criminal’s next victim.
But standard email phishing attacks, however sophisticated, are not the only threat that computer users should be aware of. As a computer user and business owner, you and your personnel need to be trained on phishing variants like spear-phishing and whaling, as well as threats like smishing (SMS/text), vishing (voicemail) and even threats carried on unknown physical media.
Business personnel especially need to be trained to recognize unfamiliar text messages that could carry smishing threats. But that’s not all: did you realize that your telephone system’s voicemail may pose a threat as well? Your employees receive numerous phone calls daily, and just one of them could result in a voicemail-based vishing attack. Can your personnel recognize voicemail phishing threats?
When was the last time you picked up a USB drive or SD card and plugged it in, wondering what was on it? It is an all too common occurrence, and one that can let an intruder into your computer or network. How long has it been since you tested your personnel to find out who among them is willing to plug found physical media into your hardware and network?
Your training and testing must actually begin with ensuring that you have the proper policies in place at work. You need detailed policies for the various types of threats, describing how your personnel are to deal not only with potential threats but with threat prevention. You should clearly define acceptable ‘information technology practices’ and unacceptable behaviors, and then you must enforce those policies to show that you take cyber risks seriously. What good does it do to have a policy of ‘no password sharing’ if you turn around and give your assistant or secretary the password to access your computer?
Among these IT practices should be:
- Password security protocols
- Back-channel communication protocols
- Cyber-security testing protocols
- Risk-reduction protocols
- Hardware protection protocols
- Data-security protocols
As we continue this series we will look in greater depth at these protocols and others.