BRING SPEAR PHISHING PROTECTION TO THE MASSES

Similar documents
ADDRESSING TODAY S VULNERABILITIES

SUPPLEMENTARY DEFENSES FOR ENDPOINT SECURITY

E-Guide CLOUDS ARE MORE SECURE THAN TRADITIONAL IT SYSTEMS -- AND HERE S WHY

MANAGING ENDPOINTS WITH DEFENSE- IN-DEPTH

AUTHENTICATION AND AUTHORIZATION: TWO SECURITY ESSENTIALS THAT WORK TOGETHER

NETWORK-BASED CONTROLS: SECURING THE INTERNET OF THINGS

PREVENTING PRIVILEGE CREEP

SSL Certificate Management: Common Mistakes and How to Avoid Them

AS ATTACKERS TARGET APPLICATION CODING ERRORS, ARE STATIC ANALYSIS TOOLS THE ANSWER?

ADOPTING FIDO SearchSecurity

Desktop Virtualization: What Windows Managers Should Know

Identify and Eliminate Oracle Database Bottlenecks

SECURITY MONITORING: BE EVERYWHERE AT ONCE

Server Hardware for Virtualization: Exploring the Options

Utilizing Windows Server 2012 without the GUI Key workarounds for avoiding the Modern UI

Evolution of Spear Phishing. White Paper

E-Guide BENEFITS AND DRAWBACKS OF SSD, CACHING, AND PCIE BASED SSD

E-Guide WHAT WINDOWS 10 ADOPTION MEANS FOR IT

Evaluating the Security of Software Defined Networking

10 Cloud Storage Concepts to Master

BUYING SERVER HARDWARE FOR A SCALABLE VIRTUAL INFRASTRUCTURE

BEST PRACTICES TO PROTECTING AWS CLOUD RESOURCES

WHAT NETWORK VIRTUALIZATION TECHNOLOGY CAN DO FOR YOUR NETWORK TODAY

Storage Virtualization Explained

Quick recap on ing Security Recap on where to find things on Belvidere website & a look at the Belvidere Facebook page

Panda Security 2010 Page 1

Disaster Recovery Planning: Weighing your customer s options

Your security on click Jobs

Supercharge Your SIEM: How Domain Intelligence Enhances Situational Awareness

Best Practices for the Hybrid Cloud

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

falanx Cyber Falanx Phishing: Measure your resilience

Requirements for virtualizing Exchange Server 2010

Disaster recovery planning for health care data and HIPAA compliance regulations

ELECTRONIC BANKING & ONLINE AUTHENTICATION

KNOW THE FEATURES OF WINDOWS SERVER 2012 R2

How Breaches Really Happen

Cyber Security Risk Management and Identity Theft

LESSONS LEARNED FROM AN OFFICE 365 MIGRATION

Solid State Storage: Trends, Pricing Concerns, and Predictions for the Future

An introduction to the VDI landscape

TEN ESSENTIAL NETWORK VIRTUALIZATION DEFINITIONS

SDN Technologies Primer: Revolution or Evolution in Architecture?

VMware vsphere Beginner s Guide

KnowBe4 is the world s largest integrated platform for awareness training combined with simulated phishing attacks.

Managed Enterprise Phishing Protection. Comprehensive protection delivered 24/7 by anti-phishing experts

E-Guide DATABASE DESIGN HAS EVERYTHING TO DO WITH PERFORMANCE

Duplication and/or selling of the i-safe copyrighted materials, or any other form of unauthorized use of this material, is against the law.

Train employees to avoid inadvertent cyber security breaches

E-guide Getting your CISSP Certification

Mobile Security and Public Networks

Understanding the Changing Cybersecurity Problem

The Cost of Phishing. Understanding the True Cost Dynamics Behind Phishing Attacks A CYVEILLANCE WHITE PAPER MAY 2015

New Zealand National Cyber Security Centre Incident Summary

Personal Cybersecurity

Legal Aspects of Cybersecurity

But it Was Such a Little Phish February 2016 Webinar

IC B01: Internet Security Threat Report: How to Stay Protected

Understanding the Value behind Enterprise Application-Aware Firewalls

Whitepaper on AuthShield Two Factor Authentication with SAP

Cyber Security. February 13, 2018 (webinar) February 15, 2018 (in-person)

Security Gaps from the Field

The Evolution of Threat Detection and Management

STORAGE NETWORKING TECHNOLOGY STEPS UP TO PERFORMANCE CHALLENGES

How to Build a Culture of Security

Chapter 12. Information Security Management

OA Cyber Security Plan FY 2018 (Abridged)

Webomania Solutions Pvt. Ltd. 2017

June 2 nd, 2016 Security Awareness

Thanks for attending this session on April 6 th, 2016 If you have any question, please contact Jim at

Protect Yourself Against VPN-Based Attacks: Five Do s and Don ts

E-guide CISSP Prep: 4 Steps to Achieve Your Certification

Keep the Door Open for Users and Closed to Hackers

Must Have Items for Your Cybersecurity or IT Budget in 2018

A primer to SQL Server 2012

5 Trends That Will Impact Your IT Planning in Layered Security. Executive Brief

Sage Data Security Services Directory

Cyber Security. Building and assuring defence in depth

SECURITY ON PUBLIC WI-FI New Zealand. A guide to help you stay safe online while using public Wi-Fi

Protecting from Attack in Office 365

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

Security Using Digital Signatures & Encryption

Wayward Wi-Fi. How Rogue Hotspots Can Hijack Your Data and Put Your Mobile Devices at Risk

Cybersecurity for the SMB. CrowdStrike s Murphy on Steps to Improve Defenses on a Smaller Scale

CYBERSECURITY HOW IT IS TRANSFORMING THE IT ASSURANCE FIELD

How to recognize phishing s

INCIDENT RESPONDER'S FIELD GUIDE INCIDENT RESPONDER'S INCIDENT RESPONSE PLAN FIELD GUIDE LESSONS FROM A FORTUNE 100 INCIDENT RESPONSE LEADER

THE BUSINESS CASE FOR OUTSIDE-IN DATA CENTER SECURITY

Cybersecurity Guidance for Small Firms Thursday, November 8 9:00 a.m. 10:00 a.m.

Cyber security tips and self-assessment for business

A GUIDE TO CYBERSECURITY METRICS YOUR VENDORS (AND YOU) SHOULD BE WATCHING

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

FAQ. Usually appear to be sent from official address

Norton Online Reputation Report: Why Millennials should manage their online footprint

This Online Gaming Company Didn t Want to Roll the Dice on Security That s Why it Worked with BlackBerry

Forensic analysis with leading technology: the intelligent connection Fraud Investigation & Dispute Services

Financial scams. What to look for and how to avoid them.

COUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE. Presented by Paul R. Hales, J.D. May 8, 2017

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017

Employee Security Awareness Training

Transcription:

E-Guide BRING SPEAR PHISHING PROTECTION TO THE MASSES SearchSecurity

phishing. I n this expert tip, David Sherry describes how a combination of technical controls and user awareness training can help put a dent in phishers attempts at spear PAGE 2 OF 8

BRING SPEAR PHISHING PROTECTION TO THE MASSES David Sherry Phishing attacks continue to be successful and are a genre of email attacks becoming more focused through spear phishing, which is a directed attack against a certain individual. We ve already seen spear phishing used in highprofile incidents such as the attack on RSA, the security division of EMC Corp. and its SecurID two-factor authentication infrastructure. Specially crafted emails were sent to particular individuals at RSA in the hopes they would open the attached infected files and launch credential-stealing malware into the RSA network. In order to counter this threat and ultimately keep data safe and compliance efforts in line, organizations need a mix of technical controls and awareness training of high-profile targets. The term phishing was started by cybercriminals to indicate the act of tricking someone into revealing their private or sensitive information. These cybercriminals know if you ask a large number of people to provide such information, a small number will respond. PAGE 3 OF 8

A majority of phishing is automated and perpetrated across botnets, and is considered to be an opportunistic attack, not a targeted one. However, the criminals also know that one successful attempt against a person of great wealth, responsibility or notoriety can be of great profit, and targeted spear phishing was born. ANATOMY OF THE SPEAR PHISHING ATTACK While a mass phishing exercise may revolve around something that could be of interest to a large amount of users (such as banking or credit cards), spear phishing creates an attack that is specific to the intended victim. An email and webpage will still be built for the attack, but reconnaissance is necessary as prelude. The hacker will scour the Internet looking for information on a certain individual. Through public documents, chat rooms, social networks, blogs, and company websites, a digital dossier is developed about the target s interests, employment, responsibilities, charities, background, and family life. Therefore it s necessary to craft policies to address social media use and monitoring technology to watch content entering and leaving an organization that could put data at risk. PAGE 4 OF 8

The construction phase comes next in a phishing attack, where the attacker will build an email and website specific to the individual to be attacked. Both the message and the landing page will contain information that is not only relevant to the victim (such as corporate information, economic or financial interests, or news about the person directly), but also is professional and legitimate looking in its presentation. The message will be developed to be so believable that the intended victim will not think twice about responding. Users have to be wary about following links in suspicious email messages and about the information they input into an online form or website. The harvesting begins when the victim clicks on a link or visits the webpage. At this point, even if the victim is phishing aware and savvy enough to not provide personal or private information, malicious code can start in the background to scan and steal data from the victim s computer (or gain access to the corporate network). It then collects that data sends it to a command computer for analysis and use. From there, the attacker can sell the information, steal the identity, steal finances, seek to traverse the organization s network, or attack the victim s contacts. PAGE 5 OF 8

HOW TO PREVENT PHISHING ATTACKS: SPEAR PHISHING PREVENTION To reduce the threat of spear phishing, security awareness and training to the right individuals is key. While a cybercriminal could use this type of attack on anyone, the data shows the targets are usually people of responsibility, notoriety or wealth. With this in mind, security professionals should address this issue with their organizations executives and leaders. Remember to also include executive assistants as well, as they may not only provide communications triage for their responsible executive, but could also be a target themselves. Through the use of training memos, in-person demos and awareness campaigns, ensure the leaders of your organization know the risks of falling for a phishing attack, as well as the signs of an attack in process. Inform them to never click on a link in an email, chat session, blog or other medium. Eliminating this one action severely reduces the success of an spear phishing attack. They should also be instructed to be careful of unsolicited messages, especially ones containing public information about them. Vanity hacking (in which the victim falls prey to their ego) is on the rise, and is thought to be part of many recent high-profile breaches. Because of the time demands and responsibilities of the people you are training, remember to make the messages short, memorable and professional in nature. PAGE 6 OF 8

Silly graphics and mascots are normally not effective in conveying security in the corporate boardroom. Teach them the risks, as well as how to prevent phishing attacks. Finally, while you raise the level of awareness of spear phishing for the end user, do not neglect the technical controls as well. Ensure all antivirus, antimalware, personal firewalls and browser antiphishing controls are in place and up to date. A combination of phishing-aware users and a comprehensive technical strategy reduces the chance of a successful phishing attempt. AS CHIEF information security officer of Brown University, David Sherry is charged with the development and maintenance of Brown s information technology security strategy, IT policies and best practices, security training and awareness programs, as well as ongoing risk assessment and compliance tasks. A CISSP and CISM, Sherry has 20 years of experience in information technology. He previously worked at Citizens Bank where he was vice president for enterprise identity and access management, providing leadership for compliance and security governance. PAGE 7 OF 8

FREE RESOURCES FOR TECHNOLOGY PROFESSIONALS TechTarget publishes targeted technology media that address your need for information and resources for researching products, developing strategy and making cost-effective purchase decisions. Our network of technology-specific Web sites gives you access to industry experts, independent content and analysis and the Web s largest library of vendor-provided white papers, webcasts, podcasts, videos, virtual trade shows, research reports and more drawing on the rich R&D resources of technology providers to address market trends, challenges and solutions. Our live events and virtual seminars give you access to vendor neutral, expert commentary and advice on the issues and challenges you face daily. Our social community IT Knowledge Exchange allows you to share real world information in real time with peers and experts. WHAT MAKES TECHTARGET UNIQUE? TechTarget is squarely focused on the enterprise IT space. Our team of editors and network of industry experts provide the richest, most relevant content to IT professionals and management. We leverage the immediacy of the Web, the networking and face-to-face opportunities of events and virtual events, and the ability to interact with peers all to create compelling and actionable information for enterprise IT professionals across all industries and markets. PAGE 8 OF 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback