Phishing- Are you ready to be caught out?

By Anthony Mortimer, Account Manager, Netutils

AnthonyMortimerViews expressed in this post are original thoughts posted by Anthony Mortimer. These views are his own and in no way do they represent the views of the company.

In the age of commercialised hacking, organisations are experiencing greater frequency and sophistication of attacks than ever before, this is driven simply by the commercial value corporate data represents to criminals. According to Trend Micro 90% of all known successful data breaches in 2012/2013 were attributed to Phishing attacks.

At Netutils we see and talk to a broad range of organisations all with very different views to the risk these threats pose. For many smaller organisations the presence of a firewall and basic security is seen as sufficient; but here’s why these smaller businesses should be concerned.

For a start criminals are now regularly targeting suppliers or customers of big organisations as the staging point to attack the bigger network. More importantly we are seeing a trend for large businesses to dictate security policy to their suppliers for them to continue to trade with them or to win new contracts.

A significant growth area is in the use of targeted Phishing emails and more focussed spear phishing attacks tailored to specific individuals based on pharmed data. These types of attacks are becoming more difficult to mitigate against putting significant stresses on IT department’s budgets.

We have witnessed organisations handling these threats with 2 broad methodologies:

  • Deployment of technology to counteract attacks
  • End user training

It is generally accepted that by far the greatest risk to the security of your corporate data are your employees themselves who may unwittingly fall victim to phishing attacks. According to industry figures 60% of UK office workers receive a Phishing email at least once a day. In addition the greatest issue with regards to end user training is that for most organisations it is difficult to deliver such a course in a way that will make a real difference. Businesses will often run a single awareness session and hope that will mitigate the risk. Unfortunately Phishing attacks are dynamic, although they follow a similar pattern the content and mechanisms change, unless staff are made aware of these on a regular basis the training deployed may only have value for a few weeks after delivery until a new form of attack is devised.

The second method of combating these threats is via the deployment of technology, this poses real issues to businesses and it can be argued many traditional signature based solutions offer little real protection. This is essentially because they rely on a known database of attack signatures to spot and block an attack. However with the rise in commercial hacking activities self-service malware portals can provide the enterprising hacker with a unique piece of malware for as little as $100 that can sit undetected on corporate machines, up until it is discovered and the signature published.

At Netutils we believe that effective mitigation requires a layered approach to handling these issues. At the heart of our solution set are 2 key elements: ongoing security training via our interactive training platform (PhishAware) and cutting edge signature less technology.

If you have any concerns about the impact of Phishing in your business then do please contact a solutions expert from our team on:

t: 020 8783 3800
e: info@netutils.com

PhishAwareTrial

 

 

Think Before You Link: 3 Tips to help educate your employees on the dangers of Phishing attacks

Take your pick – GameOver Zeus, CryptoLocker, Dyreza or Dyre – they are all out there and the weakest link to your organisation is your employees. Take a look at our short video blog for some hints and tips to keep your network protected through employee awareness and education.

Phishing attacks are evolving – what you need to know to stay one step ahead

Guest blog by Greg Atkins, InfoGuardian

Views expressed in this post are original thoughts posted by Greg Atkins. These views are his own and in no way do they represent the views of the company.

Over the past 3 to 4 years, there has been a shift in focus by cybercriminals away from reasonably basic, generic phishing attacks designed to get individuals to part with a relatively small amount of money to today’s more targeted attacks aimed at specific individuals or groups of individuals within specific organisations, designed to earn the cybercriminal much more money.

In its report “The evolution of phishing attacks 2011-2013“, Kasperksy identified an 87% increase between 2012 and 2013 in the number of attacks, with over 37 million individuals targeted.

These types of attack, which some call spear-phishing and others call targeted attacks, have seen a number of high profile victims, including Microsoft, Google and RSA. However, please do not be misled; this could happen to any organisation as the following story demonstrates.

At the end of last year members of the finance department of a small manufacturing company, with fewer than 200 staff, in the North West of England, received what they believed to be a legitimate email from a respectable authority. But as the content of the email seemed to be more relevant to another department, the email was forwarded to HR and 2 members of that team, who, unaware of the hidden threat, opened the attachment. Clicking on the attachment resulted in both members of staff installing the Cryptolocker Ransomware. This proceeded to encrypt files on their machines using different 256-bit RSA keys, then on network drives and finally on other machines connected to those network drives. Compared to the remediation costs and loss in productivity for the company, the ransom figure demanded for supplying the keys to decrypt the data was relatively small. As you can see, this is not a high profile company in a lucrative financial sector. It is one of many thousands of UK companies carrying out its normal business, as your organisation is probably doing.

Whilst more expensive for the cybercriminal to set up, spear and targeted phishing attacks are far more lucrative in terms of results. The objective of the attack is to dupe the targeted individual or group into clicking on an attachment or a link to a fake website containing malicious code, where clicking on a link or button will result in the individual unknowingly installing malware on his device. As in the case above, this could be blatant ransomware or it could be a more sinister Trojan, used to make a point of contact within the targeted organisation from which the attacker can gather more information which will help him to his objective.

It is commonly accepted that overall spear-phishing attacks have a high success rate of 20%, compared to less than 5% for general phishing attacks. Various sources report that as many as 70% of targeted individuals are likely to open such an email. Trend Micro has reported that 91% of all successful data breach attacks in 2012 started with a spear phishing email, and in 2013 Allen Paller, director of research at the SANS Institute reported this figure to be 95%.

Why are Targeted Phishing Attacks so effective?

Any specific email used to launch an attack is likely to come from a known or trusted source, using authentic logos etc. The attack is made simpler for the attacker by the various social media sites and information about individuals readily available on the Internet. In a recent high profile case, the target was identified on LinkedIn. All the information required is nicely packaged for the cybercriminal.

What can be done to stop these attacks?

One of the problems with these types of attack is that they are quite individual, meaning that email security systems have a difficult job identifying them.

Dealing with it technically is certainly a challenge. It is commonly accepted that users are the greatest threat to any organisation’s security. No matter how big the security budget or level of security compliance, it may take only one user to make a mistake, which could cause huge financial damage.

While user education must certainly be part of the solution, opinion seems to be divided on the effectiveness of IT security awareness training for non-IT users. Essentially we have been trying to educate users about security for the past 20 years, but how much really sticks and at what real cost to the organisation? In the past most awareness programmes were to tick the box to meet compliance requirements. As a result, these bare-minimum awareness programs are a PowerPoint presentation once a year or security newsletter once a quarter. To effectively reduce security risks of targeted email attacks, you will need to start changing user behaviour.

William Pelgrin, director of New York’s Office of Cyber Security, organised a fake spear-phishing exercise in which 10,000 state employees were prompted to link to a password checker. 15% of the targeted employees clicked on the link, denoting failure. One month later a second email was sent where staff were asked to enter personal information. Click results showed a 40% reduction of people clicking on the links in a single month over only 2 emails. The effectiveness of this type of “live situation” training is enormous. Pelgrin was able to use common user behaviour to educate and bring about positive behavioural change to reduce the risk of targeted attacks.

To speak to a Netutils security expert about how to protect your organisation against attack please get in touch. sales@netutils.com 020 8783 3800