It could happen to anyone…

The headline is eye catching: a data breach at a highly respected security training organization when an employee falls for a phishing email.

It is easy to be snide about this story… the irony is strong here. But I think that there is also an important lesson for us all here as well: Phishing attacks have come a long way since the days when Nigerian princes wishing to dispose of their cash were state of the art scammery. Today, phishers have upped their game, both making their lures and landing pages almost indistinguishable from the real thing and using an understanding of human psychology in general and their targets in particular. Social media and corporate web sites provide the attacker with the information needed to convince their victims of the authenticity of their messages.

This puts security types in a bind. We need to train our colleagues to try and recognize suspicious messages, but the old “hover your cursor over the link” or “look for spelling errors” advice is now showing its age.

So what do we need to do?

First, we need to get our colleagues to view emails holistically, starting with the business context of the message. Were they expecting a message with an attachment from the sender? Does a request for cloud authentication in order to access a link seem unusual? Does the message appeal to emotions such as fear or greed in order to prompt action? These are the questions we need people to ask themselves – and if they are not sure about the answers, we as security professionals have to provide them with fast and accurate analysis of messages they submit for checking.

Second, we have to make sure that our organizations are resilient and can deal with the inevitable situation when someone makes the wrong choice. Having filtering solutions which are updated with known bad URLs is table stakes these days, as is an endpoint security solution which detects and blocks bad behavior and provides responders with the tools needed to analyze and contain threats. Is your remote access protected with multi-factor authentication? When was the last time you checked to make sure that your critical systems are being backed up – and when was the last time you performed a restoration from backup media just to be sure?

Third, we need to attack this problem from a business process point of view. Business email compromise (BEC) scams are an absolute gold mine for the baddies. BEC is an attack on process, not technology. Having multi person verification of payment requests (and changes to payment destinations) from any source (but especially email) before a wire transfer is authorized will stop many BEC attacks in their tracks.
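The multi-person verification the paragraph above describes is a separation-of-duties control, and it is straightforward to encode as a hard gate rather than a policy people are asked to remember. The following is an added example, not code from the original post: a small Python module that refuses to authorize a wire unless (a) the destination matches the vendor account on file or has been confirmed by a callback to a known-good number, (b) email-sourced requests have been confirmed out of band, and (c) at least two distinct approvers other than the requester have signed off. The vendor master data, the names and the `VENDOR_ACCOUNTS` / `PaymentRequest` / `authorize_wire` identifiers are all constructed for the illustration.

```python
"""Dual-control gate for outbound payment requests (added example, not from the post).

The point of the check is that a single mailbox compromise, or a single
persuaded employee, is not enough to move money: the destination must match
out-of-band verified records and two other people must approve.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed vendor master data. In practice the destination account is
# captured at onboarding and changes are confirmed by phoning a number that
# was on file *before* the change request arrived, never a number in the email.
VENDOR_ACCOUNTS: Dict[str, str] = {
    "Acme Supplies": "GB00-EXAMPLE-0001",
    "Northwind Consulting": "GB00-EXAMPLE-0002",
}


@dataclass
class PaymentRequest:
    requester: str                    # person who entered the request
    vendor: str
    destination: str                  # account the requester wants to pay
    amount: float
    source: str                       # "email", "portal", "phone", ...
    callback_verified: bool = False   # destination confirmed via known-good phone number
    approvals: Set[str] = field(default_factory=set)


def approve(req: PaymentRequest, approver: str) -> None:
    """Record an approval. The requester may never approve their own request."""
    if approver == req.requester:
        raise ValueError("requester cannot approve their own payment request")
    req.approvals.add(approver)  # a set, so the same person counts once


def authorize_wire(req: PaymentRequest, required_approvals: int = 2) -> Tuple[bool, List[str]]:
    """Return (authorized, reasons). Authorized only when the reasons list is empty."""
    reasons: List[str] = []

    on_file = VENDOR_ACCOUNTS.get(req.vendor)
    if on_file is None:
        reasons.append("unknown vendor: onboard and verify the vendor before paying")
    elif req.destination != on_file and not req.callback_verified:
        # The classic BEC move: "we have changed our bank details".
        reasons.append("destination differs from the account on file and has not been "
                       "confirmed by callback")

    if req.source == "email" and not req.callback_verified:
        reasons.append("request arrived by email: confirm it with the requester or vendor "
                       "out of band before paying")

    distinct = req.approvals - {req.requester}
    if len(distinct) < required_approvals:
        reasons.append(f"needs {required_approvals} distinct approvers other than the "
                       f"requester, has {len(distinct)}")

    return (not reasons, reasons)


if __name__ == "__main__":
    # A legitimate request entered through the finance portal.
    good = PaymentRequest("alice", "Acme Supplies", "GB00-EXAMPLE-0001", 1200.0, "portal")
    approve(good, "bob")
    approve(good, "carol")
    print(authorize_wire(good))      # (True, [])

    # A "new bank details" request that arrived by email, with no callback.
    suspect = PaymentRequest("alice", "Acme Supplies", "GB00-EXAMPLE-0099", 1200.0, "email")
    approve(suspect, "bob")
    approve(suspect, "carol")
    print(authorize_wire(suspect))   # (False, [two reasons])
```

The decision is deliberately binary with an explicit list of reasons, so that a held request can be routed to whoever performs the callback rather than silently bounced; the `callback_verified` flag should only ever be set by that person, not by the requester.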

Fourth, we need to acknowledge that no matter how much tech and training we throw at this problem, no matter how sophisticated our colleagues are, they could fall victim to a phishing attack. The attackers ply their trade all day, every day and their targets (us) are trying to deal with overflowing inboxes and do their jobs – blame is not helpful when their defenses fail. We need to make people feel comfortable reporting when they think they may have made a bad choice so that we can respond quickly.

This is a hard problem – in order for business and society to work, we need to have a baseline level of trust between people and organizations. But that trust is under attack by weak technologies and more importantly savvy attackers. We need to train our colleagues to have a healthy level of skepticism without paralyzing our businesses. The baddies have the advantage – plenty of targets, and very low costs. We need to make our organizations harder targets so that (unfortunately) the attackers will choose to move on somewhere else.
