Govciooutlook

Users, Don't Take the Bait!

By Martin P. Rose, CIO, Pinellas County Government

Martin P. Rose, CIO, Pinellas County Government

Information Technology Security is a sum of many parts. Border security involves layers of security systems across multiple networks. Virus protection involves updated virus datasets and tools. Physical security involves facility access and locking down wall jacks. Wireless system security involves credentialing and transmission encryption. Data security involves hardened systems and at-rest encryption. But the hardest security threat to adequately cover is the user who inadvertently lets a hacker into their system by accident.

"Phishing is now the number one method for hackers to gain access to a computer or network"

This user attack concept is very similar to a fun and relaxing sport, fishing. Everyone loves to fish. It is exciting the first time you set your bait and then cast the line into the water to catch your first fish. Unfortunately, within the technology world we live in today, we are the fish when it comes to the easiest way hackers can penetrate your systems defense.

Phishing

Coincidently, this user based attack is a homophone called “Phishing”. Phishing is now the number one method for hackers to gain access to a computer or network. Phishing is the same concept as real fishing. A hacker will send “bait” in the form of an email with a request for sensitive information or an attachment to open or a link to click on. Once the user takes the bait, the hacker exploits the user’s action by gaining access to your computer.

One of the first phishing attacks were performed by phone. Hackers calling individuals saying they are from an institution or organization. They ask for your credentials to accomplish some audit or to verify a fake assumption. Sometimes the caller also incorporates basic data about the user that someone could pull off of a search engine. The information they collect are bank accounts, usernames, passwords, pins, Social Security numbers, etc.

Impact of Phishing on Day to Day Activities

With the adoption of email as the main technology medium for communication, Phishing has become more widespread. The email version of the phone phishing attack can reach thousands of people at one time. The simplest email phishing attack asks the user to change their username, password or pin. This is usually part of an email from a fake internal department, banking intuition or other like-entities. The request for a username and password is usually displayed within a graphically enhanced and branded email but with some slight variation. Once personal information is supplied, the hacker now possesses your credentials and can access personal data and networks. With an email attachment, a piece of software code known as the “payload” is imbedded into the attachment. Once the user opens the attachment, the payload is deployed giving the hacker access to your computer. Similarly, with an embedded email link, once the user clicks on a link, the link will send the user to the fake website where a payload is sent back to the computer and deployed giving the hacker access to your computer.

Another variant of phishing is called “Spear-phishing”. Spear-phishing is again a single targeted attack. Spear-phishing takes more effort on the hacker’s part to identify a person of interest, usually a high ranking member of the organization. With Spear-phishing, a person of interests’ personal or professional information is gathered through common websites. The information about the user can be provided through a search engine, corporate website or even social media. The attack could use personal or private information. Some of these spear-phishing attacks are very believable to the user as information that is not easy to gather is used to gain the users trust.

Once a hacker has control of your computer, they can plant other payloads that can log your keyboard strokes collecting usernames and passwords, search your private data for sensitive information, turn on cameras or microphones, propagate to other users throughout the network or attack other systems outside the network.

Prevent Phishing Attacks

So what can you do to help the organizations defend against these attacks? Trained users are foremost the most critical defense mechanism. The user is in complete control of responding to emails, opening attachments or clicking on links. All phishing attack emails have a flaw and it is up to the user to recognize that flaw. The flaw could be in the senders email address or in the link address or the attachment properties. Something is just not quite right. Phishing training shows the user what to look for and what to do with the suspect email. First time training is a starting point but repetitive training reinforces the initial training. Training can be coordinated through internal staff or with the use of third party remote tool.

Testing is also a necessity with the phishing training. Sending out test phishing emails to users with fake payloads can provide your security team with metrics on who took the bait. The users who activated the fake payload would be retrained until they can recognize a phishing email. This is a self-impose challenge to users. It’s human nature to want to do better next time. The testing can be accomplished through your internal security team but that can be a lot of work especially if you have a small staff. There are also companies who can remotely design and launch test phishing emails to your users.

Even with great training and testing, the odds are a few users will open an attachment or click on a link in their email without looking at the email carefully. With that inevitability in mind, looking at security as the sum of many parts is the only answer. Keeping your virus protection up to date is critical. Limiting admin rights to each computer also helps. Segmentation across your network can limit the damage to a single part of your network. These are just a few of those needed parts. Lastly, quick detection and response can help you limit the damage. Awareness is the key. So users don’t take the bait!

Read Also

Seven Security Priorities for 2017

Seven Security Priorities for 2017

Jeff Harris, VP, Security Solutions, Ixia
Climate Action Plan for Sustainable Development

Climate Action Plan for Sustainable Development

Cody Hooven, Chief Sustainability Officer, City of San Diego
How the New CIO Adds Value to Smart City Projects

How the New CIO Adds Value to Smart City Projects

Fred Ellermeier, VP & Managing Director, Black & Veatch

New Editions