Dec 23, 2014 By Jean-Paul Bergeaux In Blog

Lessons from recent news in cyber security (Part 2)

Last week I established the need to really get Email phishing under wraps.  This needs to be attacked both from a technology perspective and from a user perspective.  The first step is getting your senior management–beyond the security team and even beyond the CISO–on board with more intensive user education and training.  If senior management resists, then you have to document that a problem exists.

My first recommendation is to ensure that your Email Security software is one that is integrated and updated to the most recent features and technology available.  A siloed product that hasn’t had a major refresh in several years isn’t going to cut it.  Three particular features to look for are continuous monitoring of activity, malware testing and infrastructure integration.

The first relates to older Email Security products that check links only when the server first receives the Email.  They do not have the ability to test again when the user clicks on the link.  A common hacker workaround is to send the Email with a link to a host that is benign when sent, but that dynamically changes later to a malware-infested link.
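To make the time-of-receipt versus time-of-click gap concrete, here is an added Python simulation (not code from the original post or from any product it mentions). It models a gateway that scores a link once on arrival, beside a gateway that rewrites every link so the click is re-checked against the current reputation feed. The hostnames, the reputation table and the `safelinks.gateway.example` wrapper URL are all constructed for the example.

```python
"""Receipt-time vs click-time URL checking at an email gateway (constructed simulation)."""
from dataclasses import dataclass
from urllib.parse import parse_qs, quote, urlsplit

# Constructed reputation feed keyed by hostname. In a real deployment this is the
# vendor's threat database, which changes continuously after a message is delivered.
REPUTATION = {}

INITIAL_FEED = {"newsletter.example.net": "clean", "cdn.example.org": "clean"}


@dataclass
class Link:
    url: str
    receipt_verdict: str  # frozen at delivery time by the older style of product


def lookup(host):
    """Current reputation for a host; hosts the feed has never seen are 'unknown'."""
    return REPUTATION.get(host, "unknown")


def scan_at_receipt(urls):
    """Older gateway: one lookup when the message arrives, verdict never revisited."""
    return [Link(u, lookup(urlsplit(u).hostname)) for u in urls]


def rewrite_for_click_time(url, gateway="https://safelinks.gateway.example"):
    """Click-time gateway: replace the link in the delivered mail with a wrapper
    that routes the click back through the gateway. safe='' encodes '&' and '=' so
    the original query string survives inside the wrapper's query string."""
    return f"{gateway}/check?u={quote(url, safe='')}"


def resolve_click(wrapped):
    """Gateway endpoint hit on click: unwrap, re-check reputation *now*, decide.
    Returns (decision, original_url, verdict). Each call is also the natural place
    to emit a 'user clicked X' event for the SIEM."""
    original = parse_qs(urlsplit(wrapped).query)["u"][0]  # parse_qs un-percent-encodes
    verdict = lookup(urlsplit(original).hostname)
    decision = "block" if verdict == "malicious" else "allow"
    return decision, original, verdict


def simulate():
    """Deliver two links while both hosts are clean, then flip one host to malicious
    (the attacker 'arming' the page after delivery) and compare what each gateway
    style tells the user at click time."""
    REPUTATION.clear()
    REPUTATION.update(INITIAL_FEED)
    urls = ["https://newsletter.example.net/offer?id=42", "https://cdn.example.org/doc.pdf"]

    delivered = scan_at_receipt(urls)                       # old style
    wrapped = [rewrite_for_click_time(u) for u in urls]     # click-time style

    # Later: the feed learns the newsletter host now serves malware.
    REPUTATION["newsletter.example.net"] = "malicious"

    return {
        "receipt": [link.receipt_verdict for link in delivered],   # still 'clean', 'clean'
        "click": [resolve_click(w)[0] for w in wrapped],          # 'block', 'allow'
    }


if __name__ == "__main__":
    print(simulate())
```

The receipt-time gateway reports both links as clean forever, because its verdict was taken before the host turned hostile; the click-time wrapper blocks the first link because the decision is made at the moment the user acts. The same wrapper endpoint is what gives you a per-user click log to hand to a SIEM.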

The second feature refers to products that only check against known threat databases (maybe more than one) and have no native way to test malware internally or externally in a sandbox.  External is highly preferable, and leads to the final important must-have.  You need a product that is well integrated with your SIEM, NGFW, malware testing products and Situational Awareness dashboard.  (You can add your IPS and DLP if you have one you’re happy with.)  It must be able to pass information back and forth in both directions.

If you can’t afford to purchase a new one, we, at SwishData, can help you set up a proof of concept (POC) to gather data to bring to your management.  Once you have data in hand, you can start to identify how much your organization is being assaulted, and it doesn’t matter whether the attempts are successful or unsuccessful.  I’m pretty sure that your organization is getting so many phishing attempts that your management should be alarmed.  If the data was collected in a POC, the first step is to purchase the new Email Security product.  Second, the organization needs to establish a training regimen and a user testing regimen.

Remember when I said that one of my recommendations could possibly cause your users to get up in arms?  Here it is.  You need a user testing regimen, where either an automated tool or a manually managed tool sends example phishing Emails to your users to find out if any of them will be duped into clicking on it, opening an attachment, or responding.  This sounds devious, but it’s really not.  Once you find users that fall for the tricks, you can do additional training with them and prevent a REAL hacker from getting through.

You will need senior management to be behind this effort and ready to back you up.  But in the end, everyone should want this entire system put in place to protect us all.  Users aren’t supposed to put personal data on their computers, but we know everyone does, so this only helps protect the agency and themselves.

For a sample of what these “test e-mails” would look like, check out this phishing quiz from McAfee / Intel Security.  You will be surprised how clever these phishing e-mails can be.