[BreachExchange] I admit it, I'm a cyber security professional and I fell for a phishing email

Destry Winant destry at riskbasedsecurity.com
Sat Jun 10 01:45:38 EDT 2017


https://www.crn.com.au/feature/i-admit-it-im-a-cyber-security-professional-and-i-fell-for-a-phishing-email-464535

By lunchtime I had received flashing notifications of two emails that
arrived in my Inbox that were important enough to warrant me to stop
what I was doing, click on my Outlook and read them.

The first email, purportedly from the Australian Securities and
Investments Commission (ASIC), reminded me to renew my business name.
It looked legitimate. As legitimate as any ASIC email I have ever
seen. The email and page links contained within the email all pointed
to verified ASIC addresses.

The second email, purportedly from Origin Energy, advised me of my
quarterly electricity bill. Again, it seemed perfectly legitimate and
all links in the email pointed to valid Origin Energy pages.

Both emails lacked any attachments that could have aroused suspicions.
On both emails there was a call to action - a "Renew your Business
Name" link was in the ASIC email, and a "View Your Bill" link was in
the Origin email.

When is an email legit?

Here were two very authentic looking emails. But as an infosec
professional, I know better, right? Back in the day, checking
hyperlinks stringently to determine the integrity of an email wouldn't
have entered most people's minds. Today, this is no longer the case.
It's all part of being "web smart".

I instantly knew the "Origin Energy" email was fraudulent. Why?
Because Origin are not my electricity or gas supplier and I know
enough about the energy retail sector to know that they are not
affiliated in any way with my actual energy supplier. So I cast the
miscreant email off to the Deleted folder without a second glance.

Tony 1 - Hacker 0.

The "ASIC" email on the other hand… well. Like many people looking to
make ends meet, I operate a part-time business and I am aware that my
business name renewal is coming up.

Again, the email seems, feels and looks legit. So, I clicked on the
"renew your business name" link. A download commenced and, shortly
thereafter, upon completion it was picked up by my endpoint
anti-malware software as a malicious file.

I had scored an own goal before recovering a goal in the last second
of the game.

Tony 2 - Hacker 1. Coach furious.

Even professionals stuff up sometimes

Years ago, I read the story of Eastern Air Lines Flight 401. A flight
crew with over 50,000 hours combined flying time had managed to crash
their plane into the Everglades in Florida because a blown indicator
light had diverted the entire crew's attention away from the fact that
the autopilot had disengaged.

That story came to my mind while I was pondering my actions only a few
seconds earlier.

I was fortunate because I had a number of mechanisms to protect me.
Our organisation deploys a full suite of layered security and I can
attest to the quality and reliability of the systems we have in place.

Our corporate network runs a plethora of security platforms and
scanning utilities to prevent any lateral movement of malware if by
some chance it managed to infect my laptop. In addition, my corporate
workspace and personal workspaces on the BYOD laptop are segregated.
At no point was the corporate network ever in jeopardy.

My corporate email account rarely sees fraudulent email come through
the door due to these excellent defences. However, my part-time
business email account isn't filtered by the corporate spam and
ransomware filters.

And that's where these two emails came in from. The outer technical
defences of the corporate network (the spam filter and firewall) were
completely bypassed due to my private email address being the source
of the malicious emails.

To add to this, my usually spot-on decision-making capabilities were
duped, partially due to a very convincing email and partially due to
the heightened state of urgency I felt I had to renew my business
name.

Fortunately for both my organisation and myself, the last line of
defence, the endpoint security solution, was up to date, current and
industry-leading. Failing this, I also have an up to date backup of my
data in numerous locations that I could restore from if absolutely
necessary.

Some people will argue "well, this is what happens when you bring a
BYOD device". Fair point. However, 74 percent of organisations had
either adopted or were planning to adopt BYOD back in 2015 and I would
tentatively say this number is now north of 90 percent. Hardly a
compelling argument.

The experiences of the day were a simple case study in why layered
security plus a backup policy is the most effective protection against
hackers.

The victim blame game

I am certain that some of my contemporaries in the infosec space will
read this and think to themselves "you idiot!"

This misplaced arrogance demonstrates the biggest problem in today's
cyber security world.

There are very few areas of society where we treat the victim of a
crime with the same level of contempt that cyber security
professionals treat victims of cyber crime.

Many of those in the infosec industry think that everyone should know
how to identify fraudulent emails, malicious links and dodgy websites
and if they fall victim to a phishing scam, they are stupid.

To challenge this, recently, there was an article about hackers using
letters in the Cyrillic alphabet to create websites for phishing
purposes.

Even the most eagle-eyed infosec professional would have trouble
distinguishing between https://www.аррӏе.com and https://www.apple.com
and yet they take you to two completely different websites.
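The lookalike pair above is what a mail gateway or URL filter has to catch on the defender's side. The following script is an added example, not code from the article or from CRN: it converts each hostname label to the form DNS actually resolves (the `xn--` A-label), flags labels that mix scripts or are spelled entirely from Cyrillic letters that imitate Latin ones, and maps such a label back to the Latin name it impersonates so it can be compared with a protected-brand list. The lookalike table is a hand-picked subset of Unicode's confusables data and the script-detection heuristic (first word of the character's Unicode name) are both assumptions made for this demonstration; the sample hostnames are constructed, with the first spelled from the same Cyrillic letters as the article's example.

```python
import unicodedata

# Constructed subset of Unicode confusables: Cyrillic lowercase letters whose
# glyphs are indistinguishable from Latin letters in common fonts, mapped to
# the Latin letter they imitate. A production filter would load the full
# confusables.txt from Unicode instead of this hand-picked table.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u04bb": "h",  # CYRILLIC SMALL LETTER SHHA
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u0501": "d",  # CYRILLIC SMALL LETTER KOMI DE
    "\u051b": "q",  # CYRILLIC SMALL LETTER QA
    "\u051d": "w",  # CYRILLIC SMALL LETTER WE
}


def letter_scripts(label):
    """Heuristic script detection: the first word of a letter's Unicode name
    (LATIN, CYRILLIC, GREEK, ...) is taken as its script. Digits and hyphens
    are ignored because they are shared by every script."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def to_ascii_label(label):
    """Wire form of one label: plain ASCII stays as-is; anything else becomes
    its A-label (xn-- plus punycode), which is what DNS and certificates see."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def to_unicode_label(label):
    """Inverse of to_ascii_label, so hostnames logged in xn-- form can be
    inspected on the same footing as ones pasted from a mail client."""
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def latin_lookalike(label):
    """Replace each Cyrillic lookalike with the Latin letter it imitates, giving
    the string a user would believe they are reading."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in label)


def inspect_hostname(host):
    """Analyse a hostname label by label and return the findings a gateway
    could act on (block, rewrite the link, or warn the user)."""
    labels = [to_unicode_label(l) for l in host.lower().rstrip(".").split(".")]
    findings = []
    for label in labels:
        scripts = letter_scripts(label)
        letters = [ch for ch in label if ch.isalpha()]
        if len(scripts) > 1:
            findings.append(f"label '{label}' mixes scripts {sorted(scripts)}")
        elif scripts == {"CYRILLIC"} and letters and all(ch in CYRILLIC_LOOKALIKES for ch in letters):
            findings.append(f"label '{label}' is whole-script confusable; renders like '{latin_lookalike(label)}'")
    return {
        "host": ".".join(labels),
        "ascii_form": ".".join(to_ascii_label(l) for l in labels),
        "is_idn": any(not l.isascii() for l in labels),
        "scripts": set().union(*(letter_scripts(l) for l in labels)),
        "suspicious": bool(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed samples: the article's lookalike spelled with Cyrillic letters
    # (a, er, er, palochka, ie), the genuine Latin name, and a mixed-script label.
    for h in ["www.\u0430\u0440\u0440\u04cf\u0435.com", "www.apple.com", "pay\u0440al.example"]:
        r = inspect_hostname(h)
        print(r["host"], "->", r["ascii_form"], "| suspicious:", r["suspicious"])
        for f in r["findings"]:
            print("   ", f)
```

The check works per label rather than on the whole hostname: a Cyrillic label under a Latin top-level domain is normal for Russian or Ukrainian sites and is only reported when every letter in it has a Latin twin, while a single label that mixes Latin and Cyrillic letters is reported outright. Comparing `latin_lookalike()` output against a list of the organisation's own brands is the natural next step for a gateway rule.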

I argue that blaming the victim is very short-sighted and in fact
downright egotistical.

Education is key

Today's world means that from birth, children are surrounded by
devices that form part of the age of information. My soon-to-be three
year old daughter knows how to use an iPad and iPhone, can switch
between her favourite apps and has recently decided to enjoy Daddy's
Spotify music, flicking through songs she likes and adjusting the
volume as she sees fit.

In a few short years' time, my children will go to school. It is
likely that a tablet will be part of their school backpack and an
essential part of their learning. And yet, even right now, there is
little to no emphasis on including information security awareness as a
compulsory subject in the school curriculum that, in my view, should
commence in kindergarten and continue to Year 12.

Social media is everywhere and children, especially, want to feel part
of social groups with their friends and be part of society. Yet again,
there is little formalised education around social media awareness
offered at a school level to children who are learning to become
adults.

Little by way of teaching children what is appropriate to volunteer
publicly. Little by way of what should be communicated electronically
and what is in their interests not to.

My mother started using an iPad several years ago purely to keep in
contact with family and friends overseas through social media. For
many adults, the age of information came to them later in their lives
and most are simply not aware of the risks associated with living
online.

I have no doubt that not only should information security be taught
in schools as a compulsory subject, as home economics is, but it is
also in the national interest to provide free education to all adults
on information security principles.

I'll leave it to the policy makers to determine what Home Economics
for the Digital Era should look like - whether it's through changes to
state and federal education curricula, through subsidies to employers,
or by offering free training for adults. A holistic approach to being
educated in the digital age should be as essential as mathematics,
English and science are.
