[BreachExchange] 6 ways to equip your phishing tackle box

Destry Winant destry at riskbasedsecurity.com
Thu Feb 28 09:10:19 EST 2019


https://www.csoonline.com/article/3342201/6-ways-to-equip-your-phishing-tackle-box.html

Cyber attackers would likely unanimously agree that using “social
engineering” to exploit human vulnerabilities where software and
hardware cannot limit all threats is one of the top tools of the
trade.

These methods of human deception have become uncomfortably widespread.
Phishing attacks can range from basic individual financial theft (such
as stealing credit card numbers) to sophisticated campaigns against
organizations, companies, or people of interest.  This article will
help to raise awareness of the threat landscape and introduce six
common problems that can prevent you from minimizing risk for your
company, along with solutions to each.

Most companies buy tools that promise to filter out a majority of
nefarious email traffic and adopt “ethical phishing” programs that
teach employees not to click on links or attachments.  Despite these
two common investments, companies still experience significant
successful attacks. Tools and phishing programs can also create false
confidence that prevents leaders from adapting to change or thinking
about the bigger picture.

Efforts to prevent phishing or train employees can also backfire or
yield the wrong behaviors. For example, we have seen cases of
individuals (occasionally leaders directing staff) nominating one
person to click the link to confirm it was “a test” from the company
so they can warn others.  In another real example, a senior engineer
forwarded the suspected email to his personal email account and opened
it (also on his company laptop) to see if it was a company test. In
yet another example, a corporate email filter blocked an official
notice to a violent crime victim about the early release of his
attacker from prison.

From a technology standpoint, companies can find themselves somewhere
between inadequate protective and detective security tooling and
having so many tools that they are conflicting, partially implemented,
understaffed, or forgotten about.

Whether you work at a school, church, doctor’s office, SMB, or a
Fortune 500 company, your organization should be taking a
comprehensive risk-based approach to combat phishing versus playing a
random game of whack-a-mole with technology or flavor-of-the-month
training.

There are 6 common problems that get in the way of progress:

The target is moving (and growing)
Ethical phishing programs suffer from diminishing returns
Excessive focus on reactive measures
The traditional username/password model is fundamentally broken
Personal and corporate communications are intertwined
Companies lack key process controls that can prevent serious harm

Let’s unpack these challenges one at a time:

1. The target is moving (and growing)

While email phishing is currently involved in over 80% of reported
breaches, attackers are noticeably changing tactics to include social
media messaging (Facebook, LinkedIn, etc.) and SMS/text, where most
companies lack the investment in protection that they have made in
their corporate email systems. Kaspersky reports that 20 percent of
all phishing attacks are launched on social media.

Key Take-away: Companies should look at all vectors of phishing and
social engineering that are occurring and place a representative
investment across each. Educate yourself and your workforce on the
types of attacks and understand what your current controls protect
against. (See “Deep Sea Phishing: A Taxonomy for Email Threats” for a
deeper dive into the email threat landscape.)

2. Ethical phishing programs suffer from diminishing returns

Awareness and behavior change are fundamentally important to cyber
security.  However, many organizations are fatigued by their ethical
phishing programs (simulating a phishing attack and responding with
remedial training if an employee does not pass). In some
organizations, these programs provide 95% of the security education
being provided to the workforce.

Myopic focus on not clicking links or opening attachments diminishes
the employee’s broader ability to protect themselves and the company.
Moreover, as organizations start using phishing metrics in discipline
or compensation decisions, employees disengage, feeling it better not
to interact with a real email than risk “failing” the phishing test.
Fear and shame create an annoyed and deflated organization (often
angry at the security team in particular) instead of an empowered
culture.

Key Take-away: There is a balance to strike when deploying ethical
phishing programs and they must be a well-articulated component of a
broader vision.

3. Excessive focus on reactive measures

Organizations react to increasing phishing attacks by upgrading the
email server, adding the latest spam/malware filtering, or countless
other measures that shore up technical defenses. Many companies focus
exclusively on these reactive measures instead of taking a proactive,
risk-based approach to define and build the right controls for the
threats and business risks that exist.

With a solid understanding of business risk, multiple options emerge
that could significantly reduce risk with a combination of people,
process, and technology solutions.  Companies typically spend more on
security tools and services after a breach or major security event
than they would have spent proactively, when reactiveness is not a
driver.

Key Take-away: Use a threat and risk-based framework to understand
your current controls and what is needed to manage risks to an
acceptable level and be fit-for-purpose for your business.

4. The traditional username/password model is fundamentally broken

The human and organizational approach to passwords must change.  One
of the most damaging outcomes of phishing attacks is the exposure of
passwords and other credentials (often used to pivot to more important
accounts and systems beyond email). Preferably, companies should move
to multi-factor authentication (such as FIDO U2F Security Keys, a
method by which Google eliminated most password compromise risk
through distributing Yubikeys to 50,000 employees worldwide).

In organizations with password behaviors and technical limitations
that prevent full multi-factor adoption, efforts should focus on
reducing the severity and impact of a password compromise.
Individuals must commit to consistent and secure account behaviors in
their work and personal life starting with strong passwords.  In many
cases individuals are using the SAME credentials across many accounts
both personal and professional.

Key Take-away: Organizations should push for secure password vaults
(tools like LastPass), unique strong passwords for each system that
doesn’t offer single sign-on, and multi-factor login options that
greatly limit impact if passwords are compromised.
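The reason the article singles out FIDO U2F security keys is that the
authenticator signs over the origin the browser is actually on, so a
response produced on a look-alike site is useless against the real
service. The following toy model, added here as an illustration and not
code from the article or from any FIDO implementation, walks through a
legitimate login, a relayed challenge answered on a phishing origin, and
a replay of an already-used response. The per-origin HMAC key stands in
for the per-origin key pair a real security key generates at
registration, and the class names, user name and hostnames are all
constructed.

```python
"""Toy model of U2F origin binding: why a phished response fails.

Added illustration, not from the article or any FIDO library. The
per-origin HMAC key is a stand-in for a real key pair, so the relying
party holds a verification key instead of a public key.
"""
import hashlib
import hmac
import secrets


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Authenticator:
    """Models a security key: a key per origin, derived at registration,
    and every assertion is signed over the hash of the browser-reported origin."""

    def __init__(self) -> None:
        self._device_secret = secrets.token_bytes(32)

    def _origin_key(self, origin: str) -> bytes:
        # Stand-in for the per-origin key pair: derived from the device
        # secret and the application parameter (hash of the origin).
        return hmac.new(self._device_secret, sha256(origin.encode()), hashlib.sha256).digest()

    def register(self, origin: str) -> bytes:
        # A real key hands back a public key; the toy hands back the
        # verification key for this origin only.
        return self._origin_key(origin)

    def sign(self, origin: str, challenge: bytes) -> dict:
        """Sign (application parameter || challenge parameter). The browser,
        not the user, supplies `origin`, so a phishing page can only obtain
        a signature bound to its own hostname."""
        app_param = sha256(origin.encode())
        chal_param = sha256(origin.encode() + b"|" + challenge)
        key = self._origin_key(origin)
        sig = hmac.new(key, app_param + chal_param, hashlib.sha256).digest()
        return {"origin": origin, "challenge": challenge, "signature": sig}


class RelyingParty:
    """The real service: issues one-time challenges and checks assertions."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self._keys = {}      # user -> verification key from registration
        self._pending = {}   # user -> outstanding challenge (single use)

    def enroll(self, user: str, key: bytes) -> None:
        self._keys[user] = key

    def new_challenge(self, user: str) -> bytes:
        chal = secrets.token_bytes(32)
        self._pending[user] = chal
        return chal

    def verify(self, user: str, assertion: dict) -> bool:
        """Accept only if the challenge is the unused one we issued, the signed
        origin is ours, and the signature checks under the enrolled key."""
        chal = self._pending.pop(user, None)   # pop: a second use is a replay
        if chal is None or not hmac.compare_digest(chal, assertion["challenge"]):
            return False
        if assertion["origin"] != self.origin:
            return False                         # produced for some other site
        app_param = sha256(self.origin.encode())
        chal_param = sha256(self.origin.encode() + b"|" + chal)
        expected = hmac.new(self._keys[user], app_param + chal_param, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["signature"])


def legitimate_login(auth: Authenticator, rp: RelyingParty, user: str) -> bool:
    chal = rp.new_challenge(user)
    return rp.verify(user, auth.sign(rp.origin, chal))


def relayed_login(auth: Authenticator, rp: RelyingParty, user: str,
                  lookalike_origin: str, rewrite_origin: bool = False) -> bool:
    """Challenge relayed to the user on a look-alike site, then forwarded to
    the real RP, optionally with the origin field rewritten to the real one."""
    chal = rp.new_challenge(user)
    assertion = auth.sign(lookalike_origin, chal)   # browser reports the site it is on
    if rewrite_origin:
        assertion = dict(assertion, origin=rp.origin)
    return rp.verify(user, assertion)


def replayed_login(auth: Authenticator, rp: RelyingParty, user: str) -> bool:
    """A captured, already-accepted response presented a second time."""
    chal = rp.new_challenge(user)
    assertion = auth.sign(rp.origin, chal)
    rp.verify(user, assertion)                      # first use succeeds
    return rp.verify(user, assertion)               # second use must fail


def demo() -> dict:
    auth = Authenticator()
    rp = RelyingParty("https://mail.example.com")          # constructed origin
    rp.enroll("alice", auth.register(rp.origin))           # constructed user
    fake = "https://mail-example.com"                      # constructed look-alike
    return {
        "legitimate": legitimate_login(auth, rp, "alice"),
        "relayed": relayed_login(auth, rp, "alice", fake),
        "relayed_rewritten": relayed_login(auth, rp, "alice", fake, rewrite_origin=True),
        "replayed": replayed_login(auth, rp, "alice"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18} accepted={ok}")
```

The three rejections come from different checks: the relayed response
carries the look-alike origin and is refused before any signature work;
rewriting that field does not help because the signature was computed
under the look-alike's key over the look-alike's application parameter;
and the replay fails because the challenge is consumed on first use.
None of this depends on the user noticing anything, which is the
property a password-based login cannot offer.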

5. Personal and corporate communications are intertwined

The majority of people load personal and professional accounts onto the
same device. This creates opportunity for malware and compromises in one
sphere to impact the other and creates channels for unauthorized data
movement that may not be secured. In one real-world case, a senior
manager had both personal and corporate email loaded on his laptop.
His personal email was compromised, and the malware was able to use
the global contact list to email itself to thousands of suppliers and
customers in addition to the entire company.

Key Take-away: Help your workforce get better in their security
related behaviors at home and work. Promote and/or offer guidance,
processes, and tools that enable both (integrating where possible with
the right controls in place)!

6. Companies lack key business process controls that can prevent serious harm

Many Business Email Compromises rely on urgency and the seeming
importance of the sender to pressure recipients into financial transactions with
the attacker. In many cases, strong processes around transaction
approval, verification, and other safeguards could prevent a malicious
transaction.  The W-2 scam in the US is a classic example.

In this identity and tax fraud scam, the attacker poses as the CEO or
another key finance/HR leader needing access to employee W-2s.
Unfortunately, they are very commonly sent to the attacker without
question.  Beyond technical and human behavioral training, there are
key processes in the company that should be helping individuals and
departments guard their Crown Jewels.  Public Service Announcement:
There are no circumstances where the CEO needs a zip file of all
employee W-2s in the next half hour.

Key Take-away: Ensure your company has built controls into the
processes that surround your critical data and business assets.

Phishing is a widespread problem and one without easy and instant
fixes. These six challenges can help you think about what your program
needs to be concerned about and the key take-aways can give you a
concrete place to start.  Like many of the threats in cybersecurity,
using a comprehensive and business-driven approach to reveal risk can
help you focus your efforts on what matters most.
