Mar 15, 2023

March 15, 2023 Attempting to fish is like fishing in a barrel. Given enough time, there is a 100% chance that a threat actor will snatch a victim. Phishing attackers target companies with poor cybersecurity hygiene and go fishing again and again. Johanna Baum, CEO and Founder of Strategic Security Solutions Consulting (SSSC), said, “The attackers are motivated and well-funded. You only need to attract 1 victim in 1 attempt. But companies need to protect all potential victims.” ⓒ Getty Images Bank Ignoring or misjudging IT security hygiene greatly increases attack susceptibility. Even if you follow very clean security practices, provide training to your employees, continually remind your employees to verify suspicious communications, and detect the latest unscrupulous campaigns to trick the unwary, your business will now and will always be vulnerable. will be. Why are corporate phishing strategies ineffective? There are 6 reasons. Phishing attacks are becoming more believable and sophisticated Cybercriminals are constantly developing new strategies to trick victims into handing over sensitive information. As a result, phishing attacks are becoming more sophisticated. “Many anti-phishing solutions detect phishing attacks based on static rules, which attackers can use more advanced techniques to easily circumvent,” says Chrissie Safi, managing director and global attack and penetration testing activity leader at consulting firm Protivity. can do. Also, with the release of ChatGPT, there will be cases where the grammar and English are perfect, making it difficult to identify phishing emails from cybercriminals.” With threat actors free to use open-source programs like ChatGPT, stolen communications from a company are becoming a panacea for fraudsters. This is because when AI learns data, the probability of finding an attack target increases. Even without adopting chatbots, attackers are getting more adept. Consider the data breach accident of Twilio, a cloud-based communication solution provider in 2022. At the time, the attackers used public databases to match employee names and phone numbers. In an incident report, Twilio said in a social engineering attack, “some employees were tricked into providing their credentials. And the attackers used the stolen credentials to gain access to some internal systems and gain access to specific customer data.” rely only on technology Many companies try to solve the phishing problem using technology alone. These companies buy all the latest tools to detect suspicious emails and give employees the means to block suspicious emails after reporting them. But Eric Libowitz, Americas CISO of Thales Group, a defense firm, said, “It’s nice to do that, but you will eventually be beaten by more sophisticated threat actors. Few companies focus on training their employees. Even if you have all the great tools in place, if you don’t train your employees, you’ll run into problems.” “Some companies have put in place the right tools and have workflows and processes in place to respond to phishing campaigns, but they haven’t configured these tools to be proactive,” said Justin Hani, head of security for North America at IT consultancy Avanade. Explained. “Let’s say you have a tool that can check and detect malicious email, but doesn’t automatically block it. In these cases, companies should leverage Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) technologies to deploy specific playbooks for potential phishing campaigns identified, rather than manual work by analysts.” did. Does not adopt a holistic defense-in-depth strategy Most companies whose anti-phishing strategies fail don’t have a holistic defense-in-depth strategy. “You can focus on specific technologies like email phishing prevention, multi-factor authentication, data encryption, endpoint/mobile security and not look at other technologies that mitigate risk along the cyber kill chain, such as detecting compromised identities,” says Hani. ” he said. If you rely solely on anti-phishing programs without implementing a holistic defense-in-depth strategy, even one successful attack will bring the entire system down. Email-based defense approaches or practices that rely entirely on user training are also problematic, says Brian Willett, CISO of Lexmark, a printer maker. This is because it is easy for users to make mistakes, and even a single mistake can lead to a successful attack.” Willett emphasized that the best way to defend against phishing attacks is a layered defense approach. This includes ensuring that all workstations have appropriate endpoint detection and response (EDR) systems in place to create a robust vulnerability management program, enabling multi-factor authentication for all user and administrator accounts, as well as segmentation across LAN/WAN to prevent compromised systems from being detected. This includes limiting the spread. “By paying attention to these points and implementing multiple defenses, businesses can better protect against phishing attacks,” Oulet said. You have to use a comprehensive, layered defense approach, assuming that attackers will one day succeed.” Neglect on staff training Assuming you are implementing a holistic defense-in-depth strategy, it is very important to train your staff on how to recognize fraudulent emails while educating them not to click on links or open attachments in emails from unknown senders. “An authentic voice is the most important factor in recognizing fraudulent emails,” said Jim Russell, CIO of Manhattanville College. Anyone trying to communicate quickly on email is a kind of security gap. Fortunately, most people write complete sentences. This part is missing or ‘How are you, Lauren?’ “If it’s missing a common greeting, it’s an inauthentic email.” Employees at Manhattan University were trained to forward suspicious emails to members of Russell’s team. Dell Technologies CISO Kevin Cross also said educating employees on how to check for and report phishing emails is the beginning of a successful anti-phishing strategy. This approach is very different from the common “don’t click” strategy used by many companies. A 0% click-through rate is an outrageous and unrealistic goal, says Kross. “Instead, training employees on how to report suspicious emails will allow security teams to quickly assess potential threats and mitigate the impact of others targeted by similar attacks,” Cross said. can “Companies can embed tools into their email platforms to make it easy for employees to report suspicious emails.” But this type of training isn’t enough, says Jacob Ansari, head of US PCI cybersecurity activities at consulting firm Mazars. “User behavior is just the tip of the iceberg,” says Ansari. Anti-phishing education that targets user behavior has limited effectiveness. He explained that phishing schemes are only effective when they can be separated from legitimate business activity. Anti-phishing efforts centered on education soon fail when employees are expected to engage in the kind of activity that bears resemblance to phishing schemes. “The value of anti-phishing training, for example, when a typical activity requires users to click on a link sent by a third-party sender for background checks or to apply for a payment by entering personal information into a web form hosted elsewhere,” Ansari said. is diluted,” he emphasized. In addition to educating users, Ansari advises minimizing the use of linking links in emails and revamping business processes to ensure that third-party interactions with employees adhere to standards for secure communications, so that common processes do not resemble phishing schemes. “All parts of the business, including human resources, marketing and finance, must engage in a responsible way,” he added. There is no coercion and lack of incentives Safi said that even if companies have strong training programs and policies in place, they may not be effective unless there are penalties for employees who violate the policies. For example, measures should be put in place to ensure that employees who fail to report a phishing email after being duped will behave better in the future. According to Russell, at Manhattan University, employees who are tricked by phishing emails must complete a certain number of online training sessions over a 10-day period. If you click on the malicious link, you only have to complete 1 training session, or 3 if you actually provide your credentials. “Check the list of employees who have been duped by phishing attempts to see if they have someone with high authority, such as a vice president, and talk to them,” Russell says. He also keeps track of people who have been repeatedly named on the list and people who are not educated, and he also talks to these people,” he added. Rely on simulated phishing tests Aiming to educate all employees to avoid being tricked is also the Achilles heel of today’s anti-phishing strategy, says Susila Nair, head of cybersecurity services at IT consulting firm Capgemini. “The premise of blaming the end user for falling for a phishing attack is pervasive,” Nair said. But companies should ask themselves, ‘What value do you find in the goal of ensuring that 100% of your users don’t fall for phishing simulations, and how are you measuring that?’” If your tests are sophisticated, many people will fail. If the test is fairly easy, everyone will succeed. Some CISOs may want to present improved metrics at board meetings. But security chiefs have to admit that no matter how educated the company is, someone will click on the link, and click-through rates will increase under stress. “Many companies simulate phishing by clicking on a link that takes them to a portal that says ‘You’ve been tricked,'” Nair said. However, forcing training through simulation has the opposite effect. You are more likely to click on a link. When you have a training on a busy, stressful day, you may click on a link in the hopes of getting it done as soon as possible without paying attention.” “Phishing simulations also affect how users respond to phishing emails. “I’m not going to click on a weird email, I’m not going to report it, I’m thinking of it as a test.” Anti-phishing programs often fail because people can end up being tricked. Despite education and best efforts, there are times when people make mistakes. “People often respond intuitively to phishing emails that are emotional, demanding of urgency and necessity,” said Elizabeth Shealy, an attorney at law firm Burr & Forman LLP and co-chair of the Cyber ​​Security and Data Privacy team. This environment will not change. Phishing emails will continue,” she said. editor@itworld.co.kr *The article has been translated based on the content of ITWorld Korea by www.itworld.co.kr . If there is any problem regarding the content, copyright, please leave a report below the article. We will try to process as quickly as possible to protect the rights of the author. Thank you very much! *We just want readers to access information more quickly and easily with other multilingual content, instead of information only available in a certain language. *We always respect the copyright of the content of the author and always include the original link of the source article.If the author disagrees, just leave the report below the article, the article will be edited or deleted at the request of the author. Thanks very much! Best regards! Report Content