Email security and spear phishing secrets of an ex-hacker

Technology and user training together can help CISOs protect their data against the attacks demonstrated by Kevin Mitnick


The role of the chief information security officer (CISO) is evolving and expanding every day. Once considered a side role of the CIO or of the admin-focused CSO (who babysat firewalls and such), the CISO today has a much larger responsibility to ensure two key things take place in your organization:

  1. Block every digital door, window, and entryway.
  2. In the event something bad gets through those blocks, eradicate it immediately.

To accomplish these goals, the CISO of course needs to be up to date on security technology, both established and new. The CISO must also focus on user training, because people are both a key target and a line of defense against digital intrusions. And the CISO must have a quick-response strategy in play should there be a breach. As one security expert told me, being a good CISO is about prioritizing and using the right "recipe of people, processes, and technology."

Last week, I spoke at the SecureCIO event in Dallas about protecting the front end of your email messaging services (in Exchange or Office 365). The concerns from CISOs in the audience revolved primarily around spear phishing, which is very hard to defend against because it combines technology and social engineering to breach your environment.

My focus was on using cutting-edge technology to provide advanced protection, including against spear-phishing attacks. I believe you need to look closely at third-party tools, and you must layer security from multiple vendors to get that protection. In a Microsoft environment, you would add other vendors' technology atop Exchange's or Office 365's included protections.

The notion of layering tools from multiple providers is not new, but sometimes organizations let budget pressures thwart such wise risk prevention. They use the built-in defenses and cross their fingers.


InfoWorld columnist J. Peter Bruzzese (left) and hacker/security consultant Kevin Mitnick (right)

Technology is essential, but it's no surefire cure. There is a tremendous need to train users to be more alert. The keynote speaker at the event was Kevin Mitnick, the famous hacker who was at one time on the FBI's Most Wanted list. Engineering in such awareness has long been one of his central tenets in advising IT.

Stealing data and infiltrating networks is not that hard

Mitnick did a few demonstrations at the event that scared the bejeebers out of the audience. He showed how he could steal a person's identity within two minutes by simply using his or her name. He pulled up their Social Security numbers from legitimate websites -- one site charged only 50 cents per number -- plus their last 20 years of addresses, driver's license information, birth certificates (which include mother's maiden name), and more.

It would seem the point is that you cannot prevent your information from being obtained. But that wasn't Mitnick's goal. Instead, he advocated that knowing what can be obtained about you should guide what you use instead in your security practices. For example, don't use your mother's maiden name as a security question for credit card information. Instead, use something that wouldn't be in a government or corporate database about you, such as your favorite flavor of ice cream.

Mitnick also showed how he could use spear-phishing attacks to get users to click on links or call numbers that would lead to network infiltration or identity theft.

Security layers to consider adding

This is what the CISO is up against and why the CISO must be ever vigilant.

One tool that Mitnick uses is KnowBe4, which tests users via a white-hat phishing tool to see if they really have learned the lessons and have changed their behavior as a result. That way, you can see how well the training is paying off, and you can see who needs to take it again.

Other technologies I suggest the CISO bring in include DNS security as a new layer of defense. At the same time, I also have warned CISOs to ensure that security systems don't overburden users, which often leads to users working outside the system -- which is very risky.