Teach your execs well: Stop phishing in the C-suite

To keep company information and systems safe, IT needs to blend user training with technology defenses

Teach your execs well: Stop phishing in the C-suite

Phishing as an attack vector is nearly old as the Internet, spearphishing (targeting individuals via individually crafted emails meant to fool them into revealing information or downloading spyware) has been a favored attack technique for a good decade, and targeting senior executives (who have the most valuable information and access, after all) in what is called whaling has been an established technique for years.

Despite the long history of phishing attacks, employees -- even top executives -- keep getting fooled. There’s no real technology solution to this issue -- maybe you’ll catch a spyware attachment, but it’s nearly impossible to detect from an email link sites that inject spyware. Once a person has been fooled, the criminal is in. In the case of whaling, the attacks are few and targeted, so they typically don’t get flagged by tools like OpenDNS and filtering that rely on seeing a swarm of suspect emails or entry attempts to identify a possible phishing attack.

Worse, criminals are good at mining social networks like LinkedIn and a vast array of both open source and private intelligence tools and databases. Thus, they get the right information to craft convincing but spoofed emails from people an employee is likely to know and trust.

Even in 2015, it’s essential to train executives about the risks of using social media sites like Facebook, Linkedin, Twitter, and Instagram. Although they might not change their usage pattern and degree of sharing about their personal lives, such training might convince them that better use of social networks’ security and privacy settings can help ensure only people with a real relationship with them can view the content.

I recommend you supplement such training with red-team testing, where you create fake phishing emails and send them to your employees to see who gets fooled. That’ll tell you who needs extra attention and may pose a greater security risk. Services that can help include KnowBe4, Phishme, and Wombat (although Phishme and Wombat are pricey).

Another deterrent to these kinds of attacks is the use of email stationery. There are tools, such as Mimecast and Exclaimer, that can flag emails coming from outside the organization and put them in a different stationery (or skin) than in-house emails use. That way, the recipient knows to be extra-cautious.

Of course, people will make mistakes or get fooled, even if trained. It’s essential to have technology that can intervene when users click a dangerous link they believe to be legit with time-of-click protection or real-time protection at the core.

You might also consider subscribing to a domain-name alerting service, such as DomainHole or Safenames, so you get an alert should someone try to register a domain name similar to your own

With targeted threats remaining a significant problem, it’s essential that IT admins take every precaution to protect their environment from top to bottom. Protect your company by providing employees who deal with sensitive information and systems -- especially your execs -- proactive training, then supplement it with vulnerability testing and aggressively protective technology.


Copyright © 2015 IDG Communications, Inc.