Phishing
Phishing is the attempt to obtain sensitive information such as user names, passwords, and credit and bank card details by posing as a legitimate and trustworthy entity, usually via email or a clicked link.
A little over two thousand years ago, Cicero noted that the security of the city could be compromised by a single “traitor within” opening a lesser gate to the enemy. So it is today in our busy and complex IT-controlled lives. Much is spent on enterprise-grade firewall solutions, network security, segregation of services, anti-malware, anti-virus and ransomware solutions…yet it just takes ONE user to absent-mindedly click a link…
Much like my articles on ransomware, there are some key actions that should be considered.
- Make your staff aware of the constant attack on the integrity of your systems. Use real life examples to demonstrate the latest attack.
- The Phisher’s strategy may include some simple attacks, such as an email to “the accounts department” or “hello there”, but don’t assume that more sophisticated attacks are not being planned. A careful analysis of the company structure, key players and their associates, their favourite sport…results in endless information streams from social media pages, to be used in making the source and content of the attack more legitimate, and therefore more likely to be “clicked”.
- Key positions are likely to be targeted in different ways to the usual “rats and mice” attacks. An instruction from the CEO to the Finance manager to pay a specific payment will be more likely to succeed than a similar instruction sent to the tea lady.
- Vulnerabilities are exploited: staff members who access social media pages as part of their job may well be a first target.
- In larger corporate structures, generic mails from, say, the HR or IT department could be exploited, so clear policies in this regard should be communicated to staff in absolute terms. As an example, make it clear that the IT department will NEVER ask you for your password, and that any request for it is therefore a phishing attempt.
Ultimately, the security of your IT systems, data and IP depends on your staff’s awareness and on their regular training and updating in this regard. Keep in mind that your security solution has to win every time; the Phisher only once…
There is the occasional “win” for the good guys, where the tables are turned: http://www.419eater.com/
Please feel free to call me, or drop me a mail if you would like me to come and chat to you and your team about this or any of your IT issues. My team and I are ready to assist you.
Anton Schutte
027 524 9995
anton.schutte@selectit.co.nz