Two security experts face a phishing attack but the story ends as a dark day for one of them ... Discover how to better deal with phishing risks all along our story!
Our cyber security awareness story - written by Emmanuel Nicaise, our human-centric security expert with more than 20 years experience - will be weekly published during the Summer. So stay tuned, the Approach team is already a fan of it ;-)
Meet in this first chapter our security experts: Ben, Head of Security Engineering at B.com and Alice, Chief Security Officer of A.com. Both are well aware of the phishing risks and implemented multi-layered protections within their company but only one implemented a human-centric security awareness program.
1. It started out as a good day
Friday afternoon, on a dark winter’s day, Alice, the Chief Security Officer of A.com, is talking over the phone to her friend Ben. Ben is the head of Security Engineering at B.com and Alice is giving him some feedback on the new Email Security Services they recently implemented. Ben had recommended it to reduce the risk of phishing. With four different layers of security using different technologies from different vendors each, they had succeeded in stopping most spam, phishing and scam.
Alice looks through her office’s window. It is raining outside. Suddenly, Ben stops talking in the middle of a sentence.
- Damn!, shouts Ben. I have ransomware on my network.
- What! How is it possible?
- I don’t know, but my computer is locked.
At that moment, Alice receives a message from her incident response team. A massive worldwide ransomware attack using phishing is currently underway, but they manage to block it.
2. What happened?
Phishing is a significant threat to enterprises. 13% of data breaches involve social engineering attacks (Verizon Data Breach Incident Report 2018), mostly in the form of spear phishing.
Phishing and spear phishing are attacks using emails to lure the recipients into clicking on a web link to a malicious website or into opening a malicious attached file. The phishing web sites mimic legitimate one (like Microsoft Office365 or Google mail), often inducing the victims to enter their username and passwords or their credit card information. They can also induce users to install malware, willingly or unaware. Criminals will then use the credentials or the malware to take control of the victim’s computer.
Alice and Ben are well aware of this risk. A.com is a cloud service provider. Alice knows how important security is for A.com to keep their customers and their position on the market. B.com is an industrial leader. Ben reports to the Chief Security Officer of B.com. Between the Intellectual Property concerns in the R&D department and the fully computerised industrial control system, Ben is well aware of the importance of cybersecurity for B.com. Still, he sometimes feels his management does not fully understand it yet. As seasoned cyber-security experts, they both have implemented multiple layers of mitigation. Were they all equally efficient, however? Let us go back a year from that day and discover what they did (or did not do) to get to this stage.
3. Why should we care about phishing?
“Why” is a fundamental question we should ask ourselves before embarking on any activity. So, why should we care about phishing?
Like most organisations, the goal of A.com and B.com is to deliver goods or provide services and to make some profit. At the very least, they try to be sustainable. They accordingly manage their risks and maintain them at an acceptable level so as to sustain their activity while still making a profit.
As phishing represents a large part of the successful attacks against organisations, it is a direct and indirect threat to their businesses. Phishing emails are a cheap and effective way of bypassing most of the peripheral security systems (i.e. the ones protecting you against external attacks like firewall, proxies, or gateways). As a threat with a significant likelihood and a high potential impact, phishing was high on the list of Alice and Ben.
4. What are the risks associated with phishing?
Alice, like Ben, has identified three primary risks associated with phishing attacks:
- Malware: In many attacks, criminals use phishing emails to drop a payload, a malicious content. They do so either directly, using an attachment, or indirectly, using a link to a malicious file or a webpage with a malicious script. The payload can be a trojan horse, a simple virus or ransomware.
- Data leakage: Sometimes, the link in the phishing email points to a website mimicking a trusted website. The victim will be induced to type his or her credentials or sometimes other information needed for a later phase of an attack.
- Fraud: Fraudsters use phishing emails for a classic scam attempt. Often, it is nothing complicated, just some impersonation and a pretext to get people to wire money to the wrong person.
Recent events have shown the potential impact of ransomware such as Petya1 / NotPetya on organisations. Petya/NotPetya caused $10 billion in losses and services or in manufacturing companies being unable to work for weeks.
The European General Data Protection Regulation has moreover increased the perception of the risks. Losing personal data can have a severe financial and reputational impact on European organisations nowadays. Neither A nor B wants to face the PR nightmare and the potential impact on their customer relationship. The respective boards of directors of A.com and B.com understood the risks presented by phishing. Both agreed to allocate a budget to address the issue, but not the same way.
In the case of A.com, despite all the IT security controls in place, criminals can succeed with minimal means. Using emails and phone calls to make employee wire money to an account is technically easy and still works. Alice reminded them of the €72 million lost by a Belgian bank which fell victim to a social engineering attack a few years ago. They understood how essential people are for their security.
Ben has a different view. He also knows that people are at the heart of any company, but for him, they are the weakest link and there is no way of knowing what the return on investment will be. He would rather put his money on technologies.
Alice and Ben discussed the risk with their respective security analysts and risk officers. They all agreed that avoiding the risks is somewhat challenging. It would require foregoing emails to communicate. Alice had heard of companies that had implemented a radical change in their IT, and had banned nearly all emails. A.com was not ready for such a drastic step however.
Accepting the risk would not do either. Without mitigation, phishing will likely drive their company out of business. Mitigating the risks therefore seems to be the best option.
While slightly different, both Alice and Ben‘s plans had very similar approaches. They address the issue with three complementary approaches:
- Reduce Exposure and impact: Learn more in the second chapter of our cyber security story
- Train the users
- Facilitate detection
The complete mitigation plan of Alice and Ben will be explained in the next chapters :-)
Discover our security awareness solution and contact us!