Have you “Gone Phishing”?

So, your security perimeter is tight, right?  Your corporate email has advanced threat protection. You have deployed an anti-virus system.  That means you are all good and it is time for you to hang up the sign: Gone Fishing and with not a care in the world.

This might be an effective approach in a world where the people using the devices never leave the office and always and only have access to information when seated safely behind your firewall. It would be great if they never searched for anything online and also never saw a web based advert or used any personal email service such as Outlook.com or Gmail. If all of the foregoing is the case - rest easy and happy fishing.

But it never is the case.

The reality of the modern business is quite far removed from this scenario. When looking at computer usage in South Africa and the rest of the continent – the vast majority of computer users have access only to the machine provided by their employer. A very small percentage have the luxury of personal home devices and because of this, virtually every corporate security policy allows for personal use of company equipment. Whether it is for internet banking, school projects or entertainment - we cannot escape the fact that most corporate devices are used for many different purposes.

Due to the fact that people are using these machines outside of the controlled environment it is no longer good enough to only provide corporate coverage. Today staff make use of file sharing services and free-to-use email services to do their personal business. We all receive invoices, handle tax returns and send personal information to banks or government departments.  So when your user falls prey to a fake invoice or SARS refund email and clicks on that link in their Gmail account, not knowing that is has happened will hurt you and your business. The prevalence of the digital world means that we now have no choice but to know what happens beyond the click.

Recently we have seen an increase in invoice or refund related attacks. Cyber-criminals never keep office hours and are innovating all the time. Whether it comes around tax season or other events, they work hard to get your people to fall into their traps. When your user gets the refund confirmation or tax invoice that just won’t open, they hit the link to follow instructions. This innocent looking document can be laden with threats. The innocent user has been sucked in and they are sent to malicious sites, to enter their personal information or install a seemingly innocent web application.

Malicious websites can contain malware or applications that can be loaded with key loggers and software designed to spy. The prevalence of password re-use on every site and platform also means that there is a massive probability that your user has the same password for Facebook, internet banking and corporate login.

Now that they are hooked it is simply a case of the phisherman reeling in their catch.

The modus operandi has changed, our modern phisherman now practice a great deal of patience. The infection no longer means immediate action but we now see prolonged periods of reconnaissance. The attacker will monitor the user before moving in for the kill.

This time is used to gather information, learn about the user, see what sites they are accessing and use this information to leapfrog to a more powerful position before delivering the real attack. It may takes days, weeks or even months. Cyber thieves have infinite patience.

So while you have deployed enhanced protection on your corporate email system, where these clicks will be blocked, the user does not have that protection when tricked via Gmail.

What can be done?

The truth is without visibility of the end point, with the user working at the device, you are at heightened risk. The Phish may not immediately encrypt files because rather like bellbottom trousers - this is so last season. Our new attackers are there to learn and siphon. When they learn they have more power and with more power they have a bigger pay day. This could be your entire network or highly sensitive IP.  

Layered security measures must go beyond the perimeter and anti-virus. Anomaly detection and immediately identifying changes are a crucial part of a comprehensive security strategy. You can only pick up anomalies once you know what activity is actually taking place; no matter where they are. We have to place far more attention on understanding behaviour to better understand and identify inconsistencies.

Layered defence, while vital, is also not always going to save you if the various layers are not bound together. Let us not fool ourselves because it will not help when an alarm is triggered by a trip wire and everybody is focused only on the electric fence. A consolidated view with built in intelligence and up to date global feeds will ensure the alarm systems are always armed and your response team is always prepped.

With visibility, behavioural monitoring and immediate response, powered by automation, you can rest easy that even when you are caught fishing you are not the trophy.

John Mc Loughlin, MD, J2 Software, Article originally published on ITWeb