Wednesday, July 6, 2011

Spear Phishing

By now most everyone has heard the term “phishing”.

Wikipedia defines phishing as an attempt to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.

Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public.

Phishing is typically carried out by e-mail spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.

Phishing is an example of social engineering techniques used to deceive users, and exploits the poor usability of current web security technologies.

IDP recently carried out an authorized phishing attack for one of its customers and found that over 50% of the staff gave up their email passwords in an email that, if examined closely, was obviously bogus.

So what is spear phishing?

The difference between phishing and spear phishing is that while the former floods thousands or even millions of inboxes, the latter targets a small group of previously identified people, sometimes only a handful who work at the same company or in the same organization.

With the increased popularity of social networking sites (Facebook, Twitter, etc.), the bad guys are now able to select specific individuals (and businesses) and direct their malicious activity in a very granular fashion, just as you’d spear a fish.

"Today's spear phishing is not only more prevalent but also much more technically proficient," says Dave Jevans, chairman of the Anti-Phishing Working Group (APWG), an industry association dedicated to fighting online identity theft.

"They're not going for a password, anymore, they're getting people to install crimeware on their computers," said Jevans.

Like the more common phishing, spear phishing attacks are launched as emails that try to con the recipient into clicking a link that leads to a malicious Web site. Those sites can take almost infinite forms, from fake account log-in screens to ones that tout a software upgrade to widely-used software, such as Adobe Flash.

Once the malicious link or email is clicked, the attacker is able to install a program that infects the computer, giving criminals access to that machine -- and through it, others -- or to confidential information, like account passwords obtained by secretly monitoring the PC's keystrokes.

According to reports by the likes of Bloomberg, the recent IMF spear-phishing attack targeted one of its workers and planted malware on a machine, which was then presumably used to scout the network for data to steal.

But the IMF incident is only the most recent in a series of specialized attacks this year aimed at targets from the Oak Ridge National Laboratory and the French foreign ministry to Google's Gmail.

All have one thing in common: They relied on spear phishing to fool users into installing malware or revealing account information.

So what can individuals do?

Well, very simply, maintain awareness, think before you click, keep your antivirus and antimalware software up to date and remember that anyone can be an unwitting target.

What about businesses?

Educating staff is first and foremost. Make sure there are policies, processes and procedures in place that everyone follows – but more importantly, that they understand.

From a technical perspective, ensure that your perimeter defenses (stateful firewalls, IDS / IPS, VPNs, blacklists, access control, etc.) are current, properly configured, monitored and regularly tested.

In summary, maintaining a defensive posture is not rocket science. Common sense, diligence and thoughtfulness are 90% of the game.

Friday, July 1, 2011

Defending Against Insider Threats To Reduce Your Risk

Insider threats are often overlooked when it comes to information security, but in fact insider threats account for the large majority of information theft and compromised systems. Who better to leverage their access and knowledge than those who oftentimes have the keys to the kingdom?

I read a good white paper this morning by CA Technologies (ca.com) entitled Defending Against Insider Threats To Reduce Your Risk. You can read an excerpt here:

http://www.idpnow.net/documents/Defending_Against_Insider_Threats.pdf

The focus of the article is that insider threats are increasing. The 2009 e-Crime Watch surveyed 523 organizations and found that 51% of these organizations had experienced an insider attack, up from only 39% of organizations three years earlier. That number is probably much higher in that insider attacks often go unreported. The point is that businesses must be vigilant in looking at insider risk the same way they do external risk – perhaps even more.

The white paper goes on to talk about how insider risks manifest themselves and how these attacks are carried out, but the recommendations to reduce these risks are the important takeaway. If businesses would ensure these relatively simple “best practices” are in place, the odds of an insider attack being successful are greatly diminished.

Develop and enforce comprehensive written acceptable use policies. All organizations should have detailed acceptable use policies for all employees and should make employees review and sign the policy annually. This is a basic step but one that organizations often overlook. Having a written security policy will not necessarily prevent insider attacks, but it can still be useful for providing the entire organization with a baseline of what is acceptable usage and the proper methods for handling sensitive data.

  • Ineffective management of privileged users. All IT environments have privileged users (admin, root) that have total access to key systems, applications, and information. This is not only a security risk, but it can also make compliance much more difficult. Sharing administrator passwords is another common problem which could lead to inappropriate access to your systems and information and an inability to identify specifically who performed which action on each system.
  • Inappropriate role and entitlement assignment. The management of user roles and entitlements is one of the biggest challenges that many IT organizations face. Overlapping roles and duplicated or inconsistent entitlements are all common problems that can lead to improper access to, and use of, sensitive information. In addition, the lack of automated de-provisioning can lead to excessive entitlements or orphan accounts, both of which provide openings through which disgruntled insiders can launch an attack.
  • Poor information classification and policy enforcement. Effective protection against improper access or use of information requires strong control over user identities, access, and information use. Most organizations have some controls in these areas, but do not have a unified and robust approach to truly protect their information assets.
  • Weak user authentication. Access to highly sensitive information often only requires simple password authentication, and does not take into account other contextual information (e.g., the user's location) that might raise the risk of breach.
  • Poor overall identity governance. Effective protection against improper access or use of information requires strong control over user identities, access, and information use. Most organizations have some controls in these areas, but do not have a unified and robust approach to truly protect their information assets.
  • Inadequate auditing and analytics. Many companies have no way to continuously audit access to help ensure that only properly authorized individuals are gaining access, and that their use of information complies with established policy. Even if they have auditing tools in place, the sheer volume of log data generated makes it very difficult for organizations to sift through the data and identify breaches or threats.
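
The list above names orphan accounts, excessive entitlements and shared administrator accounts as openings for insiders. The following is an added example, not taken from the white paper or this blog, of a periodic audit that flags all three. The HR roster, role map, account export and login records are constructed sample data, and every field and entitlement name is hypothetical.

```python
from collections import defaultdict

# Constructed sample inputs (hypothetical names, not from any real system).
HR_ACTIVE = {"alice": "finance", "bob": "it-ops", "carol": "sales"}
ROLE_ENTITLEMENTS = {
    "finance": {"erp-read", "erp-post"},
    "it-ops": {"server-admin", "backup-admin"},
    "sales": {"crm-read", "crm-write"},
}
ACCOUNTS = [
    {"account": "alice", "owner": "alice", "entitlements": {"erp-read", "erp-post"}},
    {"account": "bob", "owner": "bob", "entitlements": {"server-admin", "erp-post"}},
    {"account": "dave", "owner": "dave", "entitlements": {"crm-read"}},  # dave has left
    {"account": "root", "owner": None, "entitlements": {"server-admin"}},
]
AUTH_LOG = [("root", "ws-bob"), ("root", "ws-carol"), ("alice", "ws-alice")]


def audit(hr_active, role_entitlements, accounts, auth_log):
    """Return findings keyed by 'orphan', 'excess' and 'shared'."""
    findings = defaultdict(list)
    for acct in accounts:
        owner = acct["owner"]
        if owner is None:
            continue  # no named owner: covered by the shared-use check below
        if owner not in hr_active:
            # Owner is no longer on the HR roster: de-provisioning was missed.
            findings["orphan"].append(acct["account"])
            continue
        # Anything beyond what the owner's current role grants is excess.
        excess = acct["entitlements"] - role_entitlements[hr_active[owner]]
        if excess:
            findings["excess"].append((acct["account"], sorted(excess)))
    # Heuristic: one account used from several workstations suggests a shared
    # password, so actions cannot be tied to a single person.
    sources = defaultdict(set)
    for account, workstation in auth_log:
        sources[account].add(workstation)
    for account, seen in sorted(sources.items()):
        if len(seen) > 1:
            findings["shared"].append((account, sorted(seen)))
    return dict(findings)


if __name__ == "__main__":
    for kind, items in audit(HR_ACTIVE, ROLE_ENTITLEMENTS, ACCOUNTS, AUTH_LOG).items():
        print(kind, items)
```

Run on a schedule against real exports, a report like this turns the volume of raw log and directory data into a short list of accounts to review.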