The September 26, 2011 edition of the Wall Street Journal contained a special section dedicated to information security. In an article entitled “What’s a Company’s Biggest Security Risk? You.”, reporter Geoffrey A. Fowler details the security gaps that are created by people. Fowler writes:
We are the weakest link.
Hacking attacks against companies are growing bigger and bolder—witness a string of high-profile breaches this year at Sony Corp., Citigroup Inc. and others. But gone are the days when hackers would simply find holes in corporate networks to steal valuable data. Large companies have grown wise to the threat of hacking, and have spent the past 30 years hardening the perimeters of their networks with upgraded technology.
These days, criminals aren’t just hacking networks. They’re hacking us, the employees.
“The security gap is end users,” says Kevin Mandia, chief executive of security firm Mandiant Corp. The majority of corporate security breaches his firm is currently investigating involve hackers who gained access to company networks by exploiting well-intentioned employees.
The article provides details on how hackers use personal data that is now readily available on the internet to craft highly personalized emails that trick the recipient into compromising their systems, an attack known as spear-phishing. The article describes the compromise of information at RSA, in which the email was so convincing that the employee recovered it from the “junk mail” folder and acted upon it.
The article concludes with the importance of training people so that they are not enticed by fraudulent emails.
Unfortunately, training people to avoid suspicious emails is essentially impossible because, as Lt. Col. Gregory Conti, IT professor at West Point, observed in the New York Times:
“What’s ‘wrong’ with these e-mails is very, very subtle,” he said, adding: “They’ll come in error-free, often using the appropriate jargon or acronyms for a given office or organization.”
The tools to improve the criminals’ craft are becoming more robust every day. A little internet research yields substantial personal information that can be used to deceive the recipient. Email is the ideal medium for deception because the attacker has at his command all of the human factors needed to deceive the recipient. Given the ability of criminals to craft and deliver deceiving emails, email recipients are essentially unarmed in this battle of wits with spearphishers.
Social engineering deceives users into becoming the agents of the criminals. What can be done to defend the enterprise against spear-phishing? The enterprise can adopt a tool that identifies trusted email, so that the target of a spear-phishing attack can distinguish real email from fake email. That tool is SP Guard from Iconix.
SP Guard provides the recipient with three confirmations that a message is real:
- List View. There is an integrity indicator in the list view of the email client.
- Message. The open message has a further indicator of authenticity.
- Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.
SP Guard now offers a fraud filtering enhancement. This additional protection is becoming increasingly important given the latest generation of highly targeted spear-phishing emails, which are so well crafted that users cannot tell real from fake.
SP Guard is available now from Iconix. For further information, contact us at 408-727-6342, ext. 3, or use our online form.