Security is important and you really should never, ever, scrimp on it because one day the consequences will catch up with you. Just ask Sony, Citibank, The IMF, Codemasters, Eve Online and even the US Senate – all have fallen victim to internet-based attacks recently.
All of these are big organisations, with big budgets and – you would think – the business incentive to protect their networks. It is almost certain that they employed expensive firewalls, up-to-date Intrusion Prevention Systems (IPS) and the like.
In at least one case, however, it seems that one of the most basic chains in the security fence was broken – employee awareness.
The weekend’s revelations that the servers of the International Monetary Fund (IMF) have been breached using a spear phishing attack have been met with equanimity by the IT security industry.
According to David Beesley, managing director of Network Defence, the problem with spear phishing is that it is difficult to defend against owing to the fact that it primarily targets users and not PCs.
Spear phishing – where a targeted email is sent to an employee, which encourages them to open an infected attachment that in turn leads to compromise of the network – is not new. It is not sophisticated and it is, basically, something anyone can attempt. It is such a basic form of attack that there should be no excuse for your entire network falling prey to it.
It is not difficult to defend against, you just cant rely on technology and tools. There is a difference.
As will all things security related, having many layers of defence is the best strategy. The danger from spear phishing is that you are basically being attacked by a legitimate user who has legitimate access rights to resources on your network. You still need your anti-virus in place, you need your firewall, your IPS/IDS etc. All the good stuff that security technology companies will sell you, you still need it just as much as before.
However, and this is important, if you do not properly train your staff, make them aware of the security risk and what to do to defend against it then all of this technology spend is wasted. Keep this in mind: You can spend £500,000 on a firewall only for it to be compromised by an email attachment that a 14 year old has put together in his spare time. By saving small sums of money and not having an employee training program, you can effectively undermine massive expenditure on security technology.
The reverse holds true. If you spend wisely on employee training, everything that makes up your security will be better. You may still have breaches – that is an unfortunate fact of life – but you will have less, you will respond to them better and life will be harder for the hackers. It just makes sense.
So, dont waste time – check your HR (or whatever) records and see when the last time your staff were all given appropriate training in how to identify suspicious emails and what to do about it. If it was more than six months ago, you may be overdue for a new round of training. If you dont feel your own resources are up to putting together an effective training package for this, or you would rather have external presenters deliver the information then have a look at the Security Education Services provided by Halkyn Security Consulting. We are always happy to help spread the word and have extensive experience delivering security training to both technical and non-technical audiences.
Pingback: Spear phishing attacks, prevalent & successful – Halkyn Security Blog