Rick McElroy, security strategist, Carbon Black

Gannett Co, the American media company, was recently hit by a phishing email attack that potentially compromised the accounts of as many as 18,000 of its current and former employees. Such large phishing attacks are unfortunately becoming more and more common. For those who need to defend data and networks, it has become clear that there has never been a more profitable time to be a cyber-criminal. Attacks are becoming more frequent, more sophisticated and more varied.

Attackers know that misspelled, non-legitimate emails no longer yield results. As an industry, we have steadily been educating users to be wary of email links and, as a result, attackers are orchestrating more sophisticated attacks to dupe users.

Attackers are moving from just sending links to hatching new ways to deceive. We know, for example, that both malware and non-malware attacks can be utilised by cyber-criminals through email. There are also instances where cyber-criminals are prepared to do their research to conduct targeted attacks, such as setting sights on a travelling CEO. Targeted attacks can be extremely effective and, from the cyber-criminal's point of view, neatly complement mass-scale attacks.

The problem for those charged with maintaining enterprise security is that email use is so widespread. Despite training, a 24/7 working life also means mistakes are made, links are opened carelessly and nefarious messages are mindlessly forwarded. If a 20-year security veteran can fall victim, what chance does a new hire in accounting have?

For a great example of how easily emails can wreak havoc look no further than the NHS. Last year, it was reported that the NHS email server crashed after a test email was accidentally sent to all 1.2 million employees. NHS staff then “replying to all” significantly compounded the problem. While this was not a scam, it's a clear illustration of how email can create problems when it comes to maintaining security.

A study conducted at Columbia University showed the efficacy of email as a form of attack. Researchers sent out 2,000 phishing emails, which got 176 opens. Those 176 people were then warned that they'd fallen for a phishing attack. The researchers later sent another round of phishing emails to those same people, and 10 of them once again clicked. After another warning, a third batch of phishing emails was sent out, and three people fell for it again. It wasn't until the fourth round that no one opened the emails.

As that study shows, it's often people who are the weak link. Consequently, employee training continues to be a vital part of the defence strategy, and the need for vigilance is ongoing.

Email will continue to be a top vector when it comes to breaching systems. We have relied far too heavily on email for far too long. We need to move away from email. It's time. We need to begin to seriously look at other communication modalities to help protect against these types of attacks. There are better, arguably more secure solutions out there for communications, examples being an internal intranet via Jive or social business applications such as Yammer or Slack.

Given that email is not going anywhere soon, measures need to be put in place to keep an organisation and its staff protected.

Given the current reliance on email, CISOs and their organisations need to prioritise training and other defences around email. This will involve training at all levels. They also need to keep up to date with the latest developments as these attacks become more sophisticated. Outdated knowledge and technology can seriously inhibit an organisation's ability to remain secure.

Next time you consider opening or forwarding an email, take a second to think. Does this look right? If this had been sent to my personal email address, would I click on that link or send it to someone else? If the answer is ever no, then investigate further. A successful attack will cause far more harm, disruption and stress than simply taking the time to really think about whether an email is genuine or not.

Contributed by Rick McElroy, security strategist, Carbon Black

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.