
posted by Fnord666 on Tuesday August 20 2019, @05:54PM   Printer-friendly
from the do-you-have-a-phishing-license? dept.

Phishing is still the most common way for cyber attackers to gain entry into networks. Whether it's crooks looking for financial gain or state-backed hacking operations engaging in cyber espionage, it almost always starts with a message designed to make someone click a link or give away sensitive information. Just one person falling victim can be enough to provide hackers with the foothold they need to gain access to the whole corporate network and the confidential information stored within.

But blaming the victim rarely solves anything, especially since phishing emails can be so closely tailored to their targets that it is almost impossible to tell a genuine message from one spoofed as part of an attack.

"It's fairly easy for an attacker to get hold of an email address and pretend to be somebody," says Amanda Widdowson, cybersecurity champion for the Chartered Institute of Ergonomics & Human Factors and human factors capability lead for Thales Cyber & Consulting.

[...] "There's a power play going on in a lot of these emails. There's somebody impersonating a position of authority, of seniority, effectively saying don't ask questions, just get it done, which is effective," says Tim Sadler, CEO of email security provider Tessian.

"When people send spear-phishing emails, they're taking on the persona or identity of a trusted person. That personalisation makes it highly effective in terms of getting the target to comply with the request, pay the invoice, do what they need to do," he adds.

[...] "There's very little to let the person receiving the email know the person they're receiving it from is who they say they are. It's a little asymmetric, asking a person to do the hard bit, then not making life easy for them," says James Hatch, director of cyber services at BAE Systems.

This behaviour isn't restricted to email either: banks, utilities, telecommunications companies and other service providers will sometimes call customers out of the blue and then ask the customer to provide their personal security details to verify their identity, yet the customer has no way of telling whether the call is a hoax.


  • (Score: 3, Insightful) by RandomFactor (3682) on Tuesday August 20 2019, @09:46PM (#882807) (2 children)

    A corporate email system should flag EXTERNAL emails to alert internal users that this email comes from an outside source.

    I've implemented this in various environments over the years.
    It's great if you've got the top level backing to make it stick properly and a user base that understands (or can be taught) the difference between 'outside the company' and 'malicious'
     
    However, there can be...issues...

    For example - your company has outsourced HR and Retirement and five different helpdesks and Sales and Distribution and Marketing and Communications and random unknown other critical functions to external systems.
    Go implement these dozens and dozens of exceptions for these unsecured and easily spoofable external email senders (and more as we go along) and also for these partners (or you are fired.)

    And of course if you do remove the flag/stamp/annotation for exceptions things get even cooler as then you get it from both sides - NOW your users and random managers are pissed because WTF? This came from outside and isn't flagged! Fix this, we need to be able to rely on the stamp.
     
    Hey YOU! Department X has told their workers to NEVER open anything flagged so you need to exempt from flagging everything outside they work with (no they didn't check with you first.)
    Hey YOU! Salespeople can't scan down through their emails on handhelds because the subject has your stupid stamp in the way.
    Hey YOU! The guard shack has to scroll down in emails on their handheld device because you put your dumb annotation at the top of the text.
    Hey YOU! Can you flag emails from this (DMARC P=none) company as "TRUSTED SENDER" somehow for us?
    Hey YOU! We brilliant devs, who know more about email security than you lot, did NOT set up our dozens of shadow IT AWS systems (that are now production) in SPF/DKIM/DMARC and yes we HAVE to use the primary company domain and no we can't change it.
    Hey YOU! Can you make it a highlighted stamp for us? You can? Great, can you do it in the subject?
    Hey YOU! We need a stamp, but it needs different wording. And make sure we don't get both. OH, so does this other division. And that one too. Can you do it in different languages for Europe?
    Hey YOU! These five different divisions have contracted with their own marketing deliverability firms. Add all these entries to your DMARC records (and we don't care how many the spec says can be in there)
    Hey YOU! We need emails to this system exempted because the stamp breaks email processing and we don't want to tweak (or can't even find to tweak) a few code lines.
    Hey YOU! Can you help me to carry a stone? 

    --
    There is no news in Pravda, and no truth in Izvestia.
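The external-sender stamp and the partner exceptions RandomFactor describes above, as an added example that is not from the page or from any product mentioned in it: a small inbound-edge policy that prefixes the Subject for outside mail, and lifts the stamp for an allow-listed partner only when the gateway's own DMARC verdict for that message is "pass". It also shows why a p=none partner cannot safely be given a "trusted sender" exemption. The domains (example.com, payroll-vendor.example), the authserv-id mx.example.com, the header values and the sample messages are all constructed for illustration.

```python
"""Added example: EXTERNAL-stamp policy with authenticated partner exceptions.
All domains, headers and sample messages below are assumed/constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}            # assumed: the company's own domain
EXEMPT_PARTNERS = {"payroll-vendor.example"}   # assumed: outsourced HR/payroll sender
AUTHSERV_ID = "mx.example.com"                # assumed: authserv-id our gateway writes
STAMP = "[EXTERNAL] "


def from_domain(msg):
    """Lower-cased domain of the RFC 5322 From: address, or None if unparsable."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def dmarc_verdict(msg):
    """DMARC result ("pass", "fail", "none", ...) read only from the
    Authentication-Results header whose authserv-id is our own gateway.
    A sender can add Authentication-Results headers of its own, so any header
    carrying a different authserv-id is ignored.  The gateway itself must still
    strip inbound headers that forge our exact authserv-id (RFC 8601 section 5);
    this function cannot tell those apart after the fact."""
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() != AUTHSERV_ID:
            continue
        m = re.search(r"\bdmarc=([a-z]+)", results, re.IGNORECASE)
        return m.group(1).lower() if m else None
    return None


def classify(msg):
    """Return (needs_stamp, reason) for a message seen at the inbound edge.
    Everything arriving here came from outside, so our own domain in From: is
    trusted only when it authenticates; a shadow-IT box sending as example.com
    without aligned SPF/DKIM is stamped like any other spoof."""
    domain = from_domain(msg)
    if domain is None:
        return True, "unparsable From"
    verdict = dmarc_verdict(msg) or "missing"
    if domain in INTERNAL_DOMAINS:
        if verdict == "pass":
            return False, "own domain, DMARC pass"
        return True, "own domain, DMARC " + verdict
    if domain in EXEMPT_PARTNERS:
        if verdict == "pass":
            return False, "partner, DMARC pass"
        return True, "partner domain, DMARC " + verdict
    return True, "external"


def stamped_subject(msg):
    """Subject line to deliver: prefixed with STAMP when classify() says so."""
    needs_stamp, _ = classify(msg)
    subject = msg.get("Subject", "")
    if needs_stamp and not subject.startswith(STAMP):
        return STAMP + subject
    return subject


def exemption_allowed_by_policy(dmarc_txt):
    """Whether a partner's published DMARC TXT record is strong enough to
    justify an exemption: p=quarantine or p=reject.  A p=none domain asks
    receivers to deliver unauthenticated mail, so exempting it from the stamp
    would exempt the spoofs of it too."""
    pairs = (t.split("=", 1) for t in dmarc_txt.split(";") if "=" in t)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    return tags.get("v") == "DMARC1" and tags.get("p", "none").lower() in ("quarantine", "reject")


# Constructed sample messages (not real traffic).
SAMPLES = {
    "partner_ok": (
        "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=payroll-vendor.example;"
        " dkim=pass header.d=payroll-vendor.example; dmarc=pass header.from=payroll-vendor.example\n"
        "From: Payroll <noreply@payroll-vendor.example>\nSubject: Your payslip\n\n...\n"),
    "partner_spoofed": (
        "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=payroll-vendor.example;"
        " dkim=none; dmarc=fail header.from=payroll-vendor.example\n"
        "From: Payroll <noreply@payroll-vendor.example>\nSubject: Urgent: update bank details\n\n...\n"),
    "forged_authres": (  # attacker-supplied verdict under a foreign authserv-id is ignored
        "Authentication-Results: mx.example.com; dmarc=fail header.from=payroll-vendor.example\n"
        "Authentication-Results: mail.attacker.example; dmarc=pass header.from=payroll-vendor.example\n"
        "From: Payroll <noreply@payroll-vendor.example>\nSubject: Invoice attached\n\n...\n"),
    "shadow_it": (  # our own domain from an unregistered cloud host: no SPF/DKIM, fails DMARC
        "Authentication-Results: mx.example.com; spf=none; dkim=none; dmarc=fail header.from=example.com\n"
        "From: alerts@example.com\nSubject: Build failed\n\n...\n"),
}


def run_samples():
    """classify() each constructed sample; returns {name: (needs_stamp, reason)}."""
    return {name: classify(message_from_string(raw)) for name, raw in SAMPLES.items()}


def subject_for(sample_name):
    """Delivered Subject for one constructed sample."""
    return stamped_subject(message_from_string(SAMPLES[sample_name]))


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:16s} {result}")
```

The design point is that the exemption list is keyed on the verdict, not just the From: domain: an allow-listed partner whose mail does not pass DMARC still gets the stamp, and a sender cannot talk its way past the check by adding its own Authentication-Results header. What this code cannot do is protect against a forged header that copies the gateway's exact authserv-id; that stripping has to happen on the gateway itself before the message reaches any policy like this one.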
  • (Score: 2) by legont (4179) on Wednesday August 21 2019, @12:05AM (#882867)

    Yep, we have all this. I am getting a real phishing email and a couple of training attacks from security per week. And the list of quarantined emails has a few corporate ones every week; self-prison is a bitch. This does not count a dozen or so per day that I simply delete as opposed to reading or reporting them.

    --
    "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
  • (Score: 3, Insightful) by edIII (791) on Wednesday August 21 2019, @02:43AM (#882919)

    I read all of that as, "the fuckers deserve it" :)

    You can bring a horse to water, but sometimes all you can do is drown the son of a bitch in it.

    --
    Technically, lunchtime is at any moment. It's just a wave function.