“Target – The Human” in the May 2011 issue of Information Security provides a detailed discussion of the social engineering schemes that are being used to compromise data processing systems. The article quotes Shawn Moyer, managing principal research consultant with Accuvant LABS R&D team:
A common mistake enterprise security managers make is focusing on infrastructure and system defenses instead of people. A lot of defenders still think in terms of an attacker on the Internet externally trying to find a way in. … The reality is, if I’m the outside threat, I find an insider and that insider becomes your threat.
The article describes how scoundrels use social networks to collect personal information to devise clever schemes of deception. Lance Spitzner, director of SANS Securing the Human Program, describes how network attackers used publicly available information from the internet to obtain personal information to create an enticing email. For example, attackers identified employees who attended a conference. The attackers created a spear-phishing email that pretended to follow-up on the conference. Spitzner noted:
By customizing the email, two things happen: They’re far more likely to click on it and by having a small number [of targets] it’s more likely to slip through. It goes under the radar of antivirus companies because they don’t have signatures [for it].
Heather Adkins, information security manager at Google, describes the recent security breach at Google. In this case, the miscreants gathered information posted by employees on social websites and used this information to create a phony photo website. The bad guys then sent emails containing links that appeared to come from people the employees trusted. The links downloaded malware that allowed the criminals to infiltrate Google’s servers.
The article concludes with a discussion of training to combat the spear-phishing threat. While Iconix agrees that training is an important element of a multi-layered defense, training is not enough. The Iconix whitepaper “Phishing Training – A Losing Cyberwar Strategy” discusses the deficiencies of training in detail.
When human factors are considered in the threat profile, human factors must be deployed in the defensive measures. A tool is now available that uses human factors to identify trusted email so that the target of the spear-phishing attack can distinguish real email from fake email. That tool is SP Guard from Iconix.
SP Guard modifies the email client’s display to provide a visual indicator of the identity of the sender of email. This is an example from Outlook, the popular business email client, in which a company called “MyCo” is marking their internal messages as well as those from trusted partners such as their law firm. Note especially the last message, though seemingly benign, is a spear-phishing message and is not marked as authentic:
SP Guard provides the email recipient with three easy to recognize confirmations that a message is really an internal email or from a trusted counterpart:
- List View. There is an integrity indicator in the list view of the email client.
- Message. The open message has a further indicator of authenticity.
- Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.
SP Guard is available now from Iconix.
Your systems are under attack from clever and determined opponents employing Advanced Persistent Threats. The opponents’ preferred method of the initial incursion into your systems is spear-phishing. As has been demonstrated in numerous cases, that opponent is persistent – eventually an employee will respond to a carefully crafted email and that response will initiate a series of events that will result in system compromise. The point of vulnerability is the person interacting with a compelling email. Training is not effective in defending at the point of vulnerability. At that point of vulnerability, SP Guard provides the person with a defense against the spear-phishing attack.