Computerworld Malaysia's security roundup, in conjunction with this year's Security Summit in Kuala Lumpur, continues with an industry view of the war against phishing. Often, one of the flaring vulnerabilities facing business and security leaders is the human element: it is dangerously easy to click on a link in a highly targeted message.
Sumit Bansal (pic below), director for ASEAN & Korea for UK-headquartered Sophos, offered some advice in the following 'rapidfire' interview.
First, I asked him for an opinion on the state of phishing in Malaysia, and Asia.
(SB). Globally, phishing still remains one of the most common attack vectors for hackers who exploit end-user behaviour as the weakest link in a company's cyber-defences.
Last year, it was reported that the national regulator Malaysian Communications and Multimedia Commission (MCMC) blocked 1,129 phishing websites, which included fake pages created to acquire personal information such as usernames, passwords, banking information and credit card details by masquerading as a trusted entity in an electronic communication.
The use of targeted phishing and now 'whaling' is definitely growing. These attacks use very detailed information about company executives to trick employees into paying fraudsters or compromising accounts.
Phishing attackers are also increasingly targeting critical financial infrastructure, such as the attack involving SWIFT-connected institutions, which cost the Bangladesh Central Bank US$81 million.
And how have phishing attacks changed?
Traditionally, users receive a 'spoofed' email that appears to come from a legitimate website they frequently have online dealings with, like their bank, credit card company, or ISP, or in some cases even their employer.
The phishing email informs the user their account is somehow at risk, and that they may need a security update, or to reset their password. The phishing email may also direct the user to a spoofed website or pop-up window which looks exactly like the real site, but has been set up for the sole purpose of stealing personal information. Unaware that the site isn't real, unsuspecting users are fooled into handing over credit card numbers, passwords, or other details.
Over the years we've seen phishing scams imitating every retailer and organisation imaginable, from iTunes to Bitcoin. The phishing campaigns keep growing as it is difficult to spot fake sites and emails.
Phishing has evolved in lockstep with the 'Malware-as-a-Service' phenomenon. Today, we see phishing emails as a primary delivery method for ransomware payloads, which effectively latch on to organisations' files to encrypt them, holding them ransom.
Is the human element still the main vulnerability?
As phishing attacks become more sophisticated, it is actually easier to convince users to compromise themselves.
For example, it is common to see an email that addresses the recipient by name, claiming they have an outstanding debt the sender has been authorised to collect. Shock, awe or borrowing authority by pretending to be law enforcement are common and effective tactics.
The email directs users to a malicious link that users are panicked into clicking on, opening them up to attack. Unfortunately, such phishing attacks are seemingly authentic and can no longer be recognised by obvious mistakes in the email.
What must IT have in place?
Traditional online security training programs are academic, therefore 'blind' to the current attack landscape and somewhat disconnected from the rest of IT security management. This makes for a difficult burden for IT managers who are striving to effectively integrate 'anti-phishing' into routine risk assessments.
Therefore, enterprises now need a solution that allows their IT managers to eliminate risky behaviour in a 'simulated' and practical way.
As an example, our recently launched Phish Threat Attack Simulator provides rapid risk detection and incident response. It dramatically reduces the time and resources required to effect real change in employee behaviour when faced with sophisticated and rapidly evolving cybercrime techniques.
Sophos Phish Threat replicates the mind-set of a real attacker, using the complicated methods and techniques in use today. This means assessments are modelled after potential attacks that organisations may face from real hackers. We also wanted to make it more transparent and easier for IT to collate and analyse results.
What can top management do to improve the main vulnerabilities?
User education is still definitely a key area to focus on when trying to better tackle vulnerabilities among employees.
For the first time, with an aim to help organisations and staff understand phishing attacks, our Phish Threat Attack Simulator helps IT managers to create authentic phishing simulation and training sessions, and start course corrections for their employees. This approach will expose end users to automated attack simulations, and deliver better quality security awareness training. Also, actionable reporting metrics are included to help foster a more positive 'security awareness culture.'
I would also recommend other best practices such as:
Never respond to emails that request personal financial information
Reputable companies don't ask their customers for passwords or account details in an email. Even if you think the email may be legitimate, don't respond until you verify with the company by phone or by visiting their website. Always choose to type the website URL in yourself rather than clicking on a link in a suspicious email.
Keep a regular check on your accounts
Regularly log in to your online banking accounts and check your statements. If you see any suspicious transactions, report them to your bank or credit card provider.
Check that the website you are visiting is secure
Before submitting your bank details or other sensitive information, there are a couple of checks you can do to help ensure the site uses encryption to protect your personal data. For example, check the web address in the address bar. If the website you are visiting is on a secure server it should start with "https://" ("s" for security) rather than the usual "http://".
Keep your computer secure
Some phishing emails or other spam may contain software that can record information on your internet activities (spyware) or open a 'backdoor' to allow hackers access to your computer (Trojans). Installing antivirus software and keeping it up to date will help detect and disable malicious software, while using anti-spam software will stop phishing emails from reaching you.
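The address-bar check above (https rather than http) and the advice to type the URL yourself rather than click on a link, as an added Python example that is not part of the interview or of any Sophos product: it pulls the links out of a constructed HTML email, flags any that are not https, and also flags links whose visible text names a domain different from the real destination host, which goes one step beyond the check stated above. Every address in the sample is a constructed placeholder.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html_body):
    """Return (href, reason) findings for links that fail the checks."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        if parsed.scheme != "https":  # the address-bar check from the advice above
            findings.append((href, "link is not https"))
        # Visible text that looks like a domain but differs from the real destination host
        m = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        if m and parsed.hostname:
            shown = m.group(0)[4:] if m.group(0).startswith("www.") else m.group(0)
            host = parsed.hostname
            if host != shown and not host.endswith("." + shown):
                findings.append((href, f"visible text says {shown} but link goes to {host}"))
    return findings


# Constructed sample email body (placeholder domains, not a real message)
SAMPLE_EMAIL = """
<p>Your account is at risk. Please <a href="http://login.example-bank.test/reset">reset your password</a>.</p>
<p>Statements: <a href="https://example-bank.test.lookalike-placeholder.test/">www.example-bank.test</a></p>
<p>Help: <a href="https://secure.example-bank.test/">www.example-bank.test</a></p>
"""
```

Running `check_links(SAMPLE_EMAIL)` reports the plain-http reset link and the link whose text names example-bank.test but resolves to a different host, while the genuine secure.example-bank.test link passes.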
The latest edition of this article can be found at Computerworld Malaysia.