IANS Blog

  • SHA-1 Has Been Broken: Now What?

    by Daniel Maloof | Feb 24, 2017

    Friday, February 24, 2017 By Dave Shackleford, IANS Faculty


    We all knew this day was coming, but that doesn't make it any better. Researchers from Google and the CWI Institute in Amsterdam have announced the first documented SHA-1 collision. Basically, this means that two entirely different files can generate the same hash value due to a flaw in the mathematical algorithm in use.

    But what does this actually mean in practice? Well, in a nutshell, any use of SHA-1 for verifying trusted content goes out the window. An attacker could substitute a malicious file with the same hash for a trusted file and no one would know, based on the output of a SHA-1 operation.

    This has already happened with the MD5 hash algorithm, and many at the time moved to SHA-1 to replace it. And despite the fact that we’ve known about attacks against it since 2005 (plus NIST officially deprecating it in 2011), SHA-1 is still one of the most commonly used hashing algorithms in the world for verifying website certificates, validating files and content and providing any other number of operations involving integrity validation. With the SHA-1 algorithm now in serious doubt, an enormous number of sites and services will need to rescind its use to prevent a serious degradation in trust.

    Fortunately, while we now know SHA-1 is broken, it’s not exactly easy to compromise it today. The Google and CWI researchers documented the level of effort needed to produce a viable collision, and it’s pretty significant. In fact, the CWI researchers really needed Google’s help with the project, in part because of its massive computing power. The following numbers (taken from the original blog post announcing the collision) should provide some idea of how intensive this research was:

    • Nine quintillion (9,223,372,036,854,775,808) SHA1 computations in total
    • 6,500 years of CPU computation to complete the attack’s first phase
    • 110 years of GPU computation to complete the second phase

    Using their custom attack model (dubbed “SHA-1 Shattered”), the researchers were able to perform the computation in about a year, using 110 GPUs and an enormous scale of system processing, meaning this attack is really only viable today for nation-states or companies like Google that have that sort of power available to them.

    Steps to Take

    For organizations still relying on the SHA-1 hash function, it’s important to start taking the necessary steps right away to avoid problems down the line. Of course, start by moving to a better algorithm like SHA-256 or SHA-3 now. Most major platforms support these today and switching should not be an issue for modern systems and applications.

    For legacy environments, this could be a bigger problem, but security teams need to at least begin documenting which systems aren’t compatible with stronger hash algorithms and planning for migration down the road if possible (or ideally, replacing those systems altogether).

    Next, start putting the pressure on your vendors and service providers to stop using SHA-1 in their technology, and ask for public validation that this has been done. Google has proactively protected all of its services and users from SHA-1 by adding collision detection techniques and removing SHA-1 from its algorithms in use. Google Chrome removed support for SHA-1 certificates in January (Mozilla’s Firefox had previously announced it plans to remove it early this year).

    Finally, the research team behind the SHA-1 collision also released an informational website (https://shattered.io/) that describes the attack in more detail and includes a testing engine for files to see if they are susceptible to a collision attack.
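    The migration steps above (move integrity checks to SHA-256 or SHA-3, and document which systems still depend on SHA-1) can be turned into a concrete check. The following Python script is an added example and is not code from the original post, from Google or from CWI: it parses a constructed hash manifest in a made-up `<algorithm>:<hexdigest>  <filename>` format, reports every entry that still relies on MD5 or SHA-1 (the inventory step), and refuses to treat such entries as proof of integrity, verifying only entries that use an approved algorithm. The manifest contents, file names and file data are all constructed for the example.

```python
import hashlib
import hmac
from typing import NamedTuple

# Algorithms still acceptable for integrity verification. MD5 and SHA-1 are
# excluded on purpose: practical collisions exist for both, so a matching
# digest no longer proves that a file is the one that was published.
APPROVED_ALGORITHMS = frozenset({"sha256", "sha384", "sha512", "sha3_256", "sha3_512"})
DEPRECATED_ALGORITHMS = frozenset({"md5", "sha1"})


class ManifestEntry(NamedTuple):
    algorithm: str
    digest: str
    filename: str


def parse_manifest(text: str) -> list[ManifestEntry]:
    """Parse lines of the form '<algorithm>:<hexdigest>  <filename>'.

    This line format is invented for the example; it is not the syntax of
    any real tool's checksum file.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag, sep_ws, filename = line.partition("  ")
        algorithm, sep_colon, digest = tag.partition(":")
        if not sep_ws or not sep_colon or not filename.strip():
            raise ValueError(f"malformed manifest line: {raw!r}")
        entries.append(ManifestEntry(algorithm.lower(), digest.lower(), filename.strip()))
    return entries


def audit_manifest(entries: list[ManifestEntry]) -> list[ManifestEntry]:
    """Inventory step: return the entries that still rely on a broken algorithm.

    This only documents exposure; it does not verify anything.
    """
    return [e for e in entries if e.algorithm in DEPRECATED_ALGORITHMS]


def verify_entry(entry: ManifestEntry, data: bytes) -> tuple[bool, str]:
    """Verify file data against one manifest entry; returns (ok, reason)."""
    if entry.algorithm not in APPROVED_ALGORITHMS:
        return False, f"{entry.algorithm} is not accepted for integrity checks"
    try:
        actual = hashlib.new(entry.algorithm, data).hexdigest()
    except ValueError:
        return False, f"hashlib does not provide {entry.algorithm}"
    # Constant-time comparison so the check does not leak how many leading
    # characters of the digest matched.
    if hmac.compare_digest(actual, entry.digest):
        return True, "digest matches"
    return False, "digest mismatch"


def verify_manifest(entries: list[ManifestEntry], files: dict[str, bytes]) -> dict[str, tuple[bool, str]]:
    """Verify every entry whose file is present; missing files fail closed."""
    results = {}
    for entry in entries:
        data = files.get(entry.filename)
        if data is None:
            results[entry.filename] = (False, "file not present")
            continue
        results[entry.filename] = verify_entry(entry, data)
    return results


# Constructed sample manifest and file contents (not from any real project).
# The first two digests are the SHA-1 and SHA-256 of b"hello world"; the third
# is a deliberately wrong SHA-256 standing in for a tampered download.
SAMPLE_MANIFEST = """\
# constructed sample manifest
sha1:2aae6c35c94fcfb415dbe95f408b9ce91ee846ed  legacy-installer.bin
sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9  release.tar.gz
sha256:0000000000000000000000000000000000000000000000000000000000000000  tampered.tar.gz
"""
SAMPLE_FILES = {
    "legacy-installer.bin": b"hello world",
    "release.tar.gz": b"hello world",
    "tampered.tar.gz": b"hello world",
}


def run_sample() -> dict[str, tuple[bool, str]]:
    """Audit and verify the constructed manifest; used by the module's own demo."""
    entries = parse_manifest(SAMPLE_MANIFEST)
    for stale in audit_manifest(entries):
        print(f"DEPRECATED {stale.algorithm} still used for {stale.filename}")
    return verify_manifest(entries, SAMPLE_FILES)


if __name__ == "__main__":
    for name, (ok, reason) in run_sample().items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {reason}")
```

    In the sample run, the SHA-256 entry for release.tar.gz verifies, the tampered entry fails on a digest mismatch, and the SHA-1 entry is reported by the audit and rejected by the verifier even though its digest is correct for the data, which is the point: a correct SHA-1 digest is no longer evidence of integrity.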
  • Podcast: Larry Walsh on Making Good MSSP Choices and Avoiding Vendor FUD in Pursuit of Better Security

    by Chris Gonsalves | Feb 23, 2017

    Thursday, February 23, 2017 By Chris Gonsalves, IANS Director of Technology Research


    Well-known IT security and services expert Lawrence Walsh, founder and CEO of The 2112 Group, joins me this week to share his deep insights for vetting and working with managed security services providers (MSSPs) in a variety of settings. Larry and I also share a wide-ranging discussion of infosec industry trends, hits and misses from the recent RSA Conference, and the impact of the Trump administration on the tech sector. 

  • IoT at RSA: A New Focus on Old Problems

    by Daniel Maloof | Feb 21, 2017

    Tuesday, February 21, 2017 By Kevin Beaver, IANS Faculty


    Well, another RSA Conference has come and gone. I attended this year’s show and, as expected, saw and heard a lot of the same stuff that we've been hearing over the past several years. The threat landscape is evolving. The cloud is still a big topic, especially if you’re a security vendor rebranding and pushing your product/service to be cloud-friendly. The “legal” and “career” tracks at the conference helped point security professionals in the right direction (and I actually think there’s a lot of real value in this).

    And finally, "artificial intelligence" stood out to me as the new security term for this year. It didn’t quite overshadow the term "cybersecurity" (which unfortunately seems to be ingrained into the vocabularies of all but us veteran security practitioners), but there certainly seems to be a lot of pressure being put on artificial intelligence to solve all of our security problems for the foreseeable future. We'll see how that goes.

    Ultimately, though, one thing that did stand out to me in a positive way is all of the focus being put on IoT security. There’s no doubt IoT is that next wave of systems that we are going to be responsible for locking down, not unlike wireless networks and mobile devices in recent years. The devices are small. Their software can be unfamiliar. Heck, sometimes we don't even know the devices exist or what type of risks they’re creating!

    But here's the thing about IoT: Just like wireless, mobile and even the cloud, IoT threats and vulnerabilities waiting to be exploited are really nothing new. Sure, the threat vectors and attack mediums may be a little different than what we're used to seeing, especially when IoT devices are creating business risks from afar (i.e., employees' home networks and vendor-related systems). But at the end of the day, it’s still about the basic security flaws that exist in IoT (a number of which I heard talked about at RSA), which include:

    • Weak passwords
    • Missing software updates
    • Unencrypted or poorly configured communication protocols
    • Unsecured storage
    • Unmonitored systems
    • Systems that do not fall within the scope of penetration tests and vulnerability assessments
    • Device manufacturers that don't understand security
    • IT shops that can’t find the time to manage IoT security
    • Poorly implemented fixes and improperly managed devices
    • Security policies that are unknown, don't address IoT or, worst of all, are unenforced

    I could go on and on, but you get my point. The bottom line is that vulnerabilities affecting IoT devices – as well as the fixes necessary to get things under control – are nothing new. In fact, most organizations already have one or more programs, processes or controls in place to manage all of this. It's just a matter of bringing IoT devices into the scope of security oversight and, of course, addressing the basic security flaws present across your network. Unless and until that happens, none of the newfangled, IoT-centric security technologies at RSA and elsewhere will be helpful to you.

    I believe IoT adds a whole new layer of complexity and risk to any given business network. But be careful chasing down new tools, technologies and processes. Everything you need to get IoT under control is right before your eyes.

    The Value of RSA

    Getting back to the show, I know it sort of sounds like I'm trying to talk myself and others out of attending future RSA conferences. That's certainly not my intent. The learning opportunities, networking and camaraderie alone (not to mention great food and drink) make it a worthwhile visit, in my opinion. If you have not attended the RSA conference before, you need to. Put it in your budget for next year. They have a very reasonable, low-cost offering to get you in and see not only the vendors’ presentations, but many of the general sessions as well.

    Whether you lead an entire information security program, serve as an independent information security consultant or are simply interested in learning more about the field, you should check out the RSA Conference. Just don't forget about locking down your ever-growing IoT environment in the meantime so you’ll be in better position next year when RSA Conference distracts us with something new and shiny.
  • CrowdStrike, NSS Dust-up Erodes Trust in Product Testing

    by Daniel Maloof | Feb 17, 2017

    Friday, February 17, 2017 By Daniel Maloof, IANS Managing Editor


    With RSA Conference 2017 wrapping up this week, there’s plenty to talk about in the realm of security technology and innovation. But one story that may not be going away anytime soon and could have wide-ranging implications in the security product testing space is the ongoing feud between next-gen endpoint security firm CrowdStrike and NSS Labs, a security product research firm.

    At the heart of the dispute between the two companies are the findings in the most recent NSS research report on Advanced Endpoint Protection (AEP) products, which were released at RSA earlier this week. The report, which rates the effectiveness of endpoint security products from 13 different vendors using a range of criteria, assigned ratings of “Recommended,” “Security Recommended,” “Neutral” or “Caution.” In the report, CrowdStrike’s Falcon Host next-generation endpoint protection product was one of two products that fell under “Caution,” which is the lowest rating.

    The other products NSS tested included:

    Prior to the release of the report this week, CrowdStrike filed a lawsuit in federal court in Delaware last week seeking a temporary restraining order in an attempt to prevent NSS Labs from releasing the results of its report at the RSA conference. In the suit, CrowdStrike claimed that NSS’ testing of its Falcon product was incomplete and that NSS had obtained the software illegally after CrowdStrike had attempted to halt NSS’ testing of its product over methodology concerns. The push for a temporary restraining order ultimately failed (though the lawsuit is continuing), with the court ruling the public release of the results would not cause irreparable damage to CrowdStrike.

    Since the court ruling, NSS Labs has, of course, defended its methodology and reaffirmed its mission to “arm the public with fact based and objective information required to get secure and stay secure.” CrowdStrike president and CEO George Kurtz, however, told Dark Reading, that the testing methodology was flawed and that the lawsuit was not simply an attempt to block negative press.

    “This is not about trying to silence independent research,” Kurtz explained. “We welcome open, fair, transparent and competent testing. We didn’t necessarily see it here. This isn’t the Consumer Reports of cybersecurity. It’s bad tests, bad data and bad results.”

    In particular, Kurtz noted that during initial testing, NSS Labs was flagging well-known, legitimate software such as Adobe and Skype as malicious. This, Kurtz said, along with other red flags during the initial testing, led CrowdStrike to decline to participate in the public testing. But NSS continued to test, allegedly using access to the software that it had illegally obtained from a reseller.

    IANS Faculty Dave Kennedy, president and CEO of the infosec consulting firm TrustedSec, says that this is an important point, and it even demonstrates why testing such as that from NSS Labs may be inherently flawed.

    “At first glance, it appeared CrowdStrike was attempting to suppress negative findings, but based on the latest details I’ve seen, I actually understand where they’re coming from,” Kennedy said. “Most of the other vendors were allowed to configure and tune their own products to appear more effective than they actually are. CrowdStrike, on the other hand, apparently was not able to configure its own solution, its protection capabilities appear to have been disabled and NSS used third-party [access to facilitate] the testing.”

    “Further, as a pen tester, I find these results highly alarming from an accuracy perspective,” Kennedy added. “Many of the solutions that received extremely high ratings would have to be configured in a way that’s unusable for the enterprise to be anywhere near as effective as the testing showed. To me, this report is more about gaming the system than it is actual capabilities and effectiveness. Based on the 100 percent rating Carbon Black received from NSS Labs, for instance, I would assume the product was simply configured to block everything and only allow ‘known good.’ In other words, it blocked everything except what was needed in order to make it test effectively.”

    Because of these apparent deep flaws in the testing methodology, Kennedy said he recommends security teams dig a little deeper in their research into all of the endpoint vendors evaluated and “not simply rely on the NSS report as a determining factor on endpoint protection.”

    As for the overall state of new, “next-generation” security technology itself, Kennedy emphasized the importance of taking a more measured, realistic view, particularly at conferences like RSA, where seemingly every product is hailed as the “next big thing” in the industry. 

    “Every year at RSA we hear about the latest technology and new math-driven artificial intelligence solutions that are being released,” he said. “To date, we haven’t seen a major improvement in the effectiveness of these products as ‘game changers’ and those that offer a lot of promise are still very much in the infancy stages.”
  • Van Wyk: Market Share the Key to Mac OS vs. Windows Security Debate

    by Daniel Maloof | Feb 13, 2017

    Monday, February 13, 2017 By Ken Van Wyk, IANS Faculty


    I recently learned of some new Mac-based malware when a friend posted an analysis on Facebook. My reaction as a Mac user? “Yawn.” Why? Glad you asked…

    Every few months, there’s an urgent warning about some new Mac malware, but it always seems to fizzle away into nothing, or darn near nothing. Often, as in this most recent case, the malware triggers a user dialog that requires the victim to accept the malware. In this case, the malicious software was written as a Word-based macro, and Word diligently warned the user of a macro before running it if, and only if, the user consented.

    Now, don’t get me wrong. Many users are absolutely gullible enough to fall for a dialog box. And I’m definitely not saying that Macs are inherently immune to malware. Both Windows and MacOS have seen malware that can propagate without user intervention.

    But why, then, is MacOS – along with its distant cousin Linux – seemingly less susceptible overall to malware infestation than Windows?

    Understanding the Marketplace

    Ever notice when flocks of geese fly in a “V” formation, one side of the “V” is longer than the other? Why is that? The answer to the joke is that there are fewer geese on the shorter side, of course. So, why are Mac and Linux machines less plagued by malware? Simply put, it’s about market share, and there aren’t as many people creating malware targeting these machines.

    Windows still owns a far bigger market share than MacOS and, certainly, Linux. Generally speaking, you can also purchase a Windows computer for a lot less than a comparable Mac. If you’re deciding to write malware, your cost and ease-of-entry are lower on a Windows system, as a general rule. And yes, over the past five to 10 years, Macs have seen their market share slowly increase, but they’re still just not quite there. As ubiquitous as Macs seem to be, their market share is still dwarfed by Windows.

    Many of us in the security world have feared we might start seeing more Mac-specific malware as the market share rose, but that just hasn’t significantly materialized to this point. Perhaps it will change, but with market numbers like the above, I don’t think it will any time soon.

    Now, that doesn’t mean we should smugly sit back and not be concerned either. That would be downright foolish. Mac malware does exist, and targeted attacks do happen. If an attacker chooses to target an enterprise that is predominantly Mac-based, those market share numbers go right out the window.

    So, what can we do? Well, there are a few things:

    • Lock down and manage our security configurations on our Macs as though the malware threat were real.

    • Use the principle of least privilege by not giving every user administrative capabilities.

    • Get endpoint protection for our Mac users in addition to our Windows users.

    • Run software updates frequently. MacOS includes a behind-the-scenes malware detection and prevention tool that is updated daily.

    With a bit of luck, our Mac world may never get as bad as it is for Windows users. Let’s try to keep it that way.


    ***

    Ken Van Wyk is president and principal consultant at KRvW Associates and an internationally recognized information security expert, author and speaker. He’s been an infosec practitioner in commercial, academic, and military organizations and was one of the founders of the Computer Emergency Response Team (CERT) at Carnegie Mellon University.

  • Podcast: David Kolb on the Soft Skills That Spell Infosec Success

    by Chris Gonsalves | Feb 10, 2017

    Friday, February 10, 2017 By Chris Gonsalves, IANS Director of Technology Research


    This week I'm joined by IANS faculty member and Incite Learning founder Dr. David C. Kolb to talk about his popular series of organizational engagement and leadership skills courses now in their second year at the IANS Information Security Forums. David shares his thoughts on new sessions for 2017 targeting negotiation skills and the ability to thrive in the chaos that defines most infosec environments.

    We also get in some Super Bowl LI talk and discuss how David's years as an outdoorsman and Outward Bound program leader have informed his work helping corporate executives hone their soft skills.


  • Trump’s Cybersecurity Executive Order Could Incentivize Private Sector to Bolster Security

    by Daniel Maloof | Feb 03, 2017

    Friday, February 2, 2017 By Daniel Maloof, IANS Managing Editor


    While President Donald Trump has postponed the signing of his Executive Order on cybersecurity, a draft copy leaked to the Washington Post indicates the government is considering incentivizing private companies to improve their security posture.

    The order calls for the establishment of a committee to include the Secretary of Defense, Secretary of Homeland Security, Director of National Intelligence, Assistant to the President for National Security Affairs and Assistant to the President for Homeland Security and Counterterrorism. Within 60 days of the order’s signing, this committee would be tasked with submitting recommendations on a range of cybersecurity issues, including protecting critical infrastructure by working with private sector owners and operators.

    Like the Cybersecurity Information Sharing Act (CISA), signed into law by President Obama in December 2015, Trump’s draft executive action also encouraged the sharing of threat intelligence information between the private sector and government.

    The committee would “review and expand on existing reports on economic and other incentives to: induce private sector owners and operators of the Nation’s critical infrastructure to maximize protective measures; invest in cyber enterprise risk management tools and services; and adopt best practices with respect to processes and technologies necessary for the increased sharing of and response to real-time cyber threat information.”

    The six-page draft document also indicated the Administration’s goal of improving education around cybersecurity, calling on the Secretaries of Defense and Homeland Security to assess information from the Secretary of Education on “computer science, mathematics, and cyber security education from primary through higher education to understand the full scope of U.S. efforts to educate and train the workforce of the future.”

    Nothing Groundbreaking, But It's a Start

    IANS Faculty Dave Shackleford, founder and principal consultant with Voodoo Security, said that when reading between the lines a bit, there seemed to be some positives in the draft order.

    “First, cyberwarfare is now in the same breath as air, water and land attacks,” Shackleford noted. “The order also acknowledges that the current state of affairs is not great – the government agencies tasked with cybersecurity are not well organized to collectively respond to attacks.”

    “President Trump’s calling for a universal review of capabilities and gaps in U.S. cybersecurity - with involvement from many groups like the NSA, CIA, DOD and Homeland Security - shows the sense of urgency involved, and hopefully some direct action will result,” Shackleford added.

    Shackleford did add that some in the defense and intelligence communities were left “scratching their heads” over the possibility that the Office of Management and Budget (OMB) could have primary oversight of cybersecurity. Further, some legal and cybersecurity experts were surprised by the fact that the FBI was never mentioned in the document, after President Obama had included the agency in his incident response coordination policy signed over the summer.

    Ultimately, though, Shackleford said he was viewing the draft document with cautious optimism, as much information is still to come.

    “Overall, this is a positive step, but the actions taken after the 60-day reviews occur will really tell us what direction the administration plans to take,” he said. “We should all be paying very close attention to this in the weeks and months to come.”

    *Check back with IANS for updates on any changes to the Executive Order once it is signed by President Trump.

  • Poulin: 3 Complications Making it Difficult to Secure IoT

    by Daniel Maloof | Jan 30, 2017

    Monday, January 30, 2017 By Chris Poulin, IANS Faculty


    Let’s play amateur psychologist for a second. What’s the first word that pops into your mind when someone says “IoT?” I’ve conducted this test on a variety of subjects (e.g., my colleagues, friends and family) and the results are all over the board. Throw “security” on top, and the results spread out like a crate of Slinkys on the Spanish Steps.

    This brings up a truism: if a concept is too amorphous that it defies concrete definition, you can’t act on it in a meaningful way.

    Complication #1: The IoT is Not One Thing

    If you ask your non-technical friends and family, chances are they think of IoT - if they even know it - in terms of smart home devices, such as smart thermostats, connected lightbulbs and voice assistants like the Amazon Echo and Google Home.

    Auto manufacturers think about the IoT in terms of telematics, and vehicle-to-vehicle and infrastructure-to-vehicle communication. They might also think of predictive maintenance and electronic control units (ECUs), which control engine functions, brakes, cabin controls, and just about every feature in a modern car.

    Finally, talk to someone in the defense industry and they’re probably thinking about battlefield telemetry, with ground vehicles communicating status and position to helicopters and fighter aircraft, all of which report back to operations command.

    Complication #2: Platforms aren’t Homogeneous

    When you write a mobile app, you pretty much choose Apple iOS or Google Android as the primary platform, then decide whether to write a complementary version to cover the other.

    IoT is much more fragmented. Granted, many common devices are built on some Linux distribution, but most of them are heavily customized, both to interface with the sensors inherent to the “thing” in question, and at the maker’s whim. There’s no guarantee that software written for a generic version of a Linux distro or kernel version will run on every - or even most - devices that use that distro or kernel.

    Then, there are true real-time operating systems, such as VxWorks from Wind River, Nucleus RTOS from Mentor Graphics and Integrity from Green Hills. Google has its Brillo framework, Microsoft has rolled out Windows 10 for IoT (with three main targets), and Apple is working on Embedded iOS and OS X. Each supports a variety of hardware architectures, ranging from ARM to XScale.

    Complication #3: It’s More than Just the Devices

    Finally, an IoT device is connected, collects data and often interacts with the physical world. It will connect across a local network, often needing a gateway to translate IoT-specific protocols to IP, then send that data to a storage and processing center (I’m trying hard not to say “cloud”). Humans may interact with the analyzed data, perhaps through a console at a manufacturing plant, perhaps on a mobile device. Commands may be sent from the processing center, or even directly from a mobile phone, to the IoT device.

    That whole infrastructure - devices, local network, gateway, wired, Wi-Fi or mobile network, cloud (there, I’ve said it), and human interface - are all components of IoT. Each one provides an opportunity for vulnerabilities and exploitation, and all of them need security.

    What Do We Do?

    So how do we secure IoT? First off, we need to stop using that phrase. It’s the “World Peace” of concepts.

    We live in a world where we want a neat solution wrapped in a pill form and marketed to us on television, in online advertising and at conferences. But IoT security isn’t exactly a product, because of the diversity we just discussed. For example, it would be very difficult to create an IDS for a vehicle controller area network (CAN bus); the architecture could be different even within the same model year, but with variations in builds (e.g., standard vs. sport version).

    On the other end of the spectrum are legislation and standards. If makers can infuse security practices into their design and build processes, they can eliminate the low-hanging fruit, such as hardcoded passwords, insecure default parameters and lack of encryption. Even better, if IoT manufacturers can agree on a standard means of detection and prevention, and instrument these standards in disparate components, it would be easier to create generalized security monitoring and defense solutions.

    I hate to end on a pessimistic note, but all the great ideas in the world won’t make a bit of difference unless there’s a perceived need and financial carrot to motivate device manufacturers. Currently, manufacturers are simply trying to build the cheapest “things” possible and create a market. Security isn’t causing enough pain in most markets for them to agree to incur an additional cost.

    And that right there is a bonus complication. You’re welcome.

    ***

    Chris Poulin is Director of IoT Security and Threat Intel for Booz-Allen Hamilton's Strategic Initiatives Group, where he is responsible for building countermeasures for threats to the Internet of Things. He has a particular focus on connected vehicles, as well as researching and analyzing security trends in cybercrime, cyber warfare, corporate espionage, hacktivism, and emerging threats.

  • Podcast: Rich Mogull on 'Tidal Forces' Set to Upend Information Security

    by Chris Gonsalves | Jan 24, 2017

    Tuesday, January 24, 2017 By Chris Gonsalves, IANS Director of Technology Research


    This week, Securosis founder and CEO Rich Mogull joins us to elaborate on his popular new blog series "Tidal Forces: The Trends Tearing Apart Security as We Know It." The thought-provoking articles, which will form the basis of Mogull's RSA talk next month, focus on fundamental changes in the nature of endpoints and the grand transformation toward cloud-based, as-a-service IT delivery. These changes, Mogull posits, are inflection points that will roil the multibillion dollar IT security market and require a significant rethinking of infosec by both vendors and practitioners.

    The former Gartner vice president tells us what kinds of skills this security new world order will demand, and he shares how his previous experiences as a firefighter, paramedic and mountain rescue expert shape his approach to managing risk.

  • Are You Making This Mistake With Your Phishing Awareness Campaign?

    by Daniel Maloof | Jan 23, 2017

    Monday, January 23, 2017 By Kevin Beaver, IANS Faculty


    As we've all heard and, as many of us have learned, email phishing is no joke. Given the numbers we've seen in various ongoing studies and the gigantic breaches that were initiated by email phishing in recent years, phishing is arguably the greatest risk that enterprises face today.

    In my experience, more and more businesses, nonprofits and government agencies are integrating email phishing exercises into their security awareness and training programs. However, I'm seeing many security organizations approaching email phishing awareness the wrong way, and it’s not good.

    More and more frequently, I'm seeing IT and security managers perform their internal email phishing awareness testing using more traditional phishing emails. By "traditional" phishing emails, I'm referring to those that we are all accustomed to receiving, such as those purporting to be from PayPal, Wells Fargo, UPS and the like.

    The people I'm speaking to who utilize these types of emails in their phishing campaigns are telling me that they're getting pretty low response/click-through rates from their users – in the ballpark of 1 to 5 percent. I believe this is creating a false sense of security because most users are accustomed to receiving such emails and know how to handle them by now. 

    Improving Your Phishing Awareness Program

    What's not being properly addressed, however, are attempts to spear phish individuals or smaller groups of people (i.e., within a department) with more legitimate-looking email messages that look to be originating from someone they know inside the organization. On various occasions, I have performed these targeted spear phishing campaigns for clients who are already performing their own email phishing testing and I'm seeing upwards of 40 to 50 percent click-through rates. My clients are often quite surprised, with emotions ranging from embarrassment to anger.

    It's human nature to be more accepting of email messages that appear to come from someone you know or trust, especially if it's your manager or an executive in the organization. It's not just the message, but rather the instructions that go along with such messages, such as "click this link and provide x, y, or z information in order to acknowledge the request." It's scary how successful this has been for me and I'm not even that good!

    As you build out your enterprise information security awareness/training program, make sure you are addressing email phishing from all the right perspectives. Odds are good that you're leaving some opportunities – and risks – on the table.

    It's also important to keep in mind that email phishing is not just a people problem. It's simply an attack vector. However, once the attack is launched, the threat often has several layers of vulnerabilities to exploit, such as poor email filtering, weak malware protection, little-to-no outbound web filtering and a bevy of sensitive information that's accessible for the taking on any given endpoint.

    So, email phishing is about your users but, then again, it's also not. Instead, it's about your philosophy as it relates to the perception and ongoing support of your security program, as well as your technical controls across the board.

    In the end, make sure you're doing email phishing testing on a periodic and consistent basis. The majority of organizations that I see and read about are doing nothing in this area, even today. It's arguably the greatest enterprise risk, and many organizations are simply ignoring it. Not good for business!

    But don't just go through the motions with your standard email phishing templates. Think outside the box – think about how the bad guys can and are attacking you – and use their level of sophistication. As I am discovering in my own work, it's absolutely amazing how presumably educated and well-trained users are gullible to more advanced attacks. Remember, all it takes is one click and your entire network can be compromised. Everyone is vulnerable, regardless of your level of security maturity.


    ***

    Kevin Beaver, CISSP is an independent information security consultant, writer, professional speaker, and expert witness with Atlanta, Georgia-based Principle Logic, LLC. Kevin has written/co-written 12 books on information security including the best-selling Hacking For Dummies (currently in its 5th edition).
