In business, the spam email problem is not just an inconvenience; it can be business-threatening, particularly for businesses such as online retail outlets that need a 24/7/365 online presence. Online business security is a continuing thorn in the side of IT managers, and businesses are increasingly reluctant to fund the escalating costs of counter-measures.
However, online business security is not just hardware appliances and anti-malware software. Studies by the FBI have demonstrated that the greatest threat to business lies between the keyboard and the back of the chair. In short, the bulk of malware attacks come from users clicking on links in emails or social media that take them to malware sites, or from downloading malware embedded in an email attachment. This type of threat is usually called a phishing attack.
How does phishing work? A hacker generates an email that seemingly comes from a trusted source, such as a financial institution or a colleague, or simply one with an invitation to click on a link to visit the trusted site, or to see more pictures of cuddly puppies or kittens. The hacker then sends the email to the members of a mailing list, usually numbering in the hundreds of thousands, hoping that someone somewhere will activate the link. It’s a shotgun approach: the attacker only needs one email to get a response.
What do they hope to gain? Basically information. The malware that is installed on the user’s computer collects information and sends it back to the hacker. Ideally for the hacker, this is financial information or, in the business context, a user ID/password combination that will allow the hacker to penetrate the organisation’s systems and steal data.
A more directed version of phishing is spear-phishing. In this case, the hacker researches a target organisation and creates personalised emails for specific individuals who, according to that research, are likely to hold financial or identity information. That information can then be used to mount an exploit against the organisation’s systems and data with the intention of stealing information.
Who are the hackers? The first and most common are the journeyman or amateur hackers who create phishing exploits just for fun and to cause trouble for the organisation. The second are the career criminals who use phishing to gather information, usually financial information such as credit card information that they can either sell on or use themselves to generate cash.
The third type, and an increasingly common one, is hackers who are contracted to carry out private or state-sponsored espionage. The intention here is to find commercially or politically sensitive information, for example, the status of a research programme.
As stated above, successful phishing exploits rely on unsuspecting users clicking on a dodgy Internet link. It might look like a link to the bank site, but in reality it isn’t.
Spear-phishing attacks often look like they come from an internal source. A common one seemingly comes from IT Support asking the user to click on a link “to update their desktop software”. Sure enough, it will be updated, but not as the user expects.
What strategies can businesses employ to reduce these risks?
The first place to start is with employee awareness.
An essential component of the employee take-on process is to educate them on the dangers of malware and its potential threat to the business. Teach them how to recognise unsolicited emails with dodgy links: in particular, how to hover over a link to reveal where it really points, and if it looks dodgy, don’t click. Basically, they mustn’t trust any email they receive, even if it seemingly comes from a trusted source.
Induction training isn’t a one-off. Have regular update and reinforcement sessions, even if only a weekly update email about the latest threats and, if available, statistics about the number of threats detected.
Part of the user education process is to make them aware that company policy is that they will never be asked for their user credentials by IT. In short, they must treat their credentials with the same care as they treat their ATM PIN or online banking information.
A more technical approach is to use software to block user access to known dodgy websites. Some browsers already do this as a matter of course, and some anti-malware suppliers allow blacklists purchased from external suppliers to be loaded into their products.
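The two checks described above, the “hover over the link” test (does the visible text name a different site from the one the link actually goes to?) and the blacklist of known-bad hosts, can be automated over an email’s HTML body. The following is an added example, not code from the original article; the message, the hostnames and the blocklist are all constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a fake "IT Support" message whose visible link text claims the
# intranet while the href points elsewhere, plus one genuine link and one download lure.
SAMPLE_HTML = """
<p>IT Support: please click <a href="http://update.example-bad.test/login">
https://intranet.example.com/update</a> to update your desktop software.</p>
<p>Or visit <a href="https://intranet.example.com/help">the help page</a>.</p>
<p>Free movie: <a href="http://movies.example-bad.test/dl">watch now</a></p>
"""

# Hypothetical blocklist of known-bad hosts (placeholder values, not real indicators).
BLOCKLIST = {"update.example-bad.test", "movies.example-bad.test"}

# Matches a hostname (optionally preceded by a scheme) inside the visible link text.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html, blocklist=BLOCKLIST):
    """Return one (href, reasons) pair per anchor; an empty reasons list means it passed."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        real_host = (urlparse(href).hostname or "").lower()
        if real_host in blocklist:
            reasons.append("host on blocklist")
        shown = HOST_RE.search(text)  # the site the reader *thinks* the link goes to
        if shown and shown.group(1).lower() != real_host:
            reasons.append("visible text names a different host")
        findings.append((href, reasons))
    return findings
```

Running `check_links(SAMPLE_HTML)` flags the first link on both counts and the third on the blocklist alone, while the genuine intranet link passes.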
An increasingly common distribution vector for malware is via social media, particularly downloads of music and video material. While not strictly speaking phishing, an invitation to download the latest movie via a social media link is potentially as dangerous as one received via e-mail.
Unfortunately, spam and malware will continue to be with us, and in all likelihood will continue to increase both in volume and in the variety of attack vectors.
Start with the users; they are your first line of defence.