See Yourself In Cyber: Phish On
See Yourself In Cyber: Phish On
Written By : Abhi Kumar
October is Cybersecurity Awareness Month. Since 2004 Cybersecurity and Infrastructure Security Agency (CISA), National Cybersecurity Alliance (NCA), and the industry has come together to raise awareness about digital security and empower everyone to protect their personal data from digital forms of crime.
This year’s Cybersecurity Awareness theme is See Yourself in Cyber, and we’ll be sharing some specific information on the general topics that are part of this year’s Cybersecurity Awareness Month beginning with Phishing. Phishing is a basic social engineering tactic that hackers utilize to steal sensitive information like passwords, bank account numbers, credit card numbers, and proprietary data, etc. Phishing has been around since AOL days and is rampant. Roughly 15 billion spam emails make their way across the internet every day, which means that spam filters are “working overtime” and are liable to permit malicious phishing attack emails to slip through. In 2021, 83% of organizations reported experiencing phishing attacks. In 2022, an additional six billion attacks are expected to occur.1 Hackers are always trying to assume the identity of an employee or contractor. Phishing campaigns are successful as they play on human psychology- fear, greed to name a few2. A typical phishing attack looks like any ordinary electronic communication like an email from bank or company or that will create a sense of urgency to click on a link or download a file. In recent years, numerous high-profile breaches, like those against SolarWinds and Colonial Pipeline and the most recent attempts on Twilio and Uber, have had a similar thread: steal credentials to gain access. It is not too hard to see why this strategy works. Say a company has 1000 people and each with 5 identities, you have 5000 credentials that you need to manage. If each of those have only 15 permissions and typically those identities have a lot more than that associated with them, you’re at 75,000 entitlements. If hackers manage to take control of an account that has been granted elevated privileges, they will have unrestricted access to essential systems and resources.
While recommendations may depend on the current state, following are few leading suggestions to prevent and mitigate3:
User Awareness & Education: Phishing exploits human psychology. User awareness is foundational building block where team members are continuously made aware of latest techniques and trends. Everyone including C-Level and board members should undertake security training. Simple steps such as exercising caution with hyperlinks can go a long way. As a best practice, all users should avoid clicking on them and instead linger over the links to ensure they are from a genuine party.
Guard Personal Information: As a general rule, you should never share personal or sensitive information over the Internet. When in doubt, go visit the main website of the company in question, get their number, and give them a call. Most of the phishing emails will direct you to pages where entries for financial or personal information are required. An Internet user should never make confidential entries through the links provided in the emails. Never send an email with sensitive information to anyone. In addition to this, check that all URLs begin with “HTTPS.” The letter “s” indicates that encryption is enabled to safeguard the information of users.
Update Browsers: If you typically ignore messages to update browsers, stop. The minute an update is available, download and install it. Firefox and Chrome automatic receive updates. If you are using the latest Safari or Microsoft browsers, those are updated along with the OS, so it’s important to turn on automatic updates for the entire system or at least make sure they are updated immediately.
Enable Multi-Factor Authentication: As a rule of thumb, always use MFA for services that need you to log in, such as email, banking, corporate, etc. Unfortunately, recently, attackers used a sophisticated phishing technique to bypass MFA4. The fact that attackers could bypass MFA highlights the importance of using multiple methods.
No matter what technology companies use, humans will continue to play a pivotal role in the cyber chain. As human’s are the weakest link in the cyber chain, phishing will continue to be the toughest cyberthreat to protect against. Honestly, phishing scams may never go away anytime soon. This is where SecurEnds allows companies to add an extra layer of protection. Using SecurEnds CEM, a cloud identity management product, CISO and their security organization have a single plane of glass to view employee and contractor credentials and entitlements across connected and disconnected systems making maintenance of these accounts with least privileges possible. No user should have any additional access than needed to do their job. Owing to the identity sprawl across the hybrid IT companies continue to be plagued by not only overprovisioned accounts but also orphaned accounts. Monitoring user accounts won’t halt the hacker, but it will ensure that every account is maintained with the privileges, minimizing the severe harm that comes from having overprivileged accounts.
Schedule a demo to see how SecurEnds helps you fortify identity management to mitigate effects of successful phishing campaign.