So, the company's security perimeter is tight, right? Its corporate e-mail has advanced threat protection. It has deployed an anti-virus system. That means all is good and it is time to hang up the sign: gone fishing, with not a care in the world.
This might be an effective approach in a world where the people using the devices never leave the office, and only have access to information when seated safely behind the firewall. It would be great if they never searched for anything online and also never saw a Web-based advert or used any personal e-mail service such as Outlook.com or Gmail. If all of the foregoing is the case - rest easy and happy fishing.
But, it never is the case.
The reality of the modern business is quite far removed from this scenario. When looking at computer usage in SA and the rest of the continent, the vast majority of computer users have access only to the machine provided by their employer. A very small percentage have the luxury of personal home devices and, because of this, virtually every corporate security policy allows for personal use of company equipment. Whether it is for Internet banking, school projects or entertainment, the fact is most corporate devices are used for many different purposes.
Beyond the click
Because people are using these machines outside of the controlled environment, it is no longer good enough to only provide corporate coverage. Today, staff make use of file-sharing services and free-to-use e-mail services to do their personal business. All employees receive invoices, handle tax returns and send personal information to banks or government departments. So, when a user falls prey to a fake invoice or SARS refund e-mail and clicks on that link in his/her Gmail account, s/he doesn't know that what has happened will hurt the business. The prevalence of the digital world means people now have no choice but to know what happens beyond the click.
Recently, there has been an increase in invoice or refund-related attacks. Cyber criminals never keep office hours and are innovating all the time. Whether it comes around tax season or other events, they work hard to get people to fall into their traps. When a user gets the refund confirmation or tax invoice that just won't open, s/he hits the link to follow instructions. This innocent looking document can be laden with threats. The innocent user has been sucked in and is sent to malicious sites, to enter personal information or install a seemingly innocent Web application.
The attacker will monitor the user before moving in for the kill.
Malicious Web sites can contain malware or applications that can be loaded with key-loggers and software designed to spy. The prevalence of password re-use on every site and platform also means there is a massive probability that users have the same password for Facebook, Internet banking and corporate logins.
Now that they are hooked, it is simply a case of the phishermen reeling in their catch.
The modus operandi has changed; modern phishermen now practice a great deal of patience. The infection no longer means immediate action - there are now prolonged periods of reconnaissance. The attacker will monitor the user before moving in for the kill.
This time is used to gather information, learn about the user, see what sites they are accessing and use this information to leapfrog to a more powerful position before delivering the real attack. It may takes days, weeks or even months. Cyber thieves have infinite patience.
So, while companies have deployed enhanced protection on their corporate e-mail system where these clicks will be blocked, the user does not have that protection when tricked via Gmail.
What can be done?
The truth is, without visibility of the end point, with the user working at the device, there is a heightened risk. The phish may not immediately encrypt files because, rather like bellbottom trousers, this is so last season. The new attackers are there to learn and siphon. When they learn, they have more power, and with more power, they have a bigger payday. This could be the entire network or highly sensitive IP.
Layered security measures must go beyond the perimeter and anti-virus. Anomaly detection and immediately identifying changes are a crucial part of a comprehensive security strategy. Anomalies can only be picked up once it becomes known what activity is actually taking place, no matter where they are. More attention has to be given to understanding behaviour in order to better understand and identify inconsistencies.
Layered defence, while vital, is also not always going to save the company if the various layers are not bound together. Don't be fooled, because it will not help when an alarm is triggered by a tripwire and everybody is focused only on the electric fence. A consolidated view with built-in intelligence and up-to-date global feeds will ensure the alarm systems are always armed and the response team is always prepped.
With visibility, behavioural monitoring and immediate response, powered by automation, companies can rest easy knowing that even when they are caught fishing, they are not the trophy.
Share