Intruders Thrive on Complacency.
When it comes to the threat landscape, nothing makes information security teams shudder more than complacent users, whether they be employees, partners, vendors, or customers. Yearly security and awareness trainings have become all the rage (rightly so), helping to check off boxes on company compliance audits. However, all too often, new users or even seasoned veterans can be caught off-guard and open the door to evildoers.
Whether too focused on meeting deadlines, landing that next big business deal, or even simply browsing their personal email on a business machine, an unsuspecting or distracted end-user is the most highly targeted attack point leveraged by malicious entities in today’s internet-connected world.
The frightening reality is that it often only takes one, unsuspecting user to allow full, unfettered access to a company’s entire electronic data repository.
Companies often spend hundreds of thousands of dollars in order to remedy the effects of a breach, often focusing on intrusion detection and prevention systems, anti-virus/anti-malware software, and third-party consulting and remediation services. This takes considerable time and displaces resources not only from the information security team, but also from multiple sub-organizations of the company in order to ensure business continuity is not disrupted.
91% of Breaches Start with Spear Phishing
Phishing is a term that refers to the act of impersonating a legitimate entity or website, in order to trick a user into providing information that is unique and typically only known to them. Similar to fishing, the idea is to cast enticing bait into open water and wait to reel in whatever prey takes the hook. Attackers often phish very broadly by broadcasting emails or hyperlinks to the masses, assuming that they’ll lure a number of random users into their snare.
According to research from Trend Micro, 91% of cyber attacks that result in a corporate data breach begin with a spear phishing attack. Spear phishing differs from typical phishing in that these attacks focus on select individuals or departments in an organization. Carefully crafted emails are sent to the targets, enticing them to enter a username or password, click on a malicious hyperlink, or visit a specific, legitimate-looking website, thus allowing the attacker to steal credentials or gain control of their workstations.
Because spear phishing requires more initial research by an attacker to determine proper targets, it is typically used when an attacker has their sights set on a specific company.
Anatomy of a Data Breach
Any seasoned security practitioner will tell you that, in the grand scheme of things, the anatomy of today’s corporate data breaches often resembles the following:
- A malicious entity performs research on a target company, motivated by money, competition, espionage, fame, or other factors.
- The attackers use the information they’ve gathered to launch a phishing campaign against the company.
- Having gained credentials or control of the employees’ workstations, the attackers gather information from those machines. They then use the credentials for new sessions or the compromised machines as pivot points, to direct further attacks at other systems and data inside the company.
- The access gained by the attackers may be temporary, but is more often permanent, as backdoors, rootkits, or other malware are typically left behind, to ensure future access to the environment is maintained.
The primary takeaway here is the inherent fallibility of the end-user. Phishing attacks often take a multi-faceted approach. While some simply attempt to drop malware on their targets, more often than not, an additional desired outcome is gaining access to identities (the usernames, passwords, credentials, etc.), in order to ease subsequent traversal of the internal network and impersonate the activities of less-suspicious personnel.
Even the most security-conscious person in the world is prone to momentary lapses in judgement and will likely click on at least one malicious link in their lifetime. So, while annual awareness trainings play a huge role in educating and reminding users to be wary of phishing emails and malicious activity, companies will inevitably still be forced to spend money on various solutions to combat the problem.
Good anti-virus/anti-malware implementations can sometimes prevent malware. But what if a company could continue to safeguard credentialed access to email and other systems, even if an attacker was able to trick a user into providing them with a username and password?
Consider a More Proactive Approach to Security
At Identity Automation, we firmly believe in making it easy for organizations to scale, embrace security, and limit risks. As that relates to our own organization, we take every step to ensure our email and data are well-protected against phishing and other types of attacks. We employ our full identity and access management (IAM) solution internally, in order to solidify our security posture with regard to authentication to our various enterprise systems. You might say that we “eat our own dogfood.”
Identity Automation’s email authentication is configured to use SAML, which provides a secure, password-less authentication to Gmail, provided the user has proven their identity through authentication to RapidIdentity.
This authentication to RapidIdentity is protected by strong, multi-factor authentication (MFA). Depending on the user’s department and needs, a user is required to use either a TOTP solution (Time-based One-time Password algorithm, such as Google Authenticator, that provides a single-use code for authentication) or PingMe, which uses a push mechanism to send an authentication request to the user’s mobile device. Upon PingMe approval, which typically requires either Touch ID or a PIN, RapidIdentity immediately authenticates the user via Federation.
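To make concrete why a phished password is not enough on its own, here is an added example (not RapidIdentity’s or Identity Automation’s code) of the TOTP algorithm the paragraph refers to, together with the server-side check that makes each code single-use. It assumes the RFC 6238 defaults that Google Authenticator-style apps use (HMAC-SHA1, 30-second time step, 6 digits); the secret shown is a constructed demo value, not a real enrolment.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # RFC 6238 default time step
DIGITS = 6         # RFC 6238 default code length

# Constructed demo secret in base32 (the form authenticator apps accept).
# Hypothetical value for illustration only, not a real user's secret.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"


def totp_code(secret_b32: str, unix_time: int,
              step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 8-byte big-endian time counter,
    dynamically truncated (RFC 4226) and reduced to `digits` decimal digits."""
    key = base64.b32decode(secret_b32.upper(), casefold=True)
    counter = unix_time // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code_int = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code_int % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Server-side verifier. A code is accepted only if it matches the
    current time step (plus a small clock-skew window) AND that step has
    not already been consumed, so a replayed or captured code is rejected.
    The password check happens elsewhere; this is the second factor only."""

    def __init__(self, secret_b32: str, step: int = STEP_SECONDS,
                 digits: int = DIGITS, skew_steps: int = 1):
        self.secret_b32 = secret_b32
        self.step = step
        self.digits = digits
        self.skew_steps = skew_steps
        self.last_accepted_counter = -1  # highest time step already used

    def verify(self, submitted: str, unix_time: int) -> bool:
        now_counter = unix_time // self.step
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            counter = now_counter + delta
            if counter <= self.last_accepted_counter:
                continue  # already consumed: single-use rule
            expected = totp_code(self.secret_b32, counter * self.step,
                                 self.step, self.digits)
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    import time
    verifier = TotpVerifier(DEMO_SECRET_B32)
    now = int(time.time())
    code = totp_code(DEMO_SECRET_B32, now)
    print("first use accepted:", verifier.verify(code, now))    # True
    print("replay accepted:   ", verifier.verify(code, now))    # False
```

The `last_accepted_counter` guard is the piece that matters for the phishing scenario: even if an attacker relays a code the user typed into a lookalike page, it is only valid for one time step and only until the legitimate login (or the attacker’s first attempt) consumes it.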
Now, here’s why this approach is beneficial when it comes to the dangers of phishing attacks:
- First, the user should never be prompted by Gmail for an authentication password. The user should instead be forwarded to RapidIdentity at every authentication attempt. So, if a user is prompted for a password by Gmail, something is amiss.
- Next, even if a user provides his or her enterprise password to a phishing website, Gmail does not allow direct authentication to the user’s email using only a corporate password. The user is still required to authenticate to RapidIdentity.
- Finally, RapidIdentity is protected with strong, multi-factor authentication. This ensures that, even if the user has provided his or her password to the malicious website and an attacker entered it at the RapidIdentity authentication screen, the password alone won’t provide sufficient proof of identity to allow the intruder into the system.
Phishing Attacks Will Come, But...
Phishing is among the most common and easily accomplished methods that today’s attackers use to obtain initial identity information and infiltrate corporate networks. It’s safe to say that lapses will occur. It’s not a matter of if, but when.
However, by combining proper malware protections with the appropriate handling of secure authentication mechanisms, a company can lessen the potential damage from its users’ feeding frenzies, even if an avid ‘phisherman’ provides enticing bait. Provided an attacker isn’t specifically focused on one organization, with proactive IAM and MFA solutions in place to slow or stop them in their tracks, chances are that the attacker will move on to more easily-baited waters, and the organization will avoid becoming the next trophy.