Blog
Continuing the Conversation: Spearphishing
If you’ve attended any of our (ISC)² ThinkTank Webinars (and we hope you have!) you know that moderator Brandon Dunlap shares your questions with panelists to answer during the session. While we can’t get to all questions, we’d like to address a few more here on our blog.
Last week’s webinar was “The Human Target – The Tip of the Spear is Aimed at You ”, with panelists Ira Winkler, president of Secret Mentem, Sylvester Gray, security product specialist at Sophos and Johnny Deutsch, senior manager, advanced security center at Ernst & Young, LLP.
Thank you to our panelists for sharing their expertise – let’s continue the conversation, shall we?
To what extent are the “phishermen” sharing information about potential targets and techniques they’ve used against those targets?
– Stephen B., Maryland
While the Phishing community does share the techniques along with best practices, there is a great amount of competition for the available targets who will fall for the attack. We do see certain syndicate gangs sharing victim information with a small circle of cyber associates. For the most part the sharing of successful techniques is used as a advertising tool to prove the success of the phishing-as-a-service platform to get more would be cybercriminals to buy their service.
What are some of the more effective incentives as part of a good security awareness program?
– Michael M., Tennessee
It is impossible to answer the question as it varies from one organization to the next. However, in the ideal world, you would have a constant reward structure in place that recognizes ongoing good behaviors as they are experienced, such as reporting a phishing email or other potential incident, or rewarding people for securing their desks properly. What incentives you provide depend upon what is considered valuable to your employees. But again, it is best to reward ongoing behaviors.
How should cybersecurity professionals go about educating upper management on these schemes and keep them from leaking details on social platforms criminals can use to bait these well-designed traps?
– Jeremy M., Pennsylvania
Johnny Deutsch, Ernst & Young LLP:
The education of executives is a challenge that many organizations face. The main difference with executives is the fact that they act as outliers, meaning that they are always the exception to the rule. Due to that, they tend to trust more things that get to their inbox as many of them have executive assistants that vet the content.
The problem there is with trusting someone else to verify matters that might pass the first filtration, but are actually not real and don’t check out. The most effective form of education that I have seen is by having a semiannual face to face workshop where the executives get a personal intelligence overview of what’s out there regarding them, in particular from the POV of an attacker. What that means is not just showing them the facts, but weaving the story line of how these faces might interact into sample scenarios.
The face to face sessions would be broken into one session which is a personal 30 minutes with every executive sharing the personal data that has been gathered on him/her, and another session with all of the group together where they get a practical exercise of how attackers compose scenarios from sample data. The bottom line is to get them thinking about this from a personal angle.
(ISC)² ThinkTank Webinars are a great way to stay up to date on hot topics in the industry – and a convenient way to earn CPEs. Topics and registration links are posted to our Twitter account weekly, so sign up and join the conversation!
Looking for more on spearphishing? Catch Johnny Deutsch at (ISC)² Security Congress in Austin, Texas where he will be speaking on the topic. Ira Winkler will have two presentations at the event on security awareness.