Monday, February 10, 2014

[rapid7] Security Lessons Learned in 2013 - The Year of Deception Based Attacks

Over the course of 2013, the security industry witnessed several high-profile mega-breaches targeting large organizations like Target and Neiman Marcus during the Christmas season, when both shopping activity and spending are at their annual peak.

The interesting trend, not only in these attacks but in many others last year? As businesses, corporations and government agencies get better at using tools and software to protect their own data, attackers are pivoting to capture that data through the weakest link available: your users.

Deception-based attacks have become a primary attack vector for attackers of every kind. Why? It is the easiest way to steal information without having to break through the front door. These days we are seeing fewer attackers breaking through a firewall or exploiting vulnerabilities directly, and more social engineering tactics like phishing. It is less noisy, but it is also very effective, especially as newer attacker tooling makes "phishy" activity harder to detect.

So what can you do to protect your personal information as well as your organization?

On the personal or consumer level, it is important to use technology like two-factor authentication to verify your identity. Also, from the most overused advice column ever: always practice good password hygiene and do not reuse passwords across sites. The simple truth is that every high-profile breach reveals that people use basic passwords that are easily cracked. If remembering passwords is hard for you and pushes you toward simple ones, some people swear by LastPass or KeePass. These have their own risks (one master password now protects everything), so make your choice based on what you are comfortable with. The biggest thing to look out for is phishing. Make sure emails, especially emails containing links, come from a sender address you trust, keeping in mind that a displayed sender name or address is easy to spoof. Check links before you open them by hovering over them and inspecting the destination URL: the visible link text and the real destination are often not the same thing.
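The link inspection advice above can be automated. The following is an added example, not code from Rapid7 or this post: it extracts the anchors from an email body and reports the deception tricks a hover check is meant to catch (visible text naming one host while the href points at another, a user@host prefix that hides the real host, bare IP destinations, punycode hosts, and non-http schemes). The sample message and all domains in it are constructed for the example.

```python
"""Inspect links in an email body for common deception tricks.

Added example (not Rapid7's code). The HTML sample below is constructed;
198.51.100.7 and the .example domains are documentation ranges/TLDs.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(value):
    """Lowercased host of a URL or bare domain ('' if there is none)."""
    if "://" not in value:
        value = "http://" + value
    return (urlsplit(value).hostname or "").lower()


def inspect_link(href, text):
    """Return the reasons a link looks deceptive; an empty list means nothing was found."""
    reasons = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https"):
        reasons.append(f"unusual scheme {parts.scheme!r}")
    if parts.username is not None:
        # http://www.bank.example@evil.example/ really goes to evil.example
        reasons.append("userinfo before '@' hides the real host")
    try:
        ipaddress.ip_address(host)
        reasons.append("destination is a bare IP address")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (IDN) host; could be a homograph of a real domain")
    # Only compare when the visible text itself looks like a URL or domain.
    text_host = _host_of(text) if "." in text and " " not in text else ""
    if text_host and text_host != host:
        reasons.append(f"visible text says {text_host} but link goes to {host}")
    return reasons


def inspect_email(html):
    """Return [(href, visible text, reasons)] for every link in the message body."""
    collector = _LinkCollector()
    collector.feed(html)
    return [(href, text, inspect_link(href, text)) for href, text in collector.links]


# Constructed sample message: one honest link and three deceptive ones.
SAMPLE_EMAIL = """
<p>Your account needs attention.</p>
<a href="https://www.bank.example/login">https://www.bank.example/login</a>
<a href="http://www.bank.example.evil.example/login">www.bank.example</a>
<a href="http://www.bank.example@198.51.100.7/login">Verify now</a>
<a href="http://xn--bnk-jja.example/login">bank.example</a>
"""

if __name__ == "__main__":
    for href, text, reasons in inspect_email(SAMPLE_EMAIL):
        print(f"{text!r:40} -> {href}")
        for reason in reasons:
            print(f"    ! {reason}")
```

The visible-text comparison is deliberately exact: `www.bank.example.evil.example` is flagged even though it begins with the bank's name, which is exactly the trick a casual hover check misses.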

On an organizational level you need to start monitoring for deception-based attacks, and you need to train your employees and coworkers to identify phishing attacks. We can help with deception-based attacks using one of our new products, UserInsight. UserInsight lets you monitor user activity and alerts you when something suspicious happens on your network, across the cloud services your employees use, or even across mobile environments. Did one of your Boston-based employees just log into your network from China? Did you see him in the office this morning? That is a red flag you will want to check up on, and we can give you this kind of information. Give the UserInsight trial a test to see how you can reduce this threat in your own network.
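The Boston-to-China check above is usually called "impossible travel": two successful logins by the same account whose implied speed is faster than any flight. The following is an added example of that detection, not UserInsight code. The authentication log lines and the IP-to-location table are constructed stand-ins; a real deployment would read its SIEM's authentication events and a GeoIP database instead.

```python
"""Flag "impossible travel": consecutive successful logins by one user whose
implied speed exceeds what an airliner could manage.

Added example, not UserInsight code. LOG and GEO are constructed; the IPs are
documentation ranges and the coordinates are approximate city centres.
"""
from collections import defaultdict
from datetime import datetime, timezone
from math import radians, sin, cos, asin, sqrt

# Constructed stand-in for a GeoIP lookup: ip -> (city, latitude, longitude)
GEO = {
    "203.0.113.10": ("Boston", 42.36, -71.06),
    "203.0.113.11": ("Boston", 42.36, -71.06),
    "198.51.100.20": ("New York", 40.71, -74.01),
    "192.0.2.30": ("Shanghai", 31.23, 121.47),
}

# Constructed authentication log: timestamp user source_ip result
LOG = """\
2014-02-10T08:05:00Z alice 203.0.113.10 success
2014-02-10T09:40:00Z alice 192.0.2.30 success
2014-02-10T08:30:00Z bob 203.0.113.11 success
2014-02-10T14:10:00Z bob 198.51.100.20 success
2014-02-10T09:00:00Z carol 203.0.113.10 failure
"""

MAX_SPEED_KMH = 900.0  # roughly a commercial airliner; faster than this is impossible


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points (mean Earth radius 6371 km)."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def parse_log(text):
    """Yield (timestamp, user, ip) for successful logins; skip failures and malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != "success":
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, parts[1], parts[2]


def find_impossible_travel(text, geo=GEO, max_speed_kmh=MAX_SPEED_KMH):
    """Return [(user, from_city, to_city, implied_speed_kmh)] for each suspicious login pair."""
    by_user = defaultdict(list)
    for ts, user, ip in parse_log(text):
        by_user[user].append((ts, ip))

    alerts = []
    for user, events in by_user.items():
        events.sort()  # log lines are not guaranteed to arrive in time order
        for (t1, ip1), (t2, ip2) in zip(events, events[1:]):
            if ip1 not in geo or ip2 not in geo:
                continue  # unknown location: do not guess, leave it to another rule
            c1, lat1, lon1 = geo[ip1]
            c2, lat2, lon2 = geo[ip2]
            dist = haversine_km(lat1, lon1, lat2, lon2)
            if dist == 0:
                continue  # same place (or same city block): nothing to judge
            hours = (t2 - t1).total_seconds() / 3600.0
            # Two logins from different places at the same instant is the clearest case.
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append((user, c1, c2, round(speed, 1)))
    return alerts


if __name__ == "__main__":
    for user, src, dst, speed in find_impossible_travel(LOG):
        print(f"ALERT {user}: {src} -> {dst} implies {speed} km/h")
```

In the constructed log, alice appears in Boston and then in Shanghai ninety-five minutes later (several thousand km/h), while bob's Boston-to-New York move over five and a half hours is ordinary. VPN egress points and mobile carrier NAT produce false positives with this rule, so in practice the alert is a prompt to verify (the "did you see him in the office" question), not an automatic lockout.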

As for training, make sure your employees and coworkers can recognize phishing attacks. One way to test them is to actually send them a simulated phishing email and see whether they take the bait. Those of you familiar with Metasploit know you can simulate phishing attacks, see which employees need additional training, and check that the training is working. You can always monitor how secure your network is, but if an employee wants to click on a cat video, training is the only thing that is going to make them skeptical and more secure.
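Seeing "who took the bait" requires a link that identifies the recipient who clicked it. The following added example, which is not Metasploit's phishing feature and not code from this post, shows the usual mechanism: a per-recipient HMAC token in the tracking URL, so tokens cannot be guessed or forged, and a pass over the web-server access log that maps clicks back to recipients and computes a click rate per department for before/after-training comparison. The campaign secret, recipient list, landing host and log lines are all constructed.

```python
"""Track who clicks in a simulated phishing campaign.

Added example, not Metasploit's or Rapid7's code. SECRET, TRACK_HOST,
RECIPIENTS and ACCESS_LOG are constructed for the example.
"""
import hashlib
import hmac
from collections import Counter
from urllib.parse import parse_qs, urlsplit

SECRET = b"campaign-2014-02-rotate-me"   # per-campaign key; do not reuse across campaigns
TRACK_HOST = "https://training.example"  # hypothetical landing host for the simulation
RECIPIENTS = {                           # email -> department (constructed)
    "alice@corp.example": "finance",
    "bob@corp.example": "finance",
    "carol@corp.example": "engineering",
    "dave@corp.example": "engineering",
}


def token_for(email, secret=SECRET):
    """Per-recipient token derived with an HMAC so nobody can forge another user's link."""
    return hmac.new(secret, email.lower().encode(), hashlib.sha256).hexdigest()[:20]


def tracking_url(email):
    """The link that goes into the simulated phishing mail for this recipient."""
    return f"{TRACK_HOST}/invoice?t={token_for(email)}"


def build_lookup(recipients):
    """token -> email, so a clicked token can be resolved without storing state per send."""
    return {token_for(email): email for email in recipients}


# Constructed web-server access log (common log format). Two recipients click,
# one of them twice, one request carries a forged token, and one is unrelated.
ACCESS_LOG = """\
10.0.0.5 - - [11/Feb/2014:09:12:03 +0000] "GET /invoice?t={alice} HTTP/1.1" 200 512
10.0.0.9 - - [11/Feb/2014:09:15:44 +0000] "GET /invoice?t=0123456789abcdef0123 HTTP/1.1" 200 512
10.0.0.7 - - [11/Feb/2014:09:20:10 +0000] "GET /invoice?t={dave} HTTP/1.1" 200 512
10.0.0.5 - - [11/Feb/2014:09:21:00 +0000] "GET /invoice?t={alice} HTTP/1.1" 200 512
10.0.0.8 - - [11/Feb/2014:09:30:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0
""".format(alice=token_for("alice@corp.example"), dave=token_for("dave@corp.example"))


def clicks_from_log(log, lookup):
    """Return the set of recipients whose token appears in a GET /invoice request."""
    clicked = set()
    for line in log.splitlines():
        try:
            request = line.split('"')[1]            # 'GET /invoice?t=... HTTP/1.1'
            method, path, _version = request.split(" ")
        except (IndexError, ValueError):
            continue                                # not a well-formed request line
        parts = urlsplit(path)
        if method != "GET" or parts.path != "/invoice":
            continue
        for tok in parse_qs(parts.query).get("t", []):
            if tok in lookup:                       # unknown tokens (scans, guesses) are ignored
                clicked.add(lookup[tok])
    return clicked


def click_rate_by_department(recipients, clicked):
    """Fraction of each department that took the bait."""
    total, hit = Counter(recipients.values()), Counter()
    for email in clicked:
        hit[recipients[email]] += 1
    return {dept: hit[dept] / total[dept] for dept in total}


if __name__ == "__main__":
    lookup = build_lookup(RECIPIENTS)
    clicked = clicks_from_log(ACCESS_LOG, lookup)
    for dept, rate in sorted(click_rate_by_department(RECIPIENTS, clicked).items()):
        print(f"{dept}: {rate:.0%} clicked")
```

Because the token is an HMAC over the address rather than a sequential ID, someone who receives one link cannot enumerate other recipients' links, and a forged token in the log (the second line in the sample) resolves to nobody. Run the same campaign again after training and compare the per-department rates.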
