Spear Phishing - BYOD at Risk
By Alpesh Chauhan, CRM Lead Consultant, Oracle Practice, Manufacturing Unit, Infosys
I received an email on my official id from a colleague's id, asking me to check the details in the attachment to find useful information related to the solution I have been working on recently. I was a bit surprised, as my colleague was no longer working on that solution. The email appeared to be from the company's official id, but something was wrong. I called him and was surprised to find that he hadn't sent that email. I had been the target of a spear phishing attack!
Phishing emails are typically sent to hundreds of users, appear to come from a trusted source, and trick recipients into giving up passwords or financial information. Spear phishing attacks are more personal: the attackers research their intended targets by mining data that is readily available on social media, and they pursue specific objectives, such as obtaining confidential information from a competitor organization. Because the From address of an email is trivially forged, a familiar sender name on its own proves nothing about who actually sent the message. In the scenario above, the cyber criminals had found out from details on social media that I was working on a particular solution with that colleague. Fortunately, the colleague had recently been moved off the project, which raised a doubt in my mind. I was lucky to avoid the phishing attack, but will you be lucky next time?
With the consumerization of IT and BYOD becoming a reality of daily office life, spear phishing poses a formidable challenge to successful BYOD implementation. It is easier to track and filter email on office devices within the company network, but BYOD allows personal devices to be used for both official and personal purposes, and personal mailboxes on those devices sit outside the corporate mail filters, so keeping such frauds off them is much harder to control. The high cost of security has always been the biggest challenge in BYOD implementation, and with the recent rise in spear phishing attacks the cost of securing data will increase further.
To safeguard against phishing attacks, the following basic measures should be taken to improve employee awareness:
1. The organization should have defined guidelines that clearly restrict employees from sharing sensitive data on social media, since such data can be used by phishing attackers.
2. Individuals should be advised to share minimal personal and professional information on social media; these details help attackers build a detailed profile of a target.
3. Employees should be advised not to open attachments or URLs from unknown sources, and to check attachment file types closely before opening them. A file named like report.pdf.exe is an executable, not a document, and a sender name that matches a colleague does not mean the message came from that colleague.
4. Employees should be advised to inform the company's network security group immediately whenever a suspicious email is received.
5. The organization's network should be kept up to date with all security patches, and employees should be required to apply security patches on their own devices regularly.
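The checks a security group can apply to a message like the one in the story above, and the attachment file-type check in measure 3, can be automated. The following Python script is an added example, not code from the original article or from Infosys; the sample message, the trusted domain example.com, the look-alike domain examp1e.com, and the `triage` helper and its finding strings are all constructed for this illustration. It parses a raw message, flags a sender domain that imitates a trusted one through character substitution, checks the Authentication-Results header for DKIM and DMARC failures, verifies that the Return-Path domain aligns with the From domain, and inspects each attachment for a double extension and for content (leading "magic" bytes) that does not match the declared Content-Type.

```python
"""Triage checks for a suspicious email: look-alike sender domain, authentication
results, Return-Path alignment, and attachment type sanity. Constructed example;
not the original article's code."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Domains the organisation genuinely sends from. Assumed for this example.
TRUSTED_DOMAINS = {"example.com"}

# Extensions Windows will execute; "report.pdf.exe" is the classic lure.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "lnk", "ps1"}

# Leading bytes of common formats, used to check content against the declared type.
MAGIC = [
    (b"%PDF", "pdf"),
    (b"MZ", "exe"),                  # DOS/PE header of a Windows executable
    (b"PK\x03\x04", "zip"),          # also docx/xlsx/pptx
    (b"\xd0\xcf\x11\xe0", "ole"),    # legacy doc/xls/ppt
]
EXPECTED_KIND = {
    "application/pdf": "pdf",
    "application/zip": "zip",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document": "zip",
    "application/msword": "ole",
}

# Character substitutions attackers use when registering look-alike domains.
CONFUSABLES = {"1": "l", "0": "o", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def build_sample_message() -> bytes:
    """Constructed sample: a lure imitating a colleague at example.com, sent from the
    look-alike examp1e.com, carrying an executable disguised as a PDF."""
    msg = EmailMessage()
    msg["From"] = "Ravi Colleague <ravi.colleague@examp1e.com>"
    msg["To"] = "alpesh@example.com"
    msg["Subject"] = "Details on the CRM solution"
    msg["Return-Path"] = "<bounce@mailer.examp1e.com>"
    msg["Authentication-Results"] = (
        "mx.example.com; spf=pass smtp.mailfrom=mailer.examp1e.com; "
        "dkim=none; dmarc=fail header.from=examp1e.com"
    )
    msg.set_content("Please check the attached document for the solution details.")
    payload = b"MZ\x90\x00" + b"\x00" * 60  # PE header bytes plus padding, not a PDF
    msg.add_attachment(payload, maintype="application", subtype="pdf",
                       filename="solution_details.pdf.exe")
    return msg.as_bytes()


def domain_of(header_value) -> str:
    """Lower-cased domain of the address in a From/Return-Path header ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def normalise(domain: str) -> str:
    """Undo common substitutions so examp1e.com compares equal to example.com."""
    for fake, real in CONFUSABLES.items():
        domain = domain.replace(fake, real)
    return domain


def lookalike_of(domain: str):
    """Trusted domain this one imitates, or None if it is genuine or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    return next((t for t in TRUSTED_DOMAINS if normalise(domain) == t), None)


def auth_results(header_value) -> dict:
    """Extract spf=/dkim=/dmarc= verdicts from an Authentication-Results header."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header_value or "")))


def sniff(data: bytes) -> str:
    """Identify content by its leading bytes."""
    return next((kind for magic, kind in MAGIC if data.startswith(magic)), "unknown")


def triage(raw: bytes) -> list:
    """Run all checks on a raw RFC 5322 message and return a list of findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    from_domain = domain_of(msg["From"])
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain} imitates {imitated}")

    # Relaxed alignment: Return-Path may be the From domain or a subdomain of it.
    rp_domain = domain_of(msg["Return-Path"])
    if rp_domain and rp_domain != from_domain and not rp_domain.endswith("." + from_domain):
        findings.append(f"Return-Path domain {rp_domain} does not align with From domain {from_domain}")

    results = auth_results(msg["Authentication-Results"])
    for check in ("dkim", "dmarc"):
        if results.get(check, "absent") != "pass":
            findings.append(f"{check}={results.get(check, 'absent')}")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        exts = name.lower().split(".")[1:]
        if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
            label = "double extension hides executable" if len(exts) > 1 else "executable attachment"
            findings.append(f"{label}: {name}")
        kind = sniff(part.get_payload(decode=True) or b"")
        declared = part.get_content_type()
        expected = EXPECTED_KIND.get(declared)
        if expected and kind != expected:
            findings.append(f"content of {name} is {kind}, not the {declared} it claims")
    return findings


if __name__ == "__main__":
    for finding in triage(build_sample_message()):
        print("FINDING:", finding)
```

The Authentication-Results header should only be trusted when it was added by your own receiving mail server (the authserv-id `mx.example.com` at the start of the header in this sample); an attacker can insert a forged one in the message they send, so a real gateway strips any copy that does not carry its own identifier before evaluating it.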
Apart from these measures, organizations can also invest in the following areas to find security lapses within their network.
1. Associate with the Anti-Phishing Working Group (APWG): APWG is a consortium of companies, law enforcement agencies and government bodies that unifies the global response to electronic crime. It provides information on phishing and other electronically mediated fraud, along with pointers to technical solutions for immediate protection against such frauds. An organization can become a member and receive the latest information on these frauds together with possible solutions, which its network team can use to take the steps needed to avoid similar attacks.
2. Involve a red team: a red team is a group of skilled individuals who continually challenge the organization's plans, defensive measures and security by emulating an adversary. A red team uses the techniques a real attacker would, including targeted phishing of employees, to expose and exploit the organization's vulnerabilities, which shows where current security lapses lie and which countermeasures are needed. A red team can help keep your organization one step ahead of its adversaries.
3. Implement the right Mobile Device Management (MDM) solution: data control and protection, and device configuration across all types of mobile devices, is a nightmare for the IT department. Selecting the right MDM software can help an organization secure data at lower cost with a minimal support team. Over-the-air (OTA) programming lets the MDM solution push updated security policies to all devices remotely, making mobile devices safer against electronic fraud.
BYOD implementation shouldn't be abandoned because of data security risk. Data security will always be a concern, and it should be handled through a two-pronged approach: increase employee awareness and enhance network security. Do you agree? Let me know your views.