Phishing continues to be a common attack against nearly all industries. From the attacker's view, this is a very economical way to mount attacks: in a very short amount of time, a vast number of these emails can be sent. For this to generate revenue and a net profit, only a few people or businesses need to click or follow the ill-fated email instructions, and the attack generates enough revenue to be profitable. This is especially the case with ransomware. One recent and rather expensive example of this was the FACC attack. Here an email appeared to be from the CEO. The cost to the company was $54M.
Even though users have received training, have read the news regarding phishing attacks, and have a general sense of what a phishing email should look like, employee training may still be beneficial here. It should take the form of a series. In this mode, the staff member would see the training (e.g. email, conference call, or other) several times and jog their memory from the earlier sessions. Normally, the staff member sees this once a year and forgets its applicability within a few hours.
There are several points to discuss. The training may address the user reviewing the email or other communication more than once prior to clicking. The second or third look may give the reader enough time to notice an error in the email, or just enough suspicion to pause. The target can also contact the sender to verify that the person actually sent the email, think before sending confidential information over email unencrypted, minimize the amount of private information shared on social media, and disable macros.
With these being passed on to the users, the opportunity for an oversight would be lowered.
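The "second look" and "contact the sender" advice above can be partly automated on the receiving side. The following is an added example, not code from the original post or from Miel, LLC: it parses a message's From and Reply-To headers and returns reasons to verify the sender out-of-band, covering the CEO-impersonation pattern the post mentions (an executive's display name on an outside address), near-miss lookalike sender domains, and a Reply-To that points somewhere other than the apparent sender. The company domain, executive list and both sample messages are constructed for illustration.

```python
"""Flag sender characteristics that a second look at an email should catch.

Added example, not part of the original post. The executive list, company
domain and sample messages below are constructed for illustration.
"""
import email
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                      # hypothetical organisation
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # hypothetical, lower-cased names


def _domain(addr):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_findings(raw_message):
    """Return a list of reasons to verify the sender before acting on the email."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = _domain(addr)
    findings = []

    # Executive's display name, but not the address the organisation knows for them.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' is an executive but address is {addr}")

    # Sender domain is not ours but is only a character or two away from ours.
    if from_domain != COMPANY_DOMAIN and 0 < _edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        findings.append(f"sender domain {from_domain} is a near match for {COMPANY_DOMAIN}")

    # Replies would go to a different domain than the one the mail claims to come from.
    if reply_to and _domain(reply_to) != from_domain:
        findings.append(f"Reply-To domain {_domain(reply_to)} differs from From domain {from_domain}")

    return findings


# Constructed sample messages (not real mail).
SPOOFED = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo-office@mail-example.net
To: accounts@example.com
Subject: urgent wire transfer

Please process the attached invoice today.
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 numbers

See attached.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, sender_findings(sample))
```

Run as a script it reports three findings for the constructed spoofed message and none for the legitimate one. The checks are deliberately cheap and header-only, so they suit a mail gateway rule or a "verify this sender" banner rather than a replacement for the out-of-band confirmation the post recommends.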
Miel, LLC
Infosec Managed Services & Consulting
810-701-5511
charlesparkerii@gmail.com
It is not about winning or losing, but
reorienting yourself to the real problem-managing the risk across the
enterprise.