April 2008 — News
Print this articleClick here to receive your FREE subscription to T.H.E. Journal
Hoax Subpoena E-Mails Shine Light on 'Spearphishing'
The main challenge, security experts say, is that these narrow attacks can fall well below the radar of Internet security systems, circumvent networks and blend into Web-based applications, unlike the more obvious spam-blast e-mail.
Storms contends that the difference between 1990 and 2008 is that phishing is now a full-time business with a real economic potential.
"When we think of phishing as a business, the attackers are putting dollars into their business just like any other well-run entity," Storms said. "They deal with supply and demand and they spend money on research and development. As such, their tactics are becoming much more refined. However, because the root of the problem is a human trust relationship, it's difficult to develop technical products to mitigate the threat."
Responding to the Threat
In an e-mail to Redmondmag.com, Microsoft Senior Product Manager Mike Chan said
that as customers face external threats, they also face growing complexity,
security and privacy concerns within their own IT environment.
"As a result, IT managers don't have a complete view into the health of their networks, which can actually breed vulnerability and security breaches. Some employees may visit phishing sites out of curiosity, and they need to be told in no uncertain terms: 'Don't,'" Chan wrote. "Just visiting a phishing site can lead to malware being downloaded on to a company workstation without the employee even realizing it, infecting the entire network."
Chan added that Microsoft thinks about this with a "defense in-depth approach, and we offer an array of products designed to help in this regard."
Chan and others suggest that from an application-security standpoint, adopting an "allow only the known good" or whitelisting approach is the only way to completely stop malware or remote code execution bugs that have eluded anti-virus detection. Moreover, shoring up firewalls and using whole hard disk encryption can guard sensitive documents from such attacks.
Still, what's been leaving IT pros scratching their heads is something that has nothing to do with computers: social engineering and the habits of users in the workplace. Rank-and-file workers--and even IT administrators--aren't beyond checking personal e-mails and opening attachments at their workstations on a whim, without thinking about the implications.
This is why Leatham and others say that having an undetected botnet that gathers keystrokes and data from multiple executives' computers in a specific company is considered one of the IT risks that organizations might face in the near future.
As he has been known to do, Leatham emphasizes that if he were a security administrator at a company, he would cut the situation down to brass tacks and lay out the danger in plain English: "User education must go beyond telling people, 'Don't open attachments' or 'Don't click on any links in an e-mail.' E-mails are for reading. Period. No downloading. No clicking."
Get daily news from THE Journal's RSS News Feed
About the author:Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. You can contact Jabulani at editor@entmag.com.
Proposals for articles and tips for news stories, as well as questions and comments about this publication, should be submitted to David Nagel, executive editor, at dnagel@1105media.com.
Cite this Site
copy text (above) for proper citation
