Protection against spear phishing attacks should be top of organisations’ cyber security priority lists for 2017, according to Peter Wood, chief executive of security consultancy First Base Technologies.
This means a combination of security technologies and user awareness training to ensure employees are aware of the technique, know the tell-tale signs and can respond accordingly.
“Our investigations show that phishing, particularly spear phishing, is the most prevalent threat to organisations, and is a key component in just about every cyber attack,” he told Computer Weekly.
“Passwords are currently the single biggest vulnerability in most organisations’ IT networks, which is why credential theft is a common and popular attack technique.”
Phishing is typically used by attackers, and by penetration testers like Wood, to steal legitimate users’ credentials and access IT systems in the target organisation without detection or restriction.
“Once an attacker has legitimate user credentials, few security technologies are able to prevent those credentials from being used to explore targeted networks, to install malware and to steal data,” he said.
There are some technologies available that are designed to detect and stop anomalous behaviour, but without this capability, stolen credentials effectively give attackers free rein.
“Stolen credentials also grant attackers access to external services such as virtual private networks (VPNs) and web mail access, and gaining access to these services can provide an attacker with full remote access into a network,” said Wood.
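The behavioural detection the article alludes to can be illustrated with a small baseline-and-compare check. The following is an added example, not code from the article or from First Base Technologies; the logon records, user name, addresses and the 07:00–20:00 "business hours" window are all constructed assumptions. It learns which source addresses each account normally authenticates from, then flags VPN and webmail logons that come from a previously unseen address or outside the usual hours, the pattern a stolen credential produces.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logon records (assumed format; not from the article).
BASELINE = [
    {"user": "jsmith", "src": "10.0.1.20", "service": "vpn", "time": "2017-01-09T08:55:00"},
    {"user": "jsmith", "src": "10.0.1.20", "service": "webmail", "time": "2017-01-09T12:10:00"},
    {"user": "jsmith", "src": "10.0.1.20", "service": "vpn", "time": "2017-01-10T09:02:00"},
]
NEW_EVENTS = [
    {"user": "jsmith", "src": "10.0.1.20", "service": "vpn", "time": "2017-01-11T08:58:00"},
    {"user": "jsmith", "src": "203.0.113.7", "service": "vpn", "time": "2017-01-11T03:14:00"},
    {"user": "jsmith", "src": "203.0.113.7", "service": "webmail", "time": "2017-01-11T03:20:00"},
]

# Assumed business-hours window; tune per organisation.
WORK_START_HOUR = 7
WORK_END_HOUR = 20


def build_baseline(events):
    """Map each user to the set of source addresses seen in the learning period."""
    seen = defaultdict(set)
    for event in events:
        seen[event["user"]].add(event["src"])
    return seen


def is_off_hours(timestamp: str) -> bool:
    """True when the logon falls outside the assumed business-hours window."""
    hour = datetime.fromisoformat(timestamp).hour
    return hour < WORK_START_HOUR or hour >= WORK_END_HOUR


def flag_anomalies(baseline, events):
    """Return one alert per logon that deviates from the learned baseline."""
    alerts = []
    for event in events:
        reasons = []
        if event["src"] not in baseline.get(event["user"], set()):
            reasons.append("new source address for this account")
        if is_off_hours(event["time"]):
            reasons.append("off-hours logon")
        if reasons:
            alerts.append({
                "user": event["user"],
                "src": event["src"],
                "service": event["service"],
                "time": event["time"],
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in flag_anomalies(build_baseline(BASELINE), NEW_EVENTS):
        print(alert)
```

On the constructed data the first new event matches the baseline and is silent; the two logons from 203.0.113.7 at 03:14 and 03:20 are each flagged for both a new address and an off-hours time. A real deployment would feed this from VPN and mail-gateway authentication logs, and the two rules are a starting point rather than a complete detection model.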
For this reason, it is important for organisations to ensure that everyone in the organisation is on the lookout for phishing emails to reduce the likelihood of being tricked into giving up their credentials.
In a recent penetration exercise, Wood’s team sent 3,066 phishing emails, and 2,398 recipients clicked the link to the fake website and entered their usernames and passwords.
“In that case, we had a 78% hit rate, which is consistent with findings that 60% or more tend to fall for well-designed spear phishing emails,” he said.
Wood recommends a continual cycle of education and testing to keep awareness levels high and reduce the likelihood of employees being tricked into giving up their credentials. “We typically find there is little or no staff education around phishing attacks,” he said.
In addition to stealing passwords, attackers are often able to guess passwords or use a brute-force cracking attack to find a valid password due to poor password practices.
“We often find that domain admin accounts are protected with a password that is simply ‘password’, or something similar, such as ‘password1’,” said Wood.
“As a result, an attacker can exploit this issue to gain privileged access to the domain and servers, which can be used to launch further, more damaging attacks.”
To eliminate these vulnerabilities, Wood recommends the use of passphrases, the implementation of password safes, and education around the risks and benefits.
He also recommends regular password audits to ensure staff are following password policies and best practice guidelines.
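A password audit of the kind Wood recommends can be reduced to a few checks. The following is an added example, not code from the article or from First Base Technologies; the account names, candidate passwords, the 16-character passphrase minimum and the short deny list are constructed assumptions. It normalises each candidate so that trivial variants such as ‘Password1’ still match the deny-list entry ‘password’, applies the passphrase length rule, and marks findings on accounts whose names suggest domain-admin privileges as critical.

```python
import re
from typing import Dict, List

# Constructed deny list of common weak base words (assumption; a real audit
# would use a much larger list of breached and dictionary passwords).
COMMON_WEAK = {"password", "welcome", "letmein", "qwerty", "123456", "admin"}

# Assumed policy: passphrases of at least 16 characters.
MIN_PASSPHRASE_LENGTH = 16


def normalise(candidate: str) -> str:
    """Lower-case and strip trailing digits/symbols so 'Password1!' reduces to 'password'."""
    return re.sub(r"[\d\W_]+$", "", candidate.lower())


def audit_password(candidate: str) -> List[str]:
    """Return a list of policy findings for one candidate; empty means it passes."""
    findings = []
    if candidate.lower() in COMMON_WEAK or normalise(candidate) in COMMON_WEAK:
        findings.append("matches a common weak password or a trivial variant of one")
    if len(candidate) < MIN_PASSPHRASE_LENGTH:
        findings.append(f"shorter than the {MIN_PASSPHRASE_LENGTH}-character passphrase minimum")
    return findings


def audit_accounts(accounts: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit a mapping of account name -> candidate password, reporting only failures."""
    report = {}
    for user, candidate in accounts.items():
        findings = audit_password(candidate)
        if findings and "admin" in user.lower():
            # Assumed convention: names containing 'admin' denote privileged accounts.
            findings.insert(0, "privileged account: treat finding as critical")
        if findings:
            report[user] = findings
    return report


# Constructed sample accounts (not from the article).
SAMPLE_ACCOUNTS = {
    "domainadmin": "Password1",
    "svc_backup": "password",
    "jsmith": "correct horse battery staple",
}

if __name__ == "__main__":
    for user, findings in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(user)
        for finding in findings:
            print("  -", finding)
```

In practice an audit like this is run against recovered password hashes or candidate passwords tested with the organisation's own cracking rig, never against plaintext stored for the purpose; the deny list and length threshold are the knobs a password policy sets.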