Monthly Archives: May 2010

Addressing Phishing Risk


Phishing and social engineering have been a growing concern. The latest Phishing Activity Trends Report, covering Q4 2009, from the Anti-Phishing Working Group (APWG) shows alarming figures for increasingly sophisticated phishing attacks. According to the report, financial services was once again the most targeted sector in Q4.

Anti-Phishing Working Group (APWG) Chairman Dave Jevans said, “Spear-phishing and whale-phishing, where targeted individuals inside of corporations, or of high net worth, appeared to be increasing. Phishers and malware attackers are sending emails to individuals in a highly targeted fashion, attempting to gain access to corporate online banking systems, corporate VPN networks, and other online resources.”

Consider this scenario: an organization has its perimeter security configured, with multiple controls such as IDS, IPS and firewalls deployed. Still, an employee receives an email with an embedded link that points to a malicious website. Once lured to this website, the unwitting employee is exposed to an array of risks.

One such risk is crimeware (software designed to collect information from the end user in order to steal credentials) or other malware being downloaded and installed on the local system without the user’s consent. Once installed, it may allow attackers to compromise other systems on the network, steal sensitive information, create backdoors into the corporate network and so on. Another significant risk is a website that attempts to persuade the recipient to reveal personal information or the credentials of corporate online applications. Such mails are often made to appear as coming from a trusted source such as the HR or IT department or an outsourcing partner, and they reuse the legitimate layout, graphics, links and content so that the page looks like the original website.
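The lure described above usually gives itself away in the links: the visible text names the organization's domain while the href goes somewhere else, the target is a raw IP address, or the hostname is a punycode look-alike. As an added example (not code from the original post), the following Python checks the anchors of an HTML mail body against a list of trusted domains. The sample message, the domain examplebank.com and the trusted-domain list are all constructed for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lower-case hostname of a URL, or of a bare domain such as 'www.example.com'."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _within(host, domain):
    return host == domain or host.endswith("." + domain)


def suspicious_links(html, trusted_domains):
    """Return [(href, reason)] for links that show the traits of a phishing lure:
    a raw IP target, a punycode label, visible text naming one domain while the
    href goes elsewhere, or any target outside the organisation's trusted domains."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = _host(href)
        reasons = []
        if _is_ip(target):
            reasons.append("target is a raw IP address")
        if any(label.startswith("xn--") for label in target.split(".")):
            reasons.append("target uses a punycode (look-alike) hostname")
        # Only treat the anchor text as a domain claim when it looks like one.
        shown = _host(text) if "." in text and " " not in text else ""
        if shown and not _within(target, shown):
            reasons.append(f"text shows {shown} but link goes to {target}")
        if target and not any(_within(target, d) for d in trusted_domains):
            reasons.append("target outside trusted domains")
        if reasons:
            findings.append((href, "; ".join(reasons)))
    return findings


# Constructed sample lure, not a real message.
SAMPLE_EMAIL = """
<p>Dear employee, your VPN password expires today.</p>
<p><a href="http://examplebank.com.login-verify.net/reset">www.examplebank.com</a></p>
<p>See the <a href="https://intranet.examplebank.com/it/policies">IT policies</a>.</p>
<p><a href="http://203.0.113.7/update">Click here</a> to update your client.</p>
"""
TRUSTED = ["examplebank.com"]

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL, TRUSTED):
        print(f"{href}\n    {reason}")
```

Run against the sample, the first and third links are flagged (domain mismatch and raw IP respectively, both outside the trusted list) while the intranet link passes. The same checks are what a user is asked to do by hand when hovering over a link, which is why they belong in the "how to identify phishing websites" guidance as well as in a mail gateway.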

Most of the time it is very difficult to determine the source of a phishing attack, because a well orchestrated phishing attack exploits the weak links in People, Process and Technology inside an organization in order to succeed. Most worrying, there are no quick, magic tools that can mitigate phishing risk overnight. So how would you address phishing risk?

Organizations can adapt the Deming Cycle [Plan-Do-Check-Act] to counter phishing attacks, and the programme will improve over a period of time. Steps to follow -

  1. Understand the current level of preparedness of employees and define a strategy to address the gap [Plan]

  2. Implement policies, procedures and an incident response plan to guide employees on “How to identify phishing websites“ and “What to do” when a phishing attack actually occurs [Do]

  3. Conduct drills periodically to check the readiness of employees against phishing attacks and determine who is vulnerable [Check]

  4. Provide awareness training to vulnerable users and regularly update all employees on new threats and techniques used by phishers through every available means of communication [Act]


In summary the message is very clear: the key to protecting oneself is continuous education and awareness. Organizations should start working towards employee education as the most effective remedy.

Is your organization ready to fight against Phishing Risks?

Social Networking & Security

The impact and adoption of social networking as a medium for communication, information sharing and interaction is a given in today’s world. Facebook now talks about having 400 million users, 50% of whom access the service every day! LinkedIn, the so-called “professional social networking service”, has 60 million users. Since its inception in 2003, LinkedIn took 1.4 years to reach its first million users, while the most recent million was reached in only 12 days. India has over 3 million users on LinkedIn and, yes, India is the fastest growing user base in the world.

There have been several discussions around the security of social networking sites, the risks to users, whether organizations should allow the services, and so on. To me the benefits and adoption of these services are so high that they will eventually be classified as must-have services on the internet, very much like email. Hence it will not be possible for organizations to block or curtail users’ use of social networking services.

Most if not all social networking service providers are taking active measures to protect their services and users; an example is Facebook’s Safety Center, which provides secure usage tips for several types of user profile. Most of us follow the basic secure usage guidelines like:

  • Not disclosing private information
  • Changing passwords regularly
  • Not accepting invites from unknown people
  • Running antivirus protection
  • Checking the privacy policies of the service providers
  • Checking default configuration and settings

However I think we need to focus a lot more on what I term “legitimate mistakes”. I call these legitimate because there seems to be nothing apparently wrong with what we have done, yet it still leads to a security risk. A few examples will illustrate the point.

During a specific project one of our security specialists was testing a customer’s core application website. The website was well configured, with proper security on the deployment environment, so the specialist was not able to find the usual vulnerabilities he could exploit. His interim report said that the site was secure and that he did not think there were any vulnerabilities. The next day, however, he reported that he had been able to obtain the admin password, and hence the complete web service was exposed. The method he used as the first step towards the credentials was very simple but effective. He took another low-profile website of the customer and tried to log in with the administrator’s name. He used the “forgot password” option, whose security question was “Where did you go for your honeymoon?”. He then searched for the administrator’s account on Facebook, learned his wife’s name, and found that she had posted their honeymoon pictures on Flickr. It was easy for him to guess that they had gone to Kumarakom for their honeymoon.

From the administrator’s point of view, neither he nor his wife seems to have done anything wrong from a secure usage standpoint. Perhaps her Flickr album should not have been public. This is an example of a “legitimate mistake”.
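The weakness in that story is that a “security question” is only as secret as its answer, and a honeymoon destination is routinely public. As an added example (not code from the original post), the Python below places that knowledge-based reset beside a token-based alternative: a random, single-use, time-limited token delivered out of band, compared in constant time, with a response that does not confirm whether the username exists. The account store, the answer “kumarakom” and the delivery hook are constructed stand-ins for the illustration.

```python
import hmac
import secrets
import time

# Constructed sample account store; names, answer and address are placeholders.
ACCOUNTS = {
    "admin": {
        "security_answer": "kumarakom",   # the honeymoon destination from the story
        "email": "admin@example.invalid",
    },
}


def reset_by_security_question(username, answer):
    """The weak flow: one fact that may be public unlocks the account, with no
    rate limit and no second factor. Returns True when the reset is granted."""
    acct = ACCOUNTS.get(username)
    return bool(acct) and answer.strip().lower() == acct["security_answer"]


class TokenReset:
    """Hardened flow: a random, single-use, time-limited token is sent out of band
    and compared in constant time. The response never reveals whether a username
    exists, so the admin account can't be enumerated from a low-profile site."""

    def __init__(self, ttl_seconds=900, now=time.time):
        self._pending = {}         # token -> (username, expiry timestamp)
        self.ttl = ttl_seconds
        self.now = now             # injectable clock, so expiry can be exercised
        self.last_delivery = None  # hypothetical stand-in for sending the mail

    def request(self, username):
        acct = ACCOUNTS.get(username)
        if acct:
            token = secrets.token_urlsafe(32)            # 256 bits of randomness
            self._pending[token] = (username, self.now() + self.ttl)
            self._deliver(acct["email"], token)
        # Same message for known and unknown users.
        return "If that account exists, a reset link has been sent."

    def _deliver(self, email, token):
        # A real system emails or SMSes the token; here we only record it.
        self.last_delivery = (email, token)

    def redeem(self, presented):
        """Return the username whose password may now be set, or None."""
        for token, (username, expiry) in list(self._pending.items()):
            if hmac.compare_digest(token, presented):
                del self._pending[token]                 # single use, even if expired
                return username if self.now() <= expiry else None
        return None


if __name__ == "__main__":
    print(reset_by_security_question("admin", "Kumarakom"))   # True: a public fact suffices
    flow = TokenReset()
    print(flow.request("admin"))
    _, token = flow.last_delivery
    print(flow.redeem(token))                                  # admin
    print(flow.redeem(token))                                  # None: already used
```

The token flow still depends on the mailbox being under the owner’s control, so it moves the problem rather than removing it; the point is that the secret is now something an attacker cannot assemble from Facebook and Flickr. If a knowledge-based fallback must be kept, it should be one factor among several and rate-limited per account, not the whole gate.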

Let’s take my own example: the only social networking service I use is LinkedIn. I use it not only for connecting with my professional contacts but also for “serious” purposes such as hiring, initiating contact with business prospects or partners, using the TripIt add-on to plan my travel and to know who is in the vicinity, and so on. I have derived several benefits from LinkedIn, e.g. lower hiring costs, professional contacts leading to business or partnerships, better utilization of time during travel etc. But time and again I also find myself using LinkedIn to exploit other people’s “legitimate mistakes”.

For example, when I see someone join a job-seekers group, I can guess that he or she might be looking for a change. When I see one of my contacts connect with someone from the competition, I know it is time to act. I can review the profiles of potential contacts to learn their background, or go to the section that tells me who has viewed my profile and find out who has been checking on me. I am sure others are exploiting my “legitimate mistakes” as well.

In summary the message is clear: none of us can stay away from social networking services, so it is important to use a service that is secure and credible, and to follow the basic secure usage guidelines. But we still need to look at the “legitimate mistakes” we might make and be more careful and aware. All good services need their users to take “responsible usage” seriously; it is always easier to watch out for the big mistakes, while the smaller ones slip through and sometimes cause major damage.