Phishing emerges as major corporate security threat
Computerworld - The successful use of phishing emails to breach secure organizations like Oak Ridge National Laboratory and EMC's RSA security division is a stark reminder of the serious threat posed by a type of attack that was previously dismissed as low-tech.
The Oak Ridge lab last month disclosed that sophisticated data-stealing malware had infiltrated its networks. The breach originated in a phishing email sent to about 570 employees. The email was disguised to look like a memo about benefits changes written by the lab's HR department. When a handful of employees clicked on the embedded link in the email, malware was downloaded to their computers.
Such emails now appear to be the preferred method for breaking into corporate networks, said Anup Ghosh, founder of security firm Invincea.
"You only need a very low click-through rate to establish several points of presence inside an organization," Ghosh said. "If you have 1,000 employees in your organization and you train them all on not opening untrusted attachments, you'll still have someone doing it. This is not a problem you can train yourself out of."
Exacerbating the problem is the growing sophistication of phishing campaigns.
Organized cybercrime groups are using convincingly crafted emails to target high-level executives and employees within the organizations they want to attack. In many cases, the phishing emails are personalized, localized and designed to appear as though they originated from a trusted source.
Increasingly, information from social networking sites such as LinkedIn and Facebook is being used to make the targeted phishing attacks harder to detect, said John Pescatore, an analyst at Gartner. "With all the personal information and friends lists people expose on those sites," he added, "it is not that hard to craft a very personal-sounding email."
This version of this story was originally published in Computerworld's print edition. It was adapted from an article that appeared earlier on Computerworld.com.
Read more about Security in Computerworld's Security Topic Center.
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Surescripts Case Study- Securing Keys and Certificates Surescripts implemented Venafi's Trust Protection Platform™ to secure digital keys and certificates, ensure the privacy and confidentiality of electronic clinical information for its...
- Ponemon 2014 SSH Security Vulnerability Report According to research by the Ponemon Institute, 3 out of 4 enterprises have no security controls in place for SSH which leaves organizations...
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.
- Deep Dive into Advanced Networking and Security with Hybrid Cloud Security and networking are among the top concerns when moving workloads to the cloud. VMware vCloud® Hybrid Service™ enables you to extend your... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!