Phishing emerges as major corporate security threat
Computerworld - The successful use of phishing emails to breach secure organizations like Oak Ridge National Laboratory and EMC's RSA security division is a stark reminder of the serious threat posed by a type of attack that was previously dismissed as low-tech.
The Oak Ridge lab last month disclosed that sophisticated data-stealing malware had infiltrated its networks. The breach originated in a phishing email sent to about 570 employees. The email was disguised to look like a memo about benefits changes written by the lab's HR department. When a handful of employees clicked on the embedded link in the email, malware was downloaded to their computers.
Such emails now appear to be the preferred method for breaking into corporate networks, said Anup Ghosh, founder of security firm Invincea.
"You only need a very low click-through rate to establish several points of presence inside an organization," Ghosh said. "If you have 1,000 employees in your organization and you train them all on not opening untrusted attachments, you'll still have someone doing it. This is not a problem you can train yourself out of."
Exacerbating the problem is the growing sophistication of phishing campaigns.
Organized cybercrime groups are using convincingly crafted emails to target high-level executives and employees within the organizations they want to attack. In many cases, the phishing emails are personalized, localized and designed to appear as though they originated from a trusted source.
Increasingly, information from social networking sites such as LinkedIn and Facebook is being used to make the targeted phishing attacks harder to detect, said John Pescatore, an analyst at Gartner. "With all the personal information and friends lists people expose on those sites," he added, "it is not that hard to craft a very personal-sounding email."
This version of this story was originally published in Computerworld's print edition. It was adapted from an article that appeared earlier on Computerworld.com.
Read more about Security in Computerworld's Security Topic Center.
- Securing Mobility, From Device to Network At one time, the process of managing and securing mobile devices and applications was fairly straightforward. Most organizations worried about one application (email)...
- Data Protection eGuide In this eGuide, CSO and sister publications IDG News Service, Computerworld, and CIO pull together news, trend, and how-to articles about the increasingly...
- Warning: Cloud Data at Risk Experts agree that relying on SaaS vendors to backup and restore your data is dangerous. Yet that's exactly what huge portions of the...
- The Opportunities and Challenges of the Cloud In this report F5 poses questions to IDC analysts, Sally Hudson and Phil Hochmuth, on behalf of F5's customers to better understand the...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!