Phishing emerges as major corporate security threat
Computerworld - The successful use of phishing emails to breach secure organizations like Oak Ridge National Laboratory and EMC's RSA security division is a stark reminder of the serious threat posed by a type of attack that was previously dismissed as low-tech.
The Oak Ridge lab last month disclosed that sophisticated data-stealing malware had infiltrated its networks. The breach originated in a phishing email sent to about 570 employees. The email was disguised to look like a memo about benefits changes written by the lab's HR department. When a handful of employees clicked on the embedded link in the email, malware was downloaded to their computers.
Such emails now appear to be the preferred method for breaking into corporate networks, said Anup Ghosh, founder of security firm Invincea.
"You only need a very low click-through rate to establish several points of presence inside an organization," Ghosh said. "If you have 1,000 employees in your organization and you train them all on not opening untrusted attachments, you'll still have someone doing it. This is not a problem you can train yourself out of."
Exacerbating the problem is the growing sophistication of phishing campaigns.
Organized cybercrime groups are using convincingly crafted emails to target high-level executives and employees within the organizations they want to attack. In many cases, the phishing emails are personalized, localized and designed to appear as though they originated from a trusted source.
Increasingly, information from social networking sites such as LinkedIn and Facebook is being used to make the targeted phishing attacks harder to detect, said John Pescatore, an analyst at Gartner. "With all the personal information and friends lists people expose on those sites," he added, "it is not that hard to craft a very personal-sounding email."
This version of this story was originally published in Computerworld's print edition. It was adapted from an article that appeared earlier on Computerworld.com.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts