InfoSec Awareness: Spear-phishing

Spear-phishing is increasingly being used to penetrate systems as the preliminary stage of an Advanced Persistent Threat (APT) attack, to create a point of entry into the organisation. Employees are targeted with emails containing information personal to them. The unsuspecting employee opens an attachment within the email, or downloads a linked file, which executes and silently installs an APT on a network node within the enterprise.

Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. Spear phishing attempts are not typically initiated by “random hackers” but are more likely to be conducted by perpetrators out for financial gain, trade secrets or military information. If a single employee falls for the spear phisher’s ploy, the attacker can masquerade as that individual and use social engineering techniques to gain further access to sensitive data.

Recent findings show that 91% of APT attacks begin with spear-phishing emails, and that cyber-criminals are targeting mobile devices using personal data gleaned from social networks. Trust has eroded in the face of increased spear-phishing and other legitimate-appearing messages based on sophisticated social engineering. Reliable email security requires real-time threat analysis methods that coordinate with web, mobile and other defenses.

Attacks such as Flame, Zeus, Stuxnet and Red October were often delivered as the result of highly targeted spear-phishing messages sent to select individuals or groups. Many of these attacks have a long shelf life. By constructing new emails, cybercriminals can use the same malware repeatedly for several years with only minor changes.

How can CISOs handle this?

Employee or user education and continuous programs on Infosec awareness would go a long way in building defences against social engineering, phishing and spoofing attacks. A formalised BYOD policy or guidelines, and well-circulated do’s and don’ts for all users on the network, would support those efforts.
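Awareness training works best when it is backed by automated screening of the same indicators users are taught to spot. As an added example (not code from the original post), the Python routine below parses an inbound message and flags the classic spear-phishing tells: a Reply-To domain that differs from the sender, a sender domain that resembles the organisation’s own, an attachment with an executable or double extension, and a link whose visible text names a different host than its actual target. The internal domain `example.com`, the helper names and both sample messages are constructed for this illustration.

```python
"""Heuristic screening of inbound mail for common spear-phishing indicators."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"  # assumed: the organisation's own mail domain
RISKY_EXTENSIONS = {"exe", "scr", "js", "vbs", "jar", "bat", "cmd", "hta", "lnk"}
HREF_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Link text that itself looks like a URL or bare hostname (captures the host)
URLISH_RE = re.compile(r"(?:https?://)?([\w.-]+\.[a-z]{2,})(?:/\S*)?", re.I)


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def _looks_like(candidate, target):
    """Crude lookalike test: same letters once dots/hyphens are stripped,
    or the target's main label embedded in a longer, foreign domain."""
    strip = lambda s: re.sub(r"[.\-]", "", s)
    base = target.rsplit(".", 1)[0]  # 'example' for 'example.com'
    return candidate != target and (strip(candidate) == strip(target) or base in candidate)


def assess_message(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"reply-to domain {_domain(reply_addr)} differs from sender domain {from_dom}")
    if _looks_like(from_dom, INTERNAL_DOMAIN):
        findings.append(f"sender domain {from_dom} resembles internal domain {INTERNAL_DOMAIN}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment {name} has executable extension")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for href, text in HREF_RE.findall(body.get_content()):
            m = URLISH_RE.fullmatch(text.strip())
            if m:
                shown, actual = m.group(1).lower(), (urlparse(href).hostname or "").lower()
                if shown != actual:
                    findings.append(f"link text shows {shown} but points to {actual}")
    return findings


def build_sample(sender, reply_to, html, attachment_name):
    """Constructed sample message (not a real capture) for exercising the checks."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "j.smith@example.com"
    m["Subject"] = "Updated payroll details"
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content("Please see the attached document.")
    m.add_alternative(html, subtype="html")
    if attachment_name:
        m.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_string()


# Constructed samples: one carrying all four indicators, one clean internal mail.
SUSPICIOUS = build_sample(
    "HR Department <hr@example-payroll.net>", "hr-desk@freemail.test",
    '<p>Review at <a href="http://198.51.100.7/login">https://portal.example.com/login</a></p>',
    "payroll_update.pdf.exe")
BENIGN = build_sample(
    "HR Department <hr@example.com>", None,
    '<p>Review at <a href="https://portal.example.com/login">https://portal.example.com/login</a></p>',
    "payroll_update.pdf")

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, assess_message(raw) or ["no indicators"])
```

Each finding maps directly to a line in an awareness briefing (“check where the reply really goes”, “hover before you click”), so the same rules can be used to score simulated phishing exercises as well as to triage real mail.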


Now China blames the US!!

Beijing says defence ministry and another site subjected to 1.7m attacks last year, two-thirds of which came from within America
Two Chinese military websites were subject to about 144,000 hacking attacks a month last year, almost two-thirds of which came from the US, China’s defence ministry has said.

Earlier this month the US security company, Mandiant, identified the Shanghai-based Unit 61398 of the Chinese army as the most likely culprits behind the hacking targeting the US, triggering a war of words between Washington and Beijing. China denied the allegations and said it was the victim.

Beijing has now provided some details for the first time of the alleged attacks from the US. “The defence ministry and China military online websites have faced a serious threat from hacking attacks since they were established, and the number of hacks has risen steadily in recent years,” said a ministry spokesman, Geng Yansheng, on Thursday.

“According to the IP addresses, the websites were, in 2012, hacked on average from overseas 144,000 times a month, of which attacks from the US accounted for 62.9%.”

“We hope that the US side can explain and clarify this,” he added.

Leaving the war of words between the mighty powers aside, the real question is whether organizations are prepared to secure their IT resources from hackers – cross-border or employees – and to manage the risk.

Hacked? Blame China and forget!!

Thanks to the global media and IT security forums for headlines and discussions in recent weeks, you can hardly have missed the news that digital forensic investigation firm Mandiant has accused People’s Liberation Army (PLA) Unit 61398, a Chinese military cyber operations group, of launching persistent threat attacks against many businesses and government organizations since 2006.

The panic button, pointing at Chinese hackers, has been pressed. Well, what next?

“If you know that the People’s Liberation Army is spying on you, do you change your defenses? How? Do you look for Chinese language intrusion prevention tools?” said Alan Paller, director of research for SANS, in a recent newsletter.

Consider the Department of Revenue of South Carolina, which stored 3.3 million bank account numbers, as well as 3.8 million tax returns containing Social Security numbers for 1.9 million children and other dependents, in an unencrypted format. When the infamous data breach was detected, the blame was put on unnamed Russian hackers. The state has now urged anyone who has filed a tax return in South Carolina since 1998 to contact law enforcement officials. Why did South Carolina authorities not learn anything from the Utah and Texas breaches?

Very recently, we were all flooded with reports that tech giants Apple, Facebook, Twitter and Microsoft were all compromised by attackers who gained access to a third-party iOS development website, then used it to infect visitors’ Mac OS X systems with drive-by malware attacks thanks to a zero-day vulnerability in Java. These companies responded cautiously to the attacks and still claim to be maintaining the best standards of security.

Seriously speaking, does it matter who attacked them?

Across the globe, IT has become highly critical for the survival of businesses. The important issue is whether you have an effective and up-to-date information security policy and practices document. Do you have and follow robust information security practices? Can your network be owned by anyone – a hacker, an ex-employee, an inside agent engaged in corporate espionage, cross-border agencies? Is your data safe, with strong need-to-access practices and logs that are reviewed meaningfully?

In essence, the question is a simple and straightforward one – are you able to protect your business in a cost-effective way? Or even simpler – do you have an IT Governance framework?