Recently Unity Point Healthcare reported the compromise of its internal email systems. The compromise was the result of a successful phishing attack. As discussed in the beginner blog, phishing is an older technique but is still very effective. In this case the phishing email appeared to come from one of the organization's executives, according to Unity Point Healthcare (2018). Further, the attackers maintained access to the internal email system for 2 weeks (Unity Point Healthcare, 2018).
Phishing emails continue to grow more sophisticated, and as a result organizations increasingly need to address the problem with effective security training. Specifically, as the Unity Point incident shows, attackers are using what is known as pretexting. Bisson (2018) explained that, unlike a typical phishing email designed to capitalize on fear and urgency, pretexting is a more complex scheme that presents a scenario that appears legitimate and removes the victim's doubts. An email that appears to come from a high-level executive is a prime example of a pretexting email.
There are several options that an organization should exercise to protect against potential phishing attacks. Ensuring that a quality firewall and email filter are in place can stop many phishing emails from reaching employees, because these tools catch the deviations pointed out in the beginner blog. Technical tools alone are not enough, however: the organization's security professionals must stay current with the phishing trends in their industry, learn to identify them early, and educate users on what to look for in such emails.
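As an added illustration, not part of the original post, the following filter rule flags the executive-impersonation pattern described above: a sender whose display name matches an executive but whose address is not that executive's, and a Reply-To that points to a different domain than the From address. The organization domain, the executive directory and the sample messages are all constructed for this example.

```python
# Added example: a minimal mail-filter check for executive-impersonation
# (pretexting) emails. Domain, directory and sample headers are constructed.
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-health.org"  # assumed internal domain
EXECUTIVES = {                     # assumed directory: display name -> real address
    "jane doe": "jane.doe@example-health.org",
    "sam patel": "sam.patel@example-health.org",
}

def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_message(raw: str) -> list[str]:
    """Return the reasons a message looks like executive impersonation.

    An empty list means no rule fired. The rules only inspect headers,
    so they run before the body or attachments are opened.
    """
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    display = name.strip().lower()
    reasons = []
    # Rule 1: display name is an executive, but the address is not theirs
    # (covers lookalike domains and free webmail accounts alike).
    if display in EXECUTIVES and addr.lower() != EXECUTIVES[display]:
        reasons.append(f"display name '{name}' matches an executive but sender is {addr}")
    # Rule 2: replies would go to a different domain than the sender's.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _domain(reply_to) != _domain(addr):
        reasons.append(f"Reply-To domain {_domain(reply_to)} differs from From domain {_domain(addr)}")
    return reasons

# Constructed sample messages (headers only).
SAMPLES = {
    "legit": "From: Jane Doe <jane.doe@example-health.org>\nSubject: Q3 numbers\n\nSee attached.\n",
    "lookalike": ('From: "Jane Doe" <jane.doe@example-heaIth.org>\n'   # capital I for l
                  "Reply-To: jane.doe@mail.example\nSubject: Urgent wire\n\nPlease handle today.\n"),
    "reply_to": "From: Sam Patel <sam.patel@example-health.org>\nReply-To: finance-desk@mail.example\n"
                "Subject: Invoice\n\nPay the attached invoice.\n",
}

def scan(samples: dict) -> dict:
    """Run check_message over every sample and return name -> reasons."""
    return {label: check_message(raw) for label, raw in samples.items()}

if __name__ == "__main__":
    for label, reasons in scan(SAMPLES).items():
        print(label, "->", reasons or "no rule fired")
```

Rule 1 depends on the executive directory being kept current; a stale entry produces no alert for that executive.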
Another option is to run regular phishing exercises to test the organization's vulnerabilities. For instance, automated phishing exercises can help identify negative trends and areas that require extra attention. To make such an exercise as effective as possible, it is important to know which tactics attackers are currently using, so that the same tactics are used in the training exercise. Regular use of these exercises can also help determine whether employees are 1) applying the security awareness training, and 2) adhering to the organization's policies and procedures regarding technology and incident reporting. To learn more about executing phishing exercises, continue to the King Phish post.
Bisson, D. (2018, July 02). 5 Social Engineering Attacks to Watch Out For. Retrieved from https://www.tripwire.com/state-of-security/security-awareness/5-social-engineering-attacks-to-watch-out-for/
Unity Point Healthcare. (2018). Security Substitute Notification [PDF].