
Don't get Hooked by Phishing Attacks

About the Author:

Philip Whitmore

Partner and Cyber Security Specialist at KPMG
Philip Whitmore leads KPMG's Cyber Security Services practice. He has over 20 years' experience in cyber security advisory and assurance, IT risk management and IT internal audit throughout New Zealand and the wider Asia-Pacific region.


With phishing attacks on the rise, and stories of New Zealand organisations losing hundreds of thousands of dollars to cyber security breaches becoming increasingly common, it has never been more important to ensure that your security is effective enough to prevent you becoming a victim.

Organisations stand to lose far more than their intellectual property and money in the aftermath of a phishing attack. Damage to reputation and brand can be just as devastating as theft of money and secrets. The increasing number of headlines we see should serve as a loud wake-up call to organisations as to just how difficult it is to prevent cyber-attacks, especially those with social-engineering aspects. A single employee can inadvertently cause a serious breach that could have a cascading effect throughout an organisation, as well as its customers and clients.

Phishing, Spear Phishing and Whaling

Phishing – A deceptive process by which a cyber criminal attempts to make you divulge sensitive or confidential information (such as passwords or credit card details), or attempts to make you undertake specific actions (such as downloading malware or making a payment to them).

Typically carried out via email, phishing attacks may also arrive via other channels such as instant messaging, text messages or phone calls. The phishing correspondence commonly appears to come from a legitimate party you may have a relationship with.

Spear Phishing – A targeted and more sophisticated form of phishing. Unlike standard phishing schemes that use mass communication, spear phishing targets individuals that fit a certain profile. For example, they may only target senior staff of a specific organisation, or users of a specific website.

Whaling – Phishing for the bigger fish. Phishing attacks targeted at senior members of staff. This can include, for example, a phishing email to the Chief Financial Officer appearing to come from the Chief Executive, in an attempt to get fraudulent payments made.

Combating Phishing Attacks

Fortunately, there are several proactive steps an organisation can take to minimise the likelihood and impact of a successful phishing attack. Organisations must understand that combating phishing attacks requires a three-tier focus, as no one element is sufficient on its own.

Prevent phishing attacks

1. Educate and train all staff

It is critical to provide ongoing training and education for everyone, in order to increase security awareness and minimise your risk. Remember that it only takes one staff member opening an attachment in a targeted email to open the door for cyber criminals to gain unauthorised access to your systems.

2. Filter inbound emails and outbound connections to websites

An effective email filter can deal with the majority of phishing emails before they even reach users. Outbound filtering of web traffic can also help prevent someone being tricked into visiting a malicious website designed to capture passwords or deliver malware.
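The filtering described above is usually done by a commercial gateway, but the kinds of indicators such a filter scores are easy to see in code. The following is an added example (not KPMG's code, nor any product's) that parses two constructed sample emails with Python's standard `email` library and counts common phishing indicators: a display name impersonating a senior staff member from an external address, a look-alike sender domain, a Reply-To that diverts replies elsewhere, failed SPF/DKIM/DMARC results recorded by an upstream mail server, and urgent-payment wording of the kind used in whaling. The organisation domain `example.co.nz`, the name `Jane Smith` and both messages are assumptions constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed organisation details (assumptions for this example only).
OUR_DOMAIN = "example.co.nz"
EXEC_NAMES = {"jane smith"}  # senior staff whose names attackers like to borrow


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to spot look-alike sender domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def score_message(raw: bytes) -> tuple[int, list[str]]:
    """Return (score, reasons); each reason is one phishing indicator found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []

    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(addr)

    # 1. Display name impersonates a senior person, but the address is external.
    if name.strip().lower() in EXEC_NAMES and from_dom != OUR_DOMAIN:
        reasons.append(f"display name '{name}' impersonates staff from external domain {from_dom}")

    # 2. Sender domain is within two edits of ours, but is not ours.
    if from_dom and from_dom != OUR_DOMAIN and levenshtein(from_dom, OUR_DOMAIN) <= 2:
        reasons.append(f"look-alike sender domain {from_dom}")

    # 3. Reply-To sends replies to a different domain than the visible From.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and domain_of(reply) != from_dom:
        reasons.append(f"Reply-To domain {domain_of(reply)} differs from From domain {from_dom}")

    # 4. The receiving mail server recorded an SPF/DKIM/DMARC failure.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{mech}=(fail|softfail|permerror)", auth):
            reasons.append(f"{mech} failed")

    # 5. Urgent payment language typical of CEO-fraud / whaling lures.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if re.search(r"\b(urgent|immediately|wire transfer|bank details)\b", text):
        reasons.append("urgent payment language in body")

    return len(reasons), reasons


# Constructed sample messages (not real correspondence).
SAMPLE_PHISH = b"""From: Jane Smith <jane.smith@examp1e.co.nz>
Reply-To: payments@mail-relay.example
To: cfo@example.co.nz
Subject: Urgent payment
Authentication-Results: mx.example.co.nz; spf=fail smtp.mailfrom=examp1e.co.nz; dkim=none
Content-Type: text/plain; charset=utf-8

Please process this wire transfer immediately, I am in a meeting.
"""

SAMPLE_LEGIT = b"""From: Jane Smith <jane.smith@example.co.nz>
To: cfo@example.co.nz
Subject: Board pack
Authentication-Results: mx.example.co.nz; spf=pass smtp.mailfrom=example.co.nz; dkim=pass header.d=example.co.nz
Content-Type: text/plain; charset=utf-8

Attached is the board pack for next week.
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        score, why = score_message(raw)
        print(label, score, why)
```

A real gateway would weight these indicators rather than simply count them, and would add attachment and URL inspection; the point of the sample is that the first phishing message trips all five checks while the genuine one trips none.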

Limit the impact of being phished

3. Implement multi-factor authentication

Organisations should implement multi-factor authentication for remote access. Multi-factor authentication typically requires both something you know (such as a password) and something you have (such as a cell phone to which a text message may be sent) to gain remote access. If someone inadvertently discloses their password as part of a phishing attack, unauthorised access cannot be gained, as the attacker will not have the second factor. In implementing multi-factor authentication, don’t just consider the VPN (Virtual Private Network) used for remote access. Apply it to all forms of remote access, including webmail, remote Citrix or RDP/terminal services, and access to Office 365.
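To make the "something you know plus something you have" point concrete, here is an added example (not KPMG's code) of a login check that requires both a password and a time-based one-time code. It uses an authenticator-app style code (RFC 6238 TOTP, HMAC-SHA1) rather than the text-message code mentioned above, because TOTP can be implemented and verified offline from the standard library. The user `alice`, her password and the TOTP secret `12345678901234567890` (the RFC 6238 test secret) are constructed for the example.

```python
import hashlib
import hmac
import os
import struct
import time

STEP = 30          # TOTP time step in seconds (RFC 6238 default)
PBKDF2_ROUNDS = 200_000


def totp(secret: bytes, for_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 for the given Unix time."""
    counter = for_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to tolerate small clock drift."""
    return any(
        hmac.compare_digest(totp(secret, now + d * STEP), code)
        for d in range(-window, window + 1)
    )


def make_user(password: str, totp_secret: bytes) -> dict:
    """Store a salted PBKDF2 hash of the password plus the shared TOTP secret."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret}


# Constructed user store (assumption for this example).
USERS = {"alice": make_user("correct horse battery staple", b"12345678901234567890")}


def authenticate(username: str, password: str, code: str, now: int) -> str:
    """Both factors must pass; a phished password alone yields no access."""
    user = USERS.get(username)
    if user is None:
        return "denied"
    expected = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    if not hmac.compare_digest(expected, user["pw_hash"]):
        return "denied"
    if not verify_totp(user["totp_secret"], code, now):
        return "denied: second factor required"
    return "ok"


if __name__ == "__main__":
    now = int(time.time())
    current = totp(USERS["alice"]["totp_secret"], now)
    print(authenticate("alice", "correct horse battery staple", current, now))    # ok
    print(authenticate("alice", "correct horse battery staple", "000000", now))   # denied: second factor required
```

The `verify_totp` window of one step is the usual compromise between tolerating phone clock drift and keeping the code's validity short; the test vectors below are the published RFC 6238 values for the SHA-1 variant truncated to six digits.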

4. Use application whitelisting

Application whitelisting is an approach that only allows approved software to run on your workstation. If someone is manipulated into downloading malware, the malware won’t execute, as it hasn’t been approved to run.

5. Limit who has administrative access of their workstation

Most people do not need administrative access to their laptop or desktop computer. Limiting administrative access to those staff who absolutely need it (on a temporary basis) to do their jobs limits the ability of any malware delivered by a phishing attack to run.

6. Apply patches on a timely basis

Effective patch management and up-to-date applications, including web browser add-ons such as Java and Adobe Flash, are critical components of an effective defence. You should confirm that patches (security updates) are being regularly applied on a timely basis to combat the security vulnerabilities they are designed to address.

7. Control which macros can be run in Microsoft Office documents

Roughly half of the malware seen in New Zealand is delivered via weaponised (1) Microsoft Office files, such as Word documents and Excel spreadsheets. The cyber criminals weaponise the documents using the built-in macro features. While we often think of macros as a benign feature to help us execute tasks more quickly, macros are in fact programs written in a full programming language, Visual Basic.

Microsoft Office can be configured to block macros altogether, or alternatively configured to run only specific macros. These can be macros located in a specific location on a server or workstation, or macros which have been given the stamp of approval (through a process called signing).
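The macro controls above act on the workstation. A complementary check at the mail gateway or file share is to identify which incoming Office files carry macro code at all, so that they can be quarantined or routed for review before anyone opens them. The following is an added example (not KPMG's code) that inspects modern Office files, which are ZIP archives in the OOXML format, for the `vbaProject.bin` part where VBA is stored, and also flags files whose extension (for example `.docx`) does not declare the macro content they contain. The two sample documents are built in memory and their `vbaProject.bin` is a constructed placeholder, not real macro code.

```python
import io
import zipfile

# Parts where OOXML stores VBA for Word, Excel and PowerPoint.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Extensions that openly declare macro content.
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm")


def inspect_office_file(filename: str, data: bytes) -> dict:
    """Report whether an OOXML file carries VBA and whether its name admits it."""
    result = {
        "is_ooxml": False,
        "has_vba": False,
        "extension_says_macro": filename.lower().endswith(MACRO_EXTENSIONS),
        "extension_hides_macro": False,
        "verdict": "allow",
    }
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace") \
                if "[Content_Types].xml" in names else ""
    except zipfile.BadZipFile:
        # Legacy binary .doc/.xls files are not ZIP-based and need a separate parser.
        result["verdict"] = "review: not an OOXML file"
        return result

    result["is_ooxml"] = True
    result["has_vba"] = any(p in names for p in MACRO_PARTS) or \
        "application/vnd.ms-office.vbaProject" in content_types
    if result["has_vba"]:
        result["extension_hides_macro"] = not result["extension_says_macro"]
        result["verdict"] = "block"
    return result


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML Word file in memory (placeholder content only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = ('<?xml version="1.0" encoding="UTF-8"?>'
                 '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                 '<Override PartName="/word/document.xml" ContentType='
                 '"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
        if with_macro:
            types += ('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
        types += "</Types>"
        zf.writestr("[Content_Types].xml", types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Constructed placeholder bytes; a real part is an OLE compound file.
            zf.writestr("word/vbaProject.bin", b"CONSTRUCTED PLACEHOLDER - NOT REAL VBA")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_office_file("report.docm", build_sample_docx(True)))
    print(inspect_office_file("report.docx", build_sample_docx(True)))   # extension hides the macro
    print(inspect_office_file("report.docx", build_sample_docx(False)))
    print(inspect_office_file("notes.txt", b"plain text"))
```

Blocking on the presence of `vbaProject.bin` is deliberately coarse: it lets an organisation that has decided macros from outside should never run enforce that at the perimeter, while the signing and trusted-location rules described above govern the approved macros that remain.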

8. Strengthen the security of Windows and Microsoft Office

Windows and Microsoft Office provide a high degree of configurability. In order to bolster the defence provided, it’s necessary to ‘harden’ both Windows and Office. Hardening is the process by which all unnecessary aspects are removed or disabled, and the strength of all remaining aspects is increased through the setting of tighter permissions.

9. Ensure backup processes are effective

Backups provide the last line of defence for when it all goes wrong. It is therefore critical you are backing up important data on a regular basis – usually daily. You also need to test that you can restore from backups when needed.

If you are backing up to a portable hard drive plugged into a computer, don’t leave the hard drive plugged in when you’ve finished backing up. Otherwise in the event of a ransomware attack, you’re likely to find that all of your backups are encrypted and unable to be restored.

Detect and respond to phishing attacks

10. Implement detective controls within your internal network

You can’t deal with what you don’t know about. Detective controls (such as the KPMG ThreatInspect solution) give you early warning of a security incident, allowing you to deal with it before it escalates and becomes significant. Detective controls need not be expensive, and can reduce the detection time for an intrusion from an average of over a year in New Zealand to a handful of minutes.

11. Establish and test a security incident response process

By developing a security incident response process that defines the key steps to contain and recover from a security breach, the impact is likely to be much less than if you had not prepared. In addition, the organisation should test its plan periodically to help ensure that staff are prepared to respond to an incident and that the planned steps are effective.

Philip Whitmore

Partner, Cyber Security Services

KPMG

09 367 5931

www.kpmg.com/nz/cyber

