Be Alert, Be Watchful, Be Vigilant
by Marc Washington
As a Cyber Security Operations Chief, I see organizations targeted daily by internal and external actors, domestic and foreign, who want to steal proprietary information. These attackers are not after your banking details; they want sensitive information about your organization. No matter what safeguards and defenses are in place, there is one source they can count on to get them what they want: you, the employee.
One method adversaries use to reach your organization's sensitive data is spear-phishing: a targeted e-mail, usually sent under a spoofed or look-alike sender, crafted for a specific person or organization in order to gain unauthorized access to confidential data. Because spear-phishing targets the individual rather than the network perimeter, technical controls alone have a hard time stopping it, and your organization needs your help to mitigate the threat.
Cyber attackers are extremely persistent. Even when facing substantial defenses, they can always fall back on spear-phishing to try to get around them. Spear-phishers gather information about your job and your social networks, much of it publicly available, and supplement it with data stolen from other compromised computers. Armed with this information, they can craft remarkably authentic-looking e-mails that trick you into clicking a link or opening an attachment, and that one click can give them a foothold inside our defenses from which to reach your organization's data. On the subject of social networking, one piece of advice: please don't post anything you wouldn't want everyone in the world to see. Just because they don't see it today doesn't mean they can't.
So why should you care? Obviously, you don't want anyone going through your personal data, and of course you want to protect your company's data. But we must look at the bigger picture. Nation-state sponsored attackers don't just try to steal information from you and your company. They steal data from hundreds or thousands of other people, and from dozens of companies, defense contractors and government agencies. These cyber-enemies can then aggregate all this Sensitive But Unclassified (SBU) and For Official Use Only (FOUO) data, each piece unclassified on its own, reconstruct entire projects (for example, sensitive military research and development), and then plot to neutralize or thwart our strategies and technologies.
Armed with the information they have harvested through you and others, these enemies can accelerate or replicate U.S. projects in weeks rather than spending years on arduous and expensive research to create their own technologies. They not only damage your organization; with your unintentional help, they can use this data to threaten national security.
By learning to recognize spear-phishing e-mails, you can help fight this threat, even when a message appears to come from someone you trust and concerns a subject that applies directly to you.
Here is an example of what a spear-phishing e-mail
might look like:
Here are clues you can look for:
· Misspellings and bad grammar
· Links in the e-mail – DO NOT OPEN THEM until you have checked where they really lead!
· A sense of urgency ("respond within 24 hours", "your account will be suspended")
· An attachment you were not expecting – DO NOT OPEN IT!
· Work-related e-mail sent from a Yahoo or Gmail account
· The time the e-mail was sent (e.g., a colleague apparently working during non-work hours)
If you receive an e-mail that you suspect is bogus, do not click on any links or open any attachments. Although an icon may look innocent, it may be disguised, and by clicking it you could launch a program that runs in the background and sends information from your computer to an undisclosed recipient without your knowledge. A good technique for determining where a link will take you is to hover the mouse pointer over it before you click; most mail clients then display the true destination, which may differ completely from the text you see. Bear in mind that a touchscreen device offers no hover, and that a shortened or redirecting link can still hide its final destination. If the link looks suspicious and you are on your home computer, delete the e-mail. If you are at work, leave the message in place and contact your organization's IT or security department for assistance, since they may want it for investigation.
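The clues listed above, together with the hover-over-the-link check, can be turned into a simple triage script. The following is an added example for this article, not code from the original, and it uses only the Python standard library. It assumes a working-hours window of 07:00 to 19:00 in the sender's own UTC offset, a short list of webmail domains, urgency phrases and executable file suffixes, and two constructed sample messages on reserved test names (example-corp.test, the documentation address 198.51.100.23); all of these are illustrative choices, not values from the article.

```python
"""Heuristic spear-phishing triage of a raw e-mail message (added example).

Scores the clues the article lists: a work-related message from a webmail address,
urgency wording, an off-hours send time, an unexpected (or executable) attachment,
and a link whose visible text does not match its real target, which is what hovering
over the link reveals. SPEAR and BENIGN are constructed samples on reserved test names.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr, parsedate_to_datetime
from html.parser import HTMLParser
from urllib.parse import urlparse

FREEMAIL_DOMAINS = {"yahoo.com", "gmail.com", "hotmail.com", "outlook.com"}  # assumed list
EXEC_SUFFIXES = (".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd")       # assumed list
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|action required"
                     r"|account (will be )?suspended)\b", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Lowercased host of a URL (or of text that merely looks like one), else ''."""
    if not re.match(r"^(https?://|www\.)", text, re.I):
        return ""
    return (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()


def triage(raw):
    """Return (clue, detail) tuples for each of the article's clues found in the message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender.rpartition("@")[2] in FREEMAIL_DOMAINS:
        findings.append(("freemail-sender", sender))
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    if URGENCY.search(msg.get("Subject", "") + " " + text):
        findings.append(("urgency", "urgency wording in subject or body"))
    try:  # hour as written in the sender's own UTC offset; working hours assumed 07:00-19:00
        sent = parsedate_to_datetime(msg["Date"])
        if sent.weekday() >= 5 or not 7 <= sent.hour < 19:
            findings.append(("off-hours", sent.isoformat()))
    except (TypeError, ValueError):
        findings.append(("off-hours", "missing or unparsable Date header"))
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        findings.append(("attachment", name))
        if name.lower().endswith(EXEC_SUFFIXES):
            findings.append(("executable-attachment", name))
    if body is not None and body.get_content_type() == "text/html":
        extractor = LinkExtractor()
        extractor.feed(text)
        for href, shown in extractor.links:
            target, displayed = host_of(href), host_of(shown)
            if displayed and displayed != target:  # what hovering over the link would reveal
                findings.append(("link-mismatch", f"shows {displayed}, points to {target}"))
    return findings


# Constructed sample: webmail sender, urgent subject, Saturday 02:17, IP link, .exe attachment.
SPEAR = b"""From: "Dana Reyes (HR)" <dana.reyes.hr@gmail.com>
To: employee@example-corp.test
Subject: URGENT: updated benefits form, respond within 24 hours
Date: Sat, 14 Jan 2023 02:17:44 -0500
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please review your updated benefits form immediately at
<a href="http://198.51.100.23/login">https://hr.example-corp.test/benefits</a>
and complete the attached form.</p>
--b1
Content-Type: application/octet-stream; name="benefits_form.pdf.exe"
Content-Disposition: attachment; filename="benefits_form.pdf.exe"

MZ placeholder (constructed, not a real executable)
--b1--
"""

# Constructed sample of an ordinary internal notice that should raise no clue.
BENIGN = b"""From: HR Team <hr@example-corp.test>
To: employee@example-corp.test
Subject: Reminder: benefits enrollment opens next week
Date: Tue, 17 Jan 2023 10:05:00 -0500
Content-Type: text/plain; charset="utf-8"

The enrollment portal opens Monday. Nothing is needed from you before then.
"""
```

Running `triage(SPEAR)` reports all six clues, including the link whose visible text names the HR portal but whose real target is a bare IP address; `triage(BENIGN)` returns an empty list. The heuristics are deliberately crude: a mail gateway would add sender authentication (SPF, DKIM, DMARC) and URL reputation, and the off-hours window should be expressed in the organization's local time rather than whatever offset the sender chose to write.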
It is good practice to scan every e-mail for these clues before you act on it, so you can decide whether it is a legitimate message deserving your attention. We all need to be vigilant about our inboxes wherever we read them: on the road (laptops, smartphones and any other mobile device), at home, and at the office.