Educating users about “spear phishing” by testing them via mock phishing drills can help protect organizations against the new trend in online crime, experts said Wednesday.
In a press briefing organized by the SANS Institute, Alan Paller, SANS research director, defined spear phishing as a phishing attack that targets a small set of employees in an organization. The email used in such attacks is usually spoofed so that it appears to come from a senior official in the organization.
“Spear phishing is a firewall killer… It opens a window through the firewall that is almost impossible, right now, to technologically stop,” Paller said.
User education and awareness therefore become key, experts said. Two government security officials described how they have tried to thwart such attacks by staging mock spear phishing exercises against users within their own organizations in order to educate them.
Aaron J. Ferguson, assistant professor and National Security Agency visiting fellow at the United States Military Academy at West Point, said a proof-of-concept email security exercise tested 400 cadets with an email that appeared to come from an Army colonel. Eighty percent clicked on the embedded link.
However, that click rate fell somewhat in subsequent tests of larger groups of cadets, and more cadets reported receiving suspicious emails, Ferguson said.
“These guys doing the spear phishing are becoming more sophisticated,” he said. “Technology is not the issue in a sense that these spear phishing deployments are very high-tech programs. It’s really the other end… they’re doing a lot of reconnaissance to exploit the culture of an environment [to get people to respond].”
William Pelgrin, director of the New York State Office of Cyber Security and Critical Infrastructure, said the state conducted two phishing exercises with employees from five agencies. The first involved a fake security bulletin, the second appeared to come from an agency help desk.
“This whole exercise was predicated on being a learning exercise. It was not about ‘I got you’,” Pelgrin said. “It was something that would educate and make people aware.”
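The two exercises described above, at West Point and in New York State, share a mechanism: each recipient gets a drill email with an embedded link, and the organization measures who clicked and who reported it. The following is an added illustration of how such a drill can be tracked and scored; it is not code from SANS, West Point, New York State or the Anti-Phishing Working Group. The `Drill` class, the token scheme, the addresses, the log format and the numbers are all constructed for the example. The design choice worth noting is that each link token is an HMAC over the drill name and the recipient address: it attributes a click to one person, cannot be guessed by other participants without the key, and changes from one round to the next so a link from the first drill cannot be replayed into the second and pollute its results.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class Drill:
    """One mock spear-phishing round sent to a cohort of recipients.

    Constructed example: a real deployment would send the email through
    the mail system and log clicks from the web server behind base_url.
    """
    name: str
    base_url: str
    key: bytes
    recipients: dict = field(default_factory=dict)  # token -> address

    def token_for(self, address: str) -> str:
        # HMAC over drill name + address: stable within this drill, unguessable
        # without the key, and different in the next round so old links
        # cannot be replayed into a later drill.
        msg = f"{self.name}:{address}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:20]

    def enroll(self, address: str) -> str:
        """Register a recipient and return the personalised drill link."""
        tok = self.token_for(address)
        self.recipients[tok] = address
        return f"{self.base_url}/t/{tok}"

    def tally(self, log_lines):
        """Score a drill from log lines of the form '<timestamp> <event> <token>'.

        A person is counted once however many times they click, and tokens
        not issued by this drill (replays from an earlier round, random
        probing) are counted separately rather than attributed to anyone.
        """
        clicked, reported, unknown = set(), set(), 0
        for line in log_lines:
            parts = line.split()
            if len(parts) != 3:
                continue  # malformed line: skip rather than guess
            _ts, event, tok = parts
            who = self.recipients.get(tok)
            if who is None:
                unknown += 1
                continue
            if event == "click":
                clicked.add(who)
            elif event == "report":
                reported.add(who)
        n = len(self.recipients)
        return {
            "drill": self.name,
            "recipients": n,
            "click_rate": round(len(clicked) / n, 3) if n else 0.0,
            "report_rate": round(len(reported) / n, 3) if n else 0.0,
            "unknown_tokens": unknown,
        }


def run_sample():
    """Two constructed rounds against the same five-person cohort."""
    key = b"constructed-drill-key"  # keep the real key off the mail server
    cohort = [f"cadet{i}@example.test" for i in range(1, 6)]

    # Round 1: email appears to come from a senior officer.
    d1 = Drill("round1-colonel", "https://drill.example.test", key)
    t1 = {a: d1.enroll(a).rsplit("/", 1)[1] for a in cohort}
    log1 = [
        f"2005-02-01T09:00:00 click {t1[cohort[0]]}",
        f"2005-02-01T09:00:05 click {t1[cohort[0]]}",  # same person, counted once
        f"2005-02-01T09:01:00 click {t1[cohort[1]]}",
        f"2005-02-01T09:02:00 click {t1[cohort[2]]}",
        f"2005-02-01T09:03:00 click {t1[cohort[3]]}",
        f"2005-02-01T09:04:00 report {t1[cohort[4]]}",
    ]

    # Round 2: email appears to come from the help desk.
    d2 = Drill("round2-helpdesk", "https://drill.example.test", key)
    t2 = {a: d2.enroll(a).rsplit("/", 1)[1] for a in cohort}
    log2 = [
        f"2005-03-01T09:00:00 click {t2[cohort[0]]}",
        f"2005-03-01T09:01:00 report {t2[cohort[1]]}",
        f"2005-03-01T09:02:00 report {t2[cohort[2]]}",
        f"2005-03-01T09:03:00 click {t2[cohort[3]]}",
        f"2005-03-01T09:04:00 report {t2[cohort[4]]}",
        f"2005-03-01T09:05:00 click {t1[cohort[0]]}",  # replayed round-1 link
    ]
    return d1.tally(log1), d2.tally(log2)


if __name__ == "__main__":
    for result in run_sample():
        print(result)
```

Reporting the click and report rates per round, rather than per person, keeps the exercise a learning exercise in the sense Pelgrin describes: the per-recipient token is needed to de-duplicate and to reject stray tokens, but the output that leaves the drill team is the aggregate.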
Dave Jevans, chairman of the Anti-Phishing Working Group, said such exercises appear to be a worthwhile activity for organizations.
“We think that education is a cornerstone of preventing fraud and identity theft online,” he said.
In the future, email authentication will be a critical technology to fight phishing, but its deployment will take years, Jevans added.