Don’t Take the Bait: Phishing
- May 9, 2023
- Posted by: admin
- Category: Blog
Phishing is a common tactic used to trick people into disclosing sensitive information or downloading malware. Attackers send emails, or other forms of message, that appear to come from a reputable source, with the intent of stealing or misusing the recipient's information.
Unfortunately, phishing is the most common attack technique in use. As technical controls have become more advanced, exploiting human error has become the weapon of choice for many malicious actors over the past few years. According to Kaspersky, the final tally of phishing attacks for 2022 was expected to exceed 500 million, and those are only the attempts Kaspersky detected; an estimated 3 billion phishing emails are sent every day. Add the rise of smishing (text-message phishing), which reached 255 million attacks in just six months of 2021, and vishing (voice phishing, in which the victim is talked into handing over personal or financial information, or making a payment, over the phone), to which one in three Americans have reportedly fallen victim, and the average person must be very careful about sharing their information.
Phishing attacks try to convince the target to divulge credentials and identifiers such as usernames, passwords, credit card numbers, or Social Security numbers. Attackers can then use that information against your organization to steal sensitive data or money, or to commit identity theft, putting your whole company and its assets at risk.
The original post shows three example phishing emails as images: one annotated with notes on what to look for, a second with a suspicious element for the reader to spot, and a fake two-factor code the recipient never requested.
Generally, these social engineering tactics create panic or a sense of urgency to push you into giving out valuable information. The email or text is made to look genuine, but it is anything but. Once you have handed the information to a malicious actor, it is already too late. The best way to protect your organization against these attacks is to train employees on the dangers of phishing and on what they should look out for.
A targeted form of phishing, known as spear phishing, fixates on specific individuals or groups within an organization, using email, social media, instant messaging, and other platforms to get people to divulge personal information or perform actions that lead to network compromise, data loss, or financial loss. Where ordinary phishing relies on a mass-email approach to random individuals, spear phishing focuses on specific targets using individualized research.
Spear phishing attacks traditionally involve an email with an attachment, or a text with a request and/or a link to a malicious website. The email or text includes details specific to the target, such as their name, email address, place of employment, and title or job role (attacks aimed at senior executives are known as whaling). This personalization boosts the chances that the victim will carry out every action needed for infection, including opening the email and then the attachment or the link.
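The tells described above (a look-alike sender domain, a Reply-To that goes somewhere else, urgency language, an unrequested one-time code, and a link whose visible text does not match where it points) can be checked mechanically before a message ever reaches a person. The script below is an added illustrative example, not code from the original post or from CyberSolve. The trusted domain, the homoglyph table, the keyword list and the sample message are all constructed for the demo and are assumptions, not real traffic.

```python
"""Heuristic phishing triage of a raw RFC 822 message (added example, constructed data)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser

TRUSTED_DOMAINS = {"example-corp.com"}  # assumption: the organisation's own domain
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify", "within 24 hours")
# digits and symbols attackers swap for letters in look-alike domains
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"})

# Constructed sample message: every heuristic below fires on it.
SAMPLE = """\
From: IT Support <helpdesk@examp1e-corp.com>
Reply-To: recovery@mail-secure-login.net
To: jane.doe@example-corp.com
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: text/html; charset=utf-8

<p>Your verification code is 483920. Verify immediately at
<a href="http://examp1e-corp.com.login-reset.net/">https://example-corp.com/sso</a>
or your access will be suspended.</p>
"""


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True when `domain` imitates a trusted domain without being it or a subdomain of it."""
    domain = domain.lower()
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return False
    folded = domain.translate(HOMOGLYPHS)  # examp1e-corp.com -> example-corp.com
    return any(edit_distance(folded, t) <= 2 or t in folded for t in TRUSTED_DOMAINS)


def host_of(url):
    """Hostname of an http(s) URL, or '' when the text is not a URL."""
    m = re.match(r"https?://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from anchors in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")

    def handle_data(self, data):
        if self._href is not None:
            self.links.append((self._href, data.strip()))

    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None


def triage(raw_message):
    """Return human-readable findings; an empty list means no tell fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    _display, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if is_lookalike(sender_domain):
        findings.append(f"sender domain '{sender_domain}' impersonates a trusted domain")

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_to.rsplit("@", 1)[-1].lower() if reply_to else ""
    if reply_domain and reply_domain != sender_domain:
        findings.append(f"Reply-To domain '{reply_domain}' differs from sender domain '{sender_domain}'")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    haystack = (msg.get("Subject", "") + " " + text).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    if re.search(r"\b\d{6}\b", text) and "code" in haystack:
        findings.append("contains a one-time code; unsolicited unless the recipient just started a login")

    collector = LinkCollector()
    collector.feed(text)
    for href, visible in collector.links:
        actual = host_of(href)
        looks_like_domain = re.fullmatch(r"[\w.-]+\.[a-z]{2,}", visible, re.I)
        shown = host_of(visible) or (visible.lower() if looks_like_domain else "")
        if shown and shown != actual:
            findings.append(f"link text shows '{shown}' but points to '{actual}'")
        elif is_lookalike(actual):
            findings.append(f"link host '{actual}' impersonates a trusted domain")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("-", finding)
```

These are heuristics, not proof: a legitimate password-reset mail will also contain a six-digit code and the word "verify", so the findings belong in a triage queue or a user-facing banner rather than a hard block. Authentication results (SPF, DKIM, DMARC) from the receiving gateway are a stronger signal and should be checked alongside them.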
How Can CyberSolve Help?
At CyberSolve we strive to ensure that not only your technology but your employees themselves are protected from divulging information to malicious attackers. We offer assessments to identify the risk, and remediation methods to manage or eliminate it.
1. Integration with Target Applications
Integrating IGA solutions with existing infrastructure, applications, and systems can be challenging. Organizations must ensure that the IGA solution is compatible with their current environment and that it can support all necessary integrations.
Most of the cost of deploying and maintaining an IGA solution comes from building and maintaining the integrations between applications and the IGA platform. Modern cloud applications expose programming interfaces for standards-based integration (SCIM, for example). Legacy applications usually lack such interfaces, which makes integration more challenging. Regardless of how easy building the connection is, the data consumed by the IGA platform still has to be transformed, and workflows still have to be created to automate provisioning.
Prioritizing the applications in your environment is key to overcoming this challenge, because it lets you deliver value to the organization quickly. Is the JD Edwards application running your banking processes critical? Sure, but perhaps you can delay tackling that complex integration for a while. If the application must be included before an API integration is feasible, consider collecting its account and entitlement data through file exports. Manual steps should be logged and tracked through a service management platform such as ServiceNow or Jira.
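A file-based integration still has to do the core IGA job: tie every application account back to an authoritative identity and find the ones that should not exist. The script below is an added illustrative example, not CyberSolve's or any vendor's code. It reconciles a constructed account export from a hypothetical legacy application against a constructed HR feed, classifies each account, and emits ticket-ready lines for the manual remediation steps the text says should be tracked in a service management platform. Column names and the application name are assumptions.

```python
"""Flat-file reconciliation of application accounts against the HR feed (added example, constructed data)."""
import csv
import io

# Constructed HR extract: the authoritative identity source.
HR_FEED = """\
employee_id,email,status
1001,jane.doe@example-corp.com,active
1002,raj.patel@example-corp.com,terminated
1003,li.wei@example-corp.com,active
"""

# Constructed export from a hypothetical legacy app with no API.
APP_EXPORT = """\
account,owner_email,entitlements
jdoe,jane.doe@example-corp.com,GL_POST;AP_VIEW
rpatel,raj.patel@example-corp.com,AP_CREATE_VENDOR
svc_batch,,AP_PAY;AP_CREATE_VENDOR
lwei,LI.WEI@example-corp.com,AP_VIEW
"""


def load_identities(hr_csv):
    """Map lower-cased work email -> HR status."""
    return {row["email"].strip().lower(): row["status"].strip().lower()
            for row in csv.DictReader(io.StringIO(hr_csv))}


def reconcile(hr_csv, app_csv):
    """Classify each account as ok, orphan (no matching identity) or terminated (owner left)."""
    identities = load_identities(hr_csv)
    result = {"ok": [], "orphan": [], "terminated": []}
    for row in csv.DictReader(io.StringIO(app_csv)):
        owner = row["owner_email"].strip().lower()  # case-insensitive match on email
        entitlements = [e for e in row["entitlements"].split(";") if e]
        record = {"account": row["account"], "owner": owner, "entitlements": entitlements}
        status = identities.get(owner)
        if status is None:
            result["orphan"].append(record)
        elif status != "active":
            result["terminated"].append(record)
        else:
            result["ok"].append(record)
    return result


def remediation_tickets(result, app_name="legacy-erp"):
    """One ticket line per manual action; app_name is a placeholder."""
    tickets = []
    for rec in result["terminated"]:
        tickets.append(f"[{app_name}] disable account {rec['account']} "
                       f"(owner {rec['owner']} is not active in HR)")
    for rec in result["orphan"]:
        tickets.append(f"[{app_name}] assign an owner to {rec['account']} or disable it; "
                       f"it holds {', '.join(rec['entitlements'])}")
    return tickets


if __name__ == "__main__":
    for line in remediation_tickets(reconcile(HR_FEED, APP_EXPORT)):
        print(line)
```

The orphaned service account carrying AP_PAY and AP_CREATE_VENDOR is exactly the kind of access a file-based feed surfaces that a manual review tends to miss; the point of the exercise is that the reconciliation runs on every export, not once at onboarding.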
2. Scalability
As organizations grow, their IGA solutions must scale with them. That requires a flexible and adaptable solution that can handle increasing numbers of users, devices, and applications without compromising security or performance. Gartner retired the IGA Magic Quadrant because the leading solutions are all mature and capable of handling the demands of even the largest enterprises. Performance probably will not be the challenge; complexity already is.
We highlighted the integration challenge above; now consider it in the context of upgrading a legacy, on-premises IGA solution. Consider the challenge of managing an entitlement library. The library should include a glossary for users, so they understand what they are requesting within an application, and so that those reviewing and auditing access understand what a particular entitlement allows a user to do. Roles within the organization also grow more complex as the solution is scaled across the environment, and converting business processes into automated workflows becomes harder as the solution grows.
The good news is that solutions can address these complexities. The bad news is that to do so, organizations must invest a lot of time in understanding the processes, applications, and access that team members require to do their jobs. That understanding comes from diverse teams across the organization collaborating on answers specific to their business. No product vendor can do this for them, but a capable integration partner should be driving these discussions.
The key suggestion for overcoming complexity as IGA solutions scale is buy-in from the highest levels of the organization to support the necessary collaboration. Identity programs need formal oversight committees that continually review aspects of the program (role definitions, process improvements, entitlement definitions). If a program lacks executive sponsorship, it should keep things simple by targeting only the highest-value systems, such as identity providers like Active Directory.
3. User Adoption
Encouraging users to adopt new IGA processes and technologies can be difficult. Organizations must provide adequate training and support to help users understand the benefits of the new system and how to use it effectively. User adoption is perhaps the most underrated challenge in the IGA space. How helpful is an IGA solution really, if users aren’t requesting access through it, reviewers don’t know what they are approving, and auditors don’t trust the data?
Part of the answer was given above: make sure that processes are optimized before they are automated, that access information is presented to users in language they understand, and that the whole access request and review process makes life better for them, not worse.
Once an organization does the heavy lifting to make the IGA request and review process better, it must then plan for – and account for – end user training. This training must be specific to their implementation and should serve as a feedback loop to the identity team tasked with managing the solution as well as to the committees overseeing it.
4. Compliance with Regulatory Requirements
Helping organizations comply with industry-specific regulations and standards, such as GDPR, HIPAA, and PCI DSS is one of the most important value propositions for deploying an IGA solution; however, this is not something that is achieved easily.
Buzzwords do not deliver compliance. A solution may have a compliance-related feature, but a high level of effort has to be invested before an IGA solution furthers compliance objectives. For instance, many buyers insist that IGA solutions have Segregation of Duties (SoD) capabilities, and most vendors can say, “Why, yes, of course we do.” But what good is SoD functionality if one does not understand the application(s) and the detail of how each application actually grants privileges?
This is another area where application prioritization is important. Compliance is a technological challenge, but it is an even bigger process challenge. There are point solutions out there that address compliance. If compliance is the main objective, the recommendation is to take an application-by-application approach when selecting an IGA solution, as well as potentially considering integration with application specific tools.
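The SoD point above is concrete: a rule written against role names catches nothing when the conflicting privileges arrive through a nested or composite role, which is how most enterprise applications actually grant access. The code below is an added illustrative example, not CyberSolve's or any IGA product's SoD engine. The role model, the nesting, the SoD rules, the glossary and the user assignments are all constructed for a hypothetical accounts-payable application.

```python
"""SoD check that expands roles to the entitlements they grant (added example, constructed data)."""

# How the hypothetical AP application grants privileges: a role carries
# entitlements and may include other roles.
ROLE_ENTITLEMENTS = {
    "AP_CLERK": {"AP_VIEW", "AP_CREATE_VENDOR"},
    "AP_MANAGER": {"AP_VIEW", "AP_PAY"},
    "AUDITOR": {"AP_VIEW"},
    "FINANCE_ADMIN": set(),  # grants nothing directly ...
}
ROLE_INCLUDES = {
    "FINANCE_ADMIN": {"AP_CLERK", "AP_MANAGER"},  # ... but inherits both clerk and manager
}

# SoD rules at the entitlement level, each with the business reason a reviewer can read.
SOD_RULES = [
    ({"AP_CREATE_VENDOR", "AP_PAY"}, "create a vendor and release payment to it"),
]

# Glossary so requesters and reviewers understand what they are approving.
GLOSSARY = {
    "AP_VIEW": "read invoices and vendor master data",
    "AP_CREATE_VENDOR": "create or edit vendor bank details",
    "AP_PAY": "release payment runs",
}

# Constructed assignments.
USER_ROLES = {
    "jane.doe": {"AP_CLERK"},
    "raj.patel": {"FINANCE_ADMIN"},
    "li.wei": {"AP_CLERK", "AUDITOR"},
}

# The role-level rule a buyer might configure first: clerk must not also be manager.
ROLE_LEVEL_RULE = {"AP_CLERK", "AP_MANAGER"}


def expand_role(role, seen=None):
    """All entitlements a role grants, following nested roles; cycles are tolerated."""
    seen = set() if seen is None else seen
    if role in seen:
        return set()
    seen.add(role)
    entitlements = set(ROLE_ENTITLEMENTS.get(role, set()))
    for child in ROLE_INCLUDES.get(role, ()):
        entitlements |= expand_role(child, seen)
    return entitlements


def effective_entitlements(user):
    """Union of everything the user's roles grant after expansion."""
    return set().union(*(expand_role(r) for r in USER_ROLES.get(user, ())))


def naive_role_check(user):
    """Role-name-only check: True when the user holds both named roles directly."""
    return ROLE_LEVEL_RULE <= USER_ROLES.get(user, set())


def sod_violations(user):
    """(sorted conflicting entitlements, reason) for every rule the user's effective access satisfies."""
    entitlements = effective_entitlements(user)
    return [(tuple(sorted(combo)), reason) for combo, reason in SOD_RULES if combo <= entitlements]


def explain(user):
    """Reviewer-facing lines that spell out the conflict in glossary terms."""
    lines = []
    for combo, reason in sod_violations(user):
        detail = "; ".join(e + ": " + GLOSSARY.get(e, "?") for e in combo)
        lines.append(user + " can " + reason + " (" + detail + ")")
    return lines


if __name__ == "__main__":
    for user in USER_ROLES:
        print(user, "role-level check:", naive_role_check(user), "entitlement-level:", explain(user))
```

raj.patel holds a single role, so the role-level rule reports nothing, while the expanded check shows the same person can both create a vendor and pay it. Getting to that expansion means modelling how the application composes roles, which is the effort the text says no SoD checkbox on a vendor datasheet removes.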
5. Data Security and Privacy
Protecting sensitive user data is a top priority for organizations implementing IGA solutions. Ensuring robust encryption, secure authentication methods, and strict access controls are essential to maintaining data security and privacy.
Cloud-based IGA solutions go a long way towards addressing this challenge. Vendors have invested millions of dollars and staked their reputation on protecting customer data. Vendors are not infallible, but how do their efforts compare to ours in our own environment?
Even so, leaning entirely on the vendor for encryption and for critical access controls is a mistake. An organization must have internal policies that address these security challenges, and the cybersecurity team must prioritize the IGA solution to ensure its integrity, just as it does for every other system that stores highly sensitive data.
If you want to learn more about how CyberSolve can help your organization select, deploy, and manage your IGA solutions to help you mitigate your organization’s risk, see our Identity Governance & Administration services and Cloud IAM & IDaaS pages.