Don’t Take the Bait: Phishing
- May 9, 2023
- Posted by: admin
- Category: Blog
Phishing is a common tactic used to trick people into disclosing important information or downloading malware, attackers will send emails, or other forms of messages that appear to be from a reputable source, with the intent to steal or use that person’s information.
Unfortunately, phishing attacks are the most common attacks by hackers. As technical security becomes more and more advanced, turning to human error has become the weapon of choice for many malicious actors over the past few years. According to Kaspersky, the final tally for Phishing attacks in 2022 was expected to reach over 500 million. Those are just the successful attacks as 3 billion phishing emails are sent out daily. Add to that the increase to 255 million Smishing (i.e. text-based phishing attacks), in only 6 months of 2021 alone, and Vishing (which involves a person getting on the phone with their attacker to give them personal and/or financial information or payments), in which 1 in 3 Americans have fallen victim to, and the average person must be very, very careful with sharing their information.
Using usernames, passwords, credit card numbers, or social security numbers as bait, phishing attacks attempt to convince their target to divulge sensitive information. Attackers can then use this information against your organization to steal sensitive data, money, or even commit identity theft, thus putting your whole company and its assets at risk.
A few examples of what a phishing email may look like are below.
Here is one with a few notes on what to look for:
Here is a another, see if you can spot the area you should be wary of:
Or the fake 2-factor code you didn’t request:
Generally, social engineering tactics are used to create panic or a sense of urgency to trick you into giving out valuable information. They will do this by providing an email or text that looks to be real, however, it is quite the opposite. Once you have provided that information to a malicious user it’s already too late. The best way to protect your organization against these attacks is to train employees about the dangers of phishing and educate them about what they should look out for.
Additionally, a targeted form of phishing, known as Spear Phishing, is a method that fixates on specific individuals or groups within an organization using emails, social media, instant messaging, and other platforms to get people to divulge personal information or perform actions that cause network compromise, data loss, or financial loss. Typically, phishing relies on a mass email approach to random individuals, spear phishing focuses on specific targets by using individualized research.
Spear phishing attacks traditionally involve an email and attachment or a text with a request and/or a link to a malicious website. The email or text will include specific information aimed at the target, such as the target’s name, email address, place of employment, and title or job role at the organization (with Whaling attacks aimed at senior executives). This social engineering tactic boosts the chances that the victim will carry out all the actions necessary for infection, including opening the email and the included attachment or the link.
How Can CyberSolve Help?
At CyberSolve we strive to ensure that not only your technology, but your employees themselves are safe from divulging information over to malicious attackers, and we have assessments to identify the risk and remediation methods to manage and/or eliminate the risk.
If you want to learn more about our Cyber Security solutions to help you mitigate your organization’s risk, see our Cybersecurity Services page or contact us here.
1. Integration with Target Applications
Integrating IGA solutions with existing infrastructure, applications, and systems can be challenging. Organizations must ensure that the IGA solution is compatible with their current environment and that it can support all necessary integrations.
There is absolutely no doubt that most of the cost of deploying and maintaining an IGA solution comes from building and maintaining the integrations between applications and the IGA platform. Modern applications that use cloud technology have programming interfaces for standards-based integration. However, legacy applications usually lack these interfaces, which makes integration more challenging. It is important to remember that regardless of how easy building the connection is, the data consumed by the IGA platform must be manipulated, and workflows must be created to automate the provisioning process.
Prioritizing applications in your environment is key to overcoming this challenge. This allows you to deliver value to the organization quickly. Is the JD Edwards app running your banking processes critical? Sure, but perhaps you can delay tackling that complex integration problem for a while. Consider using files to collect the information if you want to include the application. Manual processes should be logged and managed through service management platforms, such as ServiceNow or Jira.
2. Scalability
As organizations grow, their IGA solutions must be able to scale accordingly. This requires a flexible and adaptable solution that can handle increasing numbers of users, devices, and applications without compromising security or performance. Gartner killed the IGA Magic Quadrant because the leading solutions are all very mature and capable of handling the demands of even the largest of enterprises. Performance likely won’t be a challenge, but complexity already is.
We already highlighted the integration challenge above, now consider that in the context of having to upgrade a legacy, on premise IGA solution. Consider the challenge of managing an entitlements library. This library should include a glossary for users, so they can understand what they are requesting within the application. Additionally, those reviewing and auditing access should understand what a particular entitlement allows a user to do within an application. Roles within the organization also increase in complexity as the solution is scaled across the environment. Converting business processes into automated workflows also is a challenge as the solution grows.
The good news is that solutions can address these complexities. The bad news is that to solve these challenges, organizations must invest a lot of time in understanding the processes, applications, and access required for team members to do their jobs. This understanding comes from diverse teams within an organization collaborating together to come up with answers that are specific to their business. No product vendor can help them with this, but they should have a capable integration partner helping them drive these discussions.
The key suggestion to overcome complexity as IGA solutions scale is to have buy-in from the highest levels of the organization to support the necessary collaboration. Identity Programs need formal oversite committees to constantly review aspects of the program (e.g. role definitions, process improvements, and entitlement definitions). If a program doesn’t have executive sponsorship, then it should keep things simple by targeting only the highest value target systems like IDPs such as Active Directory.
3. User Adoption
Encouraging users to adopt new IGA processes and technologies can be difficult. Organizations must provide adequate training and support to help users understand the benefits of the new system and how to use it effectively. User adoption is perhaps the most underrated challenge in the IGA space. How helpful is an IGA solution really, if users aren’t requesting access through it, reviewers don’t know what they are approving, and auditors don’t trust the data?
The answer to this problem is partly answered above. It is critical to make sure that processes are optimized before they are automated, that access information is made available to users in language they understand, and that the whole access request and review process makes life better for them, not worse.
Once an organization does the heavy lifting to make the IGA request and review process better, it must then plan for – and account for – end user training. This training must be specific to their implementation and should serve as a feedback loop to the identity team tasked with managing the solution as well as to the committees overseeing it.
4. Compliance with Regulatory Requirements
Helping organizations comply with industry-specific regulations and standards, such as GDPR, HIPAA, and PCI DSS is one of the most important value propositions for deploying an IGA solution; however, this is not something that is achieved easily.
Buzzwords don’t deliver compliance, and although a solution might have a compliance related feature, a high level of effort needs to be invested in order to leverage an IGA solution before it furthers compliance objectives. For instance, many buyers insist that IGA solutions have Segregation of Duty (SoD) capabilities. Most vendors can say, “Why, yes of course we do.” But what good is SoD functionality if one does not understand the application(s) and the deep functionality of how the application grants privileges?
This is another area where application prioritization is important. Compliance is a technological challenge, but it is an even bigger process challenge. There are point solutions out there that address compliance. If compliance is the main objective, the recommendation is to take an application-by-application approach when selecting an IGA solution, as well as potentially considering integration with application specific tools.
5. Data Security and Privacy
Protecting sensitive user data is a top priority for organizations implementing IGA solutions. Ensuring robust encryption, secure authentication methods, and strict access controls are essential to maintaining data security and privacy.
Cloud-based IGA solutions go a long way towards addressing this challenge. Vendors have invested millions of dollars and have staked their reputation on protecting customer data. Vendors are not infallible, but how do their efforts compare to ours in our environment?
Leaning on the vendors for encryption and for critical access controls is a mistake. An organization must have internal policies to address security challenges, and IGA solutions need to be prioritized by the cybersecurity team to ensure its integrity, just as they ensure the integrity of all systems that store highly sensitive data.
If you want to learn more about how CyberSolve can help your organization select, deploy, and manage your IGA solutions to help you mitigate your organization’s risk, see our Identity Governance & Administration services and Cloud IAM & IDaaS pages.
Leave a Reply
Contact us at the Consulting WP office nearest to you or submit a business inquiry online.
Todd is a recognized IAM and Cloud industry expert who brings over 20 years of experience in managing, advising, architecting, and deploying IGA, Authentication and Authorization, and Cloud solutions and services across IDaaS, SaaS, IaaS, and PaaS. Todd is a frequent speaker on effective risk and security practices at leading industry events. He is responsible for the oversight of CyberSolve’s business segments and for the development of strategic plans to sustain the company’s rapid growth while providing trusted advice to clients across the security and risk spectrum.
Atul has over 20 years of experience in managing, designing and implementing Customer Relationship Management (CRM) and Salesforce integrations. He has acted as a cloud-focused solutions expert in both domestic and international markets. Prior to founding CyberSolve, Atul was a Technical Consulting Director at Salesforce where he demonstrated his strong experience architecting financial services industry solutions. Atul holds a Bachelor of Engineering from Madan Mohan Malaviya University of Technology.
Shub possesses over 15 years of experience in the Identity and Access Management (IAM) industry in pre-Sales and technology architecture roles. Shubham has held various positions with SailPoint, RSA, Saviynt, and Okta. He has extensive Identity and Access Management industry technology and sales experience in both domestic and international markets as well strong knowledge of how Identity and Access Management satisfies Audit and IT compliance issues. Shub holds a 
Rajesh has served Multi-National Corporations and large organizations as a full time Vice President of Finance, Chief Financial Officer and in equivalent roles. In order to fulfill his duties as a CFO he is a Chartered Accountant, holds a Diploma in Information System Audit (DISA certified by the Institute of Chartered Accountants of India), is a Certified SAP Consultant, Certified QuickBooks Professional Advisor, and Zoho Partner with 30+ years of experience in managing Finance, Accounting and ERP Systems for Medium to Large organizations in diverse sectors.
John is an experienced IT executive with extensive business leadership, operations management, project management, technology delivery and consulting skills who spent over two decades with General Electric where he was responsible for all aspects of their Global PIM program, he was also a key member of the security assurance team for the organizations Capital business. John leads the delivery of client services across the business landscape, to include Privileged Access Management, Managed Services, Identity Governance & Administration, Cybersecurity and Cloud Services.
Luis has been facilitating IAM programs for 20+ years. He was the CRO at Clear Skye, which builds identity governance capabilities on the ServiceNow Platform. His prior experience with services companies that deliver real world identity solutions has made him a trusted resource for information security executives that he has the privilege of advising. Luis assists in the management of our global sales organization, driving revenue growth via direct sales, ensuring our customers have the best plan and solution to ensure their IAM investment achieves the lowest TCO while providing the highest ROI.
Amit brings over 15 years of Identity and Access Management (IAM) experience to the organization. He has a proven track record in providing customers with the best of breed Identity and Access Management solutions. He ensures success within all engagements by staying integrated with the customer throughout the engagement whether it is a program, project or managed services and support. Amit acts as a customer champion at all times to ensure the right solution and resources are in place to achieve the right requirements.
James leads the delivery of client services across the Identity, Access, and Authorization landscape. He has delivered projects across a wide range of products including Okta, Ping, ForgeRock, Oracle, Microsoft, Citrix, Imprivata, Radiant Logic, Axiomatics and many others. With the advent of modern cloud services, James has served as the internal cloud architect and administrator for almost 10 years and uses that experience to help users make the best use of it.
As a veteran of the Identity Governance and Administration (IGA) landscape, Tony’s career has spanned from being a hands-on Architect\Engineer on numerous industry-leading IGA solutions to building and managing industry-leading Professional Services delivery teams. Tony brings that vast knowledge to CyberSolve and the teams under his management. In recent years Tony has been instrumental in the migration away from the legacy on-prem Identity Governance & Administration solutions to modern cost-effective cloud products.
Clark is a Channels, Sales and Marketing executive with 40+ years of experience as a direct seller, Executive and Founder. His experience includes services, software and hardware sales to Commercial, Federal, and State/Local/Education entities across US Domestic and International markets. Within the IAM spectrum, Clark spent over 5 years as SailPoint’s Channel Manager, Federal & Healthcare markets. He has developed and managed Partner relationships and strategies globally, and is known for significantly growing the revenue of his partners by building trusted, profitable relationships and business strategies.