Allergic to Shell-Phish

Phishing campaigns are still going strong as a method to gain access to systems and networks.  Specially crafted emails can be sent to unsuspecting users, rendering defenses useless at the click of a mouse.  While there are many different controls to help combat the diverse attacks brought on by phishing, end user education is a necessary piece of this puzzle.

Anti-Phishing campaigns are primed with materials before and after the education of the end user.  Berkeley offers some free tools that help with the process; they can be found at the links below.  End user education is often followed by testing, in which the cybersecurity department sends targeted attacks from external email addresses.  Those who do not pass the tests are then required to go through the training again.

According to a SANS paper from 2004, phishing is typically effective because of Social Engineering.  The reason phishing is still effective today is probably Social Engineering as well.  While technology has changed in the last 15 years, people are still susceptible to the confidence-building hoaxes behind these hacks.

The training process is just one part of an entire campaign.  It should be done in conjunction with adding headers to external emails, filtering file types from inbound emails, and eliminating HTML from the email altogether.  Services and hardware can also be purchased, and other controls can be effective as well.
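
The three mail-handling controls named above (marking external mail, filtering attachment file types, removing HTML) are shown here as an added example that is not part of the original post.  INTERNAL_DOMAIN, the BLOCKED_EXT list, the X-External-Sender header name and the sample message are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser

INTERNAL_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
BLOCKED_EXT = (".exe", ".js", ".scr", ".vbs", ".iso", ".docm")  # assumption: sample blocklist

class TextOnly(HTMLParser):  # keeps visible text; drops tags, links, script/style bodies
    def __init__(self):
        super().__init__()
        self.chunks, self.skip = [], False
    def handle_starttag(self, tag, attrs):
        self.skip = tag in ("script", "style")
    def handle_endtag(self, tag):
        self.skip = False
    def handle_data(self, data):
        if not self.skip and data.strip():
            self.chunks.append(data.strip())

def sanitize_inbound(raw: bytes) -> EmailMessage:
    src, out = message_from_bytes(raw, policy=policy.default), EmailMessage()
    addrs = src["From"].addresses if src["From"] else ()  # header check only; spoofable
    external = not addrs or addrs[0].domain.lower() != INTERNAL_DOMAIN
    out["From"], out["To"] = str(src["From"] or ""), str(src["To"] or "")
    out["Subject"] = ("[EXTERNAL] " if external else "") + str(src["Subject"] or "")
    out["X-External-Sender"] = "yes" if external else "no"  # hypothetical header name
    body = src.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    if body and body.get_content_subtype() == "html":
        parser = TextOnly()
        parser.feed(text)
        text = "\n".join(parser.chunks)
    out.set_content(text)  # the rebuilt message carries a text/plain body only
    for part in src.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True)
        if data is None or name.lower().rstrip(". ").endswith(BLOCKED_EXT):
            continue  # drop blocked file types and nested messages
        out.add_attachment(data, maintype=part.get_content_maintype(),
                           subtype=part.get_content_subtype(), filename=name)
    return out

def constructed_sample() -> bytes:  # constructed message: HTML-only body, PDF and EXE attached
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "billing@vendor.test", "ap@example.com", "Invoice"
    m.set_content("<p>Pay <a href='http://pay.test/x'>here</a></p><script>x()</script>", subtype="html")
    m.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf", filename="invoice.pdf")
    m.add_attachment(b"MZ", maintype="application", subtype="octet-stream", filename="update.pdf.EXE")
    return m.as_bytes()
```

The extension check looks at the final suffix after lowercasing and trimming trailing dots and spaces, so a double extension such as update.pdf.EXE is still dropped.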

This type of attack can be devastating to small and medium-sized businesses.  Further controls to mitigate losses include changes in how the business handles wire transfers.  Finding the equilibrium to balance the way you do business can take time and guidance.


Costly Configurations

This year we have seen numerous issues resulting from human error. The configuration of applications and services has led to numerous data breaches. As with most emerging technologies, Docker Containers and Amazon S3 Buckets have proven a challenge and come with a learning curve. In the move to embrace cloud-based services, organizations have jumped at the opportunity to be part of the leading edge. The recent disclosure of the exposure of 93,000,000 patient files in California is an indicator of how things can take a turn for the worse rather abruptly (Barth, 2019).

While the HIPAA Security Rule (NIST SP 800-66 Revision 1) is labeled as “Introductory,” NIST SP 800-144 (Guidelines on Security and Privacy in Public Cloud Computing) spells it out in a direct fashion. “Reducing cost and increasing efficiency are primary motivations for moving towards a public cloud, but relinquishing responsibility for security should not be.”

The burden for securing these new technologies lies with those in charge of securing the data. Configuration of applications and services is being brought to light this year, and the management of security services will truly benefit in the following years. This demonstrated need to understand security risks is a direct result of the likelihood of misconfigurations and the severity of the breaches they have led to.