Go beyond the fancy hack attacks you see on television shows and the highly unlikely (and overhyped) exploits to find the real security threat -- email phishing. Aside from compliance burdens and the lack of financial support for security, phishing is likely an organization's greatest security threat. Any given network is merely a click away from compromise. And it's happening all too often.
Many of the recent breaches, as well as some of the largest ones of all time, stem from phishing attacks using good old-fashioned email. No matter what you think of your Exchange system's security, there are three reasons why a phishing attack will ultimately create problems in your messaging environment. Watch out for these three common slip-ups and come up with a game plan on how to prevent an email phishing attack.
1. You're not aware of the warning signs. Seventy-three percent of organizations have a breach plan in place, according to a recent Ponemon Institute/Experian study on data breach preparedness. But I'm not convinced that most organizations would know when they've been hit by an email phishing attack. A lack of security controls and improper oversight go a long way toward facilitating successful phishing attacks.
It's even more basic than that. Many people don't know what normal is supposed to look like on the network. If you don't understand that fundamental aspect of your network, how are you going to know what something "bad" looks like? Furthermore, for every phishing email that's blocked or ignored, odds are high that several others got through the system. With all of the noise on the network, the variables involved in phishing attacks and the subsequent malware that may be downloaded, it can be virtually impossible to find and block or stop the attack once it's on your soil.
Tracking data breaches
Data breaches are a common occurrence, so it's important to know the extent of these breaches to learn how they could affect your Exchange setup. This website tracks breaches dating back to 2005 and includes details about the types of breaches that have occurred as well as the organizations that have been affected.
2. You don't have the proper technologies to detect or prevent an attack. Most organizations have a solid Exchange infrastructure. From system redundancy to messaging encryption and everything in between, the resiliency is often there. But resiliency is likely not the criminals' target in an email phishing attack. Instead, they're going after the lack of security controls in and around your endpoints, your Web access and your end users.
How can you better control this threat? Technologies such as identity and access management, data loss prevention and security information and event management (SIEM) are a great place to start. Even if you just stay current with the latest Windows OS, Web browser and third-party software updates, you can be well ahead of the phishing curve. However, if you're like many organizations that rely on traditional firewalls, content filtering and antivirus tools, with weak event logging and monitoring behind them, you're a sitting duck for an attack.
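The "know what normal looks like" point from slip-up 1 and the logging and monitoring gap from slip-up 2 come together in a small detection check. This is an added example written for this article, not Exchange tooling or the author's code: it learns which sender domains each recipient normally receives mail from, using constructed message-tracking-style records, then grades new messages that depart from that baseline. The organization domain, the internal display names and every record are assumed sample values.

```python
"""Baseline-vs-anomaly check over constructed Exchange message-tracking-style records."""
from collections import defaultdict

ORG_DOMAIN = "example.com"                  # assumed organization mail domain
INTERNAL_NAMES = {"pat jones", "sam lee"}   # assumed internal display names, lower-cased

# Constructed sample records: (recipient, sender display name, sender address)
HISTORY = [
    ("sam.lee@example.com", "Pat Jones", "pat.jones@example.com"),
    ("sam.lee@example.com", "Vendor Billing", "billing@vendor.test"),
    ("pat.jones@example.com", "Sam Lee", "sam.lee@example.com"),
]
NEW_MAIL = [
    ("sam.lee@example.com", "Pat Jones", "pat.jones@example-com.test"),  # lookalike + impersonation
    ("sam.lee@example.com", "Vendor Billing", "billing@vendor.test"),    # within baseline
    ("pat.jones@example.com", "Newsletter", "news@unrelated.test"),      # first-seen, nothing else
]


def domain_of(address):
    """Lower-cased domain part of an SMTP address."""
    return address.rsplit("@", 1)[-1].lower()


def build_baseline(records):
    """'Normal' for each recipient: the set of sender domains seen in history."""
    baseline = defaultdict(set)
    for recipient, _name, sender in records:
        baseline[recipient].add(domain_of(sender))
    return baseline


def resembles_org_domain(domain):
    """True for external domains that reuse the organization's label (e.g. example-com.test)."""
    if domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN):
        return False
    return ORG_DOMAIN.split(".")[0] in domain.replace("-", "")


def grade_messages(baseline, messages):
    """Return a finding for each message that departs from the baseline, with a severity."""
    findings = []
    for recipient, name, sender in messages:
        domain = domain_of(sender)
        external = domain != ORG_DOMAIN and not domain.endswith("." + ORG_DOMAIN)
        strong = []  # signals that justify a high-severity finding on their own
        if external and name.lower() in INTERNAL_NAMES:
            strong.append("display name matches an internal user but sender is external")
        if resembles_org_domain(domain):
            strong.append("sender domain resembles the organization domain")
        first_seen = domain not in baseline.get(recipient, set())
        if strong or first_seen:
            reasons = strong + (["first-seen sender domain for this recipient"] if first_seen else [])
            findings.append({"recipient": recipient, "sender": sender,
                             "severity": "high" if strong else "low", "reasons": reasons})
    return findings
```

A first-seen domain on its own is only a low-severity review item, since legitimate new correspondents appear all the time; the baseline is what lets the stronger signals stand out from that noise.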
3. Your user security awareness program stinks. I've yet to see a security awareness program that really stood out to help people learn. In fact, most programs aren't actual programs at all; they're likely annual email blasts sent to employees and a poster or two in the break rooms. The lack of management support for security has created a dangerous checkbox mentality. Going through the motions to satisfy an audit requirement won't cut it.
On the other hand, your end users are just going through the motions so they can get their work done. They're not thinking about what they're doing because they've successfully done X, Y and Z tasks a thousand times. Yet this lack of situational awareness is exactly what gets people, large corporations and government agencies into trouble. You have to set end users up for success.
Stop cramming policies down your end users' throats that involve telling them what not to do; chances are that they're going to violate those policies anyway. Instead, take some time to help them improve their situational awareness. Show them how to properly do things with their email. You can do this using everyday examples (e.g., driving in cars and walking down the street) without having to bore them with techie stuff they don't get.
There's no secret element for solving the email phishing attack challenges you face, but you need to answer one question: Are you taking the proper steps to reduce your risk and minimize the impact if a phishing breach occurs? If you can't answer this in the positive, the integrity of your Exchange environment and the security of your network hang in the balance.
About the author:
Kevin Beaver has worked for himself for more than 11 years as an information security consultant, expert witness and professional speaker at Atlanta-based Principle Logic LLC. He specializes in performing independent security assessments revolving around information risk management, and is the author and co-author of many books, including The Practical Guide to HIPAA Privacy and Security Compliance and Hacking for Dummies.
This is part two in a series about how admins can learn from recent data breaches to protect their Exchange environments.
Part one covered some of the common causes of data breaches and how to recognize them.
Stay tuned for part three, which looks at layered security approaches for your organization.