“This [White House Communications Agency] guy opened an email he wasn’t supposed to open,” the source said.
Ouch. This is from a news story talking about how Chinese hackers successfully attacked White House computers, “reportedly including systems used by the military for nuclear commands.” The article also says this is a pretty common occurrence (though it’s hard to tell whether they mean spearphishing attempts or common, or spearphishing successes are common).
Given what we know today, it seems like there would be a pretty rigorous anti-spearphishing regimen at the White House, but this goes to show you that humans are still an unpredictable part of our security world. Even a moment of inattention can foil your security and let nefarious people into places they shouldn’t be.
In this case, I’m just glad they detected the issue – and they claim it was dealt with before any data exfiltration occurred. This always gets me wondering whether there are other attacks that haven’t been detected – that’s the challenge with our job as security folks. We know what we know, but we may not know something crucial until after the damage is done.
In the article, Anup Ghosh is quoted as saying,
“We need to give this critical priority — it needs to be a discussion at every level of our government and we must rapidly adopt new technologies to protect our nation from this threat.”
Yes, we needy to make this a priority, but I think it’s a red herring to say the solution is just adopting new technologies. If we rely too much on automation for attacks that directly touch humans, we’re fooling ourselves – technology alone isn’t enough in real-world environments – we’ve got to help users become more savvy about what these attacks look like, and not just in some abstract way.
Prepare your users
If you want to prepare your users to be more effective in phishing attempts, why not let them practice in a safe environment? There are quite a few options offered by security training providers, but if you want to do something free, there is a very good phishing quiz from OpenDNS. I found out about this because I’m an OpenDNS customer at home, and they sent this quiz out to their customers to help us improve our “phish spotting” skills.
Granted, this quiz focuses on phishing web sites and not spearphishing emails, but it’s still a great resource. I’ve seen some good write-ups on how to spot phishing emails, as well – for example:
- Microsoft has a great guide in their Safety & Security Center
- Apple has some useful info in their support forums
Know of any other good resources to help prepare our users – especially ones to help them practice identifying phishing emails? Please share.