As the CIO/CISO, recognize that your biggest threat is your human users. Discuss the training plan (e.g., a spear-phishing exercise) that you would put in place to help prevent your users from being socially engineered.
Spear phishing attempts have been used to swindle individuals and companies out of millions of dollars. They can also do damage in other areas, such as stealing secret information from businesses or causing emotional stress to individuals.
Think before you click:
Attackers employ a sense of urgency to make you act first and think later in phishing attacks. When you get a highly urgent, high-pressure message, be sure to take a moment to check first whether the source is credible. The best way is to use a method of communication different from the one the message came through - like texting the person to see whether they actually emailed you an urgent message or whether it came from an attacker. Better safe than sorry!
Research the sources:
Always be careful of any unsolicited messages. Check the domain links to see if they are real, and check whether the person sending you the email is an actual member of the organization. Usually, a typo/spelling error is a dead giveaway. Use a search engine, go to the company's website, check their phone directory. These are all simple, easy ways to avoid getting spoofed. Hovering your cursor over a link before you actually click on it will reveal the link at the bottom of the window, and is another way to make sure you are being redirected to the correct company's website.
Don’t download files you don’t know:
If you don’t know the sender, don’t expect anything from the sender and don’t know if you should view the file they just send you with “URGENT” on the email headline, it’s safe not to open the message at all. You eliminate your risk to be an insider threat by doing so.
Offers and prizes are fake. If you receive an email from a Nigerian prince promising a large sum of money, chances are it’s a scam.
1. Delete any request for personal information or passwords. Nobody should be contacting you unsolicited for your personal information via email. If you get asked for it, it's a scam.
2. Reject requests for help or offers of help. Social engineers can and will either request your help with information or offer to help you (e.g., posing as tech support). If you did not request any assistance from the sender, consider any requests or offers a scam. Do your own research about the sender before committing to sending them anything.
3. Set your spam filters to high. Your email software has spam filters. Check your settings, and set them to high to avoid risky messages flooding into your inbox. Just remember to check them periodically as it is possible legitimate messages could be trapped there from time to time.
4. Secure your devices. Install, maintain, and regularly update your anti-virus software, firewalls, and email filters. Turn on automatic updates if you can, and only access secured websites. Consider a VPN.
5. Always be mindful of risks. Double check, triple check any request you get for the correct information. Look out for cybersecurity news so you can take swift action if you are affected by a recent breach. I recommend subscribing to a couple of morning newsletters to keep you up to date with the latest in InfoSec, like Cyware or BetterCloud Monitor. If you are a podcast person, Decrypted by Bloomberg, DIY Cyber Guy and Reply All offer easy-to-digest information and news that's very user-friendly.
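The link check described under "Research the sources" (compare the link text a user sees with the destination it really points to, and check that destination against the organization's own domain) written out as an added Python example; this is not code from the original answer. The sample email body and the trusted-domain list are constructed assumptions for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample email body (not a real message): one honest link, one link
# whose visible text claims a domain different from its target, one vague link.
SAMPLE_HTML = """
<p>Your invoice is ready.</p>
<a href="https://portal.example.com/invoice/123">https://portal.example.com/invoice/123</a>
<a href="http://portal.example.com.login-verify.test/reset">https://portal.example.com/reset</a>
<a href="https://secure-example.test/pay">Pay now</a>
"""

TRUSTED_DOMAINS = {"example.com"}  # assumption: the organization's real domain(s)

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    """Last two labels of a hostname (adequate for .com-style domains)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def host_of(text):
    """Hostname from a URL or from bare text that looks like one; '' otherwise."""
    m = re.search(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})", text)
    return m.group(1).lower() if m else ""

def audit_links(html):
    """Return (href, reason) for each link a reader should verify before clicking."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target, shown = urlparse(href).hostname or "", host_of(text)
        if shown and registrable_domain(shown) != registrable_domain(target):
            findings.append((href, f"text shows {shown} but link goes to {target}"))
        elif registrable_domain(target) not in TRUSTED_DOMAINS:
            findings.append((href, f"{target} is not a trusted domain"))
    return findings
```

Running audit_links(SAMPLE_HTML) flags the second and third links and passes the first, which is the same judgement a user makes by hovering over each link and reading the status bar.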