Mitigating Messaging RisksTraining Helps Foil Spear Phishing, Other Schemes
The growth in messaging technologies has fraudsters targeting new channels to attack organizations. Craig Spiezle of the Online Trust Alliance offers tips on improving messaging security.
Messaging has grown from just e-mail to include IM, text messaging and social media, all areas that fraudsters are focusing on simultaneously as a means of infiltrating systems and data, says Spiezle, founder and CEO of the OTA.
For organizations, the first step to mitigate messaging risks is through proper scanning of e-mails, Spiezle says.
"As we're looking at tweets and such, we need to make sure that our desktops are increasingly hardened, and by doing that and making sure we're using more current browsers it enables us to detect malicious URLs," he says in an interview with Information Security Media Group's Tom Field [transcript below].
Next, applications on devices used in the enterprise need their security protections to be up-to-date, including BYOD devices. "As we look at people bringing their own devices into the work force, it's very important that as administrators we're hardening those devices and making sure that they're up-to-date at all times," Spiezle explains.
In an interview about messaging trends, Spiezle discusses:
- Common attacks via messaging;
- Training techniques to reduce vulnerabilities;
- How organizations can begin to reduce their risks to threats via messaging technologies.
Spiezle is a thought leader on the convergence of interactive marketing, society and digital commerce. Leveraging his understanding of privacy, security and data stewardship, he is a champion of best practices to help build consumer trust and confidence and of the importance of promoting innovation on the Internet. Spiezle frequently briefs members of Congress representing the roles and shared responsibility of members of the ecosystem and the importance of meaningful self-regulation. Before joining OTA, he spent more than a decade at Microsoft in several management roles, including director of security and privacy product management.
Online Trust Alliance
TOM FIELD: Just to give us a bit of context, tell us a bit about yourself, your experience and your organization, please.
CRAIG SPIEZLE: The Online Trust Alliance is a non-profit organization with the goal to educate, enable and develop best practices to ultimately improve the trustworthiness and security of the Internet, and at the same time promoting innovation and other best practices and self-regulation.
Unified Messaging Challenges
FIELD: When we talk about messaging today, we're talking about far more than just e-mail. What do you see as the unified messaging challenges that need to be addressed?
SPIEZLE: Messaging has evolved a great deal. It has evolved in different forms, whether it's texting, whether it's IM or e-mail. At the same time, our dependency has increased significantly and as we become more reliant on it we sometimes are also more susceptible to some of the social engineering exploits, as we click on things quicker, as we scan things quicker. We're more dependent upon it, but the threats are increasing across multiple fronts.
FIELD: What are some of the types of attacks that we see through the various messaging vectors right now? You mentioned social engineering, for one.
SPIEZLE: I think social engineering has been compounded. If you look back at 2005-2006, you start to see the emergence of spear-phishing, certain employees of companies being targeted or groups of people. But what's really accelerating this is the ability for the cyber criminal to leverage social media content out there that's public, whether it's LinkedIn, Facebook or other sites and compounding that, having more precise and targeted exploits targeting groups of people, whether they're government employees or businesses with communications that appear very relevant, very personal and very trustworthy.
FIELD: Where do you see organizations most vulnerable to attacks right now?
SPIEZLE: I think the combination of the social media aspect of things, but the areas of vulnerabilities are some of the simple things today. Clearly, the spoof and forged e-mails continue to play government agencies and corporations, and what we're seeing is that the vulnerability is targeting those organizations which might be in the supply chain. We saw last year a lot of targeted efforts focusing on the e-mail industry, the idea of if you could compromise an e-mail marketer, you could then have the keys to the kingdom of sending mail out that would be accepted by ISPs. So what we're seeing is that level of sophistication. We saw the same things happening targeting certificate authorities through deceptive e-mail, but the goal was to issue trusted certificates that could be then used downstream to compromise consumers if they use the web.
FIELD: I know the Online Trust Alliance does some training in this area, particularly for government agencies. Tell us a little bit about the training that you provide?
SPIEZLE: The training is really a key part and so part of our mission for OTA as a non-profit is education and we do it in two ways. One is by white papers, best practices and resource guides, and what we've been able to do is take a 360-degree view from different stakeholders. So for example, we have a data breach readiness resource guide, what to plan for and also how to prevent that. We have other tools.
Specific to the government agencies, the area that we've been doing extensive training is e-mail authentication and DMARC training, and that's really to help protect the domains and web addresses of sites so they aren't spoofed and forged, which protects consumers; at the same time, how to detect that on the inbound side to protect government employees.
FIELD: Tell me a bit about how this training is delivered. I know you spend an entire day on some of these sessions with agencies.
SPIEZLE: Yes. Our training is very comprehensive and in many ways we get feedback that it should be split into two days because the amount of use cases and scenarios you go into. Our primary training is the classroom environment, which is very productive for the interchange of attendees, and those are scheduled throughout the year. We also, in the case of federal government employees, do have an on-demand by module web training that government employees can sign up for and take into some delivery mechanisms that are available that's headed up by the Department of Homeland Security.
FIELD: Tell me a little bit about the metrics. What results have agencies seen since you've started this training?
SPIEZLE: With the results, companies have seen two things. One, they have a better handle on their mail streams and who's sending mail on their behalf. It has been somewhat eye opening for both government agencies and corporations. The second thing is they have been able to help the receiving networks, whether it's corporate networks or ISPs, better block and disable forged e-mails. That has helped them in protecting their brand. And the other element is they're able to have increased forensics now, in the case of spoofing occurring, to be able to go after or use that with law enforcement to basically turn the tides against the cyber criminal.
FIELD: I know you focus a lot of your training on government entities, but what elements of this translates to the private sector as well? I would think much of it does.
SPIEZLE: Actually, the genesis of this started in the private sector. It was to our research and just seeing what many consumers were seeing - the forged e-mail from Social Security or the IRS or the FDIC - that led us to reach out and share that information with some of the agencies and it was upon seeing that data and observing that data that we were asked to get involved. We deliver as much, if not more, to leading commerce banks and sites to the Fortune 500 companies that are concerned about the same exact issues.
Reducing the Risks
FIELD: We've got organizations that are conducting messaging through e-mail, through mobile, through text messaging, social media. How can organizations really start to reduce their risks to threats via all these messaging technologies?
SPIEZLE: That's a great question and that answer is going to continue to evolve over time, and I think as in any area of our security we need to look at multiple lines of defense. Clearly the first one is better scanning of e-mail from an e-mail-hygiene perspective on the inbound side. As we're looking at Tweets and such, we need to make sure that our desktops are increasingly hardened, and by doing that and making sure we're using most current browsers it enables us to detect malicious URLs.
Obviously, we need to make sure that all the applications on our devices are up-to-date. For example, in the case of a malicious tweet, it may have a vulnerability that's targeting a certain application. We've seen the cyber criminal increase in targeting applications that may be running on a device. As we look at people bringing their own devices into the work force, it's very important that as administrators we're hardening those devices and making sure that they're up-to-date at all times.
FIELD: That's really helpful. Thanks so much for taking time to speak with me today.
SPIEZLE: Well thank you and I appreciate it. We do a training coming up in August and October and hopefully you and others can join us at our annual meeting in San Jose October 1-4.