In the early days of Internet fraud, most cyber crooks used emails as their main medium to scam people into disclosing personal information. These emails were littered with spelling and grammatical mistakes, which alerted some cautious users. These days, however, online criminals have honed their spelling and grammar skills, and they manage to fool even the savviest web users with sophisticated methods of deception.
With the evolution of phishing and spear-phishing, companies are scrambling to find ways to combat and cut targeted social-engineering attacks. Panos Anastassiadis, COO and president of Cyveillance, said there are two things that could dramatically lessen the effectiveness of spear-phishing attacks: education and IP blocking.
“One I would say is education because social engineering is the way the spear-phishing attacks work and people are the weakest link,” he said. “The second would be IP blocking. We can provide to organizations a list of IP addresses that should be blocked, and these are the freshest IP addresses out there that have just come out.”
While phishing is a pressing concern for many corporations, it is not the only security issue they need to worry about: According to a 2009 McAfee Threats Report, distributed denial-of-service attacks have increased all over the world.
“What I'm asking myself is, what is more dangerous? A DDoS attack where there are actually solutions to avoid it, or a silent infiltration by an adversary who is also engineering a malicious program?” Anastassiadis said. “I personally think a silent infiltration will be way more dangerous because No. 1, you don't know it happens; No. 2, the adversary is in your system and selectively exfiltrating information, or even worse, starting a data manipulation program that will go on for months, in which case you will absolutely not have any confidence in your own data.”
Anastassiadis said this kind of infiltration is launched for the sole purpose of creating financial or competitive gain, or to get a strategic advantage. The attacks can last months before they are detected, he added.
Considering the research and intelligence gathering Cyveillance has conducted recently, Anastassiadis said he believes there is no one sector that is under a greater threat of a cyber attack. While some groups are for monetary gain, others are for strategic information or for policy, he said.
“I believe there is nobody that is immune to this,” Anastassiadis said. “As long as somebody wants something you have they will try to take it. Sometimes, it is way easier than it looks . . . so basically, if you do own information that other people want to know about, your sector is at great risk.”
As people are the weakest link, it is important to educate everyone concerned with cybersecurity with some sort of sensitivity training, Anastassiadis said.
“I believe we should train every single employee on the risks of cyber,” he said. “I think since everybody is going to use more and more social media, they should get the sensitivity training to understand that also this social media can be a perfect vector for social-engineering schemes.”
While openness of the U.S. government has been touted as the preferred method of operating, transparency can sometimes harm more than help, Anastassiadis noted.
“I see from time to time some social-engineering schemes and I say, how did these guys from Eastern Europe know how the Social Security system works here?” he said. “Do you know how the Social Security works, if it exists, in Belarus or in Armenia, or something like that? I don't. I'm always impressed on how well they know our system and how well they can gain it.”