About two years ago I got asked what the biggest threats against individuals are, security-wise. It’s somewhat satisfying that my answers (cell phones and spear phishing) are still holding up.
91% of targeted attacks between February and September of this year involved spear-phishing one or more people as an entry point to attacking their organizations. Notably, activist groups are a perhaps unexpected main target of this sort of thing.
At the end of the article there’s a neat link to a SANS post on doing ‘phishing assessments’ to see how well your co-workers (co-freedom fighters?) can spot and fend off a spear-phishing attack.
Lifehacking: I mentioned this earlier: matresses suck, at least in my experience. What about stuff like sleeping pads? Turns out hard floors are still where it’s at.
As an experiment I cut the foam traveling pad (must-have for frequent traveling, seriously) and switched to sleeping on a hard rug. All of a sudden the uncomfortable-back-syndrome endemic to long hours in front of the computer… vanished.
A few days of intensive computer work later and my back is still happier about being in front of a laptop all day than it’s been in ages… happier still then when I was working out of an Aeron chair with a proper desk.
“Spear phishing as a craft has improved tenfold over what it was a half-decade ago when messages were shady even to the untrained eye. The grammar in the messages was bad, the spelling even worse. Sometimes company logos were out of date, and messages just wouldn’t pass the smell test. Now it’s nigh impossible to sniff out phony messages from the real deal. Humans trust email as a platform, and that’s their first downfall, experts say.
“Most organizational management and security teams understand what spear phishing is. The problem is they do not know how, or do not have the time and resources, to teach people what phishing is and how to detect or defend against it,” said Lance Spitzner, a SANS Institute instructor and inventor of the honeypot. “As such, they continue to be highly vulnerable to spear phishing attacks.”
Spitzner is a big proponent of awareness training inside organizations, training them not only what phishing attacks look like, but what to do if they’re phished.
“Spear phishing works because people have not been trained on how to detect such attacks. Even if they do fall victim, if people can figure out after the fact they did something wrong and then report it right away, this is still a win,” Spitzner said. “If you teach people even the basics that email is an attack platform, and simple steps to detect common attacks, you can still have a dramatic impact.””