Information Security Blog

Why Are There 3 Billion Phishing Emails A Year?


…Because they work.

One of the most popular forms of social engineering assessment we perform is phishing. Phishing is an attempt to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Because the risk from phishing is often so high, testing against it is a good idea, which explains why it is the most common form of social engineering we do. I'm always a little surprised by how successful we are when we run a more sophisticated attack. A recent engagement in which we conducted a phishing attack as part of a broader due diligence effort for a merger in the pharmaceutical industry really illustrates the value of this type of test.

Our phishing attack was intended to capitalize on the fact that employees of the life sciences firm being acquired knew the merger was occurring. We created a replica of the life sciences company's website on a highly similar domain. Through social media we were able to identify email addresses for approximately 95 of the 120 employees. We spoofed an email from the HR Director directing employees to the website to review changes to the compensation plan necessitated by the merger. We intentionally did not send the email to 13 employees whom we felt would be most likely to identify it as fraudulent.

Of the 82 emails sent, 27 employees used their domain credentials to log into our spoofed website (these same credentials provided VPN access). This is consistent with other tests over the last few years where we have noted that for organizations without a Security Awareness Training program, ~33% of the employees can be phished successfully.
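The engagement above relied on a domain that looked almost identical to the target company's real one, with a spoofed display name on top. The following is an added example, not code from the original post or from Pivot Point, showing how a mail gateway or SIEM rule can flag such lookalike sender domains: it folds common look-alike characters (digit 1 for l, "rn" for "m"), ignores the top-level domain, and measures edit distance against the organization's own domain. The organization domain, the From: headers and the distance threshold are all constructed assumptions for illustration.

```python
from email.utils import parseaddr

# Hypothetical organization domain; every domain in this file is constructed.
ORG_DOMAIN = "example-lifesciences.com"

# Characters that pass for letters at a glance. Folding them before the
# distance check catches substitutions a reader would not notice.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def normalize(label: str) -> str:
    """Lower-case a domain label and fold common look-alike characters."""
    folded = label.lower().strip().translate(HOMOGLYPHS)
    return folded.replace("rn", "m").replace("vv", "w")


def registrable_label(domain: str) -> str:
    """Drop the last label (the TLD) so 'example.co' is compared as 'example'."""
    return domain.rsplit(".", 1)[0] if "." in domain else domain


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance between two strings (dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, org_domain: str = ORG_DOMAIN, max_distance: int = 2) -> str:
    """Return 'genuine', 'lookalike' or 'unrelated' for a sender domain."""
    if domain.lower() == org_domain.lower():
        return "genuine"
    distance = levenshtein(normalize(registrable_label(domain)),
                           normalize(registrable_label(org_domain)))
    return "lookalike" if distance <= max_distance else "unrelated"


def sender_domain(from_header: str) -> str:
    """Extract the domain from an RFC 5322 From: header value."""
    _, address = parseaddr(from_header)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


# Constructed From: headers in the style of the spoofed HR message.
CONSTRUCTED_FROM_HEADERS = [
    '"HR Director" <hr@example-lifesciences.com>',   # the real domain
    '"HR Director" <hr@examp1e-lifesciences.com>',   # digit 1 for letter l
    '"HR Director" <hr@exarnple-lifesciences.com>',  # "rn" standing in for "m"
    '"HR Director" <hr@example-lifesciences.co>',    # TLD with a letter dropped
    '"Newsletter" <news@mailer.example.net>',        # unrelated sender
]


def audit_headers(headers):
    """Map each From: header to (sender domain, verdict)."""
    return [(sender_domain(h), classify_domain(sender_domain(h))) for h in headers]


if __name__ == "__main__":
    for domain, verdict in audit_headers(CONSTRUCTED_FROM_HEADERS):
        print(f"{verdict:10s} {domain}")
```

A display name of "HR Director" carries no weight in this check; only the address domain is compared, which is the point: the name is the part the attacker controls for free. Subdomain tricks (the real name placed under an unrelated registered domain) are not covered by the distance check and need a separate rule.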

This particular test also generated an interesting spinoff: it revealed how poor the passwords were.

  • 5 of the passwords were the name of the company followed by a number (three were years, one was a birthdate or start date, and one was simply 1)
  • 4 of the passwords were the name of a child coupled with the child's birthdate or birth year
  • 2 of the passwords were the name of the local baseball team followed by a single number
  • 3 of the passwords were references to God followed by a single number

So the social engineering exercise pointed out another problem: poor password management. One of the challenges with Windows Active Directory is that it is not simple to enforce "not easily guessed" passwords, and most employees have a preference for "most easily remembered" passwords. If you suspect this is a problem in your environment, you may want to consider running a password audit. You can pick up a password cracking application and do it yourself, or you can hire a third party to do it.
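Active Directory's built-in complexity rule accepts every password in the list above, because each one has upper case, lower case and digits. What it cannot express is "the company name followed by a number". The following is an added example, not code from the original post or from Pivot Point, of a pattern audit that classifies passwords into the weak families the post describes (company name, a child's name, local team, religious reference, each with a numeric tail) so that an audit report can say how many credentials fall into each bucket. The same classifier can run as a custom check at password-set time. The company name, the word lists and the sample passwords are constructed for illustration; a real audit draws them from the organization's own context.

```python
import re
from collections import Counter

# Constructed word lists. In a real audit the company name, local team names and
# family names come from the organization's own context; these are made up.
COMPANY = "acmebio"                          # hypothetical company name
WORDLISTS = {
    "company name": {COMPANY},
    "child's name": {"emma", "liam", "olivia", "noah"},
    "local team": {"yankees", "mets"},
    "religious reference": {"god", "jesus", "blessed"},
}

YEAR_RE = re.compile(r"(19[5-9]\d|20[0-4]\d)")   # plausible birth or start years


def split_word_and_digits(password: str):
    """Split 'Acmebio2019' into ('acmebio', '2019'); return None if the shape differs."""
    match = re.fullmatch(r"([A-Za-z]+)(\d*)", password)
    if not match:
        return None
    return match.group(1).lower(), match.group(2)


def suffix_kind(digits: str) -> str:
    """Describe the numeric tail: single digit, year, date-like, other digits, or none."""
    if digits == "":
        return "none"
    if len(digits) == 1:
        return "single digit"
    if YEAR_RE.fullmatch(digits):
        return "year"
    if len(digits) in (6, 8):          # MMDDYY / MMDDYYYY shaped tails
        return "date-like"
    return "digits"


def classify_password(password: str):
    """Return (category, suffix kind) when the password matches a weak family, else None."""
    parts = split_word_and_digits(password)
    if parts is None:
        return None
    word, digits = parts
    for category, words in WORDLISTS.items():
        if word in words:
            return category, suffix_kind(digits)
    return None


def audit_passwords(passwords):
    """Count how many passwords fall into each weak (category, suffix kind) bucket."""
    counts = Counter()
    for password in passwords:
        counts[classify_password(password) or ("no weak pattern", "-")] += 1
    return counts


# Constructed sample modelled on the patterns listed in the post; none are real credentials.
CONSTRUCTED_PASSWORDS = [
    "AcmeBio2019", "Acmebio2021", "acmebio1", "AcmeBio03151998",
    "Emma2011", "Liam0704",
    "Yankees1", "Mets7",
    "God1", "Blessed9",
    "Tr0ub4dor&3", "correct-horse-battery",
]

if __name__ == "__main__":
    for (category, kind), n in sorted(audit_passwords(CONSTRUCTED_PASSWORDS).items()):
        print(f"{n:3d}  {category:20s} + {kind}")
```

The classifier is deliberately strict about shape (letters then digits), which is exactly the shape every example in the post has; extending it with leet-speak folding or a trailing symbol is a one-line change to the regular expression. Whatever the word lists contain, the useful output of the audit is the count per bucket, which is what you bring to the awareness-training and password-policy discussion.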




About the Author:

John Verry (CISA, 27001 Certified Lead Auditor, CCSE, CRISC) is Pivot Point's resident "Security Sherpa". He is lucky enough to spend most of his day helping clients develop a road map to address security, compliance, and attestation requirements.
