How I Will Phish You

Limit your organization’s blast radius to protect against phishing, ransomware, and carelessness.



October is National Cybersecurity Awareness Month (NCSAM), as designated by the U.S. Department of Homeland Security. This year, as the U.S. Department of Homeland Security website details, the focus is on "Do Your Part. #BeCyberSmart."

Rob Chapman, Director of Security Architecture at Cybera, offered the following thoughts on cybersecurity.

"I asked a colleague once if he would be willing to speak to our IT department at a lunch and learn event. He was a security professional that was hired to hack companies. He readily agreed and promptly showed up with one of the most memorable presentations I've seen. The presentation was simply titled, ‘How I Will Phish You.’ It wasn't a question of if he would be successful. It was simply understood he would be. He wouldn't get everyone, but he would get some -- and that was all that mattered.

What was remarkable about his presentation was that it wasn't a story of how he used super-computer hacking skills to tackle exotic computer programming issues. Rather, it was a story of how people over the last 15 years have become so desensitized to putting personal information online for free that it was simply the easiest way to attack companies. His job gets easier each and every year simply because the hardest part of securing our personal and work lives depends on the weakest security facet we face: people. We've been playing to lose.

Since the mainstreaming of computers in the workplace I can't think of a single time when someone's online behavior impacted a company's security posture as much as it does today. It's a tough landscape to navigate. You can warn your colleagues, but at the end of the day there's only so much reasonable reach you can have with company policy.

It's easy to think this is just a matter of personal responsibility, but I think people give themselves too much credit for independent thinking and action in the face of aggressive marketing efforts to solicit personal/confidential information from them. There's no barometer for what to share. No intuition. Billions are spent each year building algorithms designed to attract this exact kind of oversharing. Each social media platform for work and life wants to know where I am, where I've been, my relationship status, my work status, where I've eaten, what I like, who I vote for, and on and on. We're rewarded with faster connections online and platforms that cater ever more carefully to what we desire. The most insidious part is that it's become so automatic that we don't even stop to ask, 'Is this really a good idea?'"

Rob offers the following advice:

"The best advice I can offer is this. Limit your organization's blast radius. Limiting blast radius is something we don't talk as much about, but it's probably one of the most important architectural efforts you can make. It starts simply with the question, 'If the worst happens, how can I minimize the impact?'

Here are a few things that can be done to limit the blast radius of the potential damage your employees can cause, whether it's phishing, ransomware, or simple carelessness:

  1. Enable multi-factor authentication on everything.

  2. Remove unnecessary admin rights.

  3. Design your networks to limit access to only what's needed.

  4. Plan for the worst and practice your plan. Tabletop exercises can reveal gaps that are easy to fix before the real thing gets you."


Drop Me a Line, Let Me Know What You Think

© 2020 by Tom Smith | ctsmithiii@gmail.com | @ctsmithiii