If the latest news we’ve been reporting here on our TechGenix site is any indication, phishing attacks are on the rise everywhere. They are also getting more ingenious and harder to defend a business against, so good advice on how to deal with them is always welcome. And that’s exactly the kind of nugget I found in a new book I read recently titled “Protecting Information Assets and IT Infrastructure in the Cloud” (CRC Press, 2019). This useful book by Ravi Das and Preston de Guise focuses on cloud computing environments like Amazon Web Services (AWS) that are increasingly popular with today’s businesses, and on how to protect these environments from all kinds of attacks. The attacks faced nowadays by companies and organizations that use AWS or other cloud services are manifold and include ransomware, spear phishing, SQL injection, cross-site scripting, spyware, insider threats, and much more.
One type of threat frequently encountered by businesses is the phishing attack, in which a malicious actor impersonates a trusted party to trick a user into handing over credentials, opening malicious content, or otherwise giving access to sensitive business data like financial records and to personal information belonging to employees. Regardless of whether your company’s infrastructure is maintained locally or kept in the cloud, it is vulnerable to this kind of attack, because the target is the user rather than the platform. Phishing usually employs email messages as its delivery vector, but the same lure works over the other collaboration channels now vying to replace email in business environments, such as SMS messaging (where it is often called smishing), shared workspaces, and social media, and attacks over these channels are already being seen. And while in the past most phishing attacks involved sending mass emails in the hope that some careless user would open a malicious attachment or divulge some bit of sensitive information, a rising trend in the last few years has been spear phishing, where specific individuals or groups in the organization are targeted with messages tailored to them.
The key strategic step your business needs to take to prepare for the inevitability of these kinds of attacks is to develop a proper incident response plan before such attacks happen. Incident response planning involves a combination of policies, practices and personnel that provide your business with a kind of playbook that can be walked through step by step when an incident occurs at your company. A good plan also feeds back into prevention, since the lessons learned from each incident harden the organization against the next one, though the primary purpose of such a plan is to limit the damage once an attack has taken place.
Incident response planning for phishing attacks is one area where Ravi and Preston provide some excellent guidance in their book. In chapter 3 (Risks to Cloud Infrastructure and Risk Mitigation Strategies), they outline the following five-step procedure for enabling your organization to respond effectively to a phishing incident.
The first stage is detection, where an employee has spotted what may be a phishing email or other attempt at harvesting data from your organization. Employees need to be instructed on how to recognize suspicious messages from such things as the sender’s email address (does the display name match the actual address, and is the domain the real one or a lookalike?), the subject line (is it manufacturing urgency or fear?), the topic and style of writing in the message body, the presence of an unusual or unsolicited attachment, the presence of suspicious links (does the visible link text match where the link really goes?), and so on. One great tip the authors present is to make sure your support team has set up an isolated workstation dedicated to examining possible phishing messages, where suspicious attachments and links can be opened to determine whether the emails are valid or malicious in intent. To be genuinely safe, that workstation should not be joined to the corporate domain or reachable from the corporate network, should hold no real credentials, and should be reimaged or reverted to a clean snapshot after each use, since its whole purpose is to be the one place where malware is allowed to run.
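To make those indicators concrete, here is a small Python triage script (example code written for this review, not from the book) that applies them to a raw message: it compares the display name with the actual sender address, checks the sender and link domains for lookalikes of the organization’s own domain, flags a Reply-To that differs from the sender, scans the subject for pressure language, compares each link’s visible text with its real destination, and lists attachments of risky types. The organization domain, the keyword and extension lists, and the sample message are all constructed for the demonstration; tune the lists to your own environment.

```python
"""Heuristic phishing triage for a raw RFC 5322 message (example code, not from the book)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"  # hypothetical organization domain; set to your own
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".hta", ".scr", ".iso", ".lnk",
                    ".docm", ".xlsm", ".html", ".htm"}  # rarely arrive unsolicited for a good reason
URGENCY_PHRASES = ("urgent", "immediately", "suspended", "verify your account", "within 24 hours")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude registrable-domain approximation (last two labels); enough for triage."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_lookalike(domain: str) -> bool:
    """True for a domain that is close to, but not equal to, the organization's domain."""
    d = registrable(domain)
    return d != ORG_DOMAIN and edit_distance(d, ORG_DOMAIN) <= 2


class _Links(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw: bytes) -> list[str]:
    """Return the list of phishing indicators found in a raw message (empty if none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2]
    # The display name claims one address while the real sender is another.
    claimed = re.search(r"[\w.+-]+@([\w.-]+)", name)
    if claimed and registrable(claimed.group(1)) != registrable(from_domain):
        findings.append(f"display name claims {claimed.group(0)} but sender is {addr}")
    if is_lookalike(from_domain):
        findings.append(f"sender domain {from_domain} is a lookalike of {ORG_DOMAIN}")
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and registrable(reply_to.rpartition("@")[2]) != registrable(from_domain):
        findings.append(f"Reply-To {reply_to} differs from From domain {from_domain}")
    hits = [p for p in URGENCY_PHRASES if p in str(msg.get("Subject", "")).lower()]
    if hits:
        findings.append(f"subject uses pressure language: {', '.join(hits)}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = _Links()
        parser.feed(body.get_content())
        for href, text in parser.pairs:
            host = urlparse(href).hostname or ""
            shown = re.search(r"([\w-]+\.)+[a-z]{2,}", text.lower())  # a domain in the link text
            if shown and registrable(shown.group(0)) != registrable(host):
                findings.append(f"link text shows {shown.group(0)} but points to {host}")
            elif is_lookalike(host):
                findings.append(f"link host {host} is a lookalike of {ORG_DOMAIN}")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        ext = "." + fname.rpartition(".")[2].lower() if "." in fname else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment {fname} has a risky type ({ext})")
    return findings


# Constructed sample message for the demonstration (not a real phishing email).
SAMPLE = b"""From: "IT Helpdesk <helpdesk@example.com>" <alerts@examp1e.com>
Reply-To: recovery@mail-secure.net
To: alice@example.com
Subject: URGENT: your account will be suspended
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Please <a href="http://login.examp1e.com/reset">https://portal.example.com</a> now.</p></body></html>
--b1
Content-Type: application/octet-stream; name="invoice.html"
Content-Disposition: attachment; filename="invoice.html"

PGh0bWw+
--b1--
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("-", finding)
```

Run against the sample, the script reports six indicators (display-name mismatch, lookalike sender domain, divergent Reply-To, pressure language, link text that does not match its destination, and an HTML attachment). None of these checks is proof on its own, and a polished spear-phishing message may trip none of them, so treat the output as a prompt for the human review the authors describe, not as a verdict.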
The third stage of your incident response plan involves careful examination of the phishing message by your IT department, along with an assessment of the impact that has already occurred, if any: which mailboxes received the message, who opened it or clicked its links, whether anyone entered credentials or ran an attachment, and what those accounts and systems have access to. The authors get into the technical details of this in their book, so I won’t describe them here but simply recommend you read what they have to say on the subject.
Remediation is where the fun starts, because it involves taking concrete steps to contain the damage and minimize the impact the attack has had on your business, and to ward off any further impact. Depending upon the results of your investigation, possible steps include changing the passwords and even the user names of employees affected by the attack; changing login credentials or even resource identifiers for corporate network resources that have been compromised; refreshing workstations and performing remote wipes of mobile devices involved in the incident; and so on. One check worth adding to any password reset: also revoke the affected accounts’ active sessions and tokens, and look for mail-forwarding rules or application consents the attacker may have added, since a new password alone does not log out an attacker who already holds a valid session.
There’s one final step that your incident response team should take once the effects of a phishing attack have been remediated, and that is to do whatever can be done to prevent the same kind of attack from succeeding again in the future. While user education is a key pillar here, sometimes it’s best to bring in outside help from cybersecurity consultants who can review the incident and your response plan and then provide you with actionable steps you can take to improve the security posture of your organization. Ravi and Preston go into some detail concerning this stage in their book, and I highly recommend that those involved in safeguarding your business or organization against cyberattacks of all kinds get a copy of their book and go through it carefully to ensure your company is prepared for the inevitable attacks. And while the book is particularly oriented towards the security of businesses using the cloud (and Amazon’s cloud in particular), much of it provides practical cybersecurity advice for all kinds of business and technical environments.