My friend emailed me today and said that her company’s IT department was warning users about a phishing email circulating that supposedly came from IKEA. (This, by the way, is an example of a great IT department: they don’t rely on just technology – people and process are also part of their security solution. Kudos to them!)
Spam and phishing emails are so common these days that we tend not to be surprised by them anymore, let alone inspired by them. This time was different though. When I heard about this I mentally blurted out “how stupid, they (the bad guys) should have sent it a week ago when IKEA was having their year-end sale. It would have been much more believable then!” This got me thinking.
It became clear to me that while ‘good’ security requires a mixture of people, process and technology (i.e., defenders), ‘bad’ security (the stuff for effectively attacking systems/people) also requires a mix of people, process and technology (i.e., attackers). In other words, the success of an attacker or defender depends on their ability to exploit a weakness in the other’s strategy from the perspective of people, process and technology.
Let’s take the IKEA email as an example. The phisher’s strategy looked like this:
- People: None.
- Process: Traditional “click on this link to log in” scheme …
- Technology: Mass mailers, open mail relays
Now pit this strategy against my friend’s company IT department strategy:
- People: Education about email-based phishing attacks
- Process: Education on inspecting the provided login link to see if it is legitimate
- Technology: Spam and phishing filters
Technology versus technology, the phishers won because in this instance they were able to bypass the automated mail filters. However, the phishers lost on process versus process: my friend’s company’s education on how to inspect links for authenticity was able to uncover the phishing scheme. Even if the process side had failed, from a people versus people perspective my friend’s company would still win, because it would be their education on email-based phishing versus essentially no strategy from the phisher.
Now consider what happens if the phisher’s strategy looked like this:
- People: Send the email right after IKEA advertises on television or runs some major promotion, to establish context. Say “You may have seen our TV commercials …”
- Process: Inform the user that they can print some coupons for IKEA at some third-party website that is partnering with IKEA for the holiday season. At that site provide a fake coupon image (or even a copied real one) that can be printed, and indicate that they can take this coupon to a store, or click this link to log in and redeem it online right now.
- Technology: Mass mailers, open mail relays
We already know that the phishers can bypass the mail filters, so technology versus technology is out the door. Here’s where it becomes interesting. Process versus process, the phisher now has a better chance, because they are not asking the reader to click on a link to log in, just to go to some website to print out some coupons (who doesn’t love coupons?). My friend’s company may have only educated their employees on phishing attacks that want you to log in by clicking some link. (I highly doubt that this is the case, since they seem to be so proactive about security already, but let’s pretend for now.) Sure, the site wants you to click a link to log in, but this is a secondary action; you might even call it a ‘secondary phishing attack’. People versus people, the phisher now stands an even greater chance. By referencing something that someone may have seen on TV, they establish context. Context leads to trust, whereas a random email out of the blue raises eyebrows. It’s like an old girlfriend/boyfriend calling you out of the blue after 2-3 years of not talking. Your first reaction is “what do you want?”, versus someone you saw last week: “oh yeah, I remember you from last week …”.
So again, the success of an attacker or defender depends on their ability to exploit a weakness in the other’s strategy from the perspective of people, process and technology. Now this might not be new to some of you; you might even be thinking “well duh” or “welcome to the 21st century Kevin”, but I think this kind of formalization and frame comparison (technology versus technology, person versus person, …) has significant benefits. It’s basically a more formal way of looking at multi-layered security strategies.
I for one am inspired. What do you think?
–Kevin
2 Comments
Kevin, I couldn’t agree more with your comments. You wonder if we’re saying “duh” but as obvious as it may seem to most of us, the obvious unfortunately gets overlooked in many organizations.
People are the weakest link in my book.
Hey Loras, thanks for taking the time to reach out and share your thoughts. I am really glad that you get what I am trying to express here (I was getting worried about the lack of comments coming in for this post compared to others on this blog :P). You’re definitely right that it does seem obvious to the security folks (most of them at least), but most organizations don’t get it; then again, that’s the fun in it (helping organizations “get it”). Thanks again Loras!
–Kevin
2 Trackbacks/Pingbacks
[...] article came to that conclusion is what I found a little misleading, and if we go back to our framework for thinking about security in terms of people, process and technology I think there’s a very simple and valuable lesson here on how to quickly make sense of the [...]
[...] at the impactalabs blog, Kevin Lam comments about a company that sent an all-employee email warning users about an IKEA phishing/malware email. [...]