Page 14 - Cyber Warnings
There are a lot of really obvious phishing attacks out there, and I think that’s what most people
think of when they hear “phishing.” But then they fall victim to one of the more sophisticated
phish, those with more polish and more compelling pretexts, and oftentimes they don’t even know it.
If your organization possesses high-value data and users who can get to that data, the
approach needs to be more along the lines of conditioning: users are exposed to
simulations of modern phish on a regular basis, learn from that experience, and stay
sharp without putting the organization at risk, kind of like developing muscle memory.
I also don’t think we realized the potential risk when we collectively decided to use email
addresses as usernames. In hindsight, it’s obvious this decision has made it easier for
cybercriminals. Sure, it’s more user-friendly, but the costs were unanticipated. We’ve basically
created ideal conditions for the mass theft of account credentials, which has profound security
and privacy implications for individuals, businesses, and governments.
We are now in a sad reality where, if you’re an online retailer, you have to assume that the
credentials for a large portion of your customer base can’t be trusted, because they have been
compromised through phishing attacks that didn’t even target you.
I don’t think that’s what most organizations and individuals signed up for when they agreed
to use their email address as their username. We should seriously consider whether this is
something we should continue to allow. Transitioning users to unique usernames instead of
email addresses would be painful in the short term, but doing so would have a huge impact on
the success cybercriminals currently enjoy.
About The Author
Mr. Joseph Opacki is the Vice President of Threat Research at
PhishLabs in Charleston, South Carolina, where he is responsible for
threat research, analysis, and intelligence. Prior to joining PhishLabs,
Mr. Opacki was the Senior Director of Global Research at iSIGHT
Partners and was also an Adjunct Professor at George Mason University,
where he taught malware reverse engineering in the Master of Computer
Forensics program.
Mr. Opacki has also participated in several industry advisory councils, including the
Cybersecurity Curriculum Advisory Council at the University of Maryland University College.
Prior to his career in the private sector, Mr. Opacki was the malware reverse engineering
Subject Matter Expert (SME) and a digital forensics specialist for the Federal Bureau of
Investigation.
Joseph can be reached online at [email protected], on Twitter at @josephopacki, and at our
company website http://www.phishlabs.com/
14 Cyber Warnings E-Magazine February 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide