
Archive for June, 2011

Taking the Guess Work Out of Spear Phishing Pentests

Tuesday, June 14th, 2011

RSA, Epsilon, ORNL, Sony, and countless others may have got you thinking: “Maybe we have a spear phishing problem.” You might be thinking you need to apply the classic IT security audit-assessment approach (test, then quantify) to understand the risk spear phishing presents to your organization.

To help companies better understand the importance of spear phishing penetration testing and the valuable education opportunities they provide an organization, PhishMe is hosting a webinar on July 7, 2011, Spear Phishing Pentests: A Wasted Opportunity. As PhishMe co-founder and CTO, I will be conducting the webinar and drawing on my years of experience to address the misconceptions of ethical-hacking-focused penetration testing, while outlining the best practices for conducting and assessing mock spear phishing attacks.

At PhishMe we focus on educating users on the best ways to protect themselves from the latest scams, helping them understand that regardless of how good an anti-virus solution or firewall is, phishing attacks are designed to get around them. Online criminals understand that the best way into a network is to get invited in, not scanning thousands of ports hoping for a crack in the armor. With nearly 2 million users trained, we have proven that proper use of mock phishing and targeted education campaigns can reduce an employee’s susceptibility to an attack by over 80 percent. This number increases even further with continued training.

If you are an organization that is thinking about performing a spear phishing penetration test, join me on July 7, 2011 to learn just how easily you can ensure your organization’s safety against the growing threat of spear phishing attacks. To register for the free webinar, please click here: Spear Phishing Pentests: A Wasted Opportunity.

Kindly,

Aaron Higbee, Co-Founder and CTO, PhishMe


Machines v/s Humans: Who Do You Think Is More Intelligent?

Thursday, June 9th, 2011

As the barrage of security breaches continues, Citigroup is the latest victim. This eWeek article, http://www.eweek.com/c/a/Security/Citigroup-Credit-Card-Portal-Breach-Compromises-200000-Customers-461930/, discusses the potential impact of this attack. One of the commentators brings up the topic of phishing. Hannigan, the CEO of Q1 Labs, rightly points out that “Security trust means more than just making sure you’re in compliance with regulations.” On the other hand, some of the quotes, like that from Anup Ghosh, co-founder of Invincea, have a blatant technology-solution vendor bias. He discounts human intelligence when referring to customers in this quote: “it’s not reasonable to expect them to differentiate spear phishing attacks”. So technology can differentiate these attacks but humans can’t? The claim is baseless.

Having trained in excess of 1.8 million people using PhishMe, I can confidently say that training works! It’s how you train people that matters. Invincea has a solution to protect against malicious PDFs and one to isolate the browser to protect against malware, I guess. Even if we assume that they provide 100% protection in these domains, what about malicious files in other formats (.docx, .xlsx, .chm, and the list goes on)? How long do you think it would take one of my Intrepidus Group consultants to craft an attachment that would squeak past Invincea’s solution? (Hint: not very long.)

What about targeted attacks that solicit sensitive information? Sweeping claims by vendors are a disservice to our industry. The false sense of security they create by offering a solution that relies on a single approach or technology does more harm than good. Their customers feel at ease and think that the targeted phishing problem is solved by that shiny box with blinky lights. There is no panacea. Defending against spear phishing needs a multi-pronged approach: education/training, technology at the mail server, technology at the endpoint… and even then the bad guys may succeed; but you’ve raised the bar!