No Phishing!

Security is always an issue with IT – ever more so these days with the explosion of connectivity, mobile devices and so on. Organisations often test their IT security by arranging with a specialist company to carry out an external “penetration test”. Effectively, that’s asking a friend to see if they can get past the organisation’s security controls by exploiting any weaknesses. If they can, then they let the organisation know and it can then plug the weaknesses.

In the past, these specialist companies have focussed on the technological defences. Increasingly, however, they are looking at the softer weak points – i.e. people. One company I spoke with carries out tests on datacentre security – they might be asked to see if they can gain physical access to an organisation’s datacentre. For obvious reasons I won’t tell you how they might try to do this, but it’s designed to test how good the access and security protocols are in practice. On one occasion they did indeed manage to get into the datacentre – except it was the wrong one!

The other growing area is what they call a “social engineering” penetration test. To put it unkindly, this is to test how gullible the employees in an organisation are. You have probably all at some point seen an e-mail in your inbox offering you the chance to inherit somebody’s fortune if you can only help by supplying your bank account details. Or an e-mail from your bank telling you that there is a problem with your account and asking you to give them your password or PIN number so that they can check.

These e-mails are getting more and more sophisticated, and they steal branding and corporate images to make them look completely genuine at first glance. I have seen e-mails claiming to be from the RGU IT Help desk asking users to hand over their password so that their account can be reactivated, and these e-mails can look very convincing. Sometimes they ask for information, and sometimes they just try to coax you to click on a link for further information. That link, of course, will install some nasty software on your computer and from then on they can do anything – maybe steal confidential information (including any passwords you type in) or hijack your computer to get it to send out thousands of other e-mails to other people.

Have a look at the Wikipedia entry for more background.

I learned of one organisation recently where somebody thought one of these e-mails was genuine, clicked on the link, and before long their organisation had suffered a major security breach. These e-mails are therefore a real threat to security in any organisation, and not just a minor nuisance.

So remember:
– No legitimate organisation (internal or external) will EVER ask you to e-mail to them any confidential information, whether that’s a password, PIN number, date of birth or whatever.
– If you receive an e-mail that you were not expecting, and if it has a link to another web site, don’t click. Be very careful of unusual e-mails from people you know – especially if it’s little more than a link to some web site and a subject line saying “check this out”. It probably means their e-mail has been hacked and is being used to send out SPAM.
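The two reminders above, together with the earlier description of e-mails that pose as the IT help desk or carry nothing but a link, amount to a small checklist. As an added example (not code from this post or from the University’s IT Services), here is that checklist written as a triage routine run over a few constructed sample messages; the sender addresses, domains and URLs are all hypothetical placeholders, and `trusted_domains` is an assumed list of the organisation’s own mail domains.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages (not real e-mails). The first mimics a fake
# "IT Help Desk" reactivation request, the second a bare "check this out"
# link from a hijacked contact, the third an ordinary work message.
SAMPLE_MESSAGES = [
    {
        "subject": "Your account will be deactivated",
        "from": "IT Help Desk <helpdesk@example-university.ac.uk.evil-example.net>",
        "body": "Your mailbox is full. Reply with your username and password "
                "to reactivate your account.",
    },
    {
        "subject": "check this out",
        "from": "A Colleague <colleague@example.org>",
        "body": "http://example-bad-site.invalid/win",
    },
    {
        "subject": "Minutes of Tuesday's meeting",
        "from": "A Colleague <colleague@example.org>",
        "body": "Attached are the minutes; see section 3 for the action points.",
    },
]

# Terms the post says no legitimate organisation will ever ask for by e-mail.
CREDENTIAL_RE = re.compile(r"\b(password|pin number|pin|date of birth|bank account)\b")
URL_RE = re.compile(r"https?://\S+")
SENDER_DOMAIN_RE = re.compile(r"@([\w.-]+)")


def phishing_indicators(msg, trusted_domains=("example.org",)):
    """Return the list of warning signs present in one message.

    msg is a dict with "subject", "from" and "body" keys. trusted_domains is
    an assumed list of the organisation's own domains (hypothetical here).
    """
    reasons = []
    text = (msg["subject"] + " " + msg["body"]).lower()
    sender = msg["from"].lower()

    # 1. The message asks for confidential details.
    if CREDENTIAL_RE.search(text):
        reasons.append("asks for confidential details")

    # 2. It claims to be the IT help desk but is not sent from our own domain.
    m = SENDER_DOMAIN_RE.search(sender)
    sender_domain = m.group(1) if m else ""
    if any(tag in sender for tag in ("help desk", "helpdesk", "it services")):
        if sender_domain not in trusted_domains:
            reasons.append("claims to be IT help desk from untrusted domain")

    # 3. It is little more than a link, or the link points off-site.
    urls = URL_RE.findall(msg["body"])
    if urls:
        remaining_text = URL_RE.sub("", msg["body"]).strip()
        if len(remaining_text) < 20 or "check this out" in msg["subject"].lower():
            reasons.append("bare link with little or no explanatory text")
        if any((urlparse(u).hostname or "") not in trusted_domains for u in urls):
            reasons.append("link to an untrusted site")

    return reasons


def triage(messages, trusted_domains=("example.org",)):
    """Map each subject line to its list of indicators (empty means no flags)."""
    return {m["subject"]: phishing_indicators(m, trusted_domains) for m in messages}


if __name__ == "__main__":
    for subject, reasons in triage(SAMPLE_MESSAGES).items():
        verdict = "SUSPICIOUS" if reasons else "ok"
        print(f"{verdict:10} {subject!r}: {', '.join(reasons) or '-'}")
```

The rules are deliberately the same ones a person applies by eye: a request for a password or PIN, a help-desk name attached to an outside domain, and a link with nothing to explain it. The third sample message trips none of them, which is the check that matters as much as the other two, since a filter that flags legitimate mail gets ignored.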

So, what’s a “social engineering” penetration test? That’s when we agree with an external company that they can send into the organisation lots of “phishing” style e-mails and then see how many people get tricked into responding. That’s not to catch people out, but to help educate and test the level of awareness across the organisation. I might just look at that . . .


Chopped Pork and Ham

. . . otherwise of course known as SPAM. I was wondering today how SPAM came to be coined as a term for junk e-mail. As I suspected, it seems to go back to a Monty Python sketch from the 1970s – have a look at this article.

I guess that’s lost on the younger elements of our staff and student population but I remember singing the SPAM song. . .

What’s certainly not lost is junk e-mail. We all get the unwelcome e-mails in our inbox – many are offering a whole range of services and products, the nastier ones pretend to be a bank or other authority and are trying to persuade you to part with your PIN number and/or password. All this SPAM is at best a huge nuisance, and at worst a real security threat. What are we doing about this?

Fighting SPAM successfully is a constant battle. People who send SPAM are constantly changing their approach, and as one route gets shut down they find another. A bit like the malaria parasite – as soon as your body defences recognise it and attack it, it simply changes its coat. The trick is to stop all the undesirable e-mail getting through while making sure you don’t also block legitimate e-mail.

We use an external company for this – all our incoming mail goes through their service. There’s a good reason for that – an external company managing this for lots of organisations is better placed to spot bulk e-mail messages going to lots of organisations and block it.

It may interest you to know that in a typical month we receive 3.3 million e-mails into our University. 2.6 million of these are identified as SPAM and you never see them – that’s nearly 80% of all our e-mail. There are some that get through, but rest assured – they are a tiny fraction of the ones that are blocked.

Finally – just a reminder. If you receive any e-mail, from anyone, asking you for your PIN number, or password, or any other security details, NEVER reply. Just bin it. If it looks like it came from IT Services, it didn’t. If they offer a link to some web site where you can allegedly check or change your security details, DON’T CLICK.