The Cyber Stars Initiative is an International Scheme aimed at increasing Cyber Security Awareness in business through the achievement of nationally recognised qualifications.
What is Whaling?
Whaling is the term given to the deliberate and malicious targeting of senior company employees and executives with a well crafted phishing email. Why go for the ‘little phish’ when you can target the ‘big phish’? Hence the term Whaling.
What does a Whaling email look like?
More often than not these emails will look legitimate. Significant time and effort will be taken to ensure that the emails do not immediately appear suspicious. We all remember the Nigerian lottery scams, in which emails loaded with poor English and grammar were sent to multiple addresses identifiable on the same email. Such unsophisticated attacks are becoming a thing of the past.
Whale Phishing requires a greater level of thought and deliberate research into the target of the attack. The attacker, using Social Engineering techniques, will target freely available information online. This could be your very own company website with breaking news regarding a merger, partnership or acquisition. Ask yourself, does your company website also detail, in full, the email addresses of its employees, including executive staff? If so, an attacker can gather all of the information that they require far more easily. Information can also be drawn from a variety of Social Networking Sites (SNS), including professional networking sites. All of this information, pieced together, will give an attacker a detailed character profile, ensuring that they are perfectly positioned to create the ‘whaling’ email.
There are subtle differences between a Whale and a Spear Phishing email. A spear-phishing email will often request that a target individual either open an attached document, or click on a link to a compromised website. Both of these attack techniques make use of a “malicious software payload”. A Whaling email is subtly different: Whaling relies purely on Social Engineering principles, so there will usually be no document to open or link to click. Sources identify that Domain Spoofing is the more popular technique and accounts for almost 70% of Whaling attacks. A spoofed domain (a website/email address that closely resembles your company’s existing domain name(s)) is a powerful tool, as the email will appear to have come from a legitimate source. So when an urgent financial transfer request comes in from Accounts and is addressed to you personally, from an email address that looks genuine, why would you not action it? When you receive an email that appears to be from a legitimate employee working within Audit, requesting that you confirm your company credit card details, would you provide them?
You may now be thinking, of course not.
Yet the reality is that many do. Whale Phishing is a growing threat because of its level of success. In an environment where an individual is under time pressure, they are less likely to scrutinise the detail of an email that appears to be legitimate. Whilst companies spend thousands on physical cyber security, cyber security awareness for company employees is often neglected. Threats may be highlighted, yet a culture exists in which cyber security is “not my problem”. Companies must invest in effective cyber security awareness at all levels and ensure return on that investment by measuring the increased levels of competence.
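The spoofed-domain technique described above can be checked for mechanically on incoming mail. The following is an added example, not code from the original article or from Intqual-Pro: it classifies a From: header as internal, look-alike or external by normalising visually confusable characters and measuring how close the sender's registrable domain is to the company's own. COMPANY_DOMAIN and the sample headers are constructed placeholders.

```python
# Added example (not from the original article): classify a From: header against
# the company's own domain to flag look-alike (spoofed) domains. COMPANY_DOMAIN and
# the sample headers are constructed placeholders.
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"  # assumed legitimate domain (placeholder)
MAX_EDITS = 2                        # edits within which a domain counts as look-alike

# Substitutions attackers use so a domain reads the same at a glance.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def normalise(domain: str) -> str:
    """Lower-case and collapse visually confusable characters."""
    d = domain.lower().translate(_CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header: str, company_domain: str = COMPANY_DOMAIN) -> str:
    """Return 'internal', 'lookalike', 'external' or 'invalid' for a From: header."""
    _, address = parseaddr(from_header)
    if "@" not in address:
        return "invalid"
    domain = address.rsplit("@", 1)[1].lower().rstrip(".")
    if domain == company_domain or domain.endswith("." + company_domain):
        return "internal"
    # Company domain used as a leading label of an attacker-controlled domain.
    if domain.startswith(company_domain + "."):
        return "lookalike"
    # Compare the registrable part (last two labels) after normalising confusables.
    registrable = ".".join(domain.split(".")[-2:])
    if edit_distance(normalise(registrable), normalise(company_domain)) <= MAX_EDITS:
        return "lookalike"
    return "external"

if __name__ == "__main__":
    # Constructed sample From: headers, one per outcome.
    for hdr in ["Accounts <accounts@example-corp.com>", "Accounts <accounts@examp1e-corp.com>",
                "Audit <audit@example-corp.com.mail-relay.net>", "Supplier <sales@unrelated-vendor.org>"]:
        print(f"{classify_sender(hdr):10} {hdr}")
```

This is a heuristic on the visible sender address only; it complements, rather than replaces, authentication checks such as SPF, DKIM and DMARC at the mail gateway.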
What is an attacker hoping for?
A spear-phish will target your company data and/or your systems and networks. A Whale-phish may sometimes target these, but in most cases the attacker is seeking direct financial gain from company assets. In short, they want to persuade you to share private financial information. In some cases, attackers have persuaded senior executives to authorise financial transfers directly to criminal-owned bank accounts.
Is my organisation at risk? What are the potential consequences of a breach?
Every organisation that operates within the cyber domain should consider themselves at risk. UK Government research suggests that, in 2014, 74% of small and 90% of large businesses suffered a cyber security breach.
What are the consequences of experiencing a Whale-Phish breach? Firstly there are the financial considerations; many breach examples reach into the millions. How would the business cope with such a loss? What would be the reaction of company shareholders and customers? Secondly you may need to manage the loss of company data, intellectual property and trade secrets, a crippled company website and, of course, stolen customer data. Notwithstanding potential repercussions from organisations such as the Information Commissioner’s Office (ICO), how would you handle the impact?
How does my organisation protect against Whaling attacks?
As with most cyber security risks, Whale-Phishing can be mitigated by displaying vigilance and enforcing an effective workforce awareness strategy. Through education comes ownership and vigilance. If all levels of a workforce are aware of the risk and confident in spotting the indicators then you are well placed to identify, report and mitigate future attacks. The human firewall, in any security chain, is almost exclusively the weakest link. By educating your people you are investing in your organisation’s long-term cyber security.
How can Cyber Stars Help?
The Cyber Stars initiative is aimed at increasing cyber security awareness across all areas of your organisation to ensure a holistic and effectively implemented cyber security strategy. We seek to identify and qualify nominated ‘Cyber Stars’ from every department of your organisation, who will then have the knowledge and confidence to fulfil a cyber security representative role. By opting for a nationally recognised qualification, rather than an attendance-based programme, an employer can be sure that each and every attendee has achieved a nationally recognised standard. This gives confidence that a Cyber Star can implement the policy and act as a mentor for others. On completion of their qualification Cyber Stars will also have access to a Cyber Security Information Platform, providing an opportunity to identify the most recent and relevant risks to your organisation.
Intqual-Pro deliver the only all-inclusive, one day, Cyber Security Awareness for Business training package that is attached to a nationally recognised vocational qualification. Delivered by our cyber security subject matter experts, experienced across cyber departments within UK Government and the MoD, this investment will ensure that sufficient cyber security knowledge exists within all areas of your business. With this knowledge your ‘Cyber Stars’ will be ideally placed to provide the effective application, encouragement and promotion of your cyber security strategy, ensuring that your organisation is best placed to meet both the current and emerging threats within cyberspace.
Should I consider Cyber Stars training for my organisation? What can a Cyber Star do?
By enrolling your employees on Cyber Stars training you are not only offering them an excellent professional development opportunity; you are also encouraging them to take responsibility for cyber security implementation, awareness and vigilance within your organisation. Through the achievement of a nationally recognised qualification in Cyber Security Awareness a Cyber Star can:
- Identify current cyber risks specific to your business (including Whale-Phishing and other Social Engineering attacks).
- Educate fellow colleagues on a range of cyber security issues to include access management, end point security and the safe use of social media.
- Identify security risks specific to WiFi zones and their usage.
- Assist in the implementation of effective incident response procedures (reporting).
- Ensure that colleagues are updated with latest cyber security legislation and best practice.
- Act as a point of contact for the implementation of safe mobile and home working policies.
- Provide a business wide network of cyber security knowledge to ensure both EU and ISO27001 compliance.
by Dean Chapman
Intqual-pro – Cyber Security Lead