Perhaps you saw the news last week. Three members of a Syrian hacker collective were charged in federal court. The criminal complaints cite multiple computer related conspiracies committed by Amad Umar Agha, Firas Dardar, and Peter Romar. They are charged with targeting Internet sites on behalf of the Syrian Electronic Army (SEA).
SEA collected usernames and passwords in supporting Syrian President Bashar al-Assad’s regime. The information was used to deface websites, redirect domains, steal e-mail, and hijack accounts. The SEA used "spear-phishing" to trick privileged users into compromising their systems.
The three were added to the FBI Cyber Most Wanted list. The Bureau is also offering $100,000 for information leading to an arrest. The announcement should put every enterprise and government agency on alert. Spear-phishing attacks are largely preventable. It requires training and developing security awareness. It also calls for strong passwords and a strong corporate password policy.
Spear Phishing Targets
Spear phishing hooks victims by improving the quality and relevancy of spoofs. It tricks targets with email they believe comes from a trusted source. The technique relies on identifying pools of people to target. Cyber criminals then go about collecting intelligence on their prospects. They seek information on where targets’ work, bank, web surf, and shop.
Users often suspect anonymous email from banks requesting, “account verification.” Yet, they may trust email appearing to come from their employers, doctors, and social networks. Spear phishing attempts to remove suspicion by mimicking ordinary communication.
The more innocent an email appears the more likely phishing will succeed.
Strong Password Policies and Controls
Enterprise protection begins with a strong corporate password policy. Basic questions to consider can make a difference. Questions like, how long are your passwords? How frequently should users change their passwords? Is multifactor authentication required for privileged users? The best security practices are futile if organizations lack password management controls.
Clearly, employees represent continuous points of vulnerability. Intentionally, your most sophisticated and trusted users are the targets. With state sponsored cyber attacks escalating, password policies must be agile too. They must enforce strong passwords, require regular updates, and leverage two-factor authentication.
Without enterprise password management controls, human error is inevitable. Just as alarming, security breaches often go undetected indefinitely.
Strong Password Policies Limit State Sponsored Attacks
The Cyberthreat Defense Report estimates half of security attacks leverage-stolen credentials. Most often, compromised user credentials were collected from sophisticated spear phishing. Enterprise password management establishes a frontline against government-sponsored phishing attacks.
Organizations must account for the human vulnerabilities exploited by state sponsored attacks. Administrators and users with privileged access must recognize they are targets. IT must counter human lapses that compromise security with tools and training.
When credentials are compromised, password management requiring multifactor authentication prevents unauthorized access. It adds additional security making breaches more difficult to pull off. After a breach occurs, password managers limit exposure by enforcing password updates. This scheduling limits the period of time for breaches to take place.
Companies must recognize they are targeted for a reason. Deterring state attacks starts with strong passwords and strong password policies.
Learn the Top 10 Password Management Best Practices for successful implementations from industry experts. Use this guide to sidestep the challenges that typically derail enterprise password management projects.