In phishing terms, whaling means applying phishing attacks to "big fish"--namely, corporate executives, public figures, celebrities, and, of course, very wealthy persons. We've been writing about phishing for our upcoming book lately (it's called Cyberheist: The biggest financial threat facing American businesses since the meltdown of 2008, in case you don't already know), and have just finished up our chapter on whaling.
In related discussions with industry analyst Scott Crawford (Managing Research Director at the Enterprise Management Group) we've had our eyes opened to certain other aspects of whaling that bear profound consideration and possibly also security coaching and remediation:
Maybe there's room for a new TV show? Something like "Security Scenarios for the Rich and Famous?" Nah! They'd never go for it. Once those details are set up and running, only those with a need to know will ever hear any details. John Q. Public (and his cousin, James P. Television) definitely do not have a need to know, no matter how curious they might be about such things.
Stu Sjouwerman
In related discussions with industry analyst Scott Crawford (Managing Research Director at the Enterprise Management Group) we've had our eyes opened to certain other aspects of whaling that bear profound consideration and possibly also security coaching and remediation:
- Just as cybercrooks will spend more time and energy crafting a tightly-targeted attack when pursuing big fish on a whaling expedition, they will do likewise after hooking a whale. Whereas typical phishing attacks are usually followed by a quick harvest (snatch-and-grab) of whatever is available for the taking, high-value targets will usually be subjected to an extended period of reconaissance and surveillance after being hooked so that thieves can get an idea of what kinds of assets their victims can access, and to observe their normal access patterns and behaviors. Then, they can milk their fish for some time without getting caught, rather than seeking a single big score.
- Working with executives, celebrities, public figures, and very wealthy individuals means dealing with people who are used to making their own rules and having their own way. It takes patience, perseverance, and a strong will to communicate with such people that security measures really are in their own best interests. Ditto for the idea that security is there for good, necessary, and sufficient reasons. As these people learn about the frequency, scope, and potential cost of such attacks, they're often more willing to cooperate with the security process, so that's the best place to start when seeking to address or remedy security issues with them.
- Whaling is a technique often employed against highly visible targets, so it's reasonable to expect that any or all of them will be subjected to attack at one time or another, if not on a constant basis. This often means setting up "bastion accounts" for such figures, that will be manned by well-trained professional assistants who understand the security side of their jobs, as well as all of the other dimensions they must cover. Private accounts are also the norm for these individuals who will need coaching and counseling on how and when to use them, and training on how and with whom to share information about such accounts with close friends, family, and trusted business associates. All other traffic should go only through bastion accounts, and be highly filtered before showing up in any inbox for human review and possible action.
Maybe there's room for a new TV show? Something like "Security Scenarios for the Rich and Famous?" Nah! They'd never go for it. Once those details are set up and running, only those with a need to know will ever hear any details. John Q. Public (and his cousin, James P. Television) definitely do not have a need to know, no matter how curious they might be about such things.
Stu Sjouwerman
