Inside the "Phishing Mindset" That Drives Cybercrime



I just read a fascinating interview with security maven Tim Rohrbaugh, VP for Information Security at Intersections Inc. Intersections, based in Chantilly, VA, provides branded and customized identity management solutions and services, with a special focus on protecting sensitive online information and activity. The interview appears on the www.bankinfosecurity.com website under the title “Phishing: E-mail Needs Authentication (Fight Against Phishing Requires More Consumer Vigilance).” A transcript of the complete interview is available on that site; it digs quite nicely into the structure and nature of phishing attacks, and into how they play on end-user and consumer ignorance or inattention.



Page 2 of the interview provides a nice discussion of how phishing attacks have evolved. Rohrbaugh describes the original “shotgun approach,” in which a single message is blasted out to a huge list of recipients, and contrasts it with the more evolved spear-phishing approach, in which attackers target specific individuals directly and with much greater accuracy, and correspondingly better success rates. He also makes the very valid point that phishing is all about stealing information, so you can count on attackers to use whatever techniques prove most successful in extracting it from victims: outright solicitation, drive-by malware installs, or anything else that works in prying identity and access data from unwitting or unwary e-mail recipients.



Rohrbaugh also makes some terrific observations about the insecure nature of e-mail:

No matter what we tell people, they still send sensitive information across e-mail. They believe, or at least many do, that this is a private communication between the people who are on that e-mail message. With e-mail, it’s not like they can lower their voices as if they were in person talking, or move away from other people who are within earshot. They’re communicating, most of the time, in clear text between mail servers and there are a lot of people who have an opportunity to reach that message, including the person on the other end who might not be the intended recipient.


All in all, this is an extremely informative and wide-ranging interview with somebody who obviously knows his subject matter very well, but who can also lay out issues, problems, and potential solutions in plain, everyday English. He also seems keenly aware that the banking and financial services industry needs to raise consumer awareness about information security topics and unsafe behaviors: “…I think really what we need to do as an industry is put together the correct tools, the visual indications, the notices, and let them react to it as they should … [to signs of phishing, identity theft, and other attacks].” In what could be a preamble to any good ISAT (Internet Security Awareness Training) materials, he concludes the interview as follows: “More and more, we’re transacting in this disassociated, non face-to-face world, and people need to be very cautious and they need to be critical of communication. They need to limit what information goes out instead of just sharing everything.”



Be sure to read this interview: you will definitely find it worth the time and effort involved. Alternatively, you can listen to the podcast from which the transcript was made.



Stu Sjouwerman