WASHINGTON–In a presentation at the Intelligence & National Security Summit, the director of the National Counterintelligence and Security Center (NCSC) announced a "new counterintelligence campaign" focused on reducing the potential security damage done by the Office of Personnel Management data breaches.
Called Know the Risk, Raise Your Shield, the campaign's opening salvo is a pair of spear-phishing awareness videos, urging people not to click on those links.
"There have been just over 500 breaches so far this year, some of which made the news," said NCSC Director Bill Evanina. "And 47 percent of adult Americans have been the victim of a breach in the last three years. That data is an opportunity for criminals, but it's also allowed foreign intelligence to collect information about government employees, contractors, and their families."
The Office of Personnel Management breach alone, he said, had exposed, by the latest count, the data of over 22 million people, including some who had merely applied for government employment or contract work in the last 10 years. "That puts them in a vulnerability bracket they've never been in before," Evanina said.
As part of the response to the breach, and in addition to the credit protection and other measures the OPM is offering victims, the NCSC is trying to prevent further breaches that would use information gleaned from OPM background investigation records and other stolen data.
"We need to be upfront about what we can do to help the victims of this breach and future victims," Evanina explained. And spear-phishing attacks are one of the most likely ways those victims would be targeted, both by criminals and by foreign adversaries seeking more intelligence data, as happened in the recent attack on the Joint Chiefs of Staff administrative e-mail network, which used faked e-mails from a bank used by many service members.
"91 percent of the breaches we've seen in the last few years have emanated from spearphishing," Evanina noted. "Our adversaries do not need to use sophisticated attacks—it all starts with e-mails."
The public awareness campaign is intended to help government employees, contractors, and just about anyone else "clean up their cyber regimen at home," Evanina explained before the crowd of intelligence professionals, defense and intelligence industry vendors, and contractors. "It's something we all need to do, [because spear phishing is] not going away. If just a few people don't click the link, it could prevent another huge breach in the future. If someone hadn't clicked on a link before, it could have kept a whole lot of [personal identifying information] from being stolen."
Evanina presented two videos from the program. The first, entitled "Don't be This Guy," shows a hapless man in a coffee shop clicking on a link in an e-mail purporting to be from a shopping site. A hacker springs into action and empties the man's bank accounts. These videos are worth sending to your users as part of an ongoing campaign to keep them on their toes with security top of mind:
VIDEO 1: https://youtu.be/imN09BdqYvY
The second video gives more of a call to action, explaining how just getting credit protection and changing passwords doesn't mean that victims of a breach can relax. "Anyone with an e-mail is a potential victim for an attack," the video's presenter warns, before giving some of the tell-tale signs of a phishing attack (a strange e-mail address, misspelled words, and English syntax problems).
VIDEO 2: https://youtu.be/X5P-VYxPNrk
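The "strange e-mail address" sign the video mentions is the one that can be checked mechanically. The script below is an added example for this page, not material from the NCSC campaign or from Ars Technica; it parses a raw message and flags a display name that borrows a trusted brand, a typo-squatted sender domain, a Reply-To that diverts replies elsewhere, and a link whose text names a trusted site while its href lands somewhere else (the pattern behind the faked bank e-mails described above). The trusted-domain list and both sample messages are constructed assumptions, not real senders.

```python
"""Heuristic triage of an e-mail for the 'strange e-mail address' sign of
spear phishing.  Added example for this page, not code from the NCSC
campaign or Ars Technica.  TRUSTED_DOMAINS and both sample messages are
constructed assumptions."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains this recipient legitimately expects mail and links from.
TRUSTED_DOMAINS = {"examplebank.com", "opm.gov"}

HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches look-alike domains such as examp1ebank."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Crude registrable domain: the last two labels (no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def lookalike_of(domain: str):
    """Trusted domain that `domain` imitates (edit distance 1 or 2), else None."""
    for t in TRUSTED_DOMAINS:
        if domain != t and 0 < edit_distance(domain, t) <= 2:
            return t
    return None


def text_body(msg) -> str:
    """Concatenate text/plain and text/html parts; walk() yields the message
    itself for a single-part message, so this handles both shapes."""
    out = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            out.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)


def triage(raw: str) -> list:
    """Return human-readable flags for the message; an empty list means nothing odd."""
    msg = message_from_string(raw)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = registered_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""

    # 1. Display name borrows a trusted brand, but the address lives elsewhere.
    for t in TRUSTED_DOMAINS:
        brand = t.split(".")[0]
        if brand in name.lower().replace(" ", "") and from_dom != t:
            flags.append(f"display name claims {brand!r} but sender is @{from_dom}")

    # 2. Sender domain is a typo-squat of a trusted domain.
    imitated = lookalike_of(from_dom)
    if imitated:
        flags.append(f"sender domain {from_dom} looks like {imitated}")

    # 3. Replies are silently routed to a different domain than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply:
        reply_dom = registered_domain(reply.rsplit("@", 1)[-1])
        if reply_dom != from_dom:
            flags.append(f"Reply-To goes to {reply_dom}, not {from_dom}")

    # 4. Link text names a trusted site but the href lands elsewhere, or the
    #    trusted name is buried as a subdomain of an untrusted host.
    for href, text in HREF_RE.findall(text_body(msg)):
        host = (urlparse(href).hostname or "").lower()
        if registered_domain(host) in TRUSTED_DOMAINS:
            continue
        if any(t in text.lower() or t in host for t in TRUSTED_DOMAINS):
            flags.append(f"link mentions a trusted site but goes to {host}")
    return flags


# Constructed sample: a faked bank notice in the style described in the article.
SAMPLE_PHISH = """From: "Example Bank Security" <alerts@examp1ebank.com>
Reply-To: verify@mail-secure-login.net
To: member@example.org
Subject: Action required: verify your account
Content-Type: text/html; charset=utf-8

<p>Your acount has been locked. Please <a href="http://examplebank.com.mail-secure-login.net/verify">
https://www.examplebank.com/login</a> to restore acess.</p>
"""

# Constructed sample: a legitimate statement notice from the same bank.
SAMPLE_LEGIT = """From: "Example Bank" <alerts@examplebank.com>
To: member@example.org
Subject: Your statement is ready
Content-Type: text/html; charset=utf-8

<p>Your statement is ready at <a href="https://www.examplebank.com/statements">examplebank.com</a>.</p>
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, triage(sample) or ["no flags"])
```

Each of the four checks is a heuristic, not proof: a legitimate mailing vendor will trip the Reply-To check, and a two-label registrable domain is wrong for suffixes such as `co.uk`, so in production use a public-suffix library and treat the flags as a reason to look harder rather than as a verdict.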
The Office of the Director of National Intelligence, of which the NCSC is a part, is pushing out materials for the campaign through its website and social media channels, in addition to providing pamphlets and the videos to every government agency. The ODNI and other agencies are already conducting spear-phishing tests on internal mail systems, in which fake attacks are sent to employees; those who click on the links aren't punished, Evanina said, other than being exposed to "public embarrassment."
"Awareness is the first part, but deterrence is important as well," he said.
The spear phishing awareness effort is the first part of a four-phase campaign. In October, NCSC will release materials on social media threats. In November, the awareness campaign will shift to "human targeting," the use of data to attempt to identify individuals for foreign intelligence to approach directly. (A poster for that phase warns, "Sometimes shared interests or chance meetings are more than a coincidence. New 'friends' may not be friends at all.") And in December, the Raise Your Shield program will turn its attention to travel risks for government employees.
It is loud and clear that new-school end-user education is a must. This type of training combines on-demand browser-based training with frequent simulated phishing attacks to keep users on their toes with security top of mind. Find out the cost of Kevin Mitnick Security Awareness Training for your organization and be pleasantly surprised.
This was cross-posted from Ars Technica with grateful acknowledgement.