The importance of education in combating phishing attacks [Q&A]
It's usually the case that the weakest link in any security system is the human element. That's particularly true when it comes to phishing attacks. Hackers have become more creative in the social engineering methods they use to gain access to sensitive information.
A new service called LUCY aims to educate people and identify vulnerable endpoints by allowing businesses or individuals to simulate phishing attacks. We spoke to LUCY founder Oliver Muenchow to find out more about this approach.
BN: How big a problem is phishing?
OM: There have always been phishing attacks, but the number of attacks we see right now is at an all-time high. Hackers know that people make the easiest and most valuable targets. Criminals have learned the most efficient way to get information is sometimes simply just to ask. Many companies who felt their data was 'safe' are now feeling the financial impact of a security breach.
BN: What kind of attacks can LUCY simulate?
OM: Other than a typical phishing attack, which would generate a mail that redirects the user to a webpage, we can simulate more sophisticated customized attacks, also including malware simulations. Some recent examples, like the Sony hack or a group of modern-day bank robbers called the Carbanak gang, used essentially the same type of combination attack.
BN: Can the product also check for vulnerabilities that may already be on a network?
OM: Yes, LUCY can check for vulnerabilities on the network, system & application layer. This feature allows users to perform security checks without involving employees outside their own IT department. The portable security scanner we also include in LUCY basically acts as an advanced persistent threat (APT), replicating typical malware attack patterns -- reverse tunneling techniques, privilege escalation techniques, etc. -- but without harming your infrastructure. You will get the inside view of your security defence layers -- but from the point of a piece of potential malware.
BN: Is education a better approach than prevention where phishing is concerned?
OM: I think both are important. A company should aim to prevent malicious mails from getting delivered to the end user's inbox, but as this is not always possible, we turn to our people as they are the last line of defence. The awareness is only one part. Keeping your employees up to date about phishing threats while presenting the information in an educational manner is the key.
BN: Why did you choose to make LUCY free for smaller businesses?
OM: The idea behind a community version is that larger companies are able to perform some sample testing with LUCY. But that 100-user test model can of course fit the needs of smaller businesses as it stands.