BOOK REVIEW: Phishing in your own Backyard

This week I’ve been reading Kevin Mitnick’s classic book “Ghost in the Wires” on the recommendation of our Senior Director of IT. The book itself is an awesome read, though it’s fair to say the memoirs of Kevin’s social engineering attacks are chilling for anyone tasked with safeguarding patient data.

What’s truly amazing about Kevin’s exploits is that many of them still work today. All that is needed is a well-prepared con-man who has taken the time to research your company so that they can present themselves correctly with the right story, and “hey presto” some percentage of your staff will give out their usernames and passwords without a second thought.

It really is that easy.

How do you protect against this kind of exploit? The simple answers are education and practice.

The education component should be carried out by your Chief Privacy Officer with all staff attending regular training sessions, as well as receiving reminders via email and placards on the walls. In essence, this is a hand washing campaign where you are trying to encourage highly intelligent people to pay attention to one often overlooked aspect of their behavior.

The practice component is best performed using an automated phishing tool that allows you to “set and forget” regular realistic attacks and collects information on staff who fall for the scam so that they can be retrained.

One great tool for setting up practice runs is KnowBe4. This tool allows you to create a fully automated phishing campaign in a matter of moments, then displays detailed statistics showing which users opened the email, who clicked on any links, replied to the email, downloaded an attachment, ran the attachment, and so on. The magic of this tool is its simplicity – it takes moments to setup and it produces realistic results that really make people think twice before they click.

The third layer of defense is to engage a security company for at least an annual vulnerability assessment. I’m preferential to a company called NopSec because their pentest team takes their mission very seriously and leaves no stone unturned.

There’s a lot more that can be said about phishing, but I want to leave you with one important message. Phishing in health care is analogous to infectious disease. Proper sanitary practices are the answer. When people start to think about their habits seriously and are appropriately trained and drilled in how to deal with this problem the threat surface is greatly diminished.

Source: Healthcare Interoperability

Topics: Social Engineering, Speaking Engagements, usernames, vulnerability assessment, Global Ghost Team, penetration testing, email, Password Management, safeguarding data, security awareness training, IT, automated phishing tool, Ghost in the Wires, Kevin Mitnick, NopSec

Latest Posts

Kevin offers three excellent presentations, two are based on his best-selling books. His presentations are akin to technology magic shows that educate and inform while keeping people on the edge of their seats. He offers expert commentary on issues related to information security and increases “security awareness.”

6 Types of Social Engineering Attacks and How to Prevent Them

Social engineering attacks account for a massive portion of all cyber-attacks.

Read more ›

What You Get When You Invest in Social Engineering Testing with Mitnick Security

When testing your employees' social engineering readiness, your teams need simulated attacks that feel as if they’re coming from a nefarious engineer...

Read more ›

Mitnick Security: Ransomware Awareness Training

Ransomware is a type of malware that prevents accessibility to either a single computer or an entire network until a ransom is paid. This can result i..

Read more ›
tech-texture-bg