622 Chapter 11 • Operational and Organizational Security: Incident Response
Phishing
A variation of social engineering is phishing, or phising, in which a hacker uses e-mail to acquire information from the recipient. Because the hacker is fishing for information using the e-mail as bait, and hackers replaced “f” with “ph,” the term phishing was born. A hacker will send e-mail to groups of people, posing as some authoritative source, and request the recipient to provide specific information. This may be a single department, the entire company, or (most often) sent as spam across the Internet. For example, common e-mails on the Internet pose as banks or companies like eBay, and request that people fill out a Hypertext Markup Language (HTML) form or visit a Web site to confirm their account information. The form asks for personal and credit card information, which can then be used to steal the person’s identity. The same technique can be used to pose as network administrators, human resources, or other departments of a company, and request the recipient to confirm information stored in various systems. For example, it could ask them to provide their employment information (i.e., name, position, department, Social Security number, and so forth), business information (i.e., business accounts, credit card numbers, and so forth), or network information like usernames and passwords. While many people are educated in this technique, it succeeds because, out of the sheer number of people that are contacted, someone will eventually fall for the trick.
Phishing is particularly effective in business environments because, unlike banks or companies that don’t use e-mail to collect information over the Internet, businesses may actually contact departments through internal e-mail to acquire information. For example, Finance departments have requested that other departments provide information about their purchase accounts, credit cards, and other information, while Human Resource departments have requested updated information on employees. Because it takes knowledge to read the Multipurpose Internet Mail Extensions (MIME) information and identify whether e-mail was sent internally or externally, a member of a department may be easily duped by phishing. To prevent such problems, it is important to educate users and implement policies that specify how such information is to be collected. This may include stages, such as sending out internal e-mails stating that on a specific date, a request for such information will be sent out. It is equally important that measures be taken to inform users what information is never requested, such as passwords.
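The header check the text says most users cannot do by hand can be automated on the mail gateway. The following is an added example, not from the book: it reads the Received chain of a message and flags mail whose From address claims the internal domain while the earliest hop came from outside the internal networks. The domain `corp.example`, the 10.0.0.0/8 range, and both sample messages are constructed for the example.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Assumed for this example: the organisation's own mail domain and the
# address range its mail servers and workstations sit in.
INTERNAL_DOMAIN = "corp.example"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample: From claims the internal HR address, but the earliest
# Received header shows the message entering from an outside host.
SPOOFED = """\
Received: from mail.corp.example (mail.corp.example [10.0.0.5])
    by mx.corp.example with ESMTP id AB12; Mon, 1 Jan 2007 09:00:00 -0500
Received: from unknown (HELO smtp.bad-host.example) (198.51.100.23)
    by mail.corp.example with SMTP; Mon, 1 Jan 2007 08:59:58 -0500
From: "Human Resources" <hr@corp.example>
To: employee@corp.example
Subject: Please confirm your employment information
"""

# Constructed sample: a genuine internal request; the first hop is a workstation.
GENUINE = """\
Received: from ws-finance-12.corp.example (ws-finance-12.corp.example [10.0.4.12])
    by mail.corp.example with ESMTP id CD34; Mon, 1 Jan 2007 10:00:00 -0500
From: "Finance" <finance@corp.example>
To: employee@corp.example
Subject: Purchase account review
"""

def origin_ip(raw):
    """IP of the host that first handed the message to a mail server: the
    bottom-most Received header is the earliest hop (each server prepends)."""
    received = email.message_from_string(raw).get_all("Received") or []
    match = IP_RE.search(received[-1]) if received else None
    return ipaddress.ip_address(match.group(1)) if match else None

def sender_domain(raw):
    _, addr = parseaddr(email.message_from_string(raw).get("From", ""))
    return addr.rpartition("@")[2].lower()

def looks_like_internal_spoof(raw):
    """True when From claims the internal domain but the earliest hop is
    unknown or outside INTERNAL_NETS, so a bare forged From is flagged too."""
    ip = origin_ip(raw)
    inside = ip is not None and any(ip in net for net in INTERNAL_NETS)
    return sender_domain(raw) == INTERNAL_DOMAIN and not inside
```

The check is a heuristic: Received headers added by a trusted server are reliable, but an attacker can insert fake ones below them, so only hops recorded by your own servers should be trusted.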
Environment
Even with educated users and all critical systems locked behind closed doors,
equipment and data are still at risk if the environment beyond those locked doors is
www.syngress.com