
BOOK REVIEW: Phishing in your own Backyard

This week I’ve been reading Kevin Mitnick’s classic book “Ghost in the Wires” on the recommendation of our Senior Director of IT. The book itself is an awesome read, though it’s fair to say the memoirs of Kevin’s social engineering attacks are chilling for anyone tasked with safeguarding patient data.

What’s truly amazing about Kevin’s exploits is that many of them still work today. All that is needed is a well-prepared con man who has taken the time to research your company so that he can present himself convincingly with the right story, and “hey presto” some percentage of your staff will give out their usernames and passwords without a second thought.

It really is that easy.

How do you protect against this kind of exploit? The simple answers are education and practice.

The education component should be carried out by your Chief Privacy Officer, with all staff attending regular training sessions as well as receiving reminders via email and placards on the walls. In essence, this is a hand-washing campaign: you are trying to encourage highly intelligent people to pay attention to one often-overlooked aspect of their behavior.

The practice component is best performed using an automated phishing tool that allows you to “set and forget” regular realistic attacks and collects information on staff who fall for the scam so that they can be retrained.

One great tool for setting up practice runs is KnowBe4. This tool allows you to create a fully automated phishing campaign in a matter of moments, then displays detailed statistics showing which users opened the email, who clicked on any links, replied to the email, downloaded an attachment, ran the attachment, and so on. The magic of this tool is its simplicity: it takes moments to set up and it produces realistic results that really make people think twice before they click.
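As an added illustration (not code from the post or from KnowBe4), the script below turns the kind of per-user event log such a tool collects into the two things the post says you need from it: who went far enough to require retraining, and how the campaign did overall. The event names, their severity ordering, the "clicked or worse" retraining threshold and the sample records are all constructed assumptions, not KnowBe4's real export format.

```python
from collections import Counter

# Severity ordering for the outcomes the post lists; a higher number is a
# worse result for the recipient. Ordering is an assumption for this example.
SEVERITY = {"delivered": 0, "opened": 1, "clicked": 2, "replied": 3,
            "downloaded": 4, "ran_attachment": 5}
RETRAIN_THRESHOLD = SEVERITY["clicked"]  # assumed policy: a click or worse

# Constructed sample event log as (user, action) pairs; not real data.
SAMPLE_EVENTS = [
    ("alice", "delivered"), ("alice", "opened"),
    ("bob", "delivered"), ("bob", "opened"), ("bob", "clicked"),
    ("carol", "delivered"), ("carol", "opened"), ("carol", "clicked"),
    ("carol", "downloaded"), ("carol", "ran_attachment"),
    ("dave", "delivered"),
    ("erin", "delivered"), ("erin", "opened"), ("erin", "replied"),
]

def worst_action_per_user(events):
    """Collapse a user's events to the single most severe action taken."""
    worst = {}
    for user, action in events:
        if action not in SEVERITY:
            raise ValueError(f"unknown action in event log: {action}")
        if user not in worst or SEVERITY[action] > SEVERITY[worst[user]]:
            worst[user] = action
    return worst

def retraining_list(events):
    """Users whose worst action reached the retraining threshold, sorted."""
    worst = worst_action_per_user(events)
    return sorted(u for u, a in worst.items()
                  if SEVERITY[a] >= RETRAIN_THRESHOLD)

def outcome_counts(events):
    """How many users ended the campaign at each worst-outcome stage."""
    return dict(Counter(worst_action_per_user(events).values()))

def compromise_rate(events):
    """Fraction of recipients who reached the threshold; the headline metric."""
    worst = worst_action_per_user(events)
    if not worst:
        return 0.0
    return len(retraining_list(events)) / len(worst)

if __name__ == "__main__":
    print("retrain:", retraining_list(SAMPLE_EVENTS))
    print("outcomes:", outcome_counts(SAMPLE_EVENTS))
    print(f"compromise rate: {compromise_rate(SAMPLE_EVENTS):.0%}")
```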

The third layer of defense is to engage a security company for at least an annual vulnerability assessment. I’m partial to a company called NopSec because their pentest team takes their mission very seriously and leaves no stone unturned.

There’s a lot more that can be said about phishing, but I want to leave you with one important message. Phishing in health care is analogous to infectious disease, and proper sanitary practices are the answer. When people start to think seriously about their habits and are appropriately trained and drilled in how to deal with this problem, the threat surface is greatly diminished.

Source: Healthcare Interoperability

