BOOK REVIEW: Phishing in your own Backyard

This week I’ve been reading Kevin Mitnick’s classic book “Ghost in the Wires” on the recommendation of our Senior Director of IT. The book itself is an awesome read, though it’s fair to say the memoirs of Kevin’s social engineering attacks are chilling for anyone tasked with safeguarding patient data.

What’s truly amazing about Kevin’s exploits is that many of them still work today. All that is needed is a well-prepared con-man who has taken the time to research your company so that they can present themselves correctly with the right story, and “hey presto” some percentage of your staff will give out their usernames and passwords without a second thought.

It really is that easy.

How do you protect against this kind of exploit? The simple answers are education and practice.

The education component should be carried out by your Chief Privacy Officer with all staff attending regular training sessions, as well as receiving reminders via email and placards on the walls. In essence, this is a hand washing campaign where you are trying to encourage highly intelligent people to pay attention to one often overlooked aspect of their behavior.

The practice component is best performed using an automated phishing tool that allows you to “set and forget” regular realistic attacks and collects information on staff who fall for the scam so that they can be retrained.

One great tool for setting up practice runs is KnowBe4. This tool allows you to create a fully automated phishing campaign in a matter of moments, then displays detailed statistics showing which users opened the email, who clicked on any links, replied to the email, downloaded an attachment, ran the attachment, and so on. The magic of this tool is its simplicity – it takes moments to set up and it produces realistic results that really make people think twice before they click.
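To show what the "who did what" statistics from a simulated campaign look like once you have to act on them, here is an added example (not KnowBe4's code or the author's) that takes constructed campaign events, ranks each user by the riskiest action they took, and produces the retraining list the paragraph above describes. The stage names and their severity ordering are assumptions for illustration.

```python
# Stages of a simulated phishing campaign, ordered from least to most risky
# action taken by the recipient. The ordering is an assumption for this example.
STAGES = ["delivered", "opened", "replied", "clicked", "downloaded", "ran_attachment"]
RANK = {stage: i for i, stage in enumerate(STAGES)}

# Constructed sample export: (user, stage) pairs as a campaign tool might log them.
SAMPLE_EVENTS = [
    ("alice", "delivered"), ("alice", "opened"),
    ("bob", "delivered"), ("bob", "opened"), ("bob", "clicked"),
    ("carol", "delivered"),
    ("dave", "delivered"), ("dave", "opened"), ("dave", "downloaded"),
    ("dave", "ran_attachment"),
    ("erin", "delivered"), ("erin", "replied"),
]


def furthest_stage(events):
    """Map each user to the riskiest stage they reached in the campaign."""
    worst = {}
    for user, stage in events:
        if stage not in RANK:
            raise ValueError(f"unknown stage: {stage}")
        if user not in worst or RANK[stage] > RANK[worst[user]]:
            worst[user] = stage
    return worst


def severity_counts(events):
    """For each stage, count users whose riskiest action is at least that severe."""
    worst = furthest_stage(events)
    return {
        stage: sum(1 for s in worst.values() if RANK[s] >= RANK[stage])
        for stage in STAGES
    }


def retraining_list(events, threshold="clicked"):
    """Users at or beyond the threshold stage, riskiest first, then by name."""
    worst = furthest_stage(events)
    flagged = [u for u, s in worst.items() if RANK[s] >= RANK[threshold]]
    return sorted(flagged, key=lambda u: (-RANK[worst[u]], u))


def failure_rate(events, threshold="clicked"):
    """Fraction of recipients who reached the threshold stage or worse."""
    counts = severity_counts(events)
    return counts[threshold] / counts["delivered"] if counts["delivered"] else 0.0
```

Running the functions over SAMPLE_EVENTS flags dave, bob and erin is below the click threshold, and the failure rate is two in five recipients.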

The third layer of defense is to engage a security company for at least an annual vulnerability assessment. I'm partial to a company called NopSec because their pentest team takes their mission very seriously and leaves no stone unturned.

There’s a lot more that can be said about phishing, but I want to leave you with one important message. Phishing in health care is analogous to infectious disease. Proper sanitary practices are the answer. When people start to think about their habits seriously and are appropriately trained and drilled in how to deal with this problem, the threat surface is greatly diminished.

Source: Healthcare Interoperability
