Southern Water not such a phisherman's phriend, hauls itself offline to tackle email lure British utility biz Southern Water was the victim of a phishing attack on Wednesday, resulting in a hurried shutdown of some of the company's systems. An industry insider told The Register that Southern Water's networks, including the system responsible for Supervision, Control, and Data Acquisition (SCADA) were hit. The …
Hope the new glass 4th floor windows are secure at Southern Water's HQ. Better move that Volvo as well ...
Unfortunately, phishing to be successful requires only 1 or 2 people to err. The problem often isn't awareness or incompetence but that people make mistakes and these mistakes sometimes have serious consequences. For example if you know who I routinely receive emails from (home or work) a carefully crafted email might fool me. Plus at work I will receive a 'random' email from a colleague I have not had any contact with before, another fruitful area for successful phishing, again a carefully crafted email might fool me.
For the past few years, we've had anti phishing campaigns at work that have taught the staff so well, they now question genuine emails (which actually results in better crafted emails from genuine addresses)
I have to applaud Southern Water for having the right tools and processes in place to stop this dead in its tracks, although having a targetted attack does make things more tricky
"Unfortunately, phishing to be successful requires only 1 or 2 people to err."
Actually this kind of attack requires HTML email with unverified external links in to reach the desktop, wide open browser config and poor network segregation. The unfortunate "1 or 2" who supposedly "err" are the least well equipped to prevent it, and the people who supposedly can are not adequately securing the infrastructure.
It's both unreasonable and hazardous to impose the entire responsibility for desktop security on office staff - that's what an organisation should have a security team for. It's not rocket science to block phishing or any other kind of attack triggered from the desktop, but the proper person to be responsible for it is not the user.
In my org, our latest fail rate for phishing tests was 15%. That's 1 person in 6 opening a dodgy email, even though these tests are bleedingly obvious fakes, with all the signs of a scam (lousy grammar, external address pretending to be a company service, urgent tone...) in one email. Of course we have other defences in place in case someone opens the wrong attachment, but it's quite worrying that in spite of all the awareness and regular campaings, so many people still get so easily fooled. As always, your defence is only as good as your weakest link.
Aside from scanning attachments, the most effective single countermeasure would be to turn on DMARC message authentication and work with major suppliers so they do too. It allows email servers to reject emails that claim to be from a domain when in fact they were sent from another. And also to verify a signature in the message header against a public key.
It requires a bit of fiddling with DNS to make it happen but it would block most impersonation attempts.
This post has been deleted by its author
I'm surprised El Reg hasn't picked up on Redcar & Cleveland councils ransomeware attack. It's been all over the mainstream news for over a week now with much of their systems down. I thought we might have had an in depth report by now since it's a far more serious and impacting incident than this Southern Water one even if less pun inspiring.
As always it gets harder.
Genuine emails generated from Office 365 look more like phishing emails than many phishing emails.
Then you have partner organisation who get compromised then you get phishin emails from people you know, on subjects you are expecting, mixed in with the general obfuscation caused by 365s spammy looking links.
I'm sure thre is an app for that in E5
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
