A Phish So Insidious You Can’t Help But Be Jealous

Wait, that’s a phish even I’d fall for.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Matt Crouse (@mattcrouse), CISO, Taco Bell.

Huge thanks to our sponsor, CloudKnox

CloudKnox Security is the market leader within Gartner’s newly defined Cloud Infrastructure Entitlement Management (CIEM) segment. CloudKnox transforms how organizations implement the principle of least privilege in the cloud and empowers security teams to proactively address accidental and malicious credential misuse by continuously detecting and mitigating insider risks.

Got feedback? Join the conversation on LinkedIn.

On this week’s episode

Here’s some surprising research

Here’s a depressing statistic. Ninety four percent of security and business leaders say they’ve suffered “one or more business-impacting cyberattacks in the last year — that is, an attack resulting in a loss of customer, employee, or other confidential data; interruption of day-to-day operations; ransomware payout; financial loss or theft; and/or theft of intellectual property.” This according to a Forrester Consulting study sponsored by Tenable. Do we accept the sobering fact that a business-impacting cyberattack is an annual inevitability? And if so, what percentage of a CISO’s job is putting systems in place to minimize damage, and what are ways you do that?

If you’re not paranoid yet here’s your chance

Get ready for a really nasty phishing attack. Craig Hays, bug bounty hunter particularly interested in phishing, tells a story of a wormable phish that after taking over one user’s email account began to reply to legitimate email threads from that account. The phisher would actually read the thread and create a relevant response, but with a phishing link which would then compromise another user’s email account in the same way. And the phisher would repeat the process from yet another account, causing this wormable phish to spread not just through the initially targeted company, but through their partners, suppliers, and their partners and suppliers.

At the time Craig’s company didn’t have multi-factor authentication (MFA) implemented to which Craig realizes that would stop such an attack. Yet, in the end he was very impressed with this type of attack because it has so many indicators of legitimacy. Have we experienced a similar attack and/or do we have a “favorite” phishing attack in terms of its effectiveness?

What’s Worse?!

Audit season is about to begin.

What would you advise?

On the Cybersecurity subreddit, GenoSecurity asks, “What types of projects would look good on a resume since I have no work experience. I am also open to projects that might not look as good but are good for beginners since I’m currently working on my Net+ cert.”

Close your eyes and visualize the perfect engagement

Last Friday we had an online after party using a new tool called Toucan which simulates a real party in a virtual setting. We’ve also used a platform called Icebreaker that allows for one-on-one random meetups. And last week I participated in a table top cyberthreat exercise with Bruce Potter of Expel and Shmoocon that ran like a Dungeons and Dragons role playing game. All were fun and had their value. Since the launch of the pandemic, how have we been able to socialize and stay connected in fun and unique ways?

CISO Series Podcast

CISO Series Video Chat