With the recent reports of email hacking of the DNC and the Clinton campaign, it's understandable that phishing is having its moment in the cyber security spotlight.
According to a recent Fortune article, Homeland Security Secretary Jeh Johnson noted, "The most devastating attacks by the most sophisticated attackers almost always begin with the simple act of spear-phishing."
Phishing, when used as a tactic, is the first of multiple steps in a cyber attack and, by itself, inflicts no harm. It allows an attacker to penetrate perimeter defences and set up a base of operations inside the network, but at the end of the phishing stage of an attack no damage has been done. Nothing has been stolen. No IT systems have sustained any damage. It's simply a point of entry.
Of course it is always better to keep an attacker outside of your network if you can. But, recognising the difficulty of that, many companies today operate as if a breach has already occurred (or will). Just because an attacker got inside doesn't mean they have done any damage. To do that, the attacker needs credentials and the ability to move laterally, which requires additional steps.
To access all of a user's emails, attackers still need to steal the user's email credentials. To execute a ransomware attack, the bad guys need to install and execute a malicious application. To access a server with tens of thousands of credit card accounts, they need to get beyond their initial base of operation, move laterally across the network, and capture administrative credentials that provide the necessary access to the credit card data.
The same Fortune article noted above quotes Manhattan District Attorney Cyrus Vance: "Phishing--mundane as it is--is the biggest threat we face and need to tackle."
Mundane? Yes, because organisations should practice basic standards of cyber hygiene and there are proven ways to stop an attacker from advancing after a user has been phished. In fact, this is where real security strategies need to kick in. Least privilege controls on endpoints can be very effective at preventing the installation of ransomware and other malicious applications. Privileged account security can prevent attackers from accessing the credentials necessary to gain access to servers, domain controllers or industrial control systems.
With security controls readily available to stop an attack from advancing, it's hard for me to agree that phishing is the biggest threat we need to tackle. For the record, my vote goes to protecting our energy grid and water supply.
But, if phishing has the C-Suite and others engaged in a dialogue about cyber security, then consider it a teachable moment. Explain what controls your organisation has in place to contain a breach and break the attack chain. If your organisation hasn't reached table stakes, identify the resources and support needed to raise the bar on your security controls. Ultimately, privileged accounts need to be managed and protected. Make it your priority.