Awareness goes to the top
- TAGS: ceo, federal court, phishing, security, spear phishing
- IT TOPICS: Government & Regulation, Management, Security
The SANS Diary pointed out some goings-on a few days ago about reports they were receiving of CEOs getting targeted phishing emails (known as spear phishing). The emails appeared to be subpoenas coming from the US Federal Court.
An interesting component of this scam was that it correctly identified the CEO and sent the message directly to his e-mail address. It's very highly targeted that way.
That is very pointed spear phishing, and that tends to make the scam more effective because no one else is receiving the email. If no one else is reporting the scam or talking about it at the water cooler (though that is probably not where the CEO hangs out), then it tends to look more credible.
However, the important point of the article is this:
> So, first and foremost, don't click on such links.
>
> Second, the United States Federal Courts do not "serve" formal process over email. While there is an Electronic Case Management System, initial contact for a subpoena, lawsuit or other process is done the old-fashioned way... someone serving you the old-fashioned way. Presumably, if you did already get served you would have a lawyer handling the case for you. In that instance, the *lawyer*, not you, would be getting electronic notices from the court **after service has been handled**.
So a CEO would never receive a subpoena from the federal courts (and presumably ANY court, but I don't know that for sure) via email. And as the quote states, a smart CEO would let his lawyer handle it anyway (though I could see the email making a CEO nervous and fidgety enough that their shaking hand accidentally clicked the link).
But more than that, this is just basic security awareness. And this case points to the fact that NO ONE in an organization should be exempt from that kind of training. If anything, today's scams make me think that people in those positions should possibly receive extra training.
So if you are in charge of security at an organization, don't let the "C" level people tell you they are too busy to take the training. If they say that, then they don't take your job and security in general seriously enough. If that is the case, you might start thinking about selling security a little better, or possibly even looking for another job.