The White House was the victim of a cyber attack last month, but the perpetrators apparently failed to extract any information. A conservative news web site, the Washington Free Beacon, broke the story, reporting that hackers linked to the Chinese government infiltrated the network of the White House Military Office, the group charged with securing military communications for the president, including the safeguarding of the “nuclear suitcase” needed to launch nuclear weapons.
That would obviously be highly alarming, were it true. But it appears the attack was not that serious. After the initial report, the White House revealed that there was indeed an attack, but that no information seems to have been stolen and the hackers never got into classified networks. The White House declined to discuss the source of the attacks.
According to The Hill, the hackers used a tactic known as “spear phishing”, which is a more sophisticated cousin of the commonplace hacking method of “phishing”, in their break in efforts.
If these terms are new to you, keep reading, because knowing what they are and how they work could help you prevent a breach of your own network.
In a phishing attack, an official-looking email pretending to be from a bank or some other reputable company that your firm does business with is sent to one of your employees. The email usually gives a reason why the employee needs to click a link to log into the account with said company.
For example, a phishing email supposedly originating from a financial institution might tell the reader that contact information needs to be updated, and clicking the link in the email will take the user to the correct web page. The employee is fooled into believing the email, clicks the link, and is directed to a bogus web site that appears to be totally legitimate – the logos and style of the web site are nearly identical to the real thing. So, the user logs in, and immediately the bad guys have your firm’s username and password for the bank.
Spear phishing is even more difficult to combat, because this technique makes the email recipient think the message’s sender is a trusted business colleague, who is asking for specific information that makes sense in the given context, or who is asking the recipient to open what seems to be a legitimate attachment.
Thus, the spear phishing hacker has to do research to figure out who works in what department, what nature of work is done, what kinds of conversations workers would typically have with one another, etc.
Because the spear phishing target is a specific individual and the attack is tailor made to that individual, as was the case at the White House, the victim stands a good chance of being fooled.
While your company is likely not housing national security secrets, your network nevertheless contains valuable data that cyber criminals want access to. Hackers could easily monetize information you have on clients in a number of ways, including, as crazy as this might sound, selling the data in black market auctions to other cyber criminals.
While there is no way to completely defend your business network again a cyber breach, you should engage in a due-diligence effort to protect it. That includes educating employees on tactics such as phishing, but also other measures like encrypting sensitive data and controlling the use of portable storage devices.
Even with the most stringent security measures in place, however, you can still be hacked. So you also need to purchase cyber liability insurance to protect in the event of a breach. This kind of insurance, which is still relatively unknown but absolutely essential in protecting your firm’s bottom line, provides compensation for a variety of losses stemming from a cyber attack.