White Paper Combating Phishing Attacks How to Design an Effective Program to Protect Your Organization Against Social Engineering Most of today’s data breaches start with a phishing email, giving company-confidential data to malicious outsiders. This is a real problem that companies need to address. Phishing attacks are the most frequently used form of social engineering. They work because they take advantage of cognitive biases, or how people make decisions. These techniques prey on human emotion by appealing to greed, curiosity, anxiety or trust. Phishing means that attackers are fishing for your private information. Attackers attempt to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Many times this is done to steal a victim’s login credentials and other confidential information. Phishing continues to grow and become more widespread with attacks up 37% year over year, and 1 in every 300 emails on the web containing elements pointing to phishing.1 So, how can you combat phishing attacks and protect your company and its employees? This paper will discuss the problem of social engineering and phishing along with its consequences, and will outline approaches for solutions to safeguard your organization. Defining the Problem: Breaches Often Start With Phishing To demonstrate the seriousness of the problem, we will briefly present three examples of phishing and the damage they can cause within an organization. These examples range from politically-motivated to financially-motivated to healthcare data attacks. The New York Times, The Wall Street Journal, The Washington Post, Twitter and Apple were all attacked in early 2013 in what is seen as a wide-spread, potentially connected attack on high-value targets.2 In the case of The New York Times, the attackers stole the corporate passwords for every Times employee and used them to gain access to the personal computers of 53 employees. The attack is believed to be politically-motivated retaliation for a Times investigation on China’s prime minister, Wen Jiabao. Although China’s Ministry of National Defense denies the attacks, it appears to be part of a computer espionage campaign against American media that have reported on Chinese leaders and corporations. 3 Although these are all high-profile organizations with sophisticated defenses in place, it appears that attackers may have used a targeted spearphishing attack to breach the Times, exploiting human vulnerabilities to click on a link that led to a malicious website. Many times cyberattacks are financially motivated. Attackers try to get customers’ credit card information, and if they are successful, it results in a breach of trust with the company that was attacked, as well as substantial costs of dealing with a breach. Barnes & Noble, the world’s largest bookseller, had credit card information stolen at 63 stores across the U.S.; this information was then used to make unauthorized purchases. In this case, a malware (or malicious software) attack targeted the keypad devices in stores. Security experts believe a company insider could have inserted malicious code, or criminals could have persuaded an unsuspecting employee to click on a malicious link that installed the malware, giving the perpetrators a foothold into Barnes & Noble’s point-of-sale systems.4 Healthcare data breaches have also been in the news recently. According to security expert Larry Ponemon, president of the Ponemon Institute, stolen healthcare records can be much more valuable that financial records because they can be used for financial ID theft crimes, medical ID theft or both, With medical records providing physical characteristic information, attackers can create false passports and visas.5 Over the past three years, about 21 million patients have had their medical records exposed in data security breaches that were big enough to require they be reported to the federal government. (As required by section 13402(e)(4) of the HITECH Act, breaches affecting 500 people or more need to be reported, if the data was not encrypted.) At present, physical theft – such as a stolen laptop from a car – made up 54% of the breaches, while hacking made up about 6% of the compromised data.6 And, although phishing attacks have not been the cause of the most significant data breaches to date, the healthcare industry is acutely aware of the threat and trying to protect against it. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com Consequences of Phishing Phishing attacks can result in compromised client systems. Here are some different consequences of phishing that can impact your network: • Browser exploitation - Browsers and their plug-ins contain vulnerabilities that can be exploited simply by visiting a malicious website. An attacker can send an email with a link, which brings the user to a malicious website (which is often designed to look like a legitimate site.) Just by visiting that site the user’s browser and machine would be compromised and the attacker would have full access to the user’s computer. In addition, a completely legitimate website can be attacked to become malicious. So a user could be browsing a legitimate website that’s been attacked on the back end and injected with malicious code, which then exploits their browser. • File format exploitation – Opening a malicious email attachment is another way to trick users. Attachments are typically PDFs or Office files because those applications are widely distributed and widely used across platforms, and the chance that the recipient can read that kind of file is higher. Once the malicious attachment is opened it exploits vulnerabilities in a given application. • Executable exploitation – This exploit uses another form of email attachment, an executable file (ending in .exe) that runs when the user clicks on it. It is programmed to operate without needing a vulnerability in the program. Although .exe files are quite often blocked by email security features, there are other types of executables. For example, JAR (Java Archive) files end in .jar, rather than .exe, but they can still execute a malicious file when you double click on them. How do attackers gain your passwords or other credentials? Here is an overview of some of the methods used: • Phishing form - This attack starts with a phishing email that includes a link to a website. When the user clicks on that link, it doesn’t start to exploit your browser but it just pretends to be a familiar website, such as the LinkedIn log in page or Outlook Web Access. When the user types in their user name and password, it captures that information and records it, and then typically forwards you to the real site and logs you in. But, in the meantime, it’s taking your information and storing it to further access your system in the future. The next two are a little bit different. These require that the user’s computer is already compromised, for example by one of the methods described above, and then they are used to gain additional information. • Passwords and password hashes - In that case, the attacker can copy cached passwords from your machine. Passwords are usually stored in the form of password hashes for security reasons. However, once a password hash has been compromised, attackers can either use cracking to obtain the password in the clear or use the password hash itself in a so-called pass-the-hash attack to gain access to network resources. If an administrator ever logged onto the user’s machine, their credentials are cached on that machine. The attacker could reuse those administrator credentials to access and start exploiting other machines on the network. • Key logging – Once an attacker has access to a user’s machine they can also install what’s called a key logger, which records every key that they press on the keyboard. This would allow the attacker to capture a user name and password when a user types it, and would also capture the text of an email or a document being typed and send it back to the attacker. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com As a result of compromised credentials, the attacker can gain access to the local file system, file servers, email, the Customer Relationship Management (CRM) system to access customer information, the Enterprise Resource Planning (ERP) system to access corporate financial information, credit card data, healthcare information, and other Personally Identifiable Information (PII) such as Social Security Numbers. So, even if one person in an organization is a victim of a phishing attack, there are major implications for the entire organization and its data. The problems worsen with pivoting to other machines, where a compromised system is used to attack other systems on the same network in multi-layered attacks, bypassing the perimeter defenses. So, even if the user who was hacked does not have access to the ERP system, for example, the attacker now scan the entire internal network through the first user’s machine and see what other machines are out there and the vulnerabilities that exist. Limiting user privileges does not always protect companies from compromise either. Attackers often use privilege escalation, exploiting a bug in an operating system or software application, to gain administrator-level privileges. So, how do social engineering and phishing attacks happen? Email Phishing Techniques There are an estimated 8 million daily phishing attempts – close to 3 billion a year.7 The majority of phishing attacks come through email, where the user is either instructed to click on a link or open an attachment. This leads them to a malicious website or directly launches an attack on their computer. However, as email systems continue to get better and better at filtering out spam, attackers are getting more sophisticated with their types of attacks to avoid detection and gain a bigger payout. Within the realm of phishing emails, there are several different techniques, each with an increasing level of sophistication. Mass phishing is the most common phishing technique, sent out to an indiscriminate list of people, including both company employees and consumers. This technique uses a “hook” that is applicable to many people with the goal of getting anybody to click on it. An example would be emails concerning PayPal, since a huge amount of people have PayPal accounts. Emails disguised to look like they are coming from PayPal could warn you that your account has been closed or there was a problem with a payment. With such a broad audience, the attackers have a good chance of reaching somebody with a PayPal account who falls for the scam and clicks on the link. Statistics show that for 1 million targeted users in a mass phishing attack, anti-spam engines will correctly identify and block the vast majority of threat messages. But of the messages that make it past the spam filters, 3% will open the email and 5% will click through to the link, and then finally be converted, resulting in 8 victims. The average value of the attack per victim is about $2,000.8 Phishing attacks also tend to be more successful when a user checks email via a smart phone. Mobile users are often checking email quickly and are more likely to click on links and provide login info via their phone. In addition, links to phishing pages can also be sent via texts in SMS messages. Once the user lands on the phishing page, it may be hard to determine if the URL is genuine, and in the case of browser exploitation, it may already be too late. Spearphishing is a more specific, targeted attack that addresses several individuals in a specific company. For example, an email could look like it is coming from someone you know, perhaps from the personal account of your CEO or a manager at your company. If the email subject line says “Can you please review this spreadsheet by tomorrow?” and it looks like it is going to the executive team, many of those executives will click on the link because they want to be responsive and do the right thing, but it’s actually a phishing email. So, spearphishing emails can be very targeted to a specific company, or more generally targeted to an industry by offering an industry report or other relevant information. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com With a targeted spearphishing attack, the attacker may target 1,000 users, but of the emails that make it past the spam filter, the open rate will be about 70%, with a click through and conversion rate of about 50%. The result is 2 victimized users, but the payout is a lot bigger – with a value of about $80,000 per victim.9 In The New York Times case, investigators suspect a spearphishing attack. With one click attackers can install “remote access tools” — or RATs. Those tools can siphon off data such as passwords, keystrokes, screen images, documents and, in some cases, recordings from computers’ microphones and Web cameras, and send the information back to the attackers’ Web servers. Instead of targeting firewalls, attackers are now targeting individuals. With one click on an email, that individual has inadvertently opened the network to attack.10 Clone phishing is another technique. With clone phishing, a legitimate and previously delivered email containing an attachment or link is used to create an almost identical or cloned email. The attachment or link within the email is replaced with a malicious version and sent from an email address spoofed to look like it is coming from the original sender. This technique could be used to pivot (indirectly) from a previously infected machine and gain a foothold on another machine, by exploiting the trust associated with familiar looking email. Whaling is the most sophisticated and most targeted form of phishing, tailored to a single individual. It is usually directed at senior executives or other high profile targets. For example, if attackers wanted to compromise the laptop of a CEO, they could look up that person’s social media accounts and find information about his or her hobbies and interests. Suppose the targeted CEO likes classic cars and is really into old Jaguars. The attacker could send the CEO an email referencing a friend’s name (also found through social media), saying that he wants to sell a classic Jaguar because he’s moving back to Europe. The email sounds like it is from a friend of a friend, and is specific and personal, so the CEO may not think twice before clicking on a link that claims to have photos of the car. And, thus, the whale – the most highly valued target – is harpooned. Another interesting point is that you no longer need to be a sophisticated hacker to commit fraud on the Internet. Off-the-shelf phishing kits are now available and cybercriminals are even migrating to a new business model known as Malware-as-a-Service (MaaS), where authors of phishing kits offer extra services to customers in addition to the phishing kit itself.”11 Social Engineering Attacks Beyond Phishing Emails Social engineering can also be used to launch other types of attacks as well. Some are web-based, others are more low-tech, but they are still quite effective because they take advantage of human nature. Drive-by attacks exploit vulnerabilities in web browsers or plug-ins. Often they use a popular topic, such as celebrity gossip, and optimize a malicious website to rank highly in search engines for that news. When the user finds the site and clicks on it, their machine gets compromised. This is an untargeted attack, but when it compromises employees, it can still put company data at risk. USB drives can be used by attackers to gain access into a network. The same file format exploit or executable exploit that is put into an email by an attacker can also put on a USB thumb drive or a CD ROM. A tactic would be to give the file an enticing name, such as “management salaries” or “layoff list” and then perhaps attach the USB drive to a couple of keys and drop it in the parking lot outside the company that the attackers want to intrude. Then, if an employee walks by and sees it, they would naturally pick this up. People want to be good citizens, return the key and the USB drive. To find the owner’s identity, they may plug the USB drive into their computer. When they see the enticing content, they double click on it, infecting their machine and opening up the corporate network to attackers. Physical or in-person attacks rely on someone walking into a building, under a false pretense such as a package delivery, to get access to the building. They can also use a “tailgating” strategy to follow an authorized person into an off-limits area. Once they have physical access, they can plug a little device into the network to compromise it by phoning home to an attacker’s server. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com Phone calls are another way that an attacker may trick users into handing over their credentials. They may use a ruse such as: “I’m Bob from the IT department; I’m seeing on our systems that your computer has been a little slow lately. Do you have time to sort that out right now?” They then walk you through a few steps, maybe they’ll send you to a malicious website, or maybe they will ask you to give them your credentials. Since the user believes it’s a helpful person from the IT department, many fall for this scam. QR codes, the square 2D barcodes, are being used in marketing campaigns and could also be used as an attack vector as well. When scanned with a smartphone, the QR code sends the user to a website which could be malicious. Social media including Facebook, LinkedIn, Twitter and other social media sites, can be used to send posts, updates, tweets or direct messages with URLs. When the link is clicked on, again victims are sent to malicious sites and their computers are compromised. With Facebook, user’s accounts can be attacked and then configured to send messages to their friends, which may entice people to click on something they normally wouldn’t. Typical Steps of a Phishing Attack In most phishing attacks, the user opens an email, and then clicks on a link in that email. This results in the user’s browser getting exploited. Maybe there is also a form on the web page that captures the users credentials as they are typed in. Alternately, the user could open an email attachment and their machine gets compromised that way. Links as bait in a phishing attack Email attachments as bait in a phishing attack Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com Solution Approaches There are essentially two major ways to defend against social engineering scams, in order to protect your company and its employees. One is training your users, and the other is technical security controls. At Rapid7, we believe you have to implement a combination of both user training and technical controls to be successful. Relying on just one approach or the other will probably not decrease your risk to an acceptable level. Nearly 60% of employees receive phishing emails every day, so clearly technical controls are failing to stop many of these messages as they pass through the system. Often, the technical controls are working, but spearphishers continue to change their tactics to cope with the ever-improving technologies. Therefore, the user can be both the weakest point and the strongest resource in the defense of corporate networks.12 With the proper user training, you can turn the weak link into a protector of your organization. Security Awareness Training Security awareness training helps you educate your employees to stop risky activities such as clicking on a link in a questionable email, opening an attachment they are not expecting, or submitting something on a bogus forum. Here are 15 good defenses to teach your company’s employees13: 1. Don’t trust links in an email 2. Never give out personal information upon email request 3. Look carefully at the web address; it could be a close approximation of the real URL 4. Type the real website address into a web browser 5. Don’t call company phone numbers listed in emails or instant messages; check a reliable source such as a phone book or credit card statement 6. Don’t open unexpected attachments or instant message download links 7. Be suspicious if emails says “do X or something bad will happen” 8. Be suspicious of any email with urgent requests for personal financial information 9. If the email sounds too good to be true, it probably is 10.Always ensure that you’re using a secure website when submitting credit card or other sensitive information via your web browser; look for the https:// and/or the security lock icon 11.Regularly log into your online accounts and check your bank, credit and debit card statements to ensure that all transactions are legitimate 12.Use a reputable anti-virus program 13.Enable two-factor authentication whenever possible. This combines something the user knows (such as a password or PIN) with something the user has (such as a smart card or token) or even something the user is (such as a biometric characteristic like a fingerprint). Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com 14.Keep your operating system updated, ensure that your browser is up to date and security patches are applied 15.Always report “phishing” or “spoofed” e-mails to your IT department Once you’ve decided to implement security awareness training in your workplace, you can decide to conduct your training in live classroom sessions at your workplace, or via an online program. There are some good free online training programs available, including: • University of California, Santa Cruz Information Security Awareness training (1 hour or less online) • The Department of Defense Phishing Awareness • OnGuardOnline.gov, Phishing (see Phishing Scams game on the right side of the web page) It’s important to emphasize this information when it is most needed. Use “teachable moments” to really make a point. For example, Rapid7 lets you safely simulate attacks on your network to uncover pressing security issues. If you send somebody a simulated phishing email and they click through, that’s the perfect time to teach them about phishing, because they’ve just done something that could put both their company and their own personal information at risk. What they’ve learned not only protects your organization, but it also protects that individual against identity theft and financial loss when they are using their own personal devices. Through this kind of security awareness training, you turn each one of your employees into security sensors in your organization. So, there are actually people who can now spot a phishing campaign and can alert security so that they can react. This type of threat might have otherwise have flown under the radar of security. Technical Security Controls Of course, training needs to be coupled with technical security controls. These technical controls will prevent or block many of the threats so that they never reach your users. We’ll take a look at some of the different types of controls and how they work. Vulnerability management is your number one defense against attackers. It identifies existing vulnerabilities in software programs, browsers and plug-ins and helps shield your organization from potential damage, as well as mitigate vulnerabilities through patching, changing configurations or making application updates to remove vulnerable code. Programs like Microsoft Office and Adobe Reader are the typical applications that get exploited through phishing, so it is important to stay on top of any vulnerabilities associated with these programs. You also need to make sure your vulnerability management program is maintained and monitored over time. The keys to vulnerability management are to get visibility on client-side vulnerabilities, focus on solutions that highlight vulnerabilities exploited by malware kits, as well as validate and prioritize vulnerabilities to identify high-risk issues that must be fixed immediately. Patch management is used to fix vulnerabilities based on input from vulnerability management. Some fixes are implemented through patching and some are through changing configurations. Software updates and security updates need to be done in a timely manner to keep up with patching vulnerabilities. Malicious URL and attachment blocking can be done with web filters and SPAM filters. Microsoft Outlook has incorporated a good filter that will put emails into the junk folder if they contain a suspicious link – for example, a link that doesn’t have a domain name but only an IP address. Outlook will automatically put that email into the junk folder or it won’t let you click on the link until you confirm that it’s okay. (Of course, you need to train employees that these emails have been placed in the junk folder for a reason!) There are also web filters that you install at the Internet gateway of your company that will block malicious URLs. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com Intrusion Prevention System (IPS) is another form of defense. If, for some reason, a user does click on a suspicious link, and a website is serving up a browser exploit, an IPS can detect that and block web-based exploitation. Data Loss Prevention (DLP) / Egress filtering is a system designed to detect a potential data breach and prevent it by monitoring, detecting and blocking sensitive data while in use, traveling over the network or in storage. Let’s assume that your network has been compromised and that somebody’s inside the organization to actually complete the action. They haven’t reached their goal until they’ve actually downloaded the sensitive information, so, DLP and egress filtering is all about stopping that sensitive data from getting out of the network. Disabling Java may be a drastic approach to security but Java has been a huge attack vector for compromising systems via malicious links in phishing emails. If you are using critical applications running on browser-based Java, or if your users need Java to get their jobs done, you may want to configure the browser to prompt and ask for permission before launching Java and educate your users to only allow Java on websites they trust. Measuring Exposure and Improvements In order to combat social engineering attacks, you need to know where to start, and then measure the progress you make. Here are some guidelines to do so. Get visibility into the problem as the first step in thwarting attacks against your network. If you’re running a program to reduce your phishing risk, then first of all, you need to know the size of that risk. How do you quantify that? Is your company currently doing well, or not so well? Where do you stand? Gaining visibility it is like putting a stake in the ground. By implementing a penetration testing solution you can answer questions such as: • How are you vulnerable? • Where you are the most vulnerable? • Do you know if the security investments you are making are worth it? • Are you making progress over time? Social engineering campaigns can be implemented inside your company as a test to measure how many people click on a phishing email and how many submit fake log in forms. You can also host your own malicious website to see if your browser is vulnerable and if your security controls are working. Your social engineering campaign will expose user susceptibility to scams and will also test browser security, web filtering and other security controls. Conduct a full penetration test from compromised machines to determine how far an attacker would get. You can even go full scale and hire a penetration testing expert to replicate a real scenario. You can tell this person to try to phish your employees and see how far they can get. Can you get to the credit card database or not? This is a typical goal that an attacker would try to attain, because it gives them access to valuable, financial information. How Rapid7 Can Help At Rapid7, our simple and innovative software solutions give you visibility into the risk associated with your information technology, your users and the real threats you face. Our software helps you quickly prioritize threats, manage risk, and take the right steps to improve your organization’s security. Specifically, Rapid7 solutions Metasploit and Nexpose are ideal complements to combat social engineering threats. Metasploit can be used to simulate phishing attacks and to conduct internal penetration tests, and Nexpose can help you scan the network for client-side vulnerabilities. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com Metasploit, our penetration testing solution, lets you to gauge the risk of a data breach. True to the mantra ‘an experiment is worth a thousand theories’, you can test your defense to see where they fall short – both on the technical and the human side. Our penetration testing software gives you a clear view as to what vulnerabilities can easily be exploited, which passwords are too weak, and how many employees fall prey to phishing emails. With Metasploit, you can: • Manage phishing exposure by simulating phishing attacks. • Safely simulate attacks on your network to uncover pressing security issues. • Audit password security. • Use with Nexpose to assess and validate security risks in your environment. • Verify your defenses, security controls and mitigation efforts. Metasploit Pro lets security professionals can gain visibility into their organization’s exposure to phishing attacks through userbased and technical threat vectors, and introduce the necessary controls to manage the risk. Many organizations already conduct end-user trainings and implement technical security controls to protect their data, but it’s hard to know how effective these measures are – or even if you’re focusing on the right things. Metasploit assesses the effectiveness of these measures, and provides metrics and management for each step in the chain of compromise to help you reduce your risk. In addition, Metasploit Pro’s social engineering reports go above and beyond alternative penetration testing solutions by providing conversion rates, such as how many people clicked through a phishing email, how many entered username and password on a fake website, and how many systems were compromised. It enables organizations to track and trend the effectiveness of their security programs and provides advice on how to address risk at each step in the social engineering funnel. Nexpose, our vulnerability management software, proactively scans your environment for misconfigurations, vulnerabilities, and malware and provides guidance for mitigating risks. With Nexpose vulnerability management solutions, you can: • Know the security risk of your entire IT environment including networks, operating systems, web applications and databases. • Expose security threats including vulnerabilities, misconfigurations and malware. • Prioritize threats and getting specific remediation guidance for each issue. • Integrate with Metasploit to validate security risk in your environment. Rapid7 also offers professional services to help with implementation, training for Rapid7 product solutions or outsourced security risk assessment services such as penetration testing. Our expert pen testers try to find weaknesses in your environment by performing network, application, wireless or other types of penetration testing. Simulating a real-world attack provides valuable insight into real-world risks to your organization And finally, to address the proliferation of mobile devices, Rapid7 offers mobile risk management through Mobilisafe. This manages your vulnerabilities on mobile devices because a lot of people are now reading emails on mobile devices, and as a result these mobile devices now have access to your corporate email. Therefore, mobile devices are a new attack vector that you should take into consideration. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com Conclusion Since 2005, when The Privacy Rights Clearinghouse started tracking its Chronology of Data Breaches, over 607 million records have been breached in over 3,600 publicly reported breaches. Malicious attacks or malware accounted for more than half of the records breached.14 How can you make sure that your company is not an easy target? By implementing both security awareness and technical controls, you can safeguard your company and its employees from the threat of social engineering and phishing attacks and their consequences. About Rapid7 Rapid7 is a leading provider of IT security risk management software. Its integrated vulnerability management and penetration testing products, Nexpose and Metasploit, and mobile risk management solution, Mobilisafe, enable defenders to gain contextual visibility and manage the risk associated with the IT infrastructure, users and threats relevant to their organization. Rapid7’s simple and innovative solutions are used by more than 2,250 enterprises and government agencies in more than 65 countries, while the Company’s free products are downloaded more than one million times per year and enhanced by more than 175,000 members of its open source security community. Rapid7 has been recognized as one of the fastest growing security companies by Inc. Magazine and as a “Top Place to Work” by the Boston Globe. Its products are top rated by Gartner®, Forrester® and SC Magazine. The Company is backed by Bain Capital Ventures and Technology Crossover Ventures. For more information about Rapid7, please visit http://www.rapid7.com. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com Sources and Endnotes 1. RSA, “The Year in Phishing” January 2012 http://www.rsa.com/solutions/consumer_authentication/intelreport/11635_Online_ Fraud_report_0112.pdf 2. All things D, “Twitter Got Hacked. Expect More Companies to Follow.” By Mike Isaac, February 2, 2013, http://allthingsd. com/20130202/twitter-got-hacked-expect-more-companies-to-follow/ 3. New York Times, “Hackers in China Attacked the Times for the Last 4 Months,” by Nicole Perlroth, January 30, 2013, http://www. nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html?pagewanted=all 4. New York Times, “Credit Card Data Breach at Barnes & Noble Stores,” by Michael S Scmitdt and Nicole Perlroth, October 23, 2012, http://www.nytimes.com/2012/10/24/business/hackers-get-credit-data-at-barnes-noble.html?_r=0 5. Healthcare IT News, “Infographic: Biggest healthcare data breaches of 2012,” by Erin McCann, December 12, 2012, http://www. healthcareitnews.com/news/infographic-biggest-healthcare-data-breaches-2012 6. Computerworld, “Wall of Shame exposes 21M medical record breaches,” by Lucas Mearian, August 7, 2012, http://www. computerworld.com/s/article/9230028/_Wall_of_Shame_exposes_21M_medical_record_breaches 7. Scambusters.org, “Phishing Update: Key Trends and Warning Signs,” February 6, 2013, http://www.scambusters.org/phishing2013. html 8. Cisco, “Email Attacks: This Time It’s Personal,” June 2011, http://www.cisco.com/en/US/prod/collateral/vpndevc/ps10128/ ps10339/ps10354/targeted_attacks.pdf 9. Cisco, “Email Attacks: This Time It’s Personal,” June 2011, http://www.cisco.com/en/US/prod/collateral/vpndevc/ps10128/ ps10339/ps10354/targeted_attacks.pdf 10. New York Times, “Hackers in China Attacked the Times for the Last 4 Months,” by Nicole Perlroth, January 30, 2013, http://www. nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html?pagewanted=all 11. Scambusters.org, “Phishing Update: Key Trends and Warning Signs,” February 6, 2013 http://www.scambusters.org/phishing2013. html 12. InfoSecurity, “Sixty percent will fall to a phishing attack that might herald an APT,” January 15, 2013, http://www.infosecuritymagazine.com/view/30220/sixty-percent-will-fall-to-a-phishing-attack-that-might-herald-an-apt/ 13. APWG, www.antiphishing.org and http://phish-education.apwg.org/r/en/index.htm 14. The Privacy Rights Clearinghouse, Chronology of Data Breaches, http://www.privacyrights.org/data-breach Wikipedia was also used as a resource throughout this paper. Further Reading • Chris Hadnagy, Social Engineering: The Art of Human Hacking • Kevin D. Mitnick et al, The Art of Deception: Controlling the Human Element of Security Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com