A client of mine who’s a security administrator for a business in the financial industry contacted me recently about some odd behavior he was seeing on his network. Apparently numerous spidering/mirroring requests were being sent to his company’s marketing website from a foreign country – many of which were triggering “illegal characters in host header” IPS alerts. He suspected that someone was mirroring the site to gather information for a future phishing attack wanted my thoughts on it. Without knowing any more details or having access to trending information, etc. I told him that it’s not necessarily malicious in intent however I thought he was onto something with the phishing angle.
Even though the suspected malicious activity had likely been completed for some time, blocking the originating IPs at the firewall would be a good first step. However, if the attacker knows what he’s doing, he’s probably making these requests through someone else’s network, through a proxy, or a via a legitimate service such as Anonymizer. So it didn’t make sense to spend too much time on that. Going beyond monitoring the IPS for future anomalies, a further-reaching measure would be to notify other key folks inside the organization such as customer service, operations, marketing, etc. so they can also be on the lookout for – and notify people of – suspicious behavior on their website. I also recommended that they add a pre-emptive phishing alert on their site’s home page and possibly even send out a generic message to their customers about social engineering and what types of communications to expect – or ignore – from the business.
My client admitted he had only tackled the technical side of the issue and left it at that without considering the other business issues involved beyond his role in IT. Whether you work in the financial industry or not, let this be a good example of why it’s so critical to think beyond the bits and bytes of Web Security. The technical side – albeit extremely important – is only part of the equation. Prevention of phishing, social engineering, and similar attacks requires getting the “soft” side of the business involved. If we simply stop at the technical level we’re setting the business, ourselves, and the information security function as a whole up for failure long term. Don’t be afraid to get others involved and spread the responsibility around. It’ll help build trust and credibility with others and may end up being the best thing you do to help minimize business risks.