We continue to read accounts of phishing attacks on companies for mostly the same reason Willie Sutton gave for robbing banks: “because that’s where the money is”. Phishing is a popular intrusion method because it works, and we will continue to see it in InfoSec news until something changes that.
In a case last year, a media company described an intrusion on its networks that started with a few employees falling for a phishing e-mail. Once successful, the e-mail allowed the attackers to dump the account credentials from the workers’ machines. The attackers then used those employees’ accounts on the company’s e-mail servers to continue their phishing campaign and were able to compromise additional systems. The company IT department detected the first phase of the e-mail attack and warned the employees about the dangers of phishing e-mails — with an e-mail to all employees. This of course tipped off the attackers, who shifted tactics to continue their intrusion into the company networks. The IT folks soon detected this and forced a disconnection from the Internet and a password change for all of their workers.
First, kudos to companies who are willing to disclose incidents like this so we can be warned and benefit from their experiences.
Second, your company has almost certainly made efforts to make employees aware of the dangers of e-mail attacks and has encouraged extra scrutiny of e-mail coming from outside the company. However, how much of this diligence is given to internal e-mail? These clever attackers were banking on workers being less cautious about messages sent from within the company, and thus claimed new victims (and their accounts).
Lastly, given the risks associated with e-mail, especially HTML e-mail on older and likely unpatched e-mail clients, why allow e-mail access on your SCADA PCs and operator consoles? There are certainly benefits to outgoing SMTP messages (on updated and patched services, of course) that your work and support systems depend on — but that’s a far cry from allowing general-purpose e-mail clients to run on your SCADA and ICS networks. Please re-evaluate your “need” to include this risky activity on your company’s process control assets!
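One way to check whether that re-evaluation has actually taken hold is to audit boundary-firewall logs for the ICS zone: outbound SMTP from the one host that needs it, to the corporate relay, is permitted, while mail-client protocols (POP3/IMAP) from any ICS host, or SMTP to anything other than the relay, are flagged. This is an added example, not code from the original post; the zone, host and relay addresses and the log format are assumed.

```python
import ipaddress
import re
from collections import namedtuple

# Hypothetical policy for this example: the ICS zone, the single host that may
# send outbound SMTP (e.g. an alarm/notification server), and the corporate
# mail relay it is allowed to talk to. None of these values are real.
ICS_ZONE = ipaddress.ip_network("10.50.0.0/24")
SMTP_SENDERS_ALLOWED = {ipaddress.ip_address("10.50.0.20")}
MAIL_RELAY = ipaddress.ip_address("10.10.1.5")

SMTP_PORTS = {25, 465, 587}
MAIL_CLIENT_PORTS = {110, 143, 993, 995}   # POP3/IMAP, plain and TLS

Finding = namedtuple("Finding", "src dst port verdict")

# Assumed minimal firewall connection-log line: "<timestamp> src=<ip> dst=<ip> dport=<port>"
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

def classify(line):
    """Return a Finding for a mail-related ICS-zone connection, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst, port = ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]), int(m[3])
    if src not in ICS_ZONE:
        return None                       # only police traffic leaving the ICS zone
    if port in MAIL_CLIENT_PORTS:
        verdict = "mail-client protocol from ICS host"
    elif port in SMTP_PORTS:
        if src in SMTP_SENDERS_ALLOWED and dst == MAIL_RELAY:
            verdict = "allowed"
        else:
            verdict = "SMTP from non-approved host or to non-relay destination"
    else:
        return None
    return Finding(str(src), str(dst), port, verdict)

def audit(lines):
    """Return only the findings that violate the policy, in log order."""
    findings = (classify(line) for line in lines)
    return [f for f in findings if f is not None and f.verdict != "allowed"]

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = [
    "2024-03-01T10:00:01 src=10.50.0.20 dst=10.10.1.5 dport=587",   # alarm server -> relay: OK
    "2024-03-01T10:00:07 src=10.50.0.31 dst=10.10.1.5 dport=993",   # operator console doing IMAPS
    "2024-03-01T10:00:09 src=10.50.0.31 dst=203.0.113.8 dport=25",  # console sending SMTP to the Internet
    "2024-03-01T10:00:12 src=10.20.0.7 dst=10.10.1.5 dport=143",    # corporate host: out of scope
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.src} -> {f.dst}:{f.port}  {f.verdict}")
```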