But suppose the fake emails had been more expertly crafted. Would the states still have caught on? That would require an additional level of security, and at this point it’s not known whether there was another level of security to thwart this attack.
But the apparently unsuccessful hacking attempt is behind us, so the next step is to find lessons to learn from the attempt. The first lesson is how to deal with a phishing attack. After all, if your employees don’t act on a phishing email, then nothing will come of it.
This is one area that requires constant training. There’s currently no effective way to filter out phishing emails, so your employees need to recognize a potential phishing attempt and, at the very least, not act on it. Preferably, those employees should then notify your head of IT or head of security of the apparent attempt. That person can then take further action to prevent or render useless any further phishing attempts.
Second, your security software needs to recognize the payloads and actions of the malware that may be included in a phishing email. Because the malware providers are trying to find ways to evade such detection, you can’t just buy an anti-virus product and hope for the best. You also need anti-malware software that recognizes the threat hidden inside the payload.
It’s worth noting that the voter registration software company was fairly small, which may be why it was targeted by the Russian hackers. It’s a fact of life that many smaller companies have only a minimal IT staff, if they have any at all. They are even less likely to have an IT security staff, which makes them a very soft target and exactly what attackers are looking for.
That small under-protected company can then lead the attackers to their larger partners by providing an attack pathway and by providing a credible disguise for phishing emails. In addition, attackers depend on those smaller companies not believing that they’re a potential target, which in turn makes them more susceptible to attacks.
Just as in the case of constant training to handle phishing attacks, your employees also need to recognize other vulnerabilities where they’re the first line of defense. That means they need to be suspicious about releasing email addresses and phone numbers for executives and other senior employees, for example. And remember that the release of information can come from phone calls as easily as from emails.
While it’s probably impossible to block every attempt to extract information from any company, the ultimate goal is to make it sufficiently inconvenient that the attacker targets someone else. If enough companies make it really hard to get info, then eventually the attackers will try another line of work.