This is not a lost episode of Whale Wars, which I confess watching can be a bit of a guilty pleasure of mine. When I refer to a whale, I am referring to your boss or, in some cases, you! A whale in information security lingo is a person with significant assets or access and whaling (as outlined by Bob Violino on CIO) is but one of many types of cyber attacks that are evolving. From phishing and pharming to spear phishing, the list goes on.
A whaling attack targets people with significant personal assets or employees with access to critical data systems. The executives of your company would be considered whales and there are a bunch of Captain Ahabs out there in the troubled waters of the Internet just looking for an opportunity to harpoon a big one. (I have the privilege of being married to an English teacher, so every so often it is prudent for me to insert a literary reference.)
But, even as I write this, I realize that I just gave away a piece of information about my life for free. As our lives become more digital, the higher the chance that a whale within your organization is unintentionally providing information to the world that could be used to build a whaling attack against your company or their own financial assets.
One example is the Facebook “check in” feature. Just imagine if one of your executives using his iPad in an airport checks in on his Facebook page. The whaler with access to this information uses it to call his admin posing as the IT department. They claim that the executive is having difficulty getting access and, in order to solve the issue, the admin needs to provide some specific information to fix the problem…
So how do you save the whales from those big game Phishermen?
It all comes down to identity and being able to validate identity in an online world. For the whales in your organization, username and passwords are simply not sufficient – no matter how complex or how often they change. To protect these key members of your executive team or IT staff with access to critical business information you must move to strong authentication (also referred to as multifactor authentication or MFA – see my blog post on this topic). In other words an identity card or token would be something you have combined with a PIN or something you know for two factors of identity proof. For even more security, you can combine this with a third biometric factor or something you are.
This MFA technology is currently used by banks and governments around the world to verify the identity of users attempting to access bank accounts and network resources. Introducing another “factor” of identity verification – in this case a smart card – removes the harpoon from the hands of the whaler by making it impossible to breach the system no matter how much information they gather or how customized the attack. Without the smart card (something you have) it doesn’t matter how much you “know”, even if knowing is a compromised username and password.