Audit and Accountability Case Study


Researchers have found that spear phishing is the most common method used by sophisticated attackers to compromise high-value targets. Unlike classic phishing, which casts a wide net, spear phishing uses social engineering to craft a targeted message inviting the recipient to open an attachment or click on a link. Recipients who click the link may be asked to enter a username and password or other personal information, or the click may trigger the installation of malware on the target's computer. This study focuses on spear phishing, how attackers use it to lure victims, and what precautionary measures individuals can adopt to evade such attacks. It acknowledges the growing trend of cybercrime, which appears to be driven by the growing use of social media such as Facebook and Twitter.

Spear phishing is usually carried out over email. Whether the attack proceeds depends on the cooperation of the end user. The protective measures used to repel untargeted attacks will also repel the majority of spear phishing attacks. Effective defenses involve user training and education, which help end users avoid the behaviors that make phishing attacks succeed. Technologies such as endpoint protection platforms (EPP) and antivirus products have produced mixed results in guarding against these exploits, so reliance on purely technological approaches will fail at some point. This paper analyzes the events surrounding spear phishing and offers recommendations for preventing such situations.


Spear phishing dates back as far as 2006 (Davidson, 2009). Spear phishing attacks can be described as targeted persistent attacks, which are recognized as serious threats to today's enterprises. Spear phishing is also heavily implicated in the widely hyped and often misidentified advanced persistent threat (APT) attack. Only last year, a series of spear phishing attacks hit the headlines:

An employee of Enron succumbed to a spear phishing attack that exploited an Adobe Flash vulnerability, costing the company over seventy million dollars to restore its security systems. Data stolen in this attack was subsequently used to launch further attacks on major corporations such as Lockheed Martin. In addition, Epsilon, a mass email marketing company, fell victim to an APT attack that lasted several months. The breach began with a spear phishing email containing a link to a malicious website, which installed malware on the company's internal systems. Epsilon sends email on behalf of various Fortune 500 corporations (Rao, Gupta & Upadhyaya, 2007), so the breach compromised millions of email addresses belonging to those companies' clients. The email addresses were later used for commercial gain in phishing, spam runs, and further spear phishing attacks.

Phishing and spear phishing

Phishing attacks are not tailored to the identity of the target; they attempt to obtain as much information as possible from as many users as possible. The attacker's goal is to obtain credentials, which can be used to install malware that captures further credentials and other vital information, or turned directly into profit. For instance, stolen credentials allow an attacker to sell real products for actual money. With access to social networking and email accounts, attackers can engage in various profitable activities ranging from blackmail and impersonation to spamming. Spear phishing attacks, by contrast, target high-profile organizations, high-value individuals, and specific companies, and therefore tend to be far more damaging (Kelly, 2012).

The attackers prepare by gathering, aggregating, and correlating information about the target enterprise and the individuals associated with it. Information publicly available on Twitter, Facebook, and LinkedIn profiles not only lets attackers identify individuals' contact details but also provides a significant amount of data about their roles and responsibilities (Goodin, 2012). From this, attackers build extensive professional and personal profiles covering the target's social and professional contacts, likes and dislikes, daily routines, and preferred hangouts.

Methods of spear phishing

Spear phishing attacks have two basic methodologies:

The standard method deceives the target into providing credentials such as database, social networking, or network login passwords. Companies can defend against these attacks by educating end users and deploying standard security products (Goodin, 2012).

The second method lures the target into opening web pages, applications, or documents that exploit vulnerabilities to plant malware on the user's endpoint. From there, the attackers expect the threat to spread throughout the targeted network. This is the most dangerous form of spear phishing, and it is difficult to protect against. Unlike the emails used in standard phishing attacks, these emails may contain nothing beyond the name of an application or document to suggest that something is wrong. An attachment containing malware might even arrive from a legitimate source that has itself been compromised: the attacker could take over a legitimate website and replace its normal contents with content designed to deliver a Trojan (Rao, Gupta & Upadhyaya, 2007).

Defense strategies

Prevention is the most effective defense against all forms of phishing. Technical solutions are typically of limited effectiveness against what is essentially a social problem. Education is the most effective defense against social engineering attacks, and most people learn best by doing. Simulated phishing attacks are therefore one of the most effective methods of education: when end users fall victim to them, the attacks cease to be hypothetical concerns and become teachable moments. Simulated attacks also measure the effectiveness of an enterprise's security education efforts and identify end users who need additional instruction. Although simulations are useful for measuring the prevention system and the extent of user awareness, their success depends on some essential guidelines:

Companies shall not collect confidential data: personally identifiable information such as passwords and social security numbers that end users may have entered during a simulated attack is not needed to confirm that they engaged in risky behavior. Furthermore, any information gathered becomes a liability, because the company is then obliged to safeguard the personal data it collected in this manner (Ismail & Cieh, 2013).

Users who fall victim to simulated attacks should not be embarrassed: the exercise does not seek to shame end users but to instill confidence and a sense of achievement. In this way, end users learn that they can improve their security practices both in their personal lives and on the job. Instead of shaming users who fall for the simulated attacks, a better approach is to applaud those who do not and to patiently explain the missed clues or mistakes that led to failure (Goodin, 2012).
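The two guidelines above translate directly into how a simulated-phishing landing page should handle what users submit. The following Python example is added here and is not part of the case study or of any vendor's product; the campaign name, user names, and form body are constructed sample data. It records that a user clicked and whether a sensitive field was filled in, discards the submitted values themselves, and produces the campaign summary that identifies who needs further instruction.

```python
from urllib.parse import parse_qs

# Form fields whose values are confidential; only their names are ever recorded.
SENSITIVE_FIELDS = {"password", "passwd", "pin", "ssn", "social_security_number"}


def record_click(campaign_id, user_id):
    """Audit event for a user who opened the simulated landing page."""
    return {"campaign": campaign_id, "user": user_id, "clicked": True,
            "submitted_credentials": False, "fields_submitted": []}


def record_submission(campaign_id, user_id, form_body):
    """Audit event for a form POST on the landing page. The submitted values
    are parsed only to see whether a sensitive field was filled in; the values
    themselves never leave this function."""
    fields = parse_qs(form_body, keep_blank_values=True)
    filled = sorted(name for name, values in fields.items()
                    if name.lower() in SENSITIVE_FIELDS
                    and any(v.strip() for v in values))
    event = record_click(campaign_id, user_id)
    event["submitted_credentials"] = bool(filled)
    event["fields_submitted"] = filled  # field names only, never values
    return event


def summarize(events, recipients):
    """Campaign metrics: who clicked, who submitted, who ignored the lure,
    and the list of users who should get additional instruction."""
    per_user = {}
    for e in events:
        u = per_user.setdefault(e["user"], {"clicked": False, "submitted": False})
        u["clicked"] = u["clicked"] or e["clicked"]
        u["submitted"] = u["submitted"] or e["submitted_credentials"]
    return {
        "recipients": len(recipients),
        "users_clicked": sum(1 for u in per_user.values() if u["clicked"]),
        "users_submitted": sum(1 for u in per_user.values() if u["submitted"]),
        "users_ignored": sum(1 for r in recipients if r not in per_user),
        "needs_training": sorted(u for u, s in per_user.items() if s["submitted"]),
    }


# Constructed sample: four recipients, three clicked, one entered a password.
RECIPIENTS = ["alice", "bob", "carol", "dave"]
SAMPLE_EVENTS = [
    record_submission("sim-q4", "alice", "user=alice&password=hunter2"),
    record_submission("sim-q4", "bob", "user=bob&password="),  # left the field blank
    record_click("sim-q4", "carol"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS, RECIPIENTS))
```

Because the stored event contains only field names and booleans, the campaign data can be shared with trainers and auditors without creating a new store of passwords to protect.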

Behavioral issues in managing spear phishing

User education requires that end users be taught how to identify phishing attacks, including improper requests for information, bad URLs, and typographical and grammatical errors. In a spear phishing attack, however, something as subtle as an atypical signature might be the only identifiable irregularity. A more important educational approach, though rarely used, is teaching the correct behavior: how users respond to a phishing message determines whether the attack succeeds or fails (Goodin, 2012). Experts have provided two simple rules that will cause any credential-oriented phishing attack to fail:

End users must not accept a request for a password through electronic communication. No legitimate request for a password will arrive by telephone or email unless the end user initiated the contact. It is therefore critical that internal IT staff do not unwittingly encourage the very behavior they are trying to prevent; IT departments should always try to resolve issues without requiring end users to give up their passwords. When IT support professionals do need a password, best practice is for the end user to change the password before giving it out and to change it again as soon as the support team is done with it (Lewis, 2012). Sometimes an IT department may need to ask for a password by telephone in response to a support request from a user. In that case, the support staff should explain to the user that the password must never be divulged unless the user initiated the call, and the end user must remember to change the password after the support team completes its work.

End users should not log on to websites through an email link. Many social networking services constantly encourage their users to practice exactly the behaviors that lead to successful phishing attacks, and well-constructed spear phishing messages are extremely difficult for anyone, including highly skilled experts, to detect. Opening links directly from text messages and emails must therefore be discouraged (Ismail & Cieh, 2013). For instance, a user who receives a notice purporting to come from Twitter should log in to the Twitter site directly rather than through the link; if the email is legitimate, all the information, including the request, will also be available in Twitter's notification system. When employees learn to follow these two principles, virtually all credential-based attacks will be foiled.
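The two rules above can also be checked mechanically on incoming mail, which is useful for training material and for a mail-gateway warning banner. The following Python example is added here and is not part of the case study or of any product it cites; the sender addresses, domains, and message bodies are constructed samples using reserved example domains. It flags a body that asks for a password, a link whose visible text shows one site while the href points to another, and any link that leads away from the sender's own domain, which is the cue to log in to the site directly instead.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Rule 1: a legitimate party never asks for a password by email.
PASSWORD_REQUEST = re.compile(
    r"\b(reply|respond|send|provide|confirm|enter)\b[^.\n]{0,60}\bpassword\b", re.I)
URL_IN_TEXT = re.compile(r"https?://[^\s<>\"']+")


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable-domain guess (last two labels). Sufficient for the
    constructed samples; a real deployment would use the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text):
    """Host part of a URL or bare host written in anchor text, else None."""
    candidate = text if "://" in text else "//" + text
    host = urlparse(candidate).hostname
    return host if host and "." in host else None


def check_message(raw):
    """Apply the two end-user rules to a raw RFC 822 message; returns findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_addrs = msg["From"].addresses if msg["From"] else ()
    sender_domain = registrable(from_addrs[0].domain) if from_addrs else ""
    findings, links, password_flagged = [], [], False
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        content = part.get_content()
        if not password_flagged and PASSWORD_REQUEST.search(content):
            findings.append("asks for a password by email; never answer such a request")
            password_flagged = True
        if part.get_content_subtype() == "html":
            extractor = LinkExtractor()
            extractor.feed(content)
            links.extend(extractor.links)
        else:  # plain text: the visible text is the URL itself
            links.extend((u, u) for u in URL_IN_TEXT.findall(content))
    for href, text in links:
        target = host_of(href)
        if not target:
            continue
        shown = host_of(text)
        # Rule 2a: visible text names one site, the link goes to another.
        if shown and registrable(shown) != registrable(target):
            findings.append(f"link text shows {shown} but points to {target}")
        # Rule 2b: the link leaves the sender's domain; log in directly instead.
        if sender_domain and registrable(target) != sender_domain:
            findings.append(f"link leaves the sender's domain ({target}); "
                            "log in to the site directly instead")
    return findings


# Constructed samples on reserved example domains.
SUSPICIOUS = """From: SocialNet Support <support@socialnet.example>
To: user@corp.example
Subject: Action required on your account
Content-Type: text/html; charset="utf-8"

<html><body><p>We noticed unusual activity. Please reply with your password
so we can verify you, or sign in here:
<a href="http://socialnet.example.net/login">https://socialnet.example/login</a></p></body></html>
"""

LEGITIMATE = """From: SocialNet <notify@socialnet.example>
To: user@corp.example
Subject: You have a new follower
Content-Type: text/plain; charset="utf-8"

You have a new follower. Visit https://socialnet.example/notifications to see who.
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(name, check_message(raw) or ["no findings"])
```

The off-domain check is deliberately advisory: legitimate notifications often route through link-tracking hosts, so the finding should prompt the user to open the site directly, as the rule says, rather than be treated as proof of an attack.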

Technological issues in managing spear phishing

Although behavioral…


How to Cite "Audit and Accountability Case" Case Study in a Bibliography:

APA Style

Audit and Accountability Case.  (2013, November 30).  Retrieved September 23, 2020, from
