Intrepidus Group Introduces PhishMe to Help Organizations Deal With Growing Pandemic...

* Reuters is not responsible for the content in this press release.

Tue Jul 22, 2008 9:01am EDT

Intrepidus Group Introduces PhishMe to Help Organizations Deal With Growing
Pandemic of Spear Phishing
Web-based User Awareness Training Solution Helps Companies Protect Vital
Information From Cyber Criminals

NEW YORK, July 22 /PRNewswire/ -- Intrepidus Group, a leading provider of
information security services, today announced the release of PhishMe, a
software solution that enables user awareness training to proactively thwart
spear phishing attacks. The next-generation technology is an important weapon
in the fight against the fast-growing and ominous threat of spear phishing and
whaling attacks, a form of cyber crime that uses email-based "social
engineering" to gain unauthorized access to corporate systems and confidential
data.
    Unlike mass-phishing perpetrators, who use spoofed emails to cast a wide
net to fraudulently gather data from unsuspecting victims, spear phishing
attackers target specific organizations and individuals. Unfortunately, this
targeted and sophisticated technique has proven extremely successful in
providing "hackers" access to financial data, corporate and military
information, and trade secrets -- with the final goal, of course, being
financial or political gain.
    "Emerging security threats to the corporate landscape put both the
information and company as a whole at risk. Spear Phishing is a considerable
danger as it is typically a non-random attack seeking specific confidential
information," said Kenneth Tyminski, former CISO for Prudential Insurance
Company of America. "The training-based approach of PhishMe helps to
significantly reduce these targeted attacks through employee education,
helping to safeguard sensitive networks from unauthorized access."
    According to a recent report by iDefense Labs, a noted security and
vulnerability research organization, there were 66 distinct spear
phishing attacks between February 2007 and June 2008, with the rate of attacks
continuing to accelerate. The report goes on to say that spear phishing groups
have claimed more than 15,000 corporate victims in 15 months, with victim
losses exceeding $100,000 in some cases. Victims include Fortune 500
companies, financial institutions, government agencies, and legal firms.
    "E-mail is critical to our business, but also a risk to the security of
our network and information. Technical controls like firewalls and spam
filters help, but only by making our employees part of our defenses can we be
successful," said John Soltys, Information Security Manager at the Seattle
Times Company. "By targeting our users in the same way attackers do and
delivering an education message when the attack is successful we raise their
awareness level and mitigate the risk. PhishMe's service simplified the
administration of tests and provided more value than the in-house tests we've
run in the past."
    "Spear phishing groups are now incredibly sophisticated and,
unfortunately, extremely effective," commented Robert Hansen (aka "RSnake"), a
former member of the Anti-Phishing team at eBay and well-respected security
blogger. "We're talking about experienced cyber criminals who have the skill
and tools to pull off these schemes."
    User Behavior Key to Defense
    Several high-profile experiments have proven that user behavior provides
the foundation for defense against spear phishing schemes. Mass-phishing
campaigns are often caught by anti-spam or phishing filters. But spear
phishing attacks, which are low-volume and closely resemble legitimate emails,
often go undetected. That's why organizations have to rely on humans for
detection and resistance.
    "I often perform investigations for my clients where the initial point of
entry into the victim's computer network comes from a phishing email," said
Keith Jones, senior partner, Jones, Dykstra & Associates. "Phishme.com is a
breakthrough service that provides corporate security teams with the ability
to spread user awareness about this email plague by testing their own user
base. Phishme.com provides the auditor with an extremely easy to use interface
to conduct a phishing scenario and excellent reporting capabilities complete
with summary graphics. I was able to complete a phishing scenario for our
employees at Jones, Dykstra & Associates in less than 10 minutes of use. I
will be highly recommending Phishme.com to my clients to help them continue
their fight against phishing attacks."
    In one experiment, New York's chief information security officer, William
Pelgrin, and his team sent mock phishing emails to nearly 10,000 New York
state employees. The messages appeared to be official notices asking them to
click on Web links and provide passwords and other confidential information
about themselves.
    With the first run of the email, 75 percent of employees opened the email,
17 percent followed the link, and 15 percent entered data. Pelgrin and his
team let users who had proven vulnerable know they'd been scammed and then
sent another mock spear phishing email. With the second run, only 8 percent
even opened the email. In an interview with the Wall Street Journal, Mr.
Pelgrin said, "This is not a one-shot deal. I've got to reinforce that
behavioral change to make it permanent."
    And, in a study at Carnegie Mellon University, volunteers who had proven
susceptible to mock phishing emails were presented embedded training
materials, then sent another email. In the second run, the volunteers
identified 64 percent of the phishing emails. This compares to a mere 7
percent identified by volunteers who had received teaching materials through
other mechanisms.
    Creating a Human Firewall
    "Thinking like the attacker isn't natural for most people," says Aaron
Higbee, CTO of Intrepidus Group. "Our job is to provide a do-it-yourself
phishing framework with features real phishers can only dream about. Any
phishing trend we see in the wild can be incorporated into PhishMe, only
better." PhishMe is a software platform that lets organizations create a human
firewall against spear phishing attacks by providing an easy-to-use system for
facilitating the execution of mock phishing exercises and the delivery of user
awareness training. Using PhishMe's built-in templates and WYSIWYG
(What-you-see-is-what-you-get) functionality, users can easily build real phishing
attacks against employees within minutes, collect metrics on user behavior,
and immediately present training material to employees who fall prey.
    "Spear Phishing exploits human vulnerability. Thus our service focuses on
the human element," said Rohyt Belani, CEO of Intrepidus Group. "We use
techniques recommended by reputed bodies like SANS, and those found to be most
effective by researchers at Carnegie Mellon University to train users in
recognizing and thwarting targeted phishing attacks."
    For more information, to view a demo or sign up for a trial account, go to
http://phishme.com.
    About PhishMe
    PhishMe is a software solution designed to help prevent damage, theft and
loss caused by targeted (spear) phishing attacks. PhishMe facilitates and
automates the execution of mock phishing exercises, provides clear and
accurate reporting on user behavior, and most importantly provides targeted
end user training. This method of delivering training materials is recommended
by SANS and found to be most effective by researchers at Carnegie Mellon
University.
    About Intrepidus
    Intrepidus Group is a leading provider of information security consulting
services and software solutions. With offices in New York City and the
Washington DC metro area, the company offers innovative solutions to help
clients build employee awareness around common information security issues.
Intrepidus Group's consultants conduct hands-on assessments of critical
applications, networks and products to uncover vulnerabilities, and provide
strategic and tactical recommendations to address identified issues.
    Intrepidus and PhishMe.com are trademarks of Intrepidus Group. All other
product and company names herein are or may be trademarks of their respective
owners.
SOURCE  Intrepidus Group

Media, Sabrina Sanchez of Ventana Public Relations, +1-925-875-1968,
sabrina.sanchez@ventanapr.com, for Intrepidus Group