"There are essentially two major ways to defend against social
engineering scams, in order to protect your company and its employees. One is
training your users, and the other is technical security controls. We believe
you have to implement a combination of both user training and technical
controls to be successful. Relying on just one approach or the other will
probably not decrease your risk to an acceptable level.
Nearly 60% of employees receive phishing emails every day, so clearly technical controls are failing to stop many of these messages as they pass through the system. Often, the technical controls are working, but spearphishers continue to change their tactics to cope with the ever-improving technologies. Therefore, the user can be both the weakest point and the strongest resource in the defense of corporate networks. With the proper user training, you can turn the weak link into a protector of your organization.
Security Awareness Training
Security awareness training helps you educate your employees to stop
risky activities such as clicking on a link in a questionable email, opening an
attachment they are not expecting, or submitting something on a bogus forum.
Here are 15 good defenses to teach your company’s employees:
1. Don’t trust links in an email.
2. Never give out personal information upon email request.
3. Look carefully at the web address; it could be a close approximation of the real URL.
4. Type the real website address into a web browser.
5. Don’t call company phone numbers listed in emails or instant messages; check a reliable source such as a phone book or credit card statement.
6. Don’t open unexpected attachments or instant message download links.
7. Be suspicious if an email says “do X or something bad will happen”.
8. Be suspicious of any email with urgent requests for personal financial information.
9. If the email sounds too good to be true, it probably is.
10. Always ensure that you’re using a secure website when submitting credit card or other sensitive information via your web browser; look for the https:// and/or the security lock icon.
11. Regularly log into your online accounts and check your bank, credit and debit card statements to ensure that all transactions are legitimate.
12. Use a reputable anti-virus program.
13. Enable two-factor authentication whenever possible. This combines something the user knows (such as a password or PIN) with something the user has (such as a smart card or token) or even something the user is (such as a biometric characteristic like a fingerprint).
14. Keep your operating system updated, and ensure that your browser is up to date and security patches are applied.
15. Always report “phishing” or “spoofed” e-mails to your IT department.
Through this kind of security awareness training, you turn each one of your employees into security sensors in your organization. So, there are actually people who can now spot a phishing campaign and can alert security so that they can react. This type of threat might otherwise have flown under the radar of security.
Technical Security Controls
Of course, training needs to be coupled with technical security
controls. These technical controls will prevent or block many of the threats so
that they never reach your users. We’ll take a look at some of the different
types of controls and how they work.
Vulnerability management is
your number one defense against attackers. It identifies existing
vulnerabilities in software programs, browsers and plug-ins and helps shield
your organization from potential damage, as well as mitigate vulnerabilities
through patching, changing configurations or making application updates to
remove vulnerable code. Programs like Microsoft Office and Adobe Reader are the
typical applications that get exploited through phishing, so it is important to
stay on top of any vulnerabilities associated with these programs. You also
need to make sure your vulnerability management program is maintained and
monitored over time. The keys to vulnerability management are to get visibility
on client-side vulnerabilities, focus on solutions that highlight vulnerabilities
exploited by malware kits, as well as validate and prioritize vulnerabilities
to identify high-risk issues that must be fixed immediately.
Patch management is used to fix
vulnerabilities based on input from vulnerability management. Some fixes are
implemented through patching and some are through changing configurations.
Software updates and security updates need to be done in a timely manner to
keep up with patching vulnerabilities.
Malicious URL and attachment blocking can be done with web filters and spam filters. Microsoft Outlook has incorporated a good filter that will put emails into the junk folder if they contain a suspicious link – for example, a link that doesn’t have a domain name but only an IP address. Outlook will automatically put that email into the junk folder or it won’t let you click on the link until you confirm that it’s okay. (Of course, you need to train employees that these emails have been placed in the junk folder for a reason!) There are also web filters that you install at the Internet gateway of your company that will block malicious URLs.
Intrusion Prevention System (IPS) is
another form of defense. If, for some reason, a user does click on a suspicious
link, and a website is serving up a browser exploit, an IPS can detect that and
block web-based exploitation.
Data Loss Prevention (DLP) / Egress filtering is a system designed to detect a potential data breach and prevent it by
monitoring, detecting and blocking sensitive data while in use, traveling over
the network or in storage. Let’s assume that your network has been compromised
and that somebody’s inside the organization to actually complete the action.
They haven’t reached their goal until they’ve actually downloaded the sensitive
information, so, DLP and egress filtering is all about stopping that sensitive
data from getting out of the network.
Disabling Java may be a drastic approach to security, but Java has been a huge attack vector for compromising systems via malicious links in phishing emails. If you are using critical applications running on browser-based Java, or if your users need Java to get their jobs done, you may want to configure the browser to prompt and ask for permission before launching Java and educate your users to only allow Java on websites they trust."
By Rapid7
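The quoted article lists three link-level red flags that both users and mail filters can check: a link whose host is a raw IP address rather than a domain name (the Outlook junk-folder rule), a displayed address that is only a close approximation of the real URL, and anchor text that points somewhere other than where it claims. The following Python script is an added example, not Rapid7's code or any product's filter, showing how a mail gateway or triage tool could apply those heuristics to an email body. The trusted-domain list, the sample email and the two-label "registrable domain" approximation are all constructed assumptions; a real deployment would use a public-suffix list and the organisation's own brand list.

```python
"""Flag suspicious links in an HTML email body (added example, constructed data)."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains the organisation treats as its own brands (constructed).
TRUSTED_DOMAINS = {"examplebank.com"}

# Constructed sample email: one IP-hosted link with misleading anchor text,
# one lookalike domain, and one legitimate internal link.
SAMPLE_EMAIL = """
<p>Your account needs verification.</p>
<a href="http://192.0.2.10/login">https://www.examplebank.com/verify</a>
<a href="https://examp1ebank-login.com/">Click here</a>
<a href="https://intranet.examplebank.com/policy">Policy</a>
"""


def _host(url):
    """Lowercase hostname of a URL, '' if it cannot be parsed."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def _is_ip(host):
    """True when the link host is a bare IPv4/IPv6 address (the Outlook rule)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _registrable(host):
    """Crude registrable-domain approximation: last two labels (assumption, no public-suffix list)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def _looks_like_trusted(host):
    """True when host is NOT a trusted domain but embeds a trusted brand (lookalike / typosquat)."""
    if host in TRUSTED_DOMAINS or any(host.endswith("." + d) for d in TRUSTED_DOMAINS):
        return False
    brands = {d.split(".")[0] for d in TRUSTED_DOMAINS}
    # Normalise common substitutions (hyphens, 0->o, 1->l) before comparing.
    squashed = host.replace("-", "").replace("0", "o").replace("1", "l")
    return any(b in squashed for b in brands)


class _LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def assess_links(html):
    """Return [(href, [reasons])] for every link that trips at least one heuristic."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons = []
        host = _host(href)
        if _is_ip(host):
            reasons.append("raw IP address instead of a domain name")
        # Anchor text that itself looks like a domain/URL but points elsewhere.
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if shown and _registrable(shown.group(1)) != _registrable(host):
            reasons.append(f"displayed '{shown.group(1)}' but points to '{host}'")
        if _looks_like_trusted(host):
            reasons.append("domain resembles a trusted brand")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in assess_links(SAMPLE_EMAIL):
        print(href, "->", "; ".join(reasons))
```

A gateway would typically act on these findings the way the article describes Outlook acting: route the message to junk or rewrite the link so the user must confirm before following it, and tell users why the message landed there.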
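The DLP / egress-filtering section above makes the point that an intruder has not reached their goal until sensitive data actually leaves the network, so the last control is to recognise that data in transit and stop it. The script below is an added example, not Rapid7's code or any DLP product, of the simplest useful version of that check for one data class: it finds payment card numbers in outbound text, validates candidates with the Luhn checksum so that arbitrary 16-digit strings are not blocked, and returns a block/allow decision together with a redacted copy. The sample message is constructed; the policy of blocking on any validated card number is an assumption.

```python
"""Minimal egress/DLP check for payment card numbers (added example, constructed data)."""
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed outbound message: one real-format test card number (Luhn-valid),
# one 16-digit reference that fails Luhn, and a short phone number.
SAMPLE_OUTBOUND = (
    "Customer card 4111 1111 1111 1111, ref 1234567890123456, call 555-0100."
)


def luhn_valid(digits):
    """Luhn checksum: double every second digit from the right, subtract 9 if > 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(candidate):
    return re.sub(r"[ -]", "", candidate)


def find_card_numbers(text):
    """Return the normalised digit strings of every Luhn-valid card number in text."""
    found = []
    for match in _PAN_RE.finditer(text):
        digits = _digits_only(match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def redact(text):
    """Mask every validated card number, keeping only the last four digits."""

    def _mask(match):
        digits = _digits_only(match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return "****-****-****-" + digits[-4:]
        return match.group()

    return _PAN_RE.sub(_mask, text)


def egress_decision(text):
    """Policy (assumption): block if any validated card number is present.

    Returns (decision, redacted_text); the redacted copy is what a filter
    would log or forward to the security team instead of the raw message.
    """
    found = find_card_numbers(text)
    return ("block" if found else "allow"), redact(text)


if __name__ == "__main__":
    decision, safe_copy = egress_decision(SAMPLE_OUTBOUND)
    print(decision)
    print(safe_copy)
```

The Luhn step matters for false positives: without it, order references, tracking numbers and timestamps of the right length would be blocked, and users learn to route around a filter that cries wolf. A production filter adds further data classes and context rules, but the validate-then-decide shape stays the same.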