Like This Blog 0

Added by Mike Danseglio January 19, 2015

Phishing is a combination of social engineering and technology that tries to trick users into disclosing sensitive information. You’re probably already familiar with the stereotypical Nigerian Prince email – an unsolicited email from an unknown sender identifying himself as a Nigerian Prince and offering to pay you to help him transfer his money to your country. This scheme is well known as a fraud scheme and an attempt to gather bank account and tax identification information to commit identity theft and various crimes.

A far worse aspect of phishing is happening in the corporate world. Targeted phishing emails (sometimes called spear phishing) convince employees to disclose sensitive data about their organization. These often include user names, passwords, server names, and critical business system identities.

Most IT professionals consider phishing not a significant threat. That’s usually because in the past, these emails contain obvious indicators: spelling mistakes, malicious URLs, and obfuscated sender identities. That’s simply not the case anymore. Corporate phishing is now a complex attack that is well-written, well-planned, and contains few indicators that it is anything other than an authentic email that should be taken seriously. Spelling errors and EXE attachments are things of the past.

What Tools Should You Use to Counter Phishing?

Most IT professionals have email scanning and filtering systems. Some prefer to route all email through a trusted third party for analysis and reporting. Others implement malware scanners on email servers. Yet another approach is implementing a layer 7 firewall that scans for phishing content across applications.

None of those are great solutions. They all fail to address the key component in phishing attacks. There is always one common component that makes a phishing attack successful regardless of the sophistication or investment in the attack. One example of that common component is shown in Figure 1.

Figure 1. The user is the common component of all phishing attacks.

Phishing attacks target the typical corporate user. Attackers write emails and lure users to web sites that appear to further their career, help the company, or have some other benefit that’s not clearly a scam.

To properly counter phishing attacks you need to educate users so that they can defend themselves.

Why User Education is Key

Phishing attackers craft their files and emails in a way that avoids the technological protections that I mentioned. They examine malware scanning engines and firewall rules to ensure that their email, images, and files are not considered malware. So these attacks frequently reach users without being blocked.

By educating users you are implementing a long-term and high-return countermeasure. In my experience, teaching users about these threats and how to respond is quick, inexpensive, and have profound long-term security benefits. In general, you want to educate your users on these points:

• Attackers target all companies and organizations regardless of size, industry, etc.
• Attackers will send them emails that may or may not have attachments and links
• Report all suspicious emails to IT or a designated reporting group/individual

How you implement user education on phishing is entirely up to you and depends on your organizational culture, budget, time constraints, etc. In-person training, online video training, awareness posters, email, seminars… they all have a tremendous impact on user education.

The Free Anti-Phishing Resource

I don’t expect you to be an expert in security training and creating training material. That’s why I’m an expert in security training and creating training material! But you might be surprised by how much user education material is available to you right now. Even more surprising is that most of it is entirely free.

The best place to start is the Anti-Phishing Working Group (APWR). Not only do they provide a ton of sample emails, posters, and other training materials, they also link to both vendors and neutral third-parties that provide more of the same. It is the best starting place you can use when looking for any anti-phishing user education material.

So what are you waiting for? Go grab some material and plan out your user-centric anti-phishing strategy!

Stay safe!

Mike Danseglio -CISSP / MCSE / CEH
Interface Technical Training – Technical Director and Instructor

Mike Danseglio teaches Security classes at Interface Technical Training. His classes can be attended in Phoenix, Arizona or online from anywhere in the world with RemoteLive.

• CISSP (Certified Information Systems Security Professional)
• Certified Ethical Hacking and Countermeasures v8
• Computer Hacking Forensic Investigator – CHFI v8
• CompTIA Security + Certification Skills