Phishing attacks are a constant threat to organizations small and large. This post will explore some basic tips (technology and process) to keep you and your business safe in the face of this seemingly endless threat.
According to the APWG (Anti-Phishing Working Group), The number of unique phishing reports submitted doubled from 2014 to 2015. The FTC (Federal Trade Commision holds the average loss to each successfully phishing to $1200 USD. According to 3rd Microsoft Computing Safer Index Report released in February 2014, the annual worldwide financial impact of phishing could be as high as $5 billion. Phishing is clearly a growing threat used consistently by cybercriminals. This should less arise alarm from us and more call us to better understand how we can protect ourselves and our companies from it. But before we do, let’s explore some fundamentals.
Phishing is a cybercriminals attempt to acquire PII (Personally Identifiable Information) such as username/password, credit card or, SS# by masquerading as a trustworthy entity via electronic communications. These communications can be spoofed emails, spam, instant message, text message, social media posts or links on Facebook, Twitter or Google +. Regardless of the method of delivery, phishing attempts to socially engineer a users to click on a link to visit an illegitimate version of a real website to extract the information a cybercriminal then uses to commit.
Spear Phishing is a form of phishing specifically directed at individuals. Determined attackers can use open source intelligence gathering techniques and find information on their targets via public data sources such as social media sites.
Whaling is phishing targeting senior executives in the C-suite and other high profile business leadership.
Characteristics of Phishing Message
Legitimate looking communication that contain a sense of urgency such as:
- Financial Statement
- Account bill
- Legal subpoena
- Customer complaint
- Government communication
Creating a sense of urgency is usually a key that you are being socially engineered and manipulated by a phishing effort. Don’t fall of this urgency, instead find the official website of the organization or their official phone number and call about the issue.
How to Protect Your Company from Phishing
The general the rule is quite simple.
- Trust no communications
- Use common sense
- Take technical and process precautions listed below…
Trust not, click not Trust nothing communication, application or update unless you can validate its source. Be suspicious of any email, text, IM, online chat, posts, tweets, online advertising, phone call (any communication) asking for your PII (Personally Identifiable Information)
Don’t read/open/click on spam, IM’s, websites, social media content that you do not know or trust.If an email seems suspect do NOT open it. Delete it. Then open a new browser window and go directly to the organization in question or call them and ask to clarify the issue from the number listed on their website.
Validate Company Website Google the organization and go to their official website. If you do respond with PII make sure it is over a secure, encrypted channel such as via their website via SSL/TLS. Learn how to know if their SSL/TLS certificate is valid.
Backup your data to disk/tape, and internet backup (encrypted in transit and at rest). At least 2 forms of backup one local and one remote is important. Businesses should always have automated and managed backup services to ensure they have an option to recover should an unfortunate situation arise. This should be a part of any disaster recovery and business continuity effort.
Don’t run EOL (End of Life) software Don’t run software that is unpatchable due to the manufacturer discontinuing support. Ex. Windows 95/ME/2000/etc. and even XP(as of 04/14) or Apple OS 8/9.
Encrypt where required Encrypt when and where required. Microsoft Windows, OSX offer built in encryption as well as a myriad of 3rd party applications.
Patch your system All your enterprise desktops, servers, network devices, tablets, smartphones need to be actively patched. Companies should have some form of patch management in place to actively patch desktops, servers and networking devices.
Patch third party applications Most important of these is browsers, email applications, Adobe applications such as Acrobat Reader, Flash and Oracle Java. If you don’t require these plugins, remove them entirely. In a business environment patch management should address ALL applications with active effort to patch them on a scheduled basis.
Least privilege Run as regular user not Administrator/Root. Windows (Standard User), OSX (Standard User). This simple step will reduce your risks quit a bit.
Use strong passwords & password managers >12 alphanumeric characters, not a word in any language.
RoboForm (commercial), 1Password (commercial), KeePassX (open source), KeePass (open source)
Turn on Multi-Factor Autentication Everywhere Multi-factor authentication (also MFA, two-factor authentication, two-step verification, TFA, T-FA or 2FA) is an approach to authentication which requires the presentation of two or more of the three authentication factors: a knowledge factor (“something only the user knows”), a possession factor (“something only the user has”), and an inference factor (“something only the user is”). You can use MFA in a multitude of forms to improve your authentication options. See my blog posts on MFA options.
Deploy both software/hardware firewall Most anti-malware suites have a software firewall in them which should be configured to meet your needs and improve your organizations security stance. Additionally, hardware firewalls should always be used. Companies should deploy either a Next Gen Firewall, UTM or proxy solution to filter out known phishing and malware.
Deploy IPS (Intrusion Prevention System) & or SEIM IPS systems detect malicious activity, log it and attempt to block it. They are a critical piece of any holistic infosec effort. SEIM (Security Information & Event Management) systems give an organization a “birds eye” view of information security related aspects of the systems and networks. These are powerful tools any enterprise can use to improve their security posture as it relates to phishing or other threats.
Get Quality Anti-malware Anti malware should cover you against the myriad of threats that are out there. A quality anti-malware isn’t optional on any operating system (Apple OS X included), smartphone and tablets. Anti-malware is tested and rated by independent 3rd party labs so you can see which brands are most effective.
None of these will work in isolation so I encourage you to use them all concurrently. No single effort, technology or practice will make us 100% secure but the sum of many best practices will certainly improve our security stance and reduce our risks.
Congrats, you made it to the end of the list without the need for headache medicine (hopefully). Bravo! =) It is my hope that this post was somewhat helpful. I wish you and yours a safe and secure Holiday season. Stay safe and secure out there.