Phishing continues to be one of the most effective hacking techniques. Although the majority know what phishing is, it’s not always clear how to appropriately defend against it. A multilayered, defense-in-depth approach works well to mitigate phishing attacks. Phishing, the fraudulent practice of sending emails purporting to be from reputable companies, to induce individuals to reveal personal information, such as passwords and credit card numbers, persevere due to its success rate. People get caught out time and time again, although they are aware of the prevailing risk. So, layering the defenses will limit the effects of phishing. It remains a consistent way to mitigate the risk.
Eight layers of a strong phishing defense
In the fight against phishing, education is the single most effective way to deal with an attack. Phishing is a fraud. The attackers use a misleading email and pretend the email is coming from a valid company and person to trick the target into divulging information or granting unauthorized access. In many cases, the attackers aim to acquire valuable information such as credit card numbers and credentials — usernames and passwords that provide access to platforms. This is often achieved through the attacker sending a link or a file to the user.
Phishing attacks are challenging and becoming more and more advanced. Attackers continue to improve their craft, and the emails become more challenging to identify as fraudulent, resulting in individuals falling for them time and time again. It is a challenging attack to stop as users are at the forefront. Thus, education remains a fundamental part of the defense and should be prioritized and maintained.
2. Rule of least privilege
Limit users’ access as much as possible. It’s vital to ensure that users only have access to what they need to fulfill their function. If they do not need access to a resource or system, don’t give it to them! It’s often the case that most users don’t need the access that they think they need. Once access is granted, it’s challenging to take it back.
Furthermore, roles change within companies, and when this occurs, access rights must be checked so that access continues to align with what is required only. Review access rights periodically. Don’t skip this review and ensure strictness and remain firm.
The access that systems have should be carefully thought out too. Systems should be treated in the same way as people about access control. Systems should also only have the access that they require to fulfill their purpose. For instance, if a computer or device does not need access to a server to function, then don’t give it access. Having entities such as mobile phones on corporate networks or certain IoT devices (a kettle, for example) on the same network as your company file server, does not make sense. Instead, put them on a separate network that is isolated from the company’s “crown jewels.” If these devices are isolated and are compromised, they can’t be used as a springboard to get to the organization’s files. It may sound unlikely, but it happens. So, instead, use the rule of least privilege, and be safer for doing so.
3. Email scanning
Scan the email on the way in and on the way out of the organization with a tool that is not part of the ecosystem. This means if you use a particular cloud provider, forward the email to a third party that is not connected to that cloud provider for additional scanning. Through doing this integrity of the email can be ensured. Often attackers break into a cloud platform and send the phishing email within the system.
Alternatively, attackers create an email in the inbox of the user, which means that it’s not even sent, so it can’t be scanned. In these instances, they are difficult to stop with scanning, so other layers of defense, including education, are critical.
4. Multifactor authentication (MFA)
MFA helps in defending against phishing attacks because if a user is tricked by a phishing email and the credentials are compromised and stolen, the attacker will still require the one-time use component of the credential. Thus, the attacker will not have access if MFA were implemented. So, use MFA as part of the layered phishing defense.
5. Tighten your geo-location
Only accept connections and emails from geographic locations that you deal with and ensure that the users are only able to visit and interact with countries that they need to — especially when using corporate devices. It’s surprising how half of the planet, at a minimum, can be eliminated from the equation through doing this. This will reduce the attack surface and will result in a more secure posture.
Moreover, if the computers and users are blocked from addressing other geo-locations, it means that an extra layer of defense is in place, which the attackers will need to get over to exploit the user through phishing.
6. Proxy and filtering
Filter all access to and from the computers and from user interactions with links. By limiting where the users can go and by implementing user and application-aware proxies, connections can be filtered. This is quite simple to achieve if the devices which the users utilize are configured correctly. Remember to include the mobile devices that are primarily used by all. One easy way to do this is by using a secure and trusted DNS service that filters the DNS request. Very soon, secure DNS will be the norm, and this will further enhance overall security. Already, vendors of browsers are implementing versions of secure DNS to avoid the trickery.
7. Disable external links
If a link is not to and from a system that is trusted by the organization – disable it. It’s surprising how habitual users are and often use the same sites daily to do their work. Thus, it’s possible to create a list of trusted sites and only allow traffic to and from those sites for added security. After a couple of days, that profile will encompass a trusted list. From time to time, a user might require an additional site, if a new application or process is introduced. This approach is not as difficult as one may think and adds a robust level of security, far superior to allowing access to everything.
8. Manage the credentials most likely to get phished
This is an “out-of-the-box” idea that is nowadays being adopted. In simple terms, groupings of privileged accounts exist that are used for transactions, including special usernames and passwords and credit card numbers. These credentials are only active for a small window, for instance, when the transaction needs to go through. Subsequently, the credentials are deactivated, and the credit card invalidated until required again.
This control is beneficial, as the window of opportunity is consistent but limited to minutes, and the attacker would need to know when that small window of opportunity is available to exploit the credentials.
If alerts exist on theses credentials whenever they are used, it will be apparent if they are compromised. If the accounts are locked, and the cards deactivated, and you get an alert, then you know that the accounts have been compromised and appropriate actions and measures can be taken.
Using the assumption that the credentials get compromised despite all other layers of phishing defense in place, the management of credentials is a useful safety net.
Featured image: Shutterstock