Employees are the weakest link - Enable your employees to effectively become a part of your security team. PART I: Companies’ role in Antiphishing Prevention

Details

Category: Social Engineering

Published: Wednesday, 11 January 2017 18:25

This article is the first part of a series published by the DOGANA Consortium with the purpose of providing information on how enabling employees to effectively become  a part of the enterprise security.

PART I: Companies’ role in Antiphishing Prevention

Bearing in mind that phishing is becoming more and more common among cyber-criminals and has devastating outcomes, enterprises are keen to fight this ever-increasing threat by any and all means.

Threat actors know where your weakest link resides and they are aggressively exploiting it: spear phishing attacks have proven to be incredibly effective for cybercriminals. Data suggests that one in five employees will click on a malicious link and the time to detect a breach is a staggering 205 days. 

Organizations need a better way to fight back against targeted attacks and prevent data breaches.
In today’s threat landscape, in order to prevent substantial financial and reputational damages caused by phishing, companies must implement an automatic response that can reduce the timeframe from discovery to remediation from weeks to minutes.
To effectively mitigate the risks of phishing attacks, companies must combine employee training (since over 90% of breaches are attributed to phishing emails targeting employees) with efforts with machine learning that is smart enough to immediately respond to attacks and share attack intelligence, empowering them to proactively defend their network gateways and endpoints from increasingly frequent and complex email phishing attacks.

Initial Prevention:

IT teams and businesses decision makers play a decisive initial role in the company’s ability to prevent attacks such as phishing and spear-phishing.

• Make a clear statement in your communications reinforcing that you will never ask for personal information via email so that if someone targets your customers, they may realize the request is a scam. Businesses should ensure that their online communications never ask their customers to submit sensitive information via email, personal visits, or phone.
• These controls must be augmented with strictly enforced communication processes and a comprehensive user education program which teaches users how to recognize, resist and report phishing attacks.
• As a rule of thumb, it's a good idea to communicate with users using a corporate website rather than email.

Details of what exactly the company will and will not do need to be explained somewhere on the site in easy-to-understand terms. Short notifications or clear links to help pages should be located on all key pages. (For example, the phrase: "This bank will never send you an email" located on webpages and in emails lets customers know they will never receive email from the company, so any emails received from "you" have to be fraudulent.)

Server Based Solutions should also be put into practice, such as:

• Brand Monitoring: Crawling on-line websites to identify "clones“ (looking for legitimate brands), which are considered phishing pages. Suspected websites are added to a centralized “black-list“ (which could be known by the employees).
• Behaviour Detection: for each customer a profile is identified (after a training period) which is used to detect anomalies in the behaviour of users.
• Security Event Monitoring: Security event analysis and correlation using registered events provided by several sources (OS, application, network device) to identify anomalous activity or for post mortem analysis following an attack or a fraud.
• Strong Authentication: using more than one identification factor is called strong authentication. There are three universally recognized factors for authenticating individuals: something you know (e.g. password); something you have (e.g. hw security token); something you are (e.g. fingerprint).
• New Authentication Techniques: new techniques of authentication are under research, such as using an image during the registration phase which is shown during every login process.

IT teams can also have an active role in the changing of security and awareness culture among the employees:

• IT and business decision makers should implement best practices to help users more carefully screen their electronic communication and collaboration for phishing and other social engineering attacks.
• IT should deploy enterprise-grade alternatives to the consumer-focused file sync and share, file-transfer, real time communications, and other applications that are commonly used today.
• Decision makers should conduct a thorough analysis of the entire organization to understand where data is stored and who has access to it, as well as the tools that employees are using to access corporate data and network resources.
• IT should establish detailed and thorough acceptable use policies for the use of every type of communication or collaboration system that is in place now or might be used in the foreseeable future.

It is also important to survey the tools that are most commonly used (and maybe shouldn’t be) – there are several capabilities that employees use that can create significant risks. For example:

• Personal Webmail accounts that users employ when the corporate email system is down or when they need to send files that are too large to be sent by the corporate email system.
• Consumer-focused file sync and share tools that give users access to all their files from any platform, but that typically do not scan content for malware or other threats.
• File-transfer tools that are designed to send very large files independently of the corporate email system, and so do not get scanned for malware.
• Personally owned smartphones or tablets that can be the target of mobile malware.
• Social media tools that can be used to send corporate content or that can allow malicious content to enter an organization via short URLs or adware other malicious links.
• Employees’ home computers, which often are shared by family members who download non-secure content, and for which anti-virus defenses are often out-of-date.
• The growing variety of mobile apps, cloud-based applications and other tools that can subject corporate data to infiltration by malware or expose sensitive data to exfiltration by cybercriminals.

Recommended actions to mitigate the risks posed by the above-mentioned behaviours include:

1. Conduct regular and complete internal security audits;
2. Establish detailed and thorough security policies;
3. Use advanced security controls on corporate communication such as e-mail encryption and digital signatures to help employees identify social engineering attempts;
4. Monitor incoming communication for malware;
5. Establish a policy on “bring your own device” that controls the use of personal devices for access to corporate resources;
6. Implement best practices for user behaviour with a combination of policies, procedures and training.

The practices for best user behaviour should also, and mostly, be centred in the essential element of good security: the human component. The importance of good and frequent user training to bolster this initial line of defence cannot be overemphasized.

The Clients also play an important role in preventing phishing attacks:

• Any effective solution must include them: when it comes to phishing, a company's clients are one of the first lines of defence;
• Even though it may not seem like the responsibility of the company to educate clients about online security, ensuring that they can recognise phishing attempts and protect themselves is a low-cost, low-tech solution to defending the reputation of the business.
• Clients should be told how to check the security settings of their Web browsers, how to check for the "padlock" and certificate signature on pages, as well as tips such as not sharing passwords, PIN or account numbers with anyone. From time to time, clients should be reminded to install the latest patches and to run an antivirus scan.
• It's also, however, wise not to overload them with too much information and make them fearful of using the company's online services. Special deals on antivirus software should be provided as low-cost protection and to show that the company does take security seriously.
• Customers also need an easy method to report phishing scams and advice on recognizing a scam.

Bearing all this in mind, the company should focus on a fundamental element - for their good functioning and for their security: employees. Companies’ practices and rules can determine if their employees are their weakest link or, on the other hand, strong security walls and an effective element of the security team. 

• Employees should be strongly encouraged and continually reminded to keep software and operating systems up-to-date to minimize a known exploit from infecting a system with malware.
• Employees need to employ passwords that match the sensitivity and risk associated with their corporate data assets. These passwords should be changed on an enforced schedule, and should be managed by IT.
• Employees should receive thorough training about phishing and other security risks in order to understand how to detect phishing attempts and to become more sceptical about suspicious emails and content. It is important to invest sufficiently in employee training so that the “human “firewall” can provide the best possible initial line of defence against increasingly sophisticated phishing and other social engineering attacks.
• Employees should be tested periodically to determine if their anti-phishing training has been effective.
• Employees should be given training about best practices when connecting remotely, including the dangers of connecting to public Wi-Fi hot spots or other unprotected access points.
• Employees need to be trained on why not to extract potentially suspicious content from spam quarantines that might end up being phishing emails.
• Employees need to be given a list of acceptable and unacceptable tools to employ for file sync and share, social media and other capabilities as part of the overall acceptable use policies in place.
• Ensure that all employees maintain robust anti-virus defences on their personally managed platforms if access to any corporate content will take place on them.
• Employees should be reminded continually about the dangers of oversharing content on social media. The world will not be a better place if it knows that you had breakfast in Cancun this morning, but it could give cybercriminals a piece of information they need to craft a spear-phishing email.

Don’t miss the second part of this series: “The Human Component’s Fundamental Role in AntiPhishing Prevention — Initial Training”, which will be published on January 23.

For more information consult the Sources of this Research:

• APGW: http://www.antiphishing.org
• Berkeley Resources: https://security.berkeley.edu/resources/phishing
• BizTech Magazine: http://www.biztechmagazine.com/article/2006/01/phishing-protection
• Black Hat Briefings: https://www.blackhat.com/presentations/bh-europe-08/Rosiello/Presentation/bh-eu-08-rosiello.pdf
• Carnegie Melon University: Lessons From a Real World Evaluation of Anti-Phishing Training: https://www.cs.cmu.edu/~ponguru/eCrime_APWG_08.pdf
• Computer Weekly: http://www.computerweekly.com/tip/Preventing-phishing-attacks-Enterprise-best-practices
• Federal Communications Comission: https://transition.fcc.gov/cyber/cyberplanner.pdf
• Federal Trade Commission: https://www.consumer.ftc.gov/articles/0003-phishing
• Global Learning Systems:
  - http://www.globallearningsystems.com/products/anti-phishing-training
  - http://www.globallearningsystems.com/index.php/products/phishtrain/
• InfoSec Institute:
  - https://www.infosecinstitute.com/phishsim
  - http://resources.infosecinstitute.com/top-9-free-phishing-simulators/#gref
  - http://resources.infosecinstitute.com/category/enterprise/phishing/spear-phishing-and-whaling/#gref
  - http://resources.infosecinstitute.com/category/enterprise/phishing/phishing-tools-techniques/
• InfoSecurity Magazine: http://www.infosecurity-magazine.com/blogs/effective-phishing-assessment/
• IronScales: https://d30npevhrs2eg4.cloudfront.net/wp-content/uploads/2016/11/07090852/combatting-modern-email-phishing-attacks.pdf
• Looking Glass Cyber Solutions: https://www.lookingglasscyber.com/blog/phishing-quiz-whats-your-aptitude/
• KnowB4:
  - https://www.knowbe4.com/products/kevin-mitnick-security-awareness-training/
  - https://s3.amazonaws.com/knowbe4.cdn/Best+Practices+for+Dealing+with+Phishing+and+Next-Generation+Malware+-+KnowBe4.pdf
• MediaPro: https://www.mediapro.com/courses/phishing-awareness/
• PhishLabs: https://www.phishlabs.com/t2-spear-phishing-protection/employee-defense-training/
• PhishMe: http://phishme.com/product-services/reporter
• PhishTrain:
  - https://www.phishtrain.com/email
  - https://medium.com/@phishtrain/2-0-phishtrain-update-features-f69f865d2af0#.hfjdr1cqp
• SonicWall: https://www.sonicwall.com/phishing/phishing-quiz-question.aspx
• Tangible Security: https://tangiblesecurity.com/index.php/services1/employee-security-awareness-training
• TechTarget:http://searchsecurity.techtarget.com/news/2240181849/Emerging-antiphishing-tools-use-testing-training-to-educate-users
• The State of Security: https://www.tripwire.com/state-of-security/security-awareness/bsidesdc/
• Wombat Security:
  - https://www.wombatsecurity.com
  - https://www.wombatsecurity.com/security-education/educate

by Maria Monteiro, Filipe Custódio (VISIONWARE)