[BreachExchange] Reducing the risk of phishing attacks

Audrey McNeil audrey at riskbasedsecurity.com
Fri Nov 4 18:46:52 EDT 2016


http://www.itworldcanada.com/blog/reducing-the-risk-of-phishing-attacks/388062

Phishing has evolved into the most effective social engineering attack that
hackers use to infiltrate organizations. The goal of phishing is to con
employees into unknowingly downloading malware or revealing their access
credentials. The best defense is our individual vigilance.

The just-ended National Cyber Security Awareness Month reminded us that our
individual and collective behaviors are what contain the risk of cyber
security incidents.

Below are the measures most organizations can implement, at modest cost, to
raise individual vigilance significantly and thereby reduce the risk of
successful phishing attacks.

Security awareness training

Security awareness training is the simplest countermeasure that reduces
phishing attacks. In many organizations, every person is required to attend
basic security awareness training. Typically the training outline includes:

Appropriate internet usage for organization and personal purposes.
Definition of phishing and other types of attacks.
Overview of motivations of hackers.
Adverse consequences of successful phishing attacks and other malicious
intrusions.
Adherence to password policy and how to secure personal access credentials.
How to spot suspicious incoming emails.
Limitations of the electronic surveillance defenses of the organization.
Review of the confidential information management policy, including:
  Proper handling of confidential information.
  Admonition to not click on links or attachments in emails from unknown
  sources.
  Reminder to never give out organization information without appropriate
  authorization.
  Encouragement to report suspicious emails to the cyber security team.
Reporting phishing and other security incidents.
How the cyber security team investigates phishing and other incidents.
Physical security and access to buildings.

Background screening

Sometimes hackers join organizations as employees or contractors just to
gather insider information. Background screening is an important policy for
pre-emptively countering phishing attacks that rely on such insider
information. Screening should not be limited to employees but should include
vendor staff and contract workers, because almost everyone is provided with
some form of access to the organization's network and facilities.

Not screening or haphazard screening invites hackers to gather insider
information to use in future attacks.

Physical security

Every organization should operate an access control system to ensure that
only explicitly authorized people can access systems and facilities.
Everyone needs to learn to firmly challenge people they don’t recognize.

Frequent physical security oversights include:

Not rigorously deleting individuals from access control systems after they
leave the organization.
Providing too much access to individuals for the roles that they hold.

Mock social engineering drills

Occasionally, a phishing message should be sent to employees as a drill by
the cyber security team to gauge the effectiveness of security awareness
training in the organization.

Practices that undermine the value of drills include:

Not holding drills.
Holding too many drills and annoying large numbers of employees.
Sanctioning employees for understandable missteps rather than using such
drill-related incidents to reinforce training.

Information classification policy

The organization should develop an information classification and management
policy, and employees should be expected to read and sign it.
Classification assigns a level of value and sensitivity to categories of
organization data. Each information classification includes different rules
for viewing, editing and sharing the data.

The cyber security team should continuously monitor information related to
the organization that is circulating on the web. The discovery of
confidential information should trigger an investigation. These processes
should protect confidential information and will make passive information
gathering more difficult for attackers.

Factors that undermine the policy and these processes include:

Vague, complex or lengthy definitions for each information category.
Failure to investigate potential incidents.
Failure to censure employees for infractions.

For tips on cyber security, visit the Get Cyber Safe website.

What is your experience with reducing the risk of phishing in your
organization?