One of the most common malware attacks, and the largest challenge to Online Security, is phishing. It is one of the most difficult for IT Security to guard against, principally because it relies on a user delivering the goods rather than on dropping in an identifiable piece of malware.
Phishing is basically a means of stealing important data: personal data for use in identity theft, credit card information for theft of goods or services, and business information for blackmail or sale to a competitor. Delivery vectors include email, website pop-ups, websites themselves, and telephone calls impersonating a known vendor or IT supplier.
In recent times, phishing attacks have become more sophisticated. They started out as bulk mailings of a standard email, relying on a scatter-gun approach: most would miss, but some would hit the target. Today they tend to be targeted attacks looking for specific information, crafted to reassure the reader that they are genuine.
However they arrive, all these methods rely on a user taking a course of action that enables the attack.
What can the alert IT Head do to spruce up his IT Security and Online Security defences to guard against phishing attacks?
If we define IT Security as the overall process of securing an organisation's systems and data, and Online Security as the digital anti-malware processes and procedures, then we can prepare for phishing attacks and decide how to deal with them when they occur.
Here are four basic things to do:
User education
This is the most important action to take.
Most phishing attacks start with the user. Without training they will click on a link in a spam email, on a website or in a website pop-up. They will divulge information over the phone to someone pretending to be from a known supplier or IT company. Emails can be crude, or very well crafted to imitate emails received from a reputable source. In all cases they invite the reader to take some action.
The first step therefore is a process of continuing education to train users how to identify a potential phishing attack, and what to do and not do if they see one. Make it an induction event, and part of a continuing educational reinforcement process.
One key point is to tell them that they must not click on a link in an email from someone they do not know. As an example, a user receives an email from their bank asking them to confirm their account details. The mail is a spoof email, and all they will do by clicking on the link and following the instructions is to hand over their banking details to thieves.
Other spam emails ask the reader to open an attachment. The attachment contains a piece of malware, often a trojan, which once installed on the user's PC passes information back to the thief. Users must not open the attachment unless they know the sender.
Users should add the sending address of spam emails to their spam filter, and under no circumstances move an email back from their junk folder to the inbox and open the attachment or click on the link.
Continuing user education is a key element in the barriers against Phishing.
Corporate level barriers
The IT environment must include comprehensive, industrial-strength anti-malware defences. Make sure that the software is kept up to date, both at the system level and in the signatures used to identify malware.
The software should also include a component that identifies spam email, either from a list of known spam addresses, or from key identifiers in the mail itself. Indicators include blank senders, inconsistencies in the mail headers and questionable attachments.
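The indicators listed above (a blank sender, inconsistent headers, a questionable attachment) and the spoof bank link described earlier can all be checked mechanically before a message reaches the inbox. The script below is an added example, not code from the original post or from any product it mentions: it parses one raw message with Python's standard `email` library and reports which of those indicators it finds. The sample message, the address domains and the list of risky attachment extensions are all constructed for the example.

```python
"""Added example (not from the original post): triage one raw RFC 5322 message
against the phishing indicators the post lists. The sample message below and
the domains it uses are constructed for this example."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attachment types that should not arrive unannounced from an unknown sender
# (an assumed, illustrative list, not a complete one).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".jar", ".lnk", ".iso"}

# Constructed sample: a spoof "bank" message whose envelope sender does not
# match the From header, whose link text disagrees with its real href, and
# which carries an .exe attachment (the base64 body is just the bytes "ABC").
SAMPLE_RAW = """\
From: "Example Bank" <alerts@examplebank.test>
Return-Path: <bounce@bulk-mailer.invalid>
To: user@company.test
Subject: Please confirm your account details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please <a href="http://login.attacker.invalid/verify">https://www.examplebank.test/login</a> to confirm.</p>
--b1
Content-Type: application/octet-stream; name="statement.exe"
Content-Disposition: attachment; filename="statement.exe"
Content-Transfer-Encoding: base64

QUJD
--b1--
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def _domain(value: str) -> str:
    """Host part of an email address or URL, lowercased ('' if none)."""
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].lower()
    return (urlparse(value).hostname or "").lower()


def triage(raw: str) -> list:
    """Return the list of indicator strings found in a raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Blank or missing sender.
    _, from_addr = parseaddr(msg.get("From", ""))
    if not from_addr:
        findings.append("blank-sender")

    # 2. Header inconsistency: envelope sender domain differs from the From domain.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    if from_addr and return_path and _domain(from_addr) != _domain(return_path):
        findings.append(f"return-path-mismatch:{_domain(return_path)}")

    # 3. Questionable attachments, judged by file extension.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in RISKY_EXTENSIONS):
            findings.append(f"risky-attachment:{name}")

    # 4. Links whose visible text names a different host than the real target.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown, real = _domain(text.strip()), _domain(href)
            if shown and real and shown != real:
                findings.append(f"link-mismatch:{shown}->{real}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_RAW):
        print(finding)
```

Run against the constructed sample, the script reports the Return-Path mismatch, the `.exe` attachment and the link whose text shows the bank's site while its href points elsewhere. A clean message produces an empty list, and a message with no From header at all is flagged as `blank-sender`. In a real mail gateway these checks would feed a scoring rule alongside the vendor's signature and reputation data rather than act as a verdict on their own.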
Have more than one technology and solution
Phishing comes in many forms. It is unlikely that a one-size-fits-all solution will be sufficient to guard against it. The solution will be multi-faceted, incorporating elements at the user level and at the corporate level.
Crudely put, don’t have all your eggs in one basket.
Know what to do when it happens
It isn’t a question of if it happens, but one of when it happens. As part of the education and awareness programme, users must know what to do if they suspect a phishing or malware attack. It must be a non-punitive policy, perhaps even one that rewards users for their awareness and action. One obvious point – don’t use email or the trouble-ticket system to report the problem.
The IT department must have procedures in place to follow up on a reported attack. It must assess the attack and, depending on its seriousness, take the appropriate action.
We are taught from the cradle onwards about personal safety: not to talk to strangers, to be courteous, and to save for our futures. Our parents reinforce these ideals regularly. Organisations must take the same educational approach to cybersecurity.