Modern field guide to security and privacy

Opinion: Fight phishing without blaming victims

Criminal hackers are skilled at crafting fake e-mails that dupe recipients. But instead of blaming the employees who click links that infect computers, organizations should work harder to fortify their networks.

Bogus e-mails designed to trick recipients into clicking malicious links are increasingly common. For criminal hackers, these so-called "phishing" messages are an effective tool for breaching an organization's online defenses, successfully penetrating large-scale organizations and striking single, high-value targets.

In fact, phishing appeared to be the gateway for the attacks on Sony Pictures and Anthem.

But the way to solve this problem isn't by blaming victims who click links within nefarious e-mails. Unfortunately, that's what the chief information security officer for the Department of Homeland Security, Paul Beckman, is proposing.

He wants to revoke security clearances for employees who routinely fail phishing tests, saying that continuing to flunk such tests shows a lack of responsibility when it comes to handling top-secret information.

Yes, antiphishing training is effective. But only to a certain point. Training can reduce the number of malicious links that get clicked on within an organization but it will never eliminate the threat. Criminal hackers are crafty, and there will always be that perfectly designed e-mail that'll fool even the savviest recipient. So, if your security policy is to rely 100 percent on antiphishing training, you’re about to have a very bad day.

Thankfully there are plenty of techniques organizations can use to defend against phishing that do not involve shaming victims. Companies and government agencies should ensure patch levels are up to date so that bad guys would be forced to use a previously unknown – or "zero day" – vulnerability to penetrate the network. That's often an effective deterrent.

Organizations can also limit employee network access to only those resources essential for their jobs. That way an attacker can't use an employee's credentials to infiltrate the entire network.

Updated antispam technology will also stop most mass e-mail attacks. If attackers do get through, a properly segmented network will stymie their ability to deeply penetrate the network. Continuous monitoring of the network will help, too. And, once and for all, enable two-factor authentication.

But all too often companies and cybersecurity firms focus on just stopping phishing. Entire companies exist to conduct phishing tests against employees to see how susceptible they are to this social engineering attack.

Don't get me wrong, phishing is a big problem. Recent studies have pegged the cost of phishing attacks against the average 10,000-person company at $3.7 million per year.

Let's face it, employees will make mistakes when it comes to e-mail, just like they'll make mistakes in other aspects of their jobs.

But by focusing too much on this one attack vector, the cybersecurity industry is ignoring all of the other basic safety measures we should be deploying.

While the National Counterintelligence and Security Center recently launched an antiphishing campaign called "Know Your Risk, Raise Your Shield," I just hope this campaign does not come at the expense of other basic security fundamentals.

C. Thomas (aka Space Rogue) is a strategist at the cybersecurity firm Tenable Network Security. You can follow him on Twitter @SpaceRog.
