In our most recent Remote Sessions webcast, Roger Grimes, computer security expert and Data-Driven Defense Evangelist for KnowBe4, gave a deep dive on phishing and how to properly mitigate and prevent phishing attacks.
Grimes has worked in the cybersecurity industry for more than 30 years, authoring 13 books and more than 1,300 articles. His job history includes major companies such as Microsoft, McAfee, and Foundstone.
What is phishing?
Grimes defines phishing as the process of maliciously masquerading as a trusted entity to acquire unauthorized information or to create an action that conflicts with the best interests of the victim or their company.
Also known as spamming, phishing is typically done through email, SMS, and phone attacks. These attackers have criminal intent, as they'll lure in victims by claiming to be a friend, family member, bank, or other well-known companies and websites.
Malware and attackers can "break in" in various ways. These attacks can come from malicious instructions, social engineering, or authentication attacks, as well as heavy network traffic.
Defending against phishing
The general defense methods for protecting oneself against an attack can be thought of as the pillars that support your overall security online. These pillars are described by Grimes as essential in the workplace and include strategies that can mitigate almost all kinds of non user-related issues.
The pillars mentioned are policies, technical controls, and security awareness training. These methods aim to put end-users in an advantageous position when under attack or presented with anything suspicious.
The most common root causes for initial breaches stem from social engineering and unpatched software, as those account for more than 90% of phishing attacks.
Social engineering has its tells, though. Common ways to spot it are unexpected subjects or unexpected email addresses, requests for any kind of password, and any email with links that are not congruent to the display names.
Grimes suggests adopting defense principles to enable concrete methods when taking precautions against phishing. These principles fall in order: identify the initial exploitation methods, rank the methods by frequency and success rate, and then implement ranked mitigations against these top methods.
If you detect a phishing email, make sure to avoid all links, and report them!
Policies
Many different kinds of policies can be implemented to work against attacks, but it's important to have some fundamental principles in place to set an overall example throughout the company. Grimes suggests common practices such as locking your computers, not sharing passwords with others or over an email, and being careful about changing your bank information.
Drafting an Acceptable Use Policy to be able to agree on certain terms can be extremely helpful while staying general and focused on avoiding becoming compromised online.
Technical controls
Installing technical controls can allow for a more secure system, and anti-malware, anti-spam, and content filtering controls are a good start. As far as this software goes, though, its effectiveness can be limited.
Firewalls and VPNs can't hurt but won't offer as much as an EDR (Endpoint Detection and Response) or intrusion detection will. The main goal of preventing, detecting, and removing is what makes these anti-virus software essential.
Grimes also mentioned that the utilization of a password manager and any multi-factor authentication (MFA) can be a positive assistance to your online security, but stressed the fact that it still allows for user error and doesn't make the user completely un-phishable.
Security awareness training
Possibly the most important pillar, training employees, was what Grimes alluded to the most when discussing how to maintain security in the workplace. The value of knowing how to recognize social engineering and properly mitigate and report it is sizable.
Grimes details the training process as something that should occur weekly, or monthly, and can include test emails, phone calls, or any common staged attack. He includes how in the event someone fails the phishing test, they are only required to do more training and learning, rather than for the failure to become a fireable matter.
The webcast recording is available to watch on-demand here, and attendees can qualify for 1 CPE credit.