Top 10 Strategies To Avoid Phishing Attacks
10:00 AM EST Tue. Nov. 06, 2012
It comes as no surprise that phishing has emerged as one of the primary attack vectors for criminals trying to gain access to sensitive information of both a business and personal nature. It opens the door to a wide range of exploits that can be used to steal both money and data. According to one recent survey, phishing cost organizations an estimated $2.1 billion in losses over the last 18 months. Solutionary, an Omaha, Neb.-based MSSP, recently issued recommendations for best practices to combat phishing. Here are a few of the highlights.
Use dedicated systems for payment processing and disable email access on related systems. While this strategy stops short of air gapping, it does go a long way toward enhanced security. If an attacker cannot access the payment processing systems, it becomes much harder to obtain payment user names and passwords, thereby making the funds-transfer element much more difficult to achieve.
Use multifactor authentication to support payment processing systems, leveraging a hardware token and PIN to gain access to the system, rather than relying primarily on user names and passwords. While they still have a useful role in the authentication process, user names and passwords do not go far enough to combat the more contemporary threats. Fingerprint readers and other biometric components will also go a long way toward protecting against criminal access.
Disable Internet access for systems involved in payment processing. This would make malware on those systems unable to communicate with command-and-control servers. In most cases, if you are protecting the sensitive systems, there is no need for them to access the Internet and the dangers that are frequently carried over the public wide area network. A review of your processes and procedures is advisable in advance of making such a move, but cutting the proverbial cord can do much to enhance security.
In many cases, efforts to enhance security overlook the embedded security features in products that are already in use. Make a concerted effort to identify which features are already available using products that you have already purchased. In particular, leverage your email security tools. Outlook, for example, has the ability to help filter malicious links that are frequently used in phishing attempts.
Keep antivirus and antimalware software up to date and conduct scans on a regular basis. On one hand, such advice may seem obvious. On the other hand, you might be amazed by how many basic precautions are frequently overlooked. While much of the malware used in phishing attacks is not detected by most antivirus software, at least some of it is, and AV vendors are becoming more aware of that need. Also, AV software can help identify additional issues with your systems.
Reputation-based website, IP address and URL filtering can go a long way toward helping to protect against employee access to malicious sites. In many cases, such access occurs by accident without the employee's knowledge. An effective whitelisting strategy is also suitable for this objective, particularly in situations in which employees require access to specific websites, but not the rest of the Web.
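A whitelisting strategy of the kind described above is only as good as its host matching. The following is an added example, not code from the article or from Solutionary: it applies a constructed allowlist to constructed proxy log lines and shows the two lookalike tricks a naive "starts with the trusted name" check would let through, a trusted name used as a subdomain prefix of an attacker's domain and a trusted name placed in the userinfo part of the URL. The allowlist, log format and sample lines are all assumptions.

```python
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed allowlist of the only sites the payment team needs (assumption,
# not from the article): a host passes if it equals an entry or is a subdomain of one.
ALLOWED_DOMAINS = {"payments.example.com", "bank.example.net"}


def host_of(url: str) -> Optional[str]:
    """Return the lowercase hostname of a URL, or None if it cannot be parsed.

    urlsplit().hostname drops the port and any userinfo, so a lure such as
    https://payments.example.com@evil.test/ resolves to evil.test, not the
    trusted name that appears first in the address bar.
    """
    try:
        parts = urlsplit(url if "://" in url else "http://" + url)
    except ValueError:
        return None
    host = parts.hostname
    return host.lower() if host else None


def is_allowed(url: str) -> bool:
    """Allow only exact allowlisted hosts or their subdomains."""
    host = host_of(url)
    if host is None:
        return False
    # endswith("." + d) rejects payments.example.com.evil.test, which merely
    # begins with the trusted name.
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def filter_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Apply the allowlist to proxy log lines of the constructed form 'timestamp user url'."""
    decisions = []
    for line in lines:
        _ts, user, url = line.split(maxsplit=2)
        decisions.append((user, url, "ALLOW" if is_allowed(url) else "DENY"))
    return decisions


# Constructed sample proxy log (not real traffic).
SAMPLE_PROXY_LOG = [
    "2012-11-06T10:01:00 alice https://payments.example.com/login",
    "2012-11-06T10:02:00 alice https://sso.bank.example.net/",
    "2012-11-06T10:03:00 bob https://payments.example.com.evil.test/login",
    "2012-11-06T10:04:00 bob https://payments.example.com@evil.test/",
    "2012-11-06T10:05:00 carol http://203.0.113.5/update.exe",
]

if __name__ == "__main__":
    for user, url, decision in filter_log(SAMPLE_PROXY_LOG):
        print(f"{decision:5} {user:6} {url}")
```

Matching on the parsed hostname rather than on the raw string is the whole point: the first two lines are allowed, the three others are denied even though two of them contain an allowlisted name verbatim.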
Consider the implementation of time-of-day requirements for payment processing. For example, 9-to-5 hours in your particular time zone could be an effective parameter, or you may choose to somewhat expand that to accommodate offices in other time zones. But in most cases, there is an opportunity to restrict access during the middle of the night. Many exploits occur after working hours and could be mitigated through the use of policies that prohibit funds transfers prior to human review.
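As an added illustration of the time-of-day policy above (not code from the article or from Solutionary), the function below decides whether a funds-transfer request may proceed automatically or must be held for human review. The business hours, the fixed-offset business time zone and the sample requests are constructed assumptions; requests are timestamped in UTC, as a log would record them, and converted to local time before the window is applied, so weekends and the end-of-day boundary are handled correctly.

```python
from datetime import datetime, time, timedelta, timezone
from typing import Iterable, List, Tuple

# Constructed policy values (assumptions, not from the article). A fixed-offset
# zone stands in for the business's local zone so the example runs without tz data.
BUSINESS_TZ = timezone(timedelta(hours=-5), "EST")
WINDOW_START = time(9, 0)
WINDOW_END = time(17, 0)
WORKDAYS = {0, 1, 2, 3, 4}  # Monday .. Friday


def transfer_decision(requested_at: datetime) -> str:
    """Return 'AUTO' inside the business window, otherwise 'HOLD_FOR_REVIEW'.

    The timestamp must be timezone-aware; it is converted to the business zone
    first so that a request logged in UTC is judged by local working hours.
    """
    if requested_at.tzinfo is None:
        raise ValueError("requested_at must be timezone-aware")
    local = requested_at.astimezone(BUSINESS_TZ)
    in_window = local.weekday() in WORKDAYS and WINDOW_START <= local.time() < WINDOW_END
    return "AUTO" if in_window else "HOLD_FOR_REVIEW"


def review_queue(requests: Iterable[Tuple[str, datetime]]) -> List[str]:
    """Return the ids of requests that must wait for a human before funds move."""
    return [rid for rid, ts in requests if transfer_decision(ts) == "HOLD_FOR_REVIEW"]


# Constructed sample requests, timestamped in UTC as a log would record them.
SAMPLE_REQUESTS = [
    ("req-1", datetime(2012, 11, 6, 15, 0, tzinfo=timezone.utc)),   # Tue 10:00 EST
    ("req-2", datetime(2012, 11, 7, 8, 0, tzinfo=timezone.utc)),    # Wed 03:00 EST
    ("req-3", datetime(2012, 11, 10, 15, 0, tzinfo=timezone.utc)),  # Sat 10:00 EST
    ("req-4", datetime(2012, 11, 6, 22, 0, tzinfo=timezone.utc)),   # Tue 17:00 EST, window end is exclusive
]

if __name__ == "__main__":
    for rid, ts in SAMPLE_REQUESTS:
        print(rid, transfer_decision(ts))
```

Only req-1 clears the window; the overnight, weekend and exactly-at-closing requests all land in the review queue.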
Consider limiting access to payment processing systems from mobile devices and systems based in home offices, particularly if those devices are personally owned. In situations where people work from home on an ongoing basis and require access to financial systems, an effective VPN and related controls are highly advisable. Remote systems are typically more vulnerable to attack than systems on the company premises.
As noted earlier, many employees succumb to phishing attacks by not recognizing them for what they are. It is wise to offer employee training on strategies to identify phishing emails and advise employees to restrict their business affairs, as well as your company's affairs, to specific email addresses. This will help employees distinguish real messages from malicious ones. In addition, checking the URL and refusing to open links can also contribute to added security.
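The "check the URL" advice above can be automated as a first pass before a message reaches a person. The following is an added example, not code from the article or from Solutionary: it parses a constructed HTML mail body, pulls every link together with its visible text, and flags a link when its real target is outside the company's known domains or when the text shown to the reader names a different host than the one the link actually goes to. The set of known company domains and the sample message are assumptions.

```python
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed: the domains the company has told staff its mail will use
# (assumption, not from the article).
KNOWN_SENDER_DOMAINS = {"example.com", "mail.example.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML mail body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value: str) -> str:
    """Lowercase hostname of a URL or URL-like string ('' if none); userinfo and port are dropped."""
    parts = urlsplit(value if "://" in value else "http://" + value)
    return (parts.hostname or "").lower()


def in_domains(host: str, domains) -> bool:
    """Exact match or subdomain of a known domain; a known name used as a prefix does not count."""
    return any(host == d or host.endswith("." + d) for d in domains)


def looks_like_url(text: str) -> bool:
    return "://" in text or text.lower().startswith("www.")


def inspect_links(html: str) -> List[Dict[str, object]]:
    """Return one finding per link, marking it suspicious with the reasons found."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        reasons = []
        if not in_domains(host, KNOWN_SENDER_DOMAINS):
            reasons.append("target host is not a known company domain")
        if looks_like_url(text) and host_of(text) != host:
            reasons.append("visible link text names a different host than the real target")
        findings.append({"href": href, "text": text, "host": host,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


# Constructed sample message body (not a real phishing mail).
SAMPLE_EMAIL_HTML = """
<p>Your account needs verification within 24 hours.</p>
<p><a href="https://example.com.account-verify.test/login">https://example.com/login</a></p>
<p>Or open your <a href="https://mail.example.com/inbox">inbox</a> directly.</p>
"""

if __name__ == "__main__":
    for f in inspect_links(SAMPLE_EMAIL_HTML):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['href']}  text={f['text']!r}  {'; '.join(f['reasons'])}")
```

The first link trips both checks, since its target host only begins with the trusted name and its visible text claims a different host; the second link is a plain internal one and passes. A check like this belongs in the mail gateway or a training tool rather than in place of the employee's own judgement, because it only sees what the HTML says.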
In addition to putting in place the necessary technologies, processes and procedures to combat phishing attempts, it is wise to let the people with whom you do business know that you are aware of the threats and taking action to help protect them. Advise your employees, partners and customers that you will not request account information via email, and that any such request should be viewed as a malicious phishing attempt -- and live up to that code.