Organizations can fall into two categories: Those who have been successfully phished, and those that will be successfully phished. Some experts may be bold to say there is nothing more certain in life than death, taxes, and phishing.
Wisegate, a peer-driven IT research company, recently held a roundtable discussion on the topic of phishing. An internal poll showed 100 percent of the participants had been previously phished, 80 percent successfully. The question, “Can increased user awareness and/or improved technology successfully detect and prevent phishing?” has since been asked in reports, surveys, and one-on-one interviews with CISOs. Unfortunately, the answers and conclusion are not promising.
User awareness training can only do so much. It can be relatively simple to train employees to be wary of emails constructed with poor grammar, typographical errors, and strange URLs, but it is more difficult, impossible even, to teach anyone to detect a personally targeted email.
This roundtable also found a dearth of effective technology to prevent phishing. As soon as anything proves effective, phishers simply adapt their techniques. Technology cannot outpace hackers.
What can be done? Not much, to be honest. The roundtable contributors offered several individual recommendations, but phishing is a global problem that requires a global solution. This form of cyber attack needs better international threat intelligence sharing, and globally harmonized legal definitions and sanctions. Many law enforcement agencies are making strides toward this, but a truly international legal treaty has yet to be seen.
One avenue that may be worth exploring is a publicly available master database of dirty URLs, but this would require altruism above the norm. The Federal Bureau of Investigation, as well as other national law agencies, would need to combine their intelligence with competing private security firms, who actually base their products on their own proprietary intelligence. It would be to serve the greater good and be extremely difficult to coordinate. But not impossible.
While CISOs know they cannot prevent phishing, they are not downhearted. They instead seek to reduce the risk to an acceptable level.
“If I can increase the detection of phishing emails from, say 10 percent to 50 or 60 percent, then I consider that a success,” one CISO explained. “It is then up to me to have enough other internal controls to catch anything that gets through.”
The CISOs questioned in the roundtable did share their own best practices, including :
- Sandboxing: A security measure that allows code to be executed in an isolated environment. This allows users to safely test suspect malware.
- In-Line Stripping: This automatically removes links within emails and optionally replaces them with a link to a company warning or training page.
- Behavioral Practices: One CISO shared relative success to thwarting phishing attempts by encouraging staff to forward emails with questionable links to the security team for evaluation. The CSIO has no formal analytics for this approach, but it is rooted in the unscientific security policy known as ‘paranoia pays.’ The success depends on the staff’s own paranoia.
One thing is for certain; phishing is an issue that will not be resolved soon.
You cannot stop phishing. There is no silver bullet. But you can try to catch as many phishes as possible, and trust your other security controls to help mitigate other risks.[su_box title=”About Wisegate” style=”noise” box_color=”#336588″]Wisegate is a member-based IT research company that serves the industry’s most senior-level IT practitioners. Wisegate’s editorial team keeps a pulse on what matters to IT via its members, and publishes member-based advice, best practices and collaborative insights for the IT industry’s most pressing and important issues. [/su_box]