Captain Hook; don't be phished


Introduction

Email phishing (EP) is a prevalent issue among security professionals. EP is a form of deception delivered via email with the aim of collecting intelligence, stealing assets, or installing malicious software. EP can be the initial attack in a concerted effort aimed at causing organisation-wide harm or reaching more valuable assets in order to maximise the profits of the crime.


Why is EP so effective?

Low cost, low risk, and high return for criminals. Without much investment or skill, a criminal can reach a massive number of users with little fear of being apprehended. From a security standpoint, the overall security posture of the general user population is key. Senior management has to be handled individually, but stricter security for them is usually justified.


User support is key

User support is of paramount importance to the effectiveness of EP mitigation efforts. The mentality of the security policy should be to treat and educate users as intelligent defenders, fostering awareness of and engagement in the holistic security management effort. All users should be aware that any email they receive could be a phishing email.


Why are users vulnerable?

A phishing email is designed to make you act without thinking it through. It does this by cutting down the time the user spends on the decision, through misplaced trust or unwarranted urgency. Here are some usual red flags for users to watch out for: high-pressure tactics, fear induction, commands from authority, monetary gain, requests for passwords or personal information, and sexual enticement or coercion.


Mitigation:

  • Prevention - conceal IP addresses and email addresses

  • Deterrence - advertise the security management and investigations policy

  • Detection - software-based email header and content checks, spam filters, and client-side sandboxing for email and browsers

  • Delay - Slow down! Allow time for prudent thinking before action: warnings on potentially malicious email addresses, contents, URLs, and attachments; action confirmation buttons; fear and urgency management through security policy (e.g. tasks that require expedition shall be done via a recorded video phone call with a witness present); and independent verification of information (e.g. the email shows ABC Bank's phone number as +852 2525 2525; verify that number on ABC Bank's website before calling).

  • Deny - pre-approved list of URLs, deny-by-default firewall, the least permissions needed for available actions, and endpoint security management.

  • Response - training, incident reporting procedure (important for quantitative likelihood analysis), device isolation, and investigations.

The above is a subset of what could be done. As with any security measure, the cost of mitigations shall not exceed the value of the assets they protect.
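As an added illustration of the "Detection" and "Delay" items above (example code written for this page, not part of the original post), the script below parses one raw email and returns the red flags the post lists: a Reply-To that diverges from the sender, failed SPF/DKIM/DMARC results, link text that hides a different target host, urgency cues, and requests for secrets. The sample message, domains and keyword lists are constructed for the example, and it assumes an upstream mail gateway has already stamped an Authentication-Results header rather than verifying signatures itself.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: the display name claims the bank, but the address and
# Reply-To point elsewhere, and the body pushes urgency and asks for a password.
SAMPLE = """\
From: "ABC Bank Security" <alerts@abc-bank-login.example>
Reply-To: support@mail-verify.example
To: user@corp.example
Subject: URGENT: account suspended
Authentication-Results: mx.corp.example; spf=fail; dkim=none; dmarc=fail
Content-Type: text/html

<p>Act immediately or your account will be closed within 24 hours.</p>
<p>Confirm your password at <a href="http://abc-bank-login.example/x">https://www.abcbank.example/login</a></p>
"""

URGENCY = ("urgent", "immediately", "within 24 hours", "suspended")
SENSITIVE = ("password", "account number", "verification code")

def domain_of(addr):
    # Domain part of an RFC 5322 address, ignoring the display name
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def host_of(url):
    m = re.match(r"https?://([^/\s]+)", url, re.I)
    return m.group(1).lower() if m else ""

def phishing_flags(raw):
    """Return a list of red flags found in one raw email message."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    sender = msg.get("From", "")
    # Replies routed to a different domain than the apparent sender
    if msg.get("Reply-To") and domain_of(msg["Reply-To"]) != domain_of(sender):
        flags.append("reply-to domain differs from sender domain")
    # Results stamped by the assumed upstream gateway; anything but pass is flagged
    auth = msg.get("Authentication-Results", "").lower()
    flags += [f"{c} did not pass" for c in ("spf", "dkim", "dmarc") if f"{c}=pass" not in auth]
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    # Link text showing one host while the href points to another
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        shown = host_of(text.strip())
        if shown and shown != host_of(href):
            flags.append(f"link text {shown} hides target {host_of(href)}")
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    flags += [f"urgency cue: {w}" for w in URGENCY if w in text]
    flags += [f"asks for {w}" for w in SENSITIVE if w in text]
    return flags
```

Each flag is a reason a mail client could show in a warning banner, which is the "Delay" step: the user sees why the message is suspect before acting on it.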


Bottom Line

In order for a security program to be successful, security professionals must strive to earn the support of senior management, peers (HR, IT, Facilities, etc.), and general users by showing the tangible benefits of security measures without hindering business operations.