Synopsis

Phishing is the number one method of entry into any organization and has continued to increase exponentially every year. In this article I’m going to give you a few tips and tricks I’ve learned along the way that will help you protect and educate your users, who can be one of the weakest links in the security chain.

Phishing is on the rise

According to the 2016 Verizon DBIR, the majority of phishing cases were not used to steal credentials but to install malware. As technical professionals, we know, or should know by now, that phishing is a huge problem, and yet the rate of breaches that start with a phishing attack goes up each year. Did you know that the average click rate of a phishing email is almost 30% now?

Where did we go wrong?

Why is this? Where are we going wrong? I think one of the biggest areas we as security professionals can improve upon is user training. I’ve had my fair share of conversations with people in security who believe that user training is a waste of money and, with security budgets already limited, believe money is better spent elsewhere. Yes, there are many challenges that come up when trying to train both technical and non-technical users, but we need to make sure we are doing everything we can, because at the bottom of it all, we are responsible for our organization’s security.

The number one question I see with regard to user training is how. How do we get users to actually pay attention to training? How do we keep our users informed without overwhelming them with boring facts that don’t always relate to their jobs? We NEED to be proactive with training and information; we can’t wait until we’ve already been hit.

How can we change this?

First off, we need to make sure everyone, from regular users to help desk, all the way up to admins and developers, understands that security is something that all of us need to do. We need to create a security-conscious mindset for anyone on the network. This can be tough; it’s easy to pass the buck: "this isn’t my job, someone else will take care of it." We need to stress the importance of staying vigilant. One way I’ve had success is going over how something as simple as clicking a link in an email or downloading an attachment can affect that user, our network and the company as a whole. If we can get users to understand the importance of staying vigilant, it will make everyone’s job much easier. I stress the importance of staying vigilant at work and at home; the more they practice and stay in the mindset, the easier it will be.

Now let’s get on to the fun stuff, the technical things. One of the best ways to prevent successful phishing attacks is recognizing them before they are in the network. But what are easy ways for our users to recognize an email as a phishing email? One of the first things I teach all of my users: if you aren’t expecting an email, take a few extra seconds to verify a few things.

  1. Verify the sender address. Check for any misspellings, verify the domain, etc. 

  2. Next, go over the body of the email. Is it generic? Can you tell by the tone of the email if it’s really from who it looks like? Is there a strange sense of urgency?

  3. DO NOT click any links or attachments. If there are links in the body of the email, hover over them; this will display the full URL of the link.

  4. When in doubt, send an email to the original recipient or visit the actual site. DO NOT click reply or any links; instead, send a new email or visit the site on your own.

  5. If you get no response or are still not sure, forward it on to your security team to take a look.
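
For the security team on the receiving end of step 5, the first three checks can be scripted as a first-pass triage of forwarded messages. The Python below is an added example, not part of the original article; the trusted-domain list, the urgency phrases, the 0.8 similarity cutoff and the sample message are constructed assumptions, and it handles single-part HTML mail only.

```python
import difflib
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = ("paypal.com",)  # assumption: domains your users really deal with
URGENCY = ("immediately", "within 24 hours", "suspended", "verify your account")
# Constructed sample message for illustration, not a captured phish.
SAMPLE = ("From: PayPal Service <service@paypa1.com>\nContent-Type: text/html\n\n"
          "<p>Your account is suspended. Verify your account within 24 hours:</p>\n"
          '<a href="http://login.example.net/pp">https://www.paypal.com/signin</a>\n')

class LinkParser(HTMLParser):  # collects (href, visible text): what hovering reveals
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def lookalike(domain):  # trusted domain that `domain` imitates, else None
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED):
        return None  # the real domain or one of its subdomains
    hit = difflib.get_close_matches(domain, TRUSTED, n=1, cutoff=0.8)
    return hit[0] if hit else None

def triage(raw):
    msg = message_from_string(raw)
    body, findings = msg.get_payload(), []
    domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    if lookalike(domain):  # step 1: misspelled sender domain
        findings.append(f"sender domain {domain} resembles {lookalike(domain)}")
    # step 2: sense of urgency in the body
    findings += [f"urgency language: {w}" for w in URGENCY if w in body.lower()]
    parser = LinkParser()
    parser.feed(body)
    for href, text in parser.links:  # step 3: link text versus real destination
        host = urlparse(href).hostname or ""
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if shown and shown.group(1) != host:
            findings.append(f"link shows {shown.group(1)} but goes to {host}")
    return findings
```

Calling `triage(SAMPLE)` returns one finding per failed check; an empty list means none of the three checks fired, not that the message is safe.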

Be Responsible.

We encourage all of our users to forward any email they believe is suspicious. Giving users a sense of responsibility is extremely important in getting them to have that security mindset that will improve your overall security presence. Since I’ve started this training, I receive emails a few times a month, some legitimate phishing emails, others just random spam. But I personally thank each user for every email, reminding them to stay vigilant. If you make it easy for the user, they will make it easy for you.

Make it fun.

Another thing we can do as security professionals is make the training fun and include a few games to reinforce their training. You can create your own very easily or find them online. I believe that an educated user is one of our best defenses and can even be a weapon against phishing attacks.

Can Training Prevent it?

I believe that training is one of our best defenses against phishing attacks. One of the main reasons phishing attacks are successful is because our users are unaware of the techniques used by attackers. Making our users aware will decrease the success of phishing attacks, making our networks more secure. Since I started unofficial user training on phishing, we’ve had several reported phishing attempts and were able to stop them before any damage was done.

More Reading & Other Resources

2016 Verizon Data Breach Investigations Report

2016 Phishing Trends & Intelligence Report: Hacking the Human

OpenDNS Phishing Quiz