Phishing – the capture and exploitation of access data – is one of the most common methods of attacking IT systems. Companies are well advised to protect themselves against phishing attacks with the measures described below.
How important is phishing defence?
Anyone who follows the press even halfway attentively will have noticed how commonplace news reports have become about companies and organisations being hacked and then blackmailed by professional gangs. Whether authorities, hospitals, large-scale industry, hotel chains or medium-sized companies – anyone who is vulnerable is attacked. The turnover of these (sometimes semi-state) gangs runs into the millions. The damage caused goes far beyond this: in addition to the ransom, there are repair costs and possible fines – not to mention the loss of reputation.
The best possible protection starts as early as possible. As one of the main attack vectors is the use of fraudulent or stolen access data, with attackers working their way into the systems from there, protection starts with defence against phishing and social engineering.
The threat is so massive that even government agencies are now increasingly turning to the public with information. Below we summarise the advice from the US Cybersecurity and Infrastructure Security Agency (CISA). The linked document contains even more information and advice for interested parties. If you want to delve deeper into the topic of phishing defence, we recommend reading it.
Training and sensitising employees
As in many other areas, it is very important to sensitise employees in the company to phishing attacks. All employees should be able to recognise whether a communication or its content is or could be suspicious in any way. Every employee must know how to react to suspicious communication and, in particular, that no links, attachments or similar content should be opened.
Appropriate training measures must be carried out across the board and, if necessary, repeatedly. If possible, they should be tailored to the specific situation of your own organisation. A merely theoretical general training course will not have the desired success.
Tip: Try out the interactive information security training for employees at activeMind.academy now – with a chapter on phishing, of course!
Technical measures for phishing defence
Domain-based message authentication (DMARC)
Attackers try to appear as trustworthy as possible when phishing. It is not uncommon for them to pretend that the contact comes from within the organisation, for example by sending an email with a fake internal sender address. It is even more common to pretend that the message comes from a trustworthy partner, such as a bank or an IT service provider.
Domain-based message authentication builds on the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) and can recognise such forgeries. Put simply, it checks whether the sender domain shown in the mail matches the domain that actually sent it, as verified by SPF or DKIM.
It is important that the technology is not only deployed but also strictly configured: dubious emails should be rejected directly at the receiving mail server. Many organisations shy away from this step, as under certain circumstances some legitimate messages may also be rejected. However, the risk of missing individual messages – whose sender, should the matter be important in any way, can contact you again by other means – should be acceptable compared with the security gain.
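The following is an added example, not code from the article or from CISA: a minimal model of the DMARC check just described. Given the domain in the visible From header, the SPF and DKIM results and the domain owner's published `_dmarc` policy, it decides whether the message is aligned and, if not, which action the policy demands. The "organisational domain" helper is a simplification (real receivers consult the Public Suffix List), and the sample messages are constructed.

```python
from dataclasses import dataclass

@dataclass
class AuthResult:
    from_domain: str    # domain in the visible From header (what the user sees)
    spf_domain: str     # domain SPF actually authenticated (envelope MAIL FROM)
    spf_pass: bool
    dkim_domain: str    # d= tag of a DKIM signature that verified
    dkim_pass: bool

def parse_dmarc(record: str) -> dict:
    """Parse a _dmarc TXT record such as 'v=DMARC1; p=reject; adkim=s'."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain: str) -> str:
    # Assumption: organisational domain = last two labels (real receivers use the PSL).
    return ".".join(domain.lower().rsplit(".", 2)[-2:])

def aligned(header_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict alignment ('s') needs an exact match; relaxed ('r') accepts subdomains."""
    if mode == "s":
        return header_domain.lower() == auth_domain.lower()
    return org_domain(header_domain) == org_domain(auth_domain)

def dmarc_disposition(res: AuthResult, record: str) -> str:
    """Return 'pass' if SPF or DKIM passed AND aligns with the From domain,
    otherwise the action the domain owner published: none, quarantine or reject."""
    tags = parse_dmarc(record)
    spf_ok = res.spf_pass and aligned(res.from_domain, res.spf_domain, tags.get("aspf", "r"))
    dkim_ok = res.dkim_pass and aligned(res.from_domain, res.dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]

# Constructed samples. The spoof passes SPF and DKIM for the attacker's own domain,
# but neither aligns with the displayed From domain, so DMARC fails and the
# published policy decides what happens: with p=none nothing, with p=reject a bounce.
SPOOFED = AuthResult("example.com", "attacker.invalid", True, "attacker.invalid", True)
LEGIT = AuthResult("example.com", "mail.example.com", True, "example.com", True)
```

The two policy strings in the test below illustrate the article's point: the same forged message is merely reported under `p=none` and only actually rejected under `p=reject`.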
Monitoring email and messaging
Internal network traffic should be monitored to see if there are any suspicious deviations from the usual use of email and messengers in the organisation.
Introduction of further security mechanisms
Organisations should consider which other security tools can be used; for example, solutions that make it more difficult to manipulate the Domain Name System (DNS) are worthwhile.
Use of multi-factor authentication (MFA) as an additional safeguard for strong passwords
Requiring more than just a username and password for at least some login processes is one of the most important steps towards increasing security. Every organisation should consider using MFA.
In addition to selecting a suitable solution, MFA login attempts should also be monitored. Accounts under attack must be blocked if necessary, and those responsible in the organisation must be informed of the attack itself.
It should also be noted that MFA does not replace the need to use strong and secure passwords.
External access only via VPN
External connections to the internal network should only be possible via VPN and in this case should always be secured using MFA.
It is generally recognised that good, up-to-date virus protection is one of the basic measures. It can be improved by taking a few additional steps.
Policies should already be set up at the gateway and firewall to prevent certain processes from the outset. Targeted blocking of certain Internet addresses and of selected file types that are particularly prone to carrying infections can also be helpful.
No privileged authorisations for users
This is not new advice, but it is still frequently disregarded. Understaffed or otherwise overburdened IT departments, demanding superiors or simple convenience lead to a security loophole that is very easy to close: excessive access and editing rights.
Users should not have any privileged rights, either locally or otherwise, but should be able to obtain them separately on a case-by-case basis if necessary and unavoidable. Each user should only be given the rights that they absolutely need to complete the tasks assigned to them (need-to-know principle).
It is grossly negligent to carry out daily work with elevated rights.
Exclusive use of authorised applications
Applications must not only be assessed technically and legally from a data protection perspective; doing so is also highly advisable from a general information security perspective. In all cases, it is advisable to maintain a definitive list of approved applications, compiled after a detailed audit, which are installed or distributed centrally if possible or made available internally from a trusted source. Available updates for these authorised applications should also be installed immediately and, if possible, automatically and mandatorily.
This measure can be usefully supplemented by blocking macros.
Reaction to phishing incidents
If there is reasonable suspicion that login credentials have been compromised or malware has been executed, a response must be made:
- Affected accounts should be deactivated/blocked and, if necessary, set up again.
- The use of the affected accounts should be thoroughly investigated to determine what activities attackers may already have carried out and to ensure that these activities have been stopped.
- Possibly infected hardware must be isolated and must no longer have Internet or network access. Any malware found must be investigated and removed if possible.
- Affected devices may only be used again once they have been completely reset to normal operation and their proper function has been ensured.
Tip: Please also read our guide on how to deal with phishing attacks that have already occurred.
In view of the very high risks, all organisations and companies, regardless of their size, should take phishing defence very seriously. Phishing and social engineering attacks are sometimes fully automated or commissioned to order. Attackers are primarily interested in compromising systems; whether the target is worthwhile is a completely separate question. Those responsible must be crystal clear that nobody is too small or too uninteresting to be attacked.
The protective measures mentioned can significantly reduce the risk of phishing attacks and should be suitable for all organisations. If you need help with this, the experts at activeMind will be happy to assist you.