Phishing protection begins with training, antiphishing evangelist

By Eric Ogren
15 Oct 2009 | SearchSecurity.com


Law enforcement has demonstrated that it's serious about cracking down on phishers, spammers and other nefarious cybercriminal activity, but now is the time for security organizations to launch an antiphishing program to protect customers and employees from the upcoming wave of attacks that will most certainly mark the holiday season.

Phishing is a nagging social problem that preys on users' trust of established brands and confidence in the Internet. The classic phishing scam consists of a plausibly written email message containing a link to a phish website that looks like the real thing, but is designed to steal passwords and account numbers when the unsuspecting user authenticates. While law enforcement is part of the solution to breaking up phishing rings, IT needs to continuously focus on social countermeasures to fight the strength of phishing attacks.

Technical approaches help, but cannot prevent users from clicking through or being redirected to a phish site. The use of SSL and certificates can help prove to the user that they are at the desired website, but are not much help in telling the user when they are being phished. Security-aware DNS services can help reduce transparent redirects to phish websites and antispam technology is imperative in blocking the bulk of phishing-oriented email, but the sheer volume of attack messages makes it likely that some attacks will break through to user inboxes. Security technology cannot be everywhere and user education is still the key in reducing the success rates of phishing attacks.
Even if you have ongoing user education, it's time to give employees and customers at least three antiphishing messages before the holidays. Gift giving during the holiday season and the prospect of launching the New Year with a too-good-to-be-true deal will drive a spike in phishing attacks. A marketing rule of thumb is to "tell, tell, tell," because the listener needs to hear a message three times for it to be remembered. Spend a few minutes looking at identified phishes to help create an antiphishing educational campaign that reaches its audience via email, video snippets and social communications such as blogs, Twitter and websites.

It is in everybody's best interest to identify and block phishing attacks as quickly as possible, before a customer, prospect or employee falls prey to an attack. Reach out to security vendors and organizations such as the PhishTank to streamline communications when there is a suspected phish. Establish metrics for the number of phish inquiries received, response times to clear and number of phishing complaints to the customer service desk. Protect your business reputation and relationship with users by confirming phishing attacks as rapidly as possible so security vendors can block access. Designate an antiphishing evangelist and offer that resource to employees and customers. The designated person is responsible for tracking phishing attacks against the company, responding to user inquiries about the legitimacy of corporate communications and coordinating policies and procedures amongst security, IT, marketing, customer support and security vendor teams. It is important to have a go-to resource, especially for companies such as online merchants and financial institutions that are commonly phished.

The business model of phishing attacks works because trusting individuals click on a link and enter confidential information that can then be used for financial gain. The strongest recourse is to teach users to recognize the behavior of phishing attacks, to quickly confirm or clear a suspected phishing attack and to continuously evangelize to keep the community aware of the major trends in phishing attacks with recommended preventive actions. Security teams starting now have a chance to protect employees and customers alike for the holiday season and beyond.


Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to eric@ogrengroup.com.