
Opinion: Fight phishing without blaming victims

Criminal hackers are skilled at crafting fake e-mails that dupe recipients. But instead of blaming the employees who click links that infect computers, organizations should work harder to fortify their networks.


Bogus e-mails designed to trick recipients into clicking malicious links are increasingly common. For criminal hackers, these so-called "phishing" messages are an effective tool for breaching an organization's defenses, whether the goal is penetrating a large enterprise or striking a single, high-value target.

In fact, phishing appeared to be the gateway for attacks on and .

But the way to solve this problem isn't by blaming victims who click links in nefarious e-mails. Unfortunately, that's what Paul Beckman, the chief information security officer for the Department of Homeland Security, is .

He wants to revoke the security clearances of employees who , saying that repeatedly failing such tests shows a lack of responsibility in handling top-secret information.

Yes, antiphishing training is effective, but only up to a point. Training can reduce the number of malicious links clicked within an organization, but it will never eliminate the threat. Criminal hackers are crafty, and there will always be that perfectly crafted e-mail that fools even the savviest recipient. So if your security policy relies 100 percent on antiphishing training, you're about to have a very bad day.

Thankfully, there are plenty of techniques organizations can use to defend against phishing that do not involve shaming victims. Companies and government agencies should keep patch levels current: the link or attachment in a phishing e-mail usually exploits a flaw that already has a fix available, so an up-to-date network forces attackers to spend a previously unknown, or "zero day," vulnerability to get in. That is often an effective deterrent on its own.

Organizations can also limit employee network access to only those resources essential for their jobs. That way, an attacker who steals an employee's credentials cannot use them to roam the entire network.

Updated antispam technology will also stop most mass e-mail attacks. If attackers do get through, a properly segmented network will stymie their ability to move deeper into it. Continuous monitoring of the network helps, too. And, once and for all, enable two-factor authentication, so that a phished password alone is not enough to log in.
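To make the "stop it before anyone can click" point concrete, here is an added example (not code from the original article) of the kind of filter-side checks a mail gateway can run with no help from the recipient: it reads the SPF/DKIM/DMARC verdicts the receiving server recorded in an Authentication-Results header (header name and verdict tokens follow RFC 8601), flags a From display name that borrows the organization's own domain while the real address lives elsewhere, and flags HTML links whose visible text names one domain while the href points at another. The organization domain `example.com`, the two sample messages, and all hostnames in them are constructed for this example.

```python
"""Filter-side phishing checks that run before an employee ever sees the mail.

Added example, not code from the original article. Standard library only.
TRUSTED_DOMAIN and both sample messages below are constructed.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "example.com"  # hypothetical: the organization's own domain


def registered_domain(host):
    """Crude eTLD+1 (last two labels); real deployments use a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def auth_failures(msg):
    """Every spf/dkim/dmarc verdict in Authentication-Results that is not 'pass'."""
    failures = []
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.I):
            if result.lower() != "pass":
                failures.append(f"{method.lower()}={result.lower()}")
    return failures


def lookalike_sender(msg):
    """Flag a From display name that invokes TRUSTED_DOMAIN from a foreign address."""
    name, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if TRUSTED_DOMAIN in name.lower() and registered_domain(sender_domain) != TRUSTED_DOMAIN:
        return f"display name invokes {TRUSTED_DOMAIN} but address is @{sender_domain}"
    return None


def mismatched_links(html):
    """Flag anchors whose visible text shows a different domain than the href target."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        target = urlparse(href).hostname or ""
        shown = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", text, re.I)
        if shown and registered_domain(shown.group(1)) != registered_domain(target):
            findings.append(f"link text shows {shown.group(1)} but href goes to {target}")
    return findings


def analyse(raw_message):
    """Return all findings for one raw RFC 5322 message; an empty list means nothing fired."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = auth_failures(msg)
    lookalike = lookalike_sender(msg)
    if lookalike:
        findings.append(lookalike)
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings.extend(mismatched_links(body.get_content()))
    return findings


# Constructed sample: credential phishing that impersonates the internal help desk.
SAMPLE_PHISH = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bulk-mailer.test; dkim=none; dmarc=fail
From: "IT Helpdesk (example.com)" <helpdesk@example-com-support.test>
To: alice@example.com
Subject: Your password expires today
Content-Type: text/html; charset="utf-8"

<html><body><p>Sign in at
<a href="http://portal-example-com.attacker.test/login">https://portal.example.com</a>
within 24 hours to keep your access.</p></body></html>
"""

# Constructed sample: a legitimate internal notice that should produce no findings.
SAMPLE_LEGIT = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass
From: "IT Helpdesk" <helpdesk@example.com>
To: alice@example.com
Subject: Maintenance window on Saturday
Content-Type: text/html; charset="utf-8"

<html><body><p>Details are on <a href="https://intranet.example.com/maint">intranet.example.com</a>.</p></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyse(sample) or "no findings")
```

None of these checks depends on the recipient noticing anything: the phishing sample trips five findings (three failed authentication verdicts, the look-alike display name, and the mismatched link) and can be quarantined at the gateway, while the legitimate notice passes clean. The domain matching is deliberately simple; a production filter would use a public-suffix list and would also treat a failed DMARC verdict as grounds for rejection on its own.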

But all too often, companies and cybersecurity firms focus on just stopping phishing. Entire companies exist to run phishing tests against employees to see how susceptible they are to this social engineering attack.

Don't get me wrong, phishing is a big problem. Recent studies have pegged the cost of phishing attacks against the average 10,000-person company at .

Let's face it, employees will make mistakes with e-mail just as they make mistakes in other aspects of their jobs.

But by focusing too much on this one attack vector, the cybersecurity industry is ignoring the other basic safety measures we should be deploying.

While the National Counterintelligence and Security Center recently launched an antiphishing awareness campaign called "Know Your Risk, Raise Your Shield," I just hope this campaign does not come at the expense of other basic security fundamentals.

C. Thomas (aka Space Rogue) is a strategist at the cybersecurity firm Tenable Network Security. You can follow him on Twitter.
