Security Rant: Phishing Prevention and Mitigation

I think there are 3 parts to phishing defense.

1. Investigation

You have to gather statistics on the current state of the environment. Should the customer even invest in training or tools to prevent links from being clicked? They won’t know until they run a simulated campaign and measure how many users fall for typical phishing lures, and which ones keep falling for them.

I know companies that use Black Squirrel Labs (at Black Hat last year) for phishing campaigns against employees.
Phishline, Wombat, and ThreatSim are all good too.  It’s really GUI preference and price at that point.

2. Security Awareness Training

Let’s be honest, for the most part security awareness training doesn’t work. I know someone in operations at a large financial in NYC who says the employees there just click through the training to mark it as finished and don’t actually learn. That leads to quarterly training on the same topics, in the hope that one day they’ll “get it”.

Whether it’s custom-built training, in-house training, or canned training from the solutions mentioned above, the amount that actually sticks is VERY LOW.

Most employees don’t know that clicking on a link in an email can lead to a Sony- or Target-style compromise. They assume hackers get in with Mountain Dew and terminal screens, not through mistakes THEY are making.

What I’ve seen work in the industry is one-on-one or small-group training with security professionals or consultants, once you’ve identified the users who make the mistakes. It’s more time consuming, but it also conveys the significance of what they’ve done.

And let them know they’ve been targeted and singled out because of previous behavior. I guarantee you a lot of employees won’t be clicking on any more “fax” emails. Not because of some security training they rushed through, but because they were “caught” and something “bad” happened because of it.
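To make parts 1 and 2 concrete, here is a small script (an added example, not part of the original post and not code from any of the products named above) that takes a campaign export, reports the fall-for-it rate per campaign and per department, and pulls out the repeat offenders who should get the one-on-one follow-up. The CSV layout, column names, campaign names and user names are all constructed for the example; a real export from a campaign tool will need its columns mapped.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed export from three simulated campaigns (not real data). One row per
# user per campaign; "action" is the furthest step the user took:
# delivered < opened < clicked < submitted (credentials typed on the landing page).
SAMPLE_RESULTS = """\
campaign,user,department,action
2015-Q1-fax,alice,finance,clicked
2015-Q1-fax,bob,finance,delivered
2015-Q1-fax,carol,hr,submitted
2015-Q1-fax,dave,it,opened
2015-Q2-invoice,alice,finance,submitted
2015-Q2-invoice,bob,finance,clicked
2015-Q2-invoice,carol,hr,clicked
2015-Q2-invoice,dave,it,delivered
2015-Q3-shipping,alice,finance,clicked
2015-Q3-shipping,bob,finance,delivered
2015-Q3-shipping,carol,hr,delivered
2015-Q3-shipping,dave,it,opened
"""

# Anything at or past a click counts as falling for the lure.
FELL_FOR_IT = {"clicked", "submitted"}


def parse_results(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(StringIO(text)))


def fall_rate_by(rows, key):
    """Fraction of delivered messages, grouped by the given column, where the user
    clicked or submitted. key="campaign" gives the trend over time; key="department"
    shows where small-group training would pay off."""
    delivered = defaultdict(int)
    fell = defaultdict(int)
    for r in rows:
        delivered[r[key]] += 1
        if r["action"] in FELL_FOR_IT:
            fell[r[key]] += 1
    return {k: fell[k] / delivered[k] for k in delivered}


def repeat_offenders(rows, min_campaigns=2):
    """Users who fell for the lure in at least min_campaigns distinct campaigns,
    worst first. These are the candidates for one-on-one follow-up."""
    hits = defaultdict(set)
    for r in rows:
        if r["action"] in FELL_FOR_IT:
            hits[r["user"]].add(r["campaign"])
    return sorted(
        ((user, sorted(camps)) for user, camps in hits.items() if len(camps) >= min_campaigns),
        key=lambda uc: (-len(uc[1]), uc[0]),
    )


if __name__ == "__main__":
    rows = parse_results(SAMPLE_RESULTS)
    for camp, rate in sorted(fall_rate_by(rows, "campaign").items()):
        print(f"{camp}: {rate:.0%} clicked or submitted")
    for dept, rate in sorted(fall_rate_by(rows, "department").items()):
        print(f"{dept}: {rate:.0%} clicked or submitted")
    for user, camps in repeat_offenders(rows):
        print(f"follow up with {user}: fell for {len(camps)} campaigns {camps}")
```

The per-campaign numbers answer the "should we invest" question from part 1; the repeat-offender list is the input to the targeted training from part 2. Note that one click in one campaign is noise, which is why the threshold is two campaigns by default.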

3. Phishing Prevention vs. Mitigation

This is where a mix of network, application, and endpoint security comes in. None of the threat simulation campaign solutions actually mitigate phishing. They help prevent it through awareness and knowledge, but there will always be holes: we are all fallible humans. This is where mitigation comes in.

Application security: 

The majority of phishing still arrives by e-mail. Products like Proofpoint, McAfee, FireEye, Trend Micro, and IronPort are designed to filter out spam AND phishing. But someone could embed a sophisticated phishing link and get past most of them.

Endpoint Security:

For the e-mails that make it through, and EVERYTHING else. Let’s face it, your users aren’t just checking their secure corporate e-mail. They’re checking personal webmail accounts too, and some people are still using AOL! All of those links are making it to their computers and bypassing your application security. Not to mention the Facebook, LinkedIn, and Twitter links everyone is clicking on.

This is where endpoint security comes in. Traditional antivirus (AV) solutions have evolved to check a URL’s reputation before allowing the browser to complete the HTTP GET. Some of the big players in endpoint security with regards to phishing are: ESET, Sophos, Kaspersky, McAfee, Symantec, Trend Micro, and Palo Alto.
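The checks behind both layers, the mail gateway looking at links in an e-mail and the endpoint agent looking at a URL before the browser fetches it, are the same idea: a reputation lookup plus lookalike heuristics. Here is an added example of those checks (my own illustration, not code from any of the vendors named above). The message body, the blocklist and the protected-brand list are constructed for the example, and the "registrable domain = last two labels" shortcut is a simplification a real implementation would replace with the Public Suffix List.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message body (not a real e-mail). The first link's visible text says
# one thing while its href goes somewhere else; the last two hosts are lookalikes.
SAMPLE_HTML = """\
<p>A new fax has arrived: <a href="http://secure-login.examplebank.com.evil-domain.test/fax">https://www.examplebank.com/fax</a></p>
<p>Questions? <a href="https://www.examplebank.com/help">Help center</a></p>
<p>Sign in at <a href="http://examp1ebank.com/login">our portal</a> or <a href="http://xn--exmplebank-1ab.com/login">here</a>.</p>
"""

# Constructed stand-ins for the reputation data a gateway or endpoint agent would
# consult (assumptions for the example, not any vendor's feed).
BLOCKLIST = {"evil-domain.test"}
PROTECTED_BRANDS = {"examplebank.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def registrable_domain(host):
    """Last two labels of the host. Simplification (assumption): production code
    should use the Public Suffix List so that hosts under co.uk etc. work."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch typosquats such as examp1ebank.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url, blocklist=BLOCKLIST, brands=PROTECTED_BRANDS):
    """Reputation and lookalike checks on one URL. Returns a list of reasons; an
    empty list means nothing was found, which is not the same as proof it is safe."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return ["no host in URL"]
    reg = registrable_domain(host)
    reasons = []
    if host in blocklist or reg in blocklist:
        reasons.append(f"blocklisted domain {reg}")
    for brand in brands:
        if reg == brand:
            continue  # the genuine brand domain
        if brand in host:
            reasons.append(f"brand string {brand} embedded in host {host}")
        elif edit_distance(reg, brand) <= 2:
            reasons.append(f"{reg} is within edit distance 2 of {brand}")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalized (xn--) label, possible homoglyph domain")
    return reasons


def check_message(html, blocklist=BLOCKLIST, brands=PROTECTED_BRANDS):
    """Run check_url on every link in a message, plus the e-mail-specific check:
    visible link text that is itself a URL pointing at a different host."""
    findings = {}
    for href, text in extract_links(html):
        reasons = check_url(href, blocklist, brands)
        if re.match(r"https?://", text):
            shown = (urlparse(text).hostname or "").lower()
            actual = (urlparse(href).hostname or "").lower()
            if shown != actual:
                reasons.append(f"link text shows {shown} but href goes to {actual}")
        if reasons:
            findings[href] = reasons
    return findings


if __name__ == "__main__":
    for href, reasons in check_message(SAMPLE_HTML).items():
        print(href, reasons)
```

This is also a good illustration of why the filters "will always have holes": a freshly registered domain with a generic name, no brand string in it and no blocklist history passes every check above, which is exactly what a careful attacker registers.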

Network Security:

Many networks have deployed next-generation firewalls. These firewalls are capable of anti-spam, anti-virus, and intrusion detection. Juniper, Fortinet, and Palo Alto lead the way in next-generation firewall phishing protection.

These security mechanisms go beyond checking link safety. They inspect the payload of the packets crossing the network. That way, even if a clicked phishing link makes it past application and endpoint security, the dangerous payload won’t make it back to the user. One caveat: the firewall can only inspect what it can read, so for HTTPS this requires TLS interception (SSL decryption) configured on the firewall; otherwise the payload passes through encrypted and uninspected.
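What "inspecting the payload" buys you over a link check is that the verdict is based on the bytes that actually come back, not on the URL or on what the server claims to be sending. Here is an added example of the simplest form of that (my own illustration, not the inspection engine of any firewall named above): sniff the leading bytes of an HTTP response body and compare them with the declared Content-Type and filename. Both responses are constructed for the example, and the code assumes it is handed a reassembled, uncompressed response; a real inline engine also has to reassemble the TCP stream, undo Content-Encoding, and carry far more signatures.

```python
import re

# Constructed HTTP responses (not captured traffic). The first claims to be a PDF
# named like a fax, but its body starts with the Windows PE "MZ" signature; the
# second is a real-looking PDF and should pass.
SAMPLE_BAD_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/pdf\r\n"
    b'Content-Disposition: attachment; filename="fax_2015-03-01.pdf"\r\n'
    b"Content-Length: 64\r\n"
    b"\r\n"
    b"MZ\x90\x00" + b"\x00" * 60
)
SAMPLE_OK_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/pdf\r\n"
    b'Content-Disposition: attachment; filename="report.pdf"\r\n'
    b"\r\n"
    b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
)

# A few magic-byte signatures; a real engine carries hundreds.
SIGNATURES = [
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip-container"),  # also docx/xlsx/jar
]
EXECUTABLE = {"pe-executable", "elf-executable"}
# What the declared Content-Type / file extension would have to look like to agree.
TYPE_FOR_MIME = {
    "application/pdf": "pdf",
    "application/zip": "zip-container",
    "application/x-msdownload": "pe-executable",
}
TYPE_FOR_EXT = {"pdf": "pdf", "zip": "zip-container", "docx": "zip-container", "exe": "pe-executable"}


def split_response(raw):
    """Split a raw (reassembled, uncompressed) HTTP response into
    (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def sniff_type(body):
    """Identify the body by its leading bytes rather than by what the headers claim."""
    for magic, kind in SIGNATURES:
        if body.startswith(magic):
            return kind
    return "unknown"


def declared_filename(headers):
    m = re.search(r'filename="?([^";]+)"?', headers.get("content-disposition", ""))
    return m.group(1) if m else ""


def inspect_response(raw):
    """Return a verdict dict; 'block' is True when the payload should be dropped."""
    status, headers, body = split_response(raw)
    sniffed = sniff_type(body)
    mime = headers.get("content-type", "").split(";")[0].strip().lower()
    fname = declared_filename(headers)
    ext = fname.rsplit(".", 1)[-1].lower() if "." in fname else ""
    reasons = []
    if sniffed in EXECUTABLE:
        reasons.append(f"body is a {sniffed}")
    if mime in TYPE_FOR_MIME and TYPE_FOR_MIME[mime] != sniffed:
        reasons.append(f"Content-Type {mime} does not match body ({sniffed})")
    if ext in TYPE_FOR_EXT and TYPE_FOR_EXT[ext] != sniffed:
        reasons.append(f"filename {fname} claims .{ext} but body is {sniffed}")
    return {"status": status, "sniffed": sniffed, "filename": fname,
            "block": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for raw in (SAMPLE_BAD_RESPONSE, SAMPLE_OK_RESPONSE):
        print(inspect_response(raw))
```

The executable-in-a-PDF-wrapper case is the one the "fax" lure above is usually after, and neither the link reputation nor the e-mail filter would have seen it, because the link was fine until the server sent the file.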

As with all security, a multi-layered and varied technological approach is always best.  Security against phishing is no different.
