Updated: Jun 17, 2020
Email phishing remains the most common initial attack vector. According to Verizon's 2019 Data Breach Investigations Report, 94% of malware was delivered via email. Malware reaches victims through several delivery vectors (email attachments and links, web drive-by downloads, direct installation), but email dominates. Such attacks target the weakest link in the security chain: humans. Unlike technical security controls, people want to be helpful and can be manipulated with low-tech techniques such as pretexting, social proof, and intimidation. Attackers know this and have become adept at exploiting it through social engineering.
Perhaps this is one of the reasons that many security professionals, myself included, strongly emphasize ongoing user education as part of a larger security awareness and training (SAT) program. If you have read any of Kevin Mitnick's books, you will recall that his infiltration feats owed far more to social engineering than to technical prowess. That is not to diminish Mitnick's technical abilities, but to show that in most cases attackers do not need technically sophisticated exploits to compromise an organization.
Risk management is about identifying the most significant risks (assessed from threats, vulnerabilities, likelihood, and impact) and mitigating them to an acceptable level. In today's landscape, social engineering is one of the most significant organizational risks: even seemingly impenetrable fortresses are being compromised by these low-tech attacks. One of the best ways an organization can mitigate this risk is to invest in a proper SAT program.
Employee awareness is critical in defending against the constant stream of phishing attacks. Phishing simulations and employee training reduce organizational risk by equipping users to recognize and report suspected phishing, and by making clear that security is a shared responsibility and that they will be targeted: the question is when, not if. However, SAT is just one piece of the puzzle. Effective security is layered security, where each layer's strengths cover the weaknesses of the others. Here are three critical components that complement a SAT program and protect your organization from email phishing, the most common social engineering vector.
Comprehensive Email Security
The fewer malicious emails that reach your users, the less likely a compromise becomes. Email filtering is a must, and there are many enterprise solutions to choose from. A good email security solution should at minimum check inbound mail with SPF, DKIM, and DMARC to detect forged senders, block known-malicious sender domains and IP addresses, and support attachment sandboxing. It also needs ongoing tuning: campaigns change, and a filter configured once and then forgotten loses effectiveness.
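To make "forgery protection" concrete, here is an added example (not the article's code, and not any product's logic) of the core DMARC check a gateway performs on a message after SPF and DKIM have been evaluated: the visible From: domain must be authenticated by an aligned SPF or DKIM result, and the sender-side domains are also matched against a blocklist. The two messages, the Authentication-Results values, the domains, and the blocklist are all constructed for the example; the organizational-domain reduction to the last two labels is a simplifying assumption (real DMARC relaxed alignment uses the Public Suffix List).

```python
"""Inbound-mail triage: sender-forgery and known-bad-domain checks.
Added example, not the page's code; all domains and the blocklist are constructed."""
from email import message_from_string
from email.utils import parseaddr

# Constructed blocklist standing in for a threat-intelligence feed.
KNOWN_BAD_DOMAINS = {"secure-payrol1.example", "invoice-portal-login.example"}


def org_domain(domain: str) -> str:
    """Reduce a hostname to its organizational domain.
    Assumption for this example: the last two labels. Real DMARC relaxed
    alignment uses the Public Suffix List (e.g. to handle co.uk)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def addr_domain(header_value: str) -> str:
    """Domain part of the address in a From:/Reply-To: header, or '' if absent."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def parse_auth_results(header: str) -> dict:
    """Parse an RFC 8601 Authentication-Results value into {method: (result, domain)},
    e.g. {'spf': ('pass', 'corp.example')}. The first ';'-separated field is the
    authserv-id and is skipped; tokens without '=' (such as words inside comments) are ignored."""
    results = {}
    for clause in header.split(";")[1:]:
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        domain = props.get("header.d") or props.get("smtp.mailfrom", "")
        results[method.lower()] = (result.lower(), domain.rsplit("@", 1)[-1].lower())
    return results


def triage(raw_message: str) -> dict:
    """Classify one inbound message. Policy: deliver only if the visible From:
    domain is authenticated by an *aligned* SPF or DKIM pass (the DMARC rule)
    and no sender-side domain is on the blocklist."""
    msg = message_from_string(raw_message)
    from_domain = addr_domain(msg.get("From", ""))
    reply_domain = addr_domain(msg.get("Reply-To", ""))
    auth = parse_auth_results(" ".join(msg.get_all("Authentication-Results", [])))

    spf_result, spf_domain = auth.get("spf", ("none", ""))
    dkim_result, dkim_domain = auth.get("dkim", ("none", ""))
    spf_ok = bool(spf_result == "pass" and spf_domain and org_domain(spf_domain) == org_domain(from_domain))
    dkim_ok = bool(dkim_result == "pass" and dkim_domain and org_domain(dkim_domain) == org_domain(from_domain))

    reasons = []
    if not from_domain or not (spf_ok or dkim_ok):
        reasons.append("dmarc-fail")           # From: domain is not authenticated
    if reply_domain and org_domain(reply_domain) != org_domain(from_domain):
        reasons.append("reply-to-mismatch")    # replies silently routed elsewhere
    if {from_domain, reply_domain, spf_domain} & KNOWN_BAD_DOMAINS:
        reasons.append("known-bad-domain")
    return {"from_domain": from_domain,
            "verdict": "quarantine" if reasons else "deliver",
            "reasons": reasons}


# Constructed messages as the gateway would see them after SPF/DKIM evaluation.
LEGIT = """\
From: "Accounts Payable" <ap@corp.example>
To: alice@corp.example
Subject: April invoice
Authentication-Results: mx.corp.example;
 spf=pass smtp.mailfrom=bounce@corp.example;
 dkim=pass header.d=corp.example header.s=sel1

Invoice attached.
"""

FORGED = """\
From: "IT Helpdesk" <helpdesk@corp.example>
Reply-To: helpdesk@secure-payrol1.example
To: alice@corp.example
Subject: Password expiry notice
Authentication-Results: mx.corp.example;
 spf=pass smtp.mailfrom=bounce@mailer-svc.example;
 dkim=none

Your password expires today. Reset it here.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("forged", FORGED)):
        print(name, triage(raw))
```

The forged message passes SPF, which is why a filter that only asks "did SPF pass?" delivers it: the passing domain (mailer-svc.example) is not the domain the user sees in From:. Alignment is the check that catches display-name and header forgery, and the Reply-To mismatch is the tell for the follow-on conversation the attacker wants.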
Multi-Factor Authentication
If a user hands their credentials to an attacker, multi-factor authentication (MFA) acts as a failsafe by requiring a second, independent proof of identity before the stolen password is of any use. Because most credential phishing is highly automated and wide-scale, this single control blunts a large share of it. Properly implemented MFA makes it significantly harder for attackers to establish an initial foothold in your environment. One caveat: one-time codes the user types (SMS or authenticator-app codes) can still be relayed by a real-time phishing proxy, so wherever practical prefer phishing-resistant methods such as FIDO2/WebAuthn security keys, which bind the authentication to the legitimate site's origin.
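The failsafe property is easiest to see in code. The following added example (not the article's code) implements a password-plus-TOTP login check: a standard RFC 4226/6238 time-based one-time password over HMAC-SHA1, checked in constant time with a one-step clock-skew window. The user record, the password and the timestamps are constructed; the TOTP secret is the RFC 6238 test-vector seed, so the codes can be checked against the published vectors.

```python
"""Password + TOTP login check (RFC 6238). Added example, not the page's code;
the user record, salt and timestamps are constructed for illustration."""
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP over the current 30-second window."""
    return hotp(secret, now // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash for the stored password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user record. The TOTP secret is the RFC 6238 test-vector seed.
SALT = os.urandom(16)
USER = {
    "name": "alice",
    "pw_hash": hash_password("correct horse battery staple", SALT),
    "totp_secret": b"12345678901234567890",
}


def verify_login(password: str, code: str, now: int) -> bool:
    """Both factors must pass. A phished password with no code (or a stale
    code) is rejected. The code is accepted for the previous, current and next
    30-second window to absorb clock skew, and compared in constant time."""
    pw_ok = hmac.compare_digest(hash_password(password, SALT), USER["pw_hash"])
    code_ok = any(
        hmac.compare_digest(totp(USER["totp_secret"], now + drift * 30), code)
        for drift in (-1, 0, 1)
    )
    return pw_ok and code_ok


if __name__ == "__main__":
    t = 59
    print("code now:", totp(USER["totp_secret"], t))                      # 287082
    print("password only:", verify_login("correct horse battery staple", "", t))
    print("password + code:", verify_login("correct horse battery staple", "287082", t))
```

Note what the skew window implies: a code phished at 09:00:00 is still valid for roughly a minute, which is exactly the gap a real-time phishing proxy exploits by forwarding the code immediately. That is why the caveat above matters and why origin-bound authenticators, rather than codes, are the stronger choice for exposed accounts.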
24x7x365 Security Monitoring
Despite your best efforts, some attacks will succeed. Your security operations team must therefore monitor around the clock to minimize the time from initial compromise to detection and containment. Security monitoring is the final layer of defense against email phishing: a phished credential or a malicious attachment that slips past the filter still has to be used, and that activity (a login from an unfamiliar location, a new process on an endpoint) is where a would-be compromise can be stopped in its tracks.
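As an added example of the kind of correlation a monitoring team would run (not the article's code, and not any product's rule), the detection below joins two constructed log sources: a mail-gateway log recording which user clicked a URL and the gateway's verdict on it, and an identity-provider authentication log. The rule fires when a user who clicked a URL later verdicted malicious logs in successfully, within an hour, from an IP address that user had never used before the click. The log format (ISO timestamp, source name, key=value fields), the users and the IP addresses are all made up.

```python
"""Post-phish login detection run over constructed log lines.
Added example, not the page's code or any product's rule; the log format
and every user, host and IP address are constructed for illustration."""
from datetime import datetime, timedelta

# Constructed sample: mail-gateway click events and identity-provider auth events.
SAMPLE_LOG = [
    "2020-06-15T08:00:03Z auth user=bob src=198.51.100.10 result=success",
    "2020-06-15T08:05:41Z auth user=alice src=198.51.100.11 result=success",
    "2020-06-15T09:02:11Z gateway user=bob event=url_click url=https://secure-payrol1.example/login verdict=malicious",
    "2020-06-15T09:03:27Z gateway user=alice event=url_click url=https://intranet.corp.example/news verdict=clean",
    "2020-06-15T09:10:05Z auth user=bob src=198.51.100.10 result=success",
    "2020-06-15T09:20:45Z auth user=bob src=203.0.113.77 result=success",
    "2020-06-15T09:21:02Z auth user=bob src=203.0.113.78 result=failure",
    "2020-06-15T09:30:19Z auth user=alice src=198.51.100.11 result=success",
    "2020-06-15T11:00:00Z auth user=bob src=203.0.113.79 result=success",
]


def parse_line(line: str) -> dict:
    """'<ts> <source> k=v k=v ...' -> dict with a parsed timestamp."""
    ts, source, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["source"] = source
    return fields


def detect(lines, window: timedelta = timedelta(minutes=60)) -> list:
    """Rule: a user clicks a URL the gateway verdicted malicious, and within
    `window` the same user logs in successfully from an IP address that user
    had never used before the click. Returns one alert per such login."""
    events = sorted((parse_line(line) for line in lines), key=lambda e: e["ts"])
    clicks = [e for e in events if e["source"] == "gateway"
              and e.get("event") == "url_click" and e.get("verdict") == "malicious"]
    logins = [e for e in events if e["source"] == "auth" and e.get("result") == "success"]

    alerts = []
    for click in clicks:
        user_logins = [l for l in logins if l["user"] == click["user"]]
        # Baseline: every IP this user logged in from before the click.
        known_ips = {l["src"] for l in user_logins if l["ts"] < click["ts"]}
        for login in user_logins:
            in_window = click["ts"] <= login["ts"] <= click["ts"] + window
            if in_window and login["src"] not in known_ips:
                alerts.append({
                    "user": login["user"],
                    "src": login["src"],
                    "login_ts": login["ts"].isoformat(),
                    "minutes_after_click": int((login["ts"] - click["ts"]).total_seconds() // 60),
                    "url": click["url"],
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample, bob's 09:20 login from 203.0.113.77 fires (18 minutes after the click, never-seen IP); his 09:10 login from his usual address does not, alice's login does not because her click was clean, and the failed attempt from 203.0.113.78 is ignored. Bob's 11:00 login from a third new address is outside the one-hour window and is missed, which is the trade-off to tune: a wider window catches slower attackers at the cost of more noise, and a baseline built from a longer history (or from ASN rather than exact IP) cuts false positives from mobile users.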