IT security is multi-faceted and ever-evolving, and the criminal act of phishing is the latest form of malicious activity to be drawn to the public's attention.
Apacs figures confirm that the number of phishing sites grew more than six-fold during the past year. Although a great deal of high-profile media coverage raises awareness of personal identity theft through conventional phishing, "spear-phishers" are a less publicised phenomenon.
A spear-phishing message looks as if it comes from your employer, or from a colleague who might plausibly send IT communications, and may include requests for user names or passwords. In fact, the e-mail sender information has been spoofed in an attempt to gain access to the company's entire computer system.
As always with IT security, the measures needed to address phishing cross multiple parties and jurisdictions. Not only do businesses need to educate their employees; the technology industry as a whole needs to approach phishing on three levels: partnerships, technology and education.
Last month, Microsoft launched its Global Phishing Enforcement Initiative (GPEI). Part of the initiative focuses on quickly identifying and shutting down domain names that spoof Microsoft brands. So far, this has been effective in the US, resulting in an 80% drop in phishing-related attacks on our brand. With this success in mind, we recommend these measures to other companies that are liable to attack.
The major thrust of the GPEI, however, is partnering with relevant organisations such as Interpol and EuroISPA, the pan-European association of internet service providers.
The pervasiveness of the phishing threat makes partnerships and co-ordinated action essential. Microsoft already partners with public and private sector organisations around the globe, including the Anti-Phishing Working Group (APWG).
The GPEI is a sustained effort by Microsoft to bring legal action against phishers. The company will engage in 100 legal actions against phishers in 10 European, Middle Eastern and African countries over the next few months, in addition to the 123 civil cases already raised against phishers worldwide.
Through technology, Microsoft advocates the development of a "trust ecosystem" that creates an environment in which people, devices and code can be properly identified and held accountable for their actions. The ecosystem underpins industry-wide support for an interoperable, open standards-based identity metasystem.
Other key tenets of Microsoft's overall security technology include the way the company develops new code and removes security complexity for IT professionals and consumers. The final component is building confidentiality, integrity, availability and accountability into the Microsoft platform, as Windows Vista will demonstrate.
Microsoft is also collaborating on an internet standard proposal designed to help eliminate domain spoofing and provide greater user protection against scams. Internet Explorer 7 has been improved to help protect consumers and now includes a phishing filter that detects suspicious sites. There are also several technologies within Windows XP SP2 that help thwart common phishing methods.

With many phishing attempts initiated through spam e-mails, Hotmail's anti-spam technology is already stopping 3.4 billion spam e-mails a day.
Improved awareness of phishing helps to combat the risks it presents. To that end, Microsoft remains committed to training its internal developers (almost 600 employees are now CISSP certified), partners and law enforcement personnel (1,200-1,500 annually). The company also supports numerous awareness campaigns, including www.microsoft.com/security and the government-led initiative www.getsafeonline.org.
Success in combating phishing means that, hopefully, by Infosecurity Europe 2007 phishing will have dropped out of the limelight. The ever-evolving threat landscape created by sophisticated cyber criminals will doubtless have moved the game on, but industry efforts as a whole will aim to make it harder for them to succeed.
Ed Gibson is chief security adviser at Microsoft UK.

Microsoft will be exhibiting at stand 610 at Infosecurity Europe 2006.