Users should not be blamed for successful phishing attacks, says security awareness expert.
Ira Winkler, president of Secure Mentem, told attendees of the RSA Conference 2015 in San Francisco that humans represent only two of ten potential kill points for phishing attacks. A phishing attack can only be successful if eight possible layers of technological controls are missing or have failed.
“Phishing attacks represent a combination of user and technological failures,” said Winkler.
Before the user is ever confronted with a phishing email, there are opportunities to block the attack at the pre-mail server and mail server stage.
Technologies for detecting and deleting phishing emails can be implemented in the internet infrastructure to block these attacks before they reach mail servers.
At the mail server there is another opportunity to implement technologies to quarantine phishing emails.
It is only if these first two layers have failed to block a phishing attack that a user becomes involved.
“Users only fail if technologies have failed first or if the right controls have not been implemented by internet service providers or in mail servers,” said Winkler.
However, he said if users have been properly trained to recognise and report phishing attacks, these attacks can be blocked at this third stage.
User awareness programmes should be designed to ensure that users are able to recognise potential phishing attacks and know where to report them.
“But awareness, like all countermeasures, is not perfect and can fail because even smart people make mistakes when confronted with a well-crafted phishing email,” said Winkler.
However, even if a user clicks on a malicious link in a phishing email, all is not lost because technologies exist to warn users of potentially harmful links and attachments.
“The user has the opportunity to report attempted phishing attacks to enable administrators to delete any associated unopened phishing emails on the mail server,” said Winkler.
“But if a user decides to open an email even though it has been quarantined, the email client should still be able to prevent malicious code from executing,” he said.
Even if the email client prevents the malicious code from executing, the network should be able to detect and block malicious activity.
“The network can be equipped to be a layer of defence. It should be able to prevent malicious activity, identify rogue clients and prevent any infection from spreading,” said Winkler.
“And if malicious code executes, the network should be able to block data from being sent out of the network and stop any illicit login attempts,” he said.
Although Winkler concedes that in many cases security awareness programmes need to be improved, he said businesses need to acknowledge that the success of phishing attacks is not due to user failures alone.
“Phishing attacks are inevitable, but they can be prevented by putting technological detection and blocking capabilities at every layer,” said Winkler.