
Security Think Tank: Four key elements to defending against phishing attacks

What are the most effective types of security controls and end user training approaches to dealing with phishing?

Fraudulent and malicious electronic mail continues to be a favoured method for attackers to create a network breach from the inside. Like the famed Greek horse at Troy, years of work on an impenetrable outside wall can be undone from the inside with the click of a mouse.

Phishing attacks have become more pervasive and convincing over the years. While mistyped and poorly worded examples are still around – such as a note from “Sistem Admin” [sic] – hackers have learned to use graphics, grammar and phrases that appear strikingly similar to those of a legitimate message.

The sources of these messages use a wide range of tools to lure unsuspecting victims, yet there are some common themes they apply. The recognition of these themes has led to a mix of technical and training approaches to combat the threat.


Some phishers use a blanket approach, sending realistic messages to millions of recipients. They often add a plea that prompts the receiver to click on an included link in response to an urgent situation. Ironically, this plea often claims to be a response to a security incident. Those clicking through, alarmed at the alert or lured by the promise of riches, may be directed to a very real-looking website that happily accepts their personal identification and bank account information on behalf of the attacker.

A growing trend has been for attackers to emulate a senior executive in an organisation. In a report, the FBI warned of such business email scams where a message appears to come from an executive. The report stated: “From October 2013 through to February 2016, law enforcement received reports from 17,642 victims, amounting to more than $2.3bn in losses.” These types of attack are often hard to detect since they may not include a suspicious or infected link or attachment.

Where links are included, it is important to remember that a message may mask the real URL. The user often has to hover over the hyperlink to see the real, intended destination, such as a malicious website. Other emails include an infected attachment that acts as the Trojan horse. A corrupted document, image or spreadsheet can use embedded macros or some other executable code that leads to all sorts of mayhem on the victim’s system.


The tools and processes for addressing and mitigating such attacks are as varied as the methods used by the attackers. Quite often, the organisation needs to apply multiple layers of countermeasures, such as those described by Human Element’s Human-Based Cyber Defense approach.

A strong weapon in our arsenal continues to be effective user security training. Organisations that run repeated and continuous phishing awareness campaigns find that, while the problem never goes away, repeated rounds of testing and personalised training result in steadily improved awareness. Some teaching tools display a pop-up message with remedial advice at the moment a target takes the bait. The most successful programmes enable the training team to work directly with users who repeatedly fail such tests, using the resulting information to improve training methods.

There’s some research into the science of why these attacks work by tricking our own impulses, such as Breaching the human firewall: social engineering in phishing and spear phishing emails by an Australian research team. Such research helps us understand and analyse user behaviour and improve countermeasures.

For those attempting to deliver training and impress the importance of remaining alert to emailed scams, insight from dedicated organisations such as Isaca is invaluable. Most of us with security responsibilities simply do not have time to study all relevant literature, so the work done in collecting and sharing best practice from published works and other submissions is extremely useful.

On a technological level, simple steps and settings within the email program can show results. Settings changes can help quarantine suspicious emails or at least provide visual cues about their suspicious nature.

An email system might be set to automatically add a prefix or suffix to messages that originate outside the organisation. For example, the subject can be tagged so that a spoofed message from my CEO might look as follows: “Subject: [EXTERNAL] Please send me our employee tax forms”. Similarly, a suffix can be added to entries in the internal address list, helping to confirm the real source. A more secure version of this protection is the use of digital signatures, such as those provided by Secure/Multipurpose Internet Mail Extensions (S/MIME).
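The subject-tagging control described above, as an added example that is not part of the original article: it parses an inbound message, prefixes the subject with [EXTERNAL] when the sender's domain is not one of the organisation's own, and adds a warning header when the display name matches an internal user while the address is external. The internal domain, directory and sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed values: the organisation's own mail domains and a small
# directory of internal display names mapped to their real addresses.
INTERNAL_DOMAINS = {"example.com"}
INTERNAL_DIRECTORY = {"jane doe": "jane.doe@example.com"}
EXTERNAL_TAG = "[EXTERNAL]"
WARNING_HEADER = "X-Sender-Warning"


def sender_is_external(from_header: str) -> bool:
    """True when the From: address domain is not one of ours."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    return domain not in INTERNAL_DOMAINS


def impersonates_insider(from_header: str) -> bool:
    """True when the display name is a known internal user but the
    address it is paired with is not that user's real address."""
    name, addr = parseaddr(from_header)
    real_addr = INTERNAL_DIRECTORY.get(name.strip().lower())
    return real_addr is not None and addr.lower() != real_addr


def tag_message(raw: bytes) -> EmailMessage:
    """Apply the tagging control to one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_header = msg.get("From", "")
    if sender_is_external(from_header):
        subject = msg.get("Subject", "")
        if not subject.startswith(EXTERNAL_TAG):   # idempotent on re-delivery
            del msg["Subject"]
            msg["Subject"] = f"{EXTERNAL_TAG} {subject}"
        if impersonates_insider(from_header) and WARNING_HEADER not in msg:
            msg[WARNING_HEADER] = "display name matches internal user; address is external"
    return msg


# Constructed sample: an executive's name on an external lookalike address.
SAMPLE_EXTERNAL = b"""From: "Jane Doe" <jane.doe@mail-lookalike.test>
To: staff@example.com
Subject: Please send me our employee tax forms

Urgent, need these today.
"""
```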

There is quite a lot of good work going on behind the scenes to improve the security of electronic mail protocols and, thus, prevent some malicious messages from reaching their intended victims. The US National Institute of Standards and Technology (Nist) recently released Special Publication 800-177, Trustworthy Email, which provides recommendations for the deployment and configuration of state-of-the-art security technologies, such as the Domain Name System Security Extensions (DNSSec), to detect and prevent phishing attacks.

Effective vulnerability management, such as through antivirus, software patches and regular updates, is critical to preventing the flaws that phishing attacks often exploit. Proactively mitigating the potential damage of an attack is critical, too, such as by minimising the attack surface available from a given workstation. Also, because personal authentication credentials provide such critical access and might be easily disclosed, the use of multifactor authentication is one way to help mitigate the effects of phishing attacks, even successful ones.

What next:

Because of the success and relative ease of deploying phishing attacks, organisations are likely to continue to be targeted through this method. Organisational defences include user awareness training, email system security configuration, use of strong authentication – especially on critical digital assets – and vigilant vulnerability mitigation and management.

Ultimately, keeping up-to-date on threat trends and ensuring best practice is communicated to, and absorbed by, the organisation is the best defence.

Greg Witte is a member of Isaca’s Cybersecurity Working Group and a senior security engineer for G2.
