Author: Scott Matteson
Phishing attacks, which involve what are essentially fake-out attempts to persuade unsuspecting users to reveal confidential information or click links which can install malware, are a major problem. Unfortunately, despite numerous security controls and educational endeavors to help assist users, this malice isn’t going away any time soon.
I spoke with Stephen Cox, VP and Chief Security Architect at cybersecurity organization SecureAuth to discuss the plague that is phishing attacks and the challenges involved with thwarting them.
Scott Matteson: What are the major challenges you see with protecting users?
Stephen Cox: One of the main challenges we face in the security industry is how to encourage users to take steps to protect themselves. As we’ve rushed into the digital age, and our personal information has flowed freely onto social networks and other web properties. We’ve almost been conditioned to share rather than protect. This information can be and is being harvested to be used against us in phishing-style attacks.
There is certainly an onus on corporations to protect sensitive data and the security industry to combat bad actors, but it will be difficult without the help of the end users themselves.
Scott Matteson: What strategies work best?
Stephen Cox: A main focus of the security industry should be on user experience (UX). We’ve found that a good, clean UX goes a long way to encourage users to enable security controls like multi-factor authentication (MFA) and keep it enabled to protect themselves. Conversely, bad user experience is a death sentence for user-facing security products. Users will cast bad security controls asunder without a second thought.
Corporations should focus on limiting the amount of sensitive data they collect and using industry best practices, like those recommended by the NIST Cybersecurity Framework, to protect the data they do collect. They should then focus on implementing a strong multi-factor and adaptive authentication solution to render credentials obtained via phishing useless to the attackers. Adaptive authentication has a very rare quality of improving security without impacting usability. End users should be encouraged to enable multi-factor authentication wherever possible.
Scott Matteson: What can organizations do from a technology standpoint?
Stephen Cox: One of the main goals organizations should have to combat phishing is rendering stolen credentials useless. Combating the misuse of credentials is of the utmost importance in the current threat landscape. Identity security should be elevated to the same level in the mind of security operations teams as network and endpoint security. It is now the third pillar of security.
From a technology standpoint in identity security, organizations can employ adaptive authentication. Adaptive authentication goes beyond vanilla two-factor authentication by employing multiple layers of risk analysis on top of a strong multi-factor authentication workflow. We recommend an out-of-band method such as symbol-to-accept, backed by a biometric on the user’s device. Simply having stolen credentials obtained via phishing would not allow an attacker to succeed in this scenario. Adaptive authentication can also be configured to only prompt the user if the risk has been detected, so organizations can employ workflows that are very user-friendly.
Scott Matteson: Can you speak to the psychology of users: What makes them prone to fall for this stuff?
Stephen Cox: One thing we have observed with users is the propensity to disregard security warnings without much care. One of the reasons we developed symbol-to-accept was because attackers with stolen credentials would simply repeat push-to-accept requests to an end user until the end user finally pressed accept to get rid of the constant prompting. Symbol-to-accept encourages the user to stop and think about the prompt before accepting or denying it, as they have to press the correct symbol to accept. It also makes a nice, pleasing user experience.
Scott Matteson: What approaches can you recommend based on a carrot-and-stick philosophy to keep users safe?
Stephen Cox: Listen to your users. Focus on UX in your user-facing security interfaces and don’t forget about delighters: Features that users may not expect but increase satisfaction in your products. Implement a good user experience, and your users will follow.
Scott Matteson: What are your thoughts on sending users fake phishing email attempts to train them?
Stephen Cox: You can implement every security tool in the market, be up-to-date on every patch, and have around-the-clock visibility in your security program, but you can’t fully secure humans. User awareness programs are a fantastic idea but still have a ways to go. Equipping your users with the knowledge they need to spot these types of attacks can certainly help them to avoid falling victim, and flag any potentially malicious emails to security personnel.
Scott Matteson: What difficulties are associated with regulating phishing attempts and keeping things running per “business as usual?”
Stephen Cox: Phishing is so rampant and often so quick to success that large organizations can be overwhelmed with the sheer volume of suspicious activity associated with this attack vector. Locking down accounts that have been compromised can leave users unable to access the resources they need to do their work. It really speaks to the need to have an organized security operations and incident response program, so that suspicious activity can be detected and addressed quickly, the user’s credentials can be reset efficiently, and users can return to their normal level of productivity.
Scott Matteson: What are the bad guys doing next?
Stephen Cox: The recent leaks of massive amounts of social media data to third parties show that personal data can be and is being harvested, and it’s just a matter of time until it gets into attackers’ hands. I expect phishing attacks to become even more targeted over the next few years as attackers harvest and organize the personal information that is so freely available on the Internet today. It will make phishing attacks even more effective than they are today.
Scott Matteson: How do you plan to combat that?
Stephen Cox: The goal of many attackers after they gain a foothold is to obtain credentials and move laterally through an environment as if they were a normal user. It speaks to the need to eliminate passwords from the equation so that if credentials are obtained, they are not useful as a vector to breach and move through organizations. Organizations should recognize that identity is now the third pillar of security after network and endpoint, implementing identity-related automation workflows into their security operations to contain attackers before they do damage.
This article originally appeared on TechRepublic on January 4th, 2019