Train your users to detect and respond correctly to phishing emails.
Phishing relies on users trusting that the information contained in an email is accurate, valid, and trustworthy. Attackers use deceptive tricks to force a hasty response from your users. Organizations need to be proactive.
First, implement a training regimen using commercial software or open-source options to simulate phishing emails. Numerous platforms exist that allow custom email templates to mirror an organization's portals, or out-of-the-box templates to mirror a blind phish from an external attacker. These internal phishing tests can be scheduled for specific users or groups of users at specific times, and they can have varying difficulty levels to test whether users can tell a phish from normal mail.
Furthermore, many of these toolsets provide workflows for dealing with phishing emails. Training users to always use the reporting method specific to the toolset ensures that all suspected phishing emails are sent to a secure location for further analysis or removal from the email system. Many of these platforms are packaged with training modules for users. These modules range from basic best practices for email hygiene to the potential threats and exposures that follow clicking on a real phish.
Finally, these platforms often offer metrics and digestible reports for tracking users who fail internal phishing tests, the click rate on phishing emails, and the report rate, where a user successfully reports a test email as a phish. Training modules can then be assigned to users who fail a predetermined number of simulated phishes.
Use a password manager for all employees.
There are numerous enterprise password manager options on the market as well as open-source and commercial-grade options with enterprise capabilities. While selecting the correct password manager for your environment may be a complicated task, implementing and enforcing a password manager will reduce the need for reused passwords and insecure storage of passwords.
In tandem with implementing a password manager, train your users not to reuse passwords, to generate secure passwords, and to create a complex master password for access to the vault. Many password vaults or password managers can generate secure passwords of a predetermined length through browser extensions or applications. These passwords can then be filled into forms automatically by the same extensions or applications.
Some password vaults also offer a check-in/check-out system that automatically changes the password on check-in. An administrative password used for installing software could still be compromised while it is checked out, but the authenticated session would only last until the next check-in. Once the password is checked in and rotated, the compromised password and the current password differ, minimizing the time that even a skilled attacker can act with the account.
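The check-in/check-out rotation described above, modelled as an added example (this is not code from any particular vault product): a checked-out administrative password is captured, it works while the account is on loan, and it stops working as soon as the account is checked back in and rotated. The account name and the password generator are constructed for the illustration.

```python
import secrets
import string
from dataclasses import dataclass, field

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 24) -> str:
    """Generate a random password; stands in for the vault's built-in generator."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class CheckoutVault:
    """Minimal model of a privileged-account vault with check-in/check-out."""
    passwords: dict = field(default_factory=dict)   # account -> current password
    checked_out: set = field(default_factory=set)   # accounts currently on loan

    def add_account(self, account: str) -> None:
        self.passwords[account] = generate_password()

    def check_out(self, account: str) -> str:
        """Hand the current password to a user; only one holder at a time."""
        if account in self.checked_out:
            raise RuntimeError(f"{account} is already checked out")
        self.checked_out.add(account)
        return self.passwords[account]

    def check_in(self, account: str) -> None:
        """Return the account and rotate its password immediately."""
        if account not in self.checked_out:
            raise RuntimeError(f"{account} is not checked out")
        self.checked_out.discard(account)
        self.passwords[account] = generate_password()

    def authenticate(self, account: str, password: str) -> bool:
        """Constant-time comparison against the vault's current password."""
        return secrets.compare_digest(self.passwords.get(account, ""), password)


def demo_compromise_window() -> dict:
    """Constructed scenario: the password leaks while checked out (e.g. via a phish)."""
    vault = CheckoutVault()
    vault.add_account("svc-installer")                 # hypothetical admin account
    leaked = vault.check_out("svc-installer")          # captured by the attacker
    during = vault.authenticate("svc-installer", leaked)
    vault.check_in("svc-installer")                    # rotation happens here
    after = vault.authenticate("svc-installer", leaked)
    return {"valid_during_checkout": during, "valid_after_checkin": after}
```

Note that rotation invalidates the captured password, not sessions that were already opened with it; pair this control with session timeouts and MFA.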
Use MFA
Using multifactor authentication (MFA) limits the risk of a complete account compromise after a user submits credentials to an attacker. Provided that the attacker was not intercepting the MFA response and did not hijack the authenticated session, the attacker would not be able to sign into systems requiring MFA even with valid credentials.
Enabling MFA and utilizing it wherever possible is a solid failsafe in the case of account compromise.
Do not scan QR codes or navigate to web links you do not recognize.
Attackers can host malicious code, set up websites that conduct drive-by downloads, or scrape valuable information while you browse their site. Avoid giving the attacker the chance to compromise your account by avoiding unknown sites altogether, especially on company-owned equipment.
While the stakes are high and the remediations are many, there is no one-size-fits-all solution for a given organization. If you are looking for a partner to help you walk through risk assessments, remediation, or implementation of new tools and processes, give us a call.