Security Basics mailing list archives
Re: HOW TO PREVENT FHISHING ATTACKS
From: Patrick Kobly <patrick () kobly com>
Date: Wed, 02 Feb 2011 15:17:45 -0700
On 1/28/2011 10:46 PM, Marcel Grabher (sallas) wrote:
> get a gun and kill the users. good luck in mexico

You know... This is one of the things that upsets me a lot about discussions around this and other similar topics. For sure, protecting against phishing and malware requires user diligence. Users need to start taking responsibility for their own security - protecting their own interests. But that doesn't mean that there aren't ways we can help users to do this.
With respect to phishing, most of the controls that will help the situation are controls that help users distinguish between legitimate contact and suspicious mails (users don't know what "suspicious mails" look like, and we've done a poor job of making it easier for them to distinguish):
- Use SPF and DKIM. In order to have any significant benefit, though, these require uptake by the users' mail service providers, and there's little you can do to impact that.
- Coordinate communications. Your customer service reps need to be aware of promotional campaigns - when they're occurring, which customers are contacted and what the nature of the communication and follow-on data collection is.
- Have a solid communications and data-collection policy. Tell your users what types of information you will never solicit from them, then never solicit this information. A few months ago, a bank that I do business with ran a contest which they promoted via email. In order to enter, they asked for your VISA or account number. Communications that go out to clients and the resulting user activity flows need to be examined by people uninvolved with the particular campaign and need to be scrutinized for markers that you're telling your clients to avoid.
- The links provided in your communications should lead to the domains your clients already know are yours. Link to your domain, not to surveymonkey.com or a 3rd party communications firm's site.
- Provide a convenient, independently verifiable method of validating all communications, i.e. "If you are unsure of the legitimacy of this communication, call us at the toll-free phone number listed on our corporate web site." And make that number easily available. And staffed by people who know what's going on. This applies to any form of communication - email as well as phone / snail mail.
- Prefer communication in a secure medium. Build a direct messaging functionality into your online banking site. When you need to contact your users, contact them through that mechanism rather than email or phone when possible. The user knows that it's you communicating with them.
- Start to digitally sign emails and publish your keys. Mail client producers will only start to support digital signatures out of the box when organizations start using them. Make sure your clients know that you *always* sign emails that you send.
- Limit the users' risk. Don't collect static authenticating information in any interaction flow that starts with a communication from you. Look into one time passwords, authentication tokens or two-factor authentication. Each of these may limit the utility of information gathered by a phisher if your clients fail to distinguish a phishing attack.
Just some thoughts... PK
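As an added example (not from Patrick's message or anyone on the list), here is a small pre-send review check in Python that applies two of the controls above to a draft customer communication: every link must point at the organisation's own domain, and the text must not solicit information the stated policy says is never requested. The domain names, the phrase list and the sample draft are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Hypothetical bank domain(s) that customers already know (assumption).
OWN_DOMAINS = {"examplebank.example"}

# Phrases the communications policy says the bank never asks for (constructed list).
NEVER_SOLICIT = re.compile(
    r"\b(account number|card number|visa number|pin|password|passcode)\b",
    re.IGNORECASE,
)

# Matches http(s) links; trailing punctuation is trimmed in review_message().
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_own_domain(url):
    """True when the link's host is one of our domains or a subdomain of one.
    urlparse().hostname ignores any user@ prefix, so a link such as
    https://examplebank.example@other.example/ resolves to other.example."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OWN_DOMAINS)


def review_message(text):
    """Return (finding-type, evidence) pairs for a draft outbound message."""
    findings = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;)")
        if not is_own_domain(url):
            findings.append(("external-link", url))
    for m in NEVER_SOLICIT.finditer(text):
        findings.append(("solicits-secret", m.group(0)))
    return findings


# Constructed draft resembling the contest mailing described above.
DRAFT = """\
Dear customer,

Enter our spring contest at https://survey.example/bank-contest and
give us your VISA or account number to qualify.
Questions? Call the number on https://www.examplebank.example/contact.
"""

if __name__ == "__main__":
    for kind, evidence in review_message(DRAFT):
        print(f"{kind}: {evidence}")
```

The two findings it raises for the draft are exactly the markers the policy tells clients to treat as suspicious, so the campaign would be sent back for rework before it reaches customers.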
On 28 January 2011 00:44, <mzcohen2682 () aim com> wrote:
> Hi Guys,
> I am preparing a set of recommendations for a client of mine which is a bank, a set of controls against phishing attacks. Besides telling the bank to teach their customers how to protect against those attacks (not opening suspicious mails etc etc), what other recommendations are good? Are there some technological tools to prevent those attacks that the bank can implement? I heard something about Imperva radar service which should protect against phishing attacks; someone has experience with that tool? What about other tools that the bank can implement?
> Many thanks!
> Marco

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------