Security Basics mailing list archives

Re: Anti-Phishing Strategies


From: p1g <killfactory () gmail com>
Date: Sun, 13 Apr 2008 00:21:54 -0400

I agree with Tim.

You have to push some of the responsibility to your end users. You
need to also state in your policies that the end user must absorb the
responsibility.

'Normal Education Stuff' cough cough. What is that?

I hope it includes incident reporting. I do however feel it is your
responsibility to help educate the end user. Help them to identify
suspicious activity. Teach them to report an incident even if they are
not sure it is a real incident. You have to start a culture where the
end user feels comfortable reporting anything and everything.

Now, I know it is easier said than done for a lot of companies. Mine too.

I have found it useful to send 'Security Bulletins' to all users at the
first sign of a phishing attack. Also, include a copy of the email in
the bulletin. This is usually an eye opener for employees. They get to
see a 'REAL' email with suspicious content. They get to see how 'REAL'
or 'convincing' they look.

Be sure to reiterate your awareness points in the email. Remind them
that legit companies WON'T use emails to collect sensitive
information. Tell them not to open untrusted or unsolicited emails.

Every time I send out a bulletin, and I mean EVERY time, users will
open up and report suspicious activity they didn't think was
suspicious, but now they know.


This doesn't solve the problem, but it really helps.

I've blabbed too much.

My 2 cents..

On Wed, Apr 9, 2008 at 3:50 PM, Timmothy Lester
<Timmothy.Lester () primeadvisors com> wrote:
We are doing all the "normal education stuff"

 It is my personal opinion that NORMAL education is not enough.  Most of
 the time this is just information that goes in one ear and out the
 other.  Since it's a "customer" you are dealing with, I don't know how
 you should be responsible, but in any case you need to TRAIN people
 rather than educate them.  You almost have to scare people, by holding
 them responsible for their ignorant actions.

 A little off subject  -- I think that everyone that owns a piece of
 equipment should be responsible for it and have the correct knowledge to
 maintain and use it.  There is a healthy swarm of botnets and drones
 scouring the net because people don't take simple precautions, and
 people don't care enough to learn.

 Lame analogy -- If you own a car, you should know when the brakes are
 going bad and change them before you crash and hurt someone.   It's your
 responsibility to make sure you are able to stop your vehicle, whether
 or not you ask your husband or mechanic to check them (that's your
 choice).  If you own/use a computer, you have two choices.  Have someone
 who knows how to use the machine maintain your security updates, check
 mail before you get it, and check every webpage before you visit it, OR
 LEARN and ask if you're unsure.

 * I'd be interested to see what the "targeted and somewhat successful
 phishing attack" was.  If a company is "targeted", there is no software
 solution that can filter out every phishing "attack".



 -----Original Message-----
 From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
 On Behalf Of Al Cooper
 Sent: Wednesday, April 09, 2008 1:11 PM
 To: security-basics () securityfocus com
 Subject: Anti-Phishing Strategies

 One of my customers has recently been a target of a targeted and
 somewhat successful phishing attack.  I am looking at strategies to
 counteract this and future attacks.  We are doing all the normal
 education stuff, but the customer base is large.

 I am looking at companies like MarkMonitor & Cyveillance.  Does anyone
 have any experience with these type of companies?

 Any other strategies that I should consider?

 Thanks for your help,

-- 
-p1g
SnortCP, C|HFI, TNCP, TECP, NACP, A+
 ,,__
o" )~ oink oink
 ' ' ' '

If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke
