Security Basics mailing list archives

RE: HOW TO PREVENT FHISHING ATTACKS


From: "Eggleston, Mark" <meggleston () healthpart com>
Date: Thu, 3 Feb 2011 11:42:00 -0500

Well said Adam.  I do believe that two-factor authentication provides
some remediation to this risk though.  ING Bank also has implemented a
(cheaper) challenge-response mechanism - picture authentication.  When a
user creates or has his/her account created, they must select a picture
only they know.  Then whenever they sign on they must also
acknowledge/authenticate the picture too.

Phishing attacks would have a high hurdle to try to pass either of these
technical security controls.

Regards,

Mark Eggleston, CISSP, GSEC, CHPS
Manager, Security and Business Continuity 
Information Services 
Health Partners of Philadelphia, Inc. 


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Adam Pal
Sent: Wednesday, February 02, 2011 4:35 PM
To: mzcohen2682 () aim com
Cc: security-basics () securityfocus com
Subject: Re: HOW TO PREVENT FHISHING ATTACKS

Hello Mzcohen2682,

Phishing is a social engineering technique, so the only proficient way
to protect against it is: training, security awareness, training...

If we take the scenario of withdrawing administrator rights - what's the
benefit for a phishing attack? Having no administrator privileges won't
stop the user entering whatever credentials the email is asking for.

The weakest member of the chain is the user.



Best regards,
 Adam Pal   

Friday, January 28, 2011, 12:44:06 AM, you wrote:

<==============Original message text===============
mac> Hi Guys,

mac> I am preparing a set of recommendations for a client of mine which
mac> is a bank, a set of controls against phishing attacks. Besides
mac> telling the bank to teach their customers how to protect against
mac> those attacks (not opening suspicious mails etc. etc.), what other
mac> recommendations are good? Are there some technological tools to
mac> prevent those attacks that the bank can implement? I heard
mac> something about Imperva radar service which should protect against
mac> phishing attacks. Does someone have experience with that tool? What about
mac> other tools that the bank can implement?

mac> many thanks!

mac> Marco


<===========End of original message text===========


