Cisco published a guide of 5 tips to prevent and combat one of the most powerful and dangerous cyber threats: phishing.
Cisco's objective is to raise awareness and alert both individuals and companies so they can avoid possible attacks, helping to counter the spread of vulnerabilities that attackers can exploit.
A phishing attack consists of a message or an email containing a link that leads to an apparently trustworthy site where you are asked to enter your personal information. Sometimes, in addition to the data fraud, malware is also downloaded onto the victim's device.
Usually it is enough for the attackers to obtain credit card data or bank account credentials to make a profit. In other cases the final target is a company, and the user is only a means to obtain login credentials for the company's private platform. In fact, more complex cyber threats like ransomware and Advanced Persistent Threats (APT) often start from a successful phishing attack.
It is important to classify the different types of phishing in order to distinguish them when they occur:
- DECEPTIVE PHISHING
It is the most common type and it targets a group of people, trying to obtain private information useful for launching other attacks or stealing money (e.g. the attacker pretends to be a bank and asks for account credentials).
- SPEAR PHISHING
Similar to the previous one, but instead of targeting a group it focuses on a single person. It is important to pay attention to the information you share on social networks or other public sites: attackers can collect data from there and use it to craft a more personalized and credible message.
- WHALING
When the target of the attack is "a big fish", for example the CEO or CFO of a company, this type of phishing requires a lot of effort from the attacker, who has to study the company and its structure before executing the attack.
- PHARMING
This type of attack aims to redirect the user to a web site that looks perfectly legitimate but is fraudulent. It is not necessary to click on a link to reach the fake site; the attack also works when the user types the correct address.
HOW TO COUNTERACT PHISHING?
The first step Cisco suggests is adequate training of the employees, managers included: it is important to teach them how to recognize a fraudulent e-mail, how to handle it, and how to respond. The leading IT company then points out the 5 fundamental pillars for avoiding phishing.
- Implement a solid authentication process: Multifactor Authentication plays a crucial role because it reduces access by unauthorized parties. It consists of authorizing access with a second secure code or device in addition to the password (e.g. WebAuthn or FIDO2 security keys).
- Reduce password dependence with Single Sign-On (SSO): it aims to reduce the creation of weak passwords by allowing access to different sites or apps with one single set of credentials.
- Keep a detailed inventory of devices: it is difficult to protect devices you are not tracking, so keeping the movement of technological devices inside your company under strict control makes it more likely that you can prevent or counteract an attack.
- Apply adaptive access criteria: it is important to give access to the right person with the right device; every employee should access only the necessary assets and should be required to follow a security process before obtaining access to critical ones.
- Constantly monitor unusual access activity: this allows you to promptly detect and identify violations and then to put the proper countermeasures in place.
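As an added illustration of pillars 1, 3, 4 and 5 above (this is not code from Cisco's guide), here is a small access-policy check: the device inventory, asset names, factor ranking and sample requests are all constructed for this example.

```python
# Added example (not Cisco's code): a small access-policy check built around
# the pillars in this article. All names, data and rules are constructed here.
from dataclasses import dataclass, field

# Pillar 3: device inventory, constructed sample data (device id -> owner).
DEVICE_INVENTORY = {"lt-0142": "alice", "lt-0377": "bob"}

# Pillar 4: assets considered critical, which require a step-up factor.
CRITICAL_ASSETS = {"payroll", "finance-erp"}

# Pillar 1: factor strength. Only WebAuthn/FIDO2 keys resist a credential-phishing page.
FACTOR_RANK = {"password": 0, "otp": 1, "webauthn": 2}


@dataclass
class AccessRequest:
    user: str
    device_id: str
    asset: str
    factor: str  # strongest factor completed in this session


@dataclass
class Decision:
    allowed: bool
    reason: str
    alerts: list = field(default_factory=list)  # Pillar 5: events for monitoring


def evaluate(req: AccessRequest) -> Decision:
    alerts = []
    owner = DEVICE_INVENTORY.get(req.device_id)
    if owner is None:
        # Untracked device: it cannot be protected, so deny and raise an alert.
        alerts.append(f"unknown device {req.device_id} used by {req.user}")
        return Decision(False, "device not in inventory", alerts)
    if owner != req.user:
        # Device registered to someone else: a typical sign of stolen credentials.
        alerts.append(f"{req.user} logged in from {owner}'s device {req.device_id}")
        return Decision(False, "device not assigned to user", alerts)
    if FACTOR_RANK.get(req.factor, -1) < FACTOR_RANK["otp"]:
        # A password alone is exactly what a phishing page captures.
        return Decision(False, "second factor required", alerts)
    if req.asset in CRITICAL_ASSETS and req.factor != "webauthn":
        # Adaptive step-up: critical assets require a phishing-resistant key.
        alerts.append(f"{req.user} tried {req.asset} with weaker factor {req.factor}")
        return Decision(False, "critical asset requires WebAuthn/FIDO2 key", alerts)
    return Decision(True, "ok", alerts)
```

Every denied request that involves an unknown device, someone else's device or a weak factor on a critical asset carries an alert string, which is what the monitoring pillar would consume.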
In conclusion, it is important to adopt a skeptical and careful approach when we receive emails or messages, especially when they come from unknown senders.
It is crucial for every company to raise awareness so that the pillars listed above are respected, in order to avoid phishing attacks that can lead to monetary loss or to further attacks.
Author: Andrea De Gennaro