Phishing is one of a number of exploits that attempt to get an individual to participate in something that is damaging either to themselves or to the wider organisation they are part of. This is achieved by luring the individual to open an attachment or click on a link, etc. Another method that’s been used successfully is scattering a bunch of thumb drives featuring malicious code around a parking lot and waiting for someone to plug it into the machine. The common element is the human one, and such attacks are also termed social engineering.
A study conducted at Columbia University showed the efficacy of email as a form of attack. Researchers sent out 2,000 phishing emails, which got 176 opens. Those 176 people were then warned that they'd fallen for a phishing attack. The researchers later sent another round of phishing emails to those same people, and 10 of them once again clicked. After another warning, and a third batch of phishing emails was sent out, three people fell for it again. It wasn't until the fourth round that no one opened the emails.
As that study shows, it's often people who are the weak links. Consequently, employee training continues to be a vital part of the defence strategy and the need for vigilance is vital and ongoing. Phishing is a form of attack where human decision-making is critical.
You can think of security as a pyramid where the horizontal axis is the number of incidents and the vertical axis is the level of sophistication involved. The top of the pyramid features the smallest number of incidents, but a level of sophistication that is very, very difficult to defeat. The bottom of the pyramid has the highest numbers and the least sophistication. This is often the realm of phishing or related exploits that depend on someone clicking without paying attention or exercising bad judgement.
Certainly training and awareness can help minimize the number of such incidents, and the effectiveness of training can be tested by running an exploit on oneself. Usually someone will click, but the numbers can be minimized.
The first line of defence remains looking at the traffic. With email for example, most organisations drop anywhere between 65% to nearly 75% of the incoming email. Some of the email is merely suspicious or annoying and you may see emails come through marked with labels such as [SPAM], [Marketing Mail] or the like. The intent is to avoid blocking something that might be legitimate, but to give the user a flag and the opportunity to delete or to create a rule to divert the emails so marked.
Most companies employ a security framework suck as NIST or ISO27001. Such frameworks include risk assessments, policies and controls to mitigate risks, and audits to demonstrate implementation. One of the key controls is always security and security awareness training.
Unfortunately, email will continue to be a top vector when it comes to breaching systems. We have relied far too heavily on email for far too long. We need to move away from email. It's time. We need to begin to seriously look at other communication modalities to help protect against these types of attacks. There are better, arguably more secure solutions out there for communications, examples being an internal intranet via Jive or social business applications such as Yammer or Slack.
Given that email is not going anywhere soon, measures need to be put in place to keep an organisation and its staff protected. Phishing in particular relies upon human mistakes and so to minimise the danger from phishing it is in the interest of CISOs to ensure all staff are trained, take responsibility collectively and individually for keeping the network and its associated data safe and secure and that effective traffic monitoring is implemented.
The bad guys are incentivised to attack consistently often with unsophisticated methods so organisations need to build resilience to be effective at defending against the attacks.