Combating Phishing on Zero Budget
Sometimes, the best conversations start with "Who wants to go running tomorrow morning at 6am before the conference?"
Today was one of those days: I woke up in a foreign city, several time zones away from home, at 5am local time to go for a run with fellow information security friends, and the end result was a lot more than I bargained for. This morning my friend Phil convinced me to go running here at Disneyland during ISSA International... and I'm so glad I did.
We started talking about pragmatic security, and "Matt" (who will not be identified further, since he asked not to be) got us talking about practical approaches to phishing. Matt's organization has taken an approach to combating phishing that I've never heard of before...
Every message that enters Matt's organization at the external mail gateway has an [EXTERNAL] tag prepended to its subject line. What an ingenious way, costing almost nothing, to stop external entities from sending you internal-looking email.
What's interesting here is that this now helps the awareness campaigns they're running. Rather than teaching everyone to be suspicious of all email coming to them, they can tell them to be suspicious of anything with the [EXTERNAL] tag. How awesome is that? Obviously there are still limitations to this, but along the same lines you can do things like internal-only graphic headers and other interesting things.
I thought this was worth mentioning since many of you out there are spending a ton of time and energy worrying about external phishing attacks, which can spoof internal emails really closely. There are small things you can do, like Matt's organization did, to maximize the benefit without spending a dime. Does your messaging infrastructure allow you to prepend text to a subject line? Or maybe you can add something to every email that comes in from the external gateway that says, in bold letters, "This message was received from outside the organization" as the first line of every message? You don't need to buy a messaging gateway when you can do it pretty easily with any open-source email gateway...
I hope you find this advice interesting, and maybe something you can implement to combat the incredible amount of phishing activity going on lately. I'll be honest: there are times when even I am fooled by the brilliant forgeries that look exactly like legitimate messages from trusted sources... until you realize that the email from the administrative team asking you to change your password on a rarely-used HR system has come from outside the organization!
Good luck!
While it sounds like a simple solution, I think you'd have to put a few additional smarts in. For example, say joe@not-my-company.com sends me an E-mail with a subject line of "Subject". I see it as "[EXTERNAL] Subject". Joe is an important contact of mine, so I reply, and my mail program helpfully sets the subject line to "Re: [EXTERNAL] Subject". Joe might wonder about that, but he replies anyway, and I see his reply to my reply as "[EXTERNAL] Re: [EXTERNAL] Subject". A few more messages into the conversation, and you can see where this is headed.
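As an added example (not code from the post or from Matt's organization), here is a minimal gateway-side rule in Python that implements the [EXTERNAL] subject tag and the "received from outside the organization" banner described in the post, while normalizing reply chains so that "Re: [EXTERNAL] Subject" becomes "[EXTERNAL] Re: Subject" instead of stacking tags as the comment above describes. The internal domain list, the X-Gateway-Origin header name and the sample message are assumptions constructed for this example.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

TAG = "[EXTERNAL]"
BANNER = "This message was received from outside the organization."
# Constructed placeholder domains; a real gateway would load its own list.
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}
# A leading run of Re:/Fwd: markers and/or existing tags, in any order.
_PREFIX_RE = re.compile(r"^\s*(?:(?:re|fwd|fw)\s*:\s*|\[EXTERNAL\]\s*)+", re.IGNORECASE)

def is_external(envelope_sender: str) -> bool:
    """Classify by envelope (MAIL FROM) domain. The From: header is trivially
    forged, so a production gateway keys on the listener the mail arrived on."""
    _, addr = parseaddr(envelope_sender)
    return addr.rpartition("@")[2].lower() not in INTERNAL_DOMAINS

def tag_subject(subject: str) -> str:
    """Return the subject with exactly one leading tag, so a reply chain yields
    '[EXTERNAL] Re: Subject' rather than '[EXTERNAL] Re: [EXTERNAL] Subject'."""
    subject = str(subject or "")
    m = _PREFIX_RE.match(subject)
    prefixes = m.group(0) if m else ""
    rest = subject[len(prefixes):]
    # Keep the Re:/Fwd: markers, drop any tags already present in the prefix run.
    markers = re.sub(r"\[EXTERNAL\]\s*", "", prefixes, flags=re.IGNORECASE).strip()
    return " ".join(p for p in (TAG, markers, rest) if p)

def tag_message(raw: str, envelope_sender: str) -> EmailMessage:
    """Apply the gateway rule to one message: tag the subject, add a header that
    client-side rules can match, and put the banner on top of plain-text bodies."""
    msg = message_from_string(raw, policy=policy.default)
    if not is_external(envelope_sender):
        return msg
    new_subject = tag_subject(msg.get("Subject", ""))
    del msg["Subject"]
    msg["Subject"] = new_subject
    msg["X-Gateway-Origin"] = "external"  # assumed header name for this example
    if msg.get_content_type() == "text/plain":
        text = msg.get_content()
        msg.clear_content()
        msg.set_content(BANNER + "\n\n" + text)
    return msg

# Constructed sample: a reply that a naive tagger would turn into "[EXTERNAL] Re: [EXTERNAL] Subject".
SAMPLE_RAW = ("From: Joe <joe@not-my-company.com>\nTo: me@example.com\n"
              "Subject: Re: [EXTERNAL] Subject\n\nThanks, see attached.\n")
```

Multipart bodies are left untouched here; a real deployment would insert the banner into each text part or rely on the header and subject tag alone.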
How common is it to start tuning out stuff we see all the time, but isn't important to us? It's safe to assume that employees at this company will quickly grow accustomed to seeing "EXTERNAL" on many emails, and will subconsciously tune it out. I'm this way with Internet ads -- I don't even see them anymore, but they are on almost every site I visit.
Combining this approach with a consistent and effective security awareness messaging might produce better results, but the long term ROI of traditional security awareness efforts is pretty dismal. We find that dynamic training, presented to the end user when they click on a phishing email is the only effective way to achieve a quantifiable change in end user behavior.
The right message is delivered to the person who needs it at the time they need it the most -- when they are getting "compromised". Establishing an on-going program of continuous phishing simulations has proven to reduce end users from clicking on phishing emails at rates of up to 70% -- down to less than 5%.
Couple of things. One: saying 'don't quote me' lends artificial authority (social engineering).
Two: that line of code, 'if external, put external in subject line', should be an option in an Outlook/browser/etc. app.
I think this was a creative approach and it got the ball rolling for this organization. Quantifying the potential cost to the business, justifying budget, securing the OPEX to actually make use of a purchase, and suffering analysis paralysis are uphill battles we're all painfully aware of. No doubt this approach will need refinement, but at least he got started.