Sometimes, the best conversations start with "Who wants to go running tomorrow morning at 6am before the conference?"
Today was one of those days: I woke up in a foreign city, several time zones away from home, at 5am local time to go for a run with fellow information security friends, and the end result was a lot more than I bargained for. This morning my friend Phil convinced me to go running here in Disneyland at ISSA International... and I'm so glad I did.
We started talking about pragmatic security, and "Matt" (who will not be further identified, since he asked not to be) got us talking about practical approaches to phishing. Matt's organization has taken an approach to combating phishing that I had never heard of before...
Every message that enters Matt's organization through the external mail gateway has an [EXTERNAL] tag prepended to its subject line. What a clever way, at almost no cost, to keep external senders from passing their mail off as internal.
What's interesting is that this also helps the awareness campaigns they're running. Rather than teaching everyone to be suspicious of all email that reaches them, they can tell people to be suspicious of anything carrying the [EXTERNAL] tag. How awesome is that? Obviously there are still limitations to this, but along the same lines you can do things like internal-only graphic headers and other interesting tricks.
I thought this was worth mentioning because many of you are spending a ton of time and energy worrying about external phishing attacks that can spoof internal email very closely, while there are small things, like what Matt's organization did, that maximize the benefit without spending a dime. Does your messaging infrastructure let you prepend text to the subject line? Or could you add a line to every email arriving from the external gateway that says, in bold letters, "This message was received from outside the organization" as the first line of the message body? You don't need to buy a messaging gateway when you can do this fairly easily with any open-source email gateway...
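Here is what that gateway step looks like in code. This is an added example, not Matt's gateway configuration or anything from the post's author: it parses an inbound message, prepends the [EXTERNAL] tag to the subject exactly once (so replies that already carry it are not tagged again), puts the "received from outside the organization" banner at the top of the plain-text body, and sets a marker header for downstream filters. The header name `X-Mail-Origin`, the `arrived_on_external_gateway` flag and all addresses and domains are assumptions constructed for the example.

```python
"""Gateway-side tagging of inbound mail. Added example, not Matt's gateway
configuration. Prepends [EXTERNAL] to the Subject, adds a banner line at the
top of the text body and sets a marker header downstream rules can key on.
All addresses, domains and the header name below are constructed."""
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

TAG = "[EXTERNAL]"
BANNER = "This message was received from outside the organization."
ORIGIN_HEADER = "X-Mail-Origin"  # hypothetical header name for downstream filters

# Matches subjects that already carry the tag, also behind Re:/Fw:/Fwd: prefixes,
# so a reply that passes through the gateway again is not tagged twice.
_ALREADY_TAGGED = re.compile(r"^\s*(?:(?:re|fwd?)\s*:\s*)*\[external\]", re.IGNORECASE)


def tag_subject(subject: str) -> str:
    """Return the subject with TAG prepended exactly once."""
    if _ALREADY_TAGGED.match(subject):
        return subject
    return f"{TAG} {subject}".rstrip()


def tag_message(raw: bytes, arrived_on_external_gateway: bool) -> EmailMessage:
    """Parse a raw RFC 5322 message and tag it if it came in from outside.

    The decision is driven by which gateway accepted the message (modelled here
    as a flag the caller sets), never by the From: header, which the sender
    controls. Any pre-existing ORIGIN_HEADER is dropped so an outside sender
    cannot pre-set it to make the message look internal.
    """
    msg = message_from_bytes(raw, policy=default)
    del msg[ORIGIN_HEADER]
    if not arrived_on_external_gateway:
        return msg

    msg[ORIGIN_HEADER] = "external"

    subject = str(msg.get("Subject", ""))
    del msg["Subject"]
    msg["Subject"] = tag_subject(subject)

    # Put the banner at the top of the plain-text body (the message itself for a
    # single-part mail, or its text/plain part for multipart); attachments and
    # other parts are left untouched.
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        body.set_content(f"{BANNER}\n\n{body.get_content()}")
    return msg


# Constructed sample: a single-part message as it would arrive from outside,
# with a forged marker header that must be stripped.
SAMPLE_INBOUND = (
    b"From: HR Team <hr-team@hr-portal-example.invalid>\n"
    b"To: staff@example.com\n"
    b"Subject: Password reset required\n"
    b"X-Mail-Origin: internal\n"
    b"Content-Type: text/plain; charset=utf-8\n"
    b"\n"
    b"Please reset your password at the HR portal today.\n"
)


def constructed_multipart() -> bytes:
    """Constructed sample: a reply that already carries the tag, with an attachment."""
    m = EmailMessage()
    m["From"] = "HR Team <hr-team@hr-portal-example.invalid>"
    m["To"] = "staff@example.com"
    m["Subject"] = "Re: [EXTERNAL] Action required: password update"
    m.set_content("Please update your password using the attached instructions.")
    m.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                     subtype="pdf", filename="instructions.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    print(tag_message(SAMPLE_INBOUND, arrived_on_external_gateway=True).as_string())
```

In a real deployment this logic lives in the gateway's own header-rewriting facility rather than a script, but the two points worth carrying over are the ones the code makes explicit: the "external" decision comes from which listener accepted the message, not from any header the sender wrote, and the rewrite is idempotent so internal/external reply threads do not accumulate tags. The tag is one signal, not a verdict: mail sent from a compromised internal account never passes the external gateway and will not be tagged.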
I hope you find this advice useful, and perhaps something you can implement to combat the incredible amount of phishing activity going on lately. I'll be honest: there are times when even I am fooled by brilliant forgeries that look exactly like legitimate messages from trusted sources... until I realize that the email from the administrative team asking me to change my password on a rarely-used HR system came from outside the organization!