Phishing – a hierarchy of measures for successful defense

Phishing is a popular tool for attackers. With parallels to occupational health and safety, this plague can be combated at various levels, comments Janis König.


(Image: Pixels Hunter/Shutterstock.com)

By Janis König
This article was originally published in German and has been automatically translated.

Matt Linton from Google recently published a very good article entitled "On Fire Drills and Phishing Tests", in which he compares today's phishing drills with earlier fire drills. But there is (fortunately!) more to the fight against phishing than training. To categorize all possible countermeasures, we can borrow the hierarchy of measures from occupational safety. It divides the tools into the levels of prevention, reduction, technical measures, administrative measures, training and personal protective equipment.

An opinion by Janis König

Janis König actually wanted to become a software archaeologist. At intcube, she now realizes her enthusiasm for cryptography, good processes and software architecture. She writes for iX about her ideas for better information security.

It is also well known that the further down we go in this hierarchy, the less effective the tools become. Against that background, it is depressing to note that the focus in many companies has become fixed entirely on training. But let's go through the individual levels. In email-based phishing incidents, completely avoiding the source of danger would mean doing away with (externally accessible) email. It's easy to dismiss this approach, but there are indeed some companies where I would question whether every employee really needs their own public email address. Admittedly, the growing use of cloud services makes such a restriction increasingly difficult (externally accessible email addresses are required for everything), but not impossible. But as soon as customer contact becomes necessary, that's the end of it, right?

Here, too, the remaining attack surface can be reduced. We all know, and hate, customer contact forms. From an anti-phishing point of view, however, they are great tools: they severely restrict the format of the data that is transmitted, make every contact visible to the whole support team, and make the channel controllable. Obviously, even this method cannot cover every use case, and a more interactive channel is often desired, especially in B2B contact. Microsoft Teams is slowly gaining acceptance here, even for B2B, and even if there is obviously room for improvement, it is also a way of limiting phishing.

We now come to technical measures, which can be rolled out across a company's infrastructure in a scalable manner: password policies, mail scanners, blocking suspicious attachments, in short, a veritable treasure trove for snake oil salesmen. Administrative measures would be structures within the organization that seek to reduce the impact of a phishing attack by having fixed processes for certain procedures, which hopefully intercept at least some of the classics.

And finally, personal protective equipment: technical measures that only work if they are operated correctly (and therefore presuppose successful training), such as flagging potentially dangerous content. These measures support training and can make it more effective, but they should not be a critical pillar of our security architecture.
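To make the difference between the two levels concrete, here is an added example that is not part of the article: a minimal mail-gateway policy in Python. The "technical measure" level quarantines messages with dangerous attachment types centrally, with no user decision involved; the "personal protective equipment" level only annotates the message (an "[EXTERNAL]" subject prefix, a note when the Reply-To domain differs from the sender) and leaves the decision to a trained reader. The internal domain, the blocked extension list and the three sample messages are constructed assumptions for the demo.

```python
import os
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import parseaddr

# Policy values are assumptions for this demo, not the article's recommendations.
INTERNAL_DOMAIN = "example.com"
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".iso"}


@dataclass
class Verdict:
    action: str                       # "deliver", "deliver-flagged" or "quarantine"
    subject: str                      # subject line as it would reach the mailbox
    reasons: list = field(default_factory=list)


def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def attachment_names(msg):
    """File names of all parts declared as attachments."""
    return [part.get_filename() or ""
            for part in msg.walk()
            if part.get_content_disposition() == "attachment"]


def evaluate(raw):
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    reasons = []

    # Level "technical measure": enforced centrally, the user never sees the mail.
    for name in attachment_names(msg):
        if os.path.splitext(name.lower())[1] in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked attachment type: {name}")
    if reasons:
        return Verdict("quarantine", subject, reasons)

    # Level "personal protective equipment": only flags, the trained reader decides.
    from_domain = domain_of(msg.get("From"))
    if from_domain != INTERNAL_DOMAIN:
        reasons.append("external sender")
        subject = "[EXTERNAL] " + subject
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"reply-to domain differs from sender: {reply_domain}")
    if reasons:
        return Verdict("deliver-flagged", subject, reasons)
    return Verdict("deliver", subject, reasons)


# Constructed sample messages (not real traffic).
SAMPLE_BLOCKED = """\
From: "Payroll" <payroll@example.com>
To: alice@example.com
Subject: Updated salary sheet
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached sheet.
--b1
Content-Type: application/octet-stream; name="salary.xlsx.exe"
Content-Disposition: attachment; filename="salary.xlsx.exe"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

SAMPLE_FLAGGED = """\
From: "IT Service Desk" <helpdesk@example-support.invalid>
Reply-To: reset@mailbox-verify.invalid
To: alice@example.com
Subject: Your password expires today
Content-Type: text/plain

Please confirm your account details.
"""

SAMPLE_CLEAN = """\
From: bob@example.com
To: alice@example.com
Subject: Lunch?
Content-Type: text/plain

Same place at noon?
"""

if __name__ == "__main__":
    for label, raw in [("blocked", SAMPLE_BLOCKED), ("flagged", SAMPLE_FLAGGED), ("clean", SAMPLE_CLEAN)]:
        v = evaluate(raw)
        print(f"{label:8} {v.action:16} {v.subject!r} {v.reasons}")
```

The point of the split is visible in `evaluate`: the quarantine branch returns before any user-facing annotation is applied, so the blocked case never depends on training, whereas the flagged case still reaches the mailbox and relies on the reader noticing the prefix and the Reply-To note.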

And yet the focus is always on people. We can't change them, even if we try to help them. It is easy to start at the bottom of the hierarchy. But if we want to combat the risk, we should tackle the phishing problem more fundamentally.

(pst)