Is there an answer to phishing?

4 02 2012

Social engineering, and phishing in particular, presents a very difficult challenge for security professionals and administrators alike. It is much easier, technically speaking, to compromise user accounts and possibly computer systems using a phishing attack than with other forms of penetration. In fact, it is not only easier but also quite effective. The mere fact that phishing continues to happen in massive amounts testifies that it works. One example is a recent targeted attack this past December on military personnel [1]. Having been an email administrator myself for several years, I have seen its effectiveness. As several of our users gave in to the phishing schemes, we continued to be targeted.

This attack became a very difficult and annoying challenge to resolve. It is difficult to detect, if not impossible, and a huge pain to recover from. Unfortunately, email has been a highly effective medium for social engineering because it allows someone to easily spoof the sender email address. To combat this, the SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) specifications were introduced. They allow receiving domains to authenticate email by verifying whether the sender is a legitimate source. However, there has not been one universally accepted specification to allow widespread adoption. Additionally, complex email domain setups and a lack of communication between sending and receiving domains as to what should happen to a non-authenticated email have decreased their effectiveness [2]. The proposed answer to this is DMARC.

DMARC is a proposed new standard that is supported by a group of big-name companies, such as AOL, Google, Yahoo, Microsoft, Bank of America, and PayPal [3]. This new standard builds on existing technologies such as SPF and DKIM while introducing a reporting feature that allows senders to review email authentication results at receiving domains. These enhancements to existing email security technology, along with the support of the biggest email providers on the internet, are definitely a huge step forward in email security. Having a common standard for email authentication will enable widespread adoption, making it effective against many phishing attacks. Can this be the answer to phishing? The chair of DMARC and PayPal Senior Manager, Brett McDowell, acknowledges that fully authenticated email will not stop email fraud [4]. This is very true. DMARC will certainly help, but it cannot provide complete protection. With DMARC fully in place, attackers could not use the real domain names in their phishing emails, but they could continue to use their own registered domain names while using spoofed display names. People are easily fooled by the content of the email body alone, regardless of the sender email. This has been my experience. Attackers can use some alternative domain they own, or a legitimate Yahoo account, to do their phishing, and it will bypass DMARC.
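To make the limitation described above concrete, here is a small model of how a receiving mail server evaluates DMARC. This is an added example written for this post, not code from the DMARC project or any mail server. It assumes a constructed in-memory table in place of the real DNS lookup of the `_dmarc.<domain>` TXT record, a crude two-label "organizational domain" in place of the Public Suffix List, and three constructed messages: a direct spoof of a protected domain, a lookalike domain registered by the attacker, and a free-mail account at a legitimate provider. Only the first one is stopped by the published policy.

```python
"""
Added example (not from the original post): a minimal model of how a
receiving mail server applies DMARC to the RFC5322.From domain, using the
SPF and DKIM results it already has. Simplified on purpose: real receivers
fetch the record over DNS, handle sp=, pct= and fo=, and use the Public
Suffix List for organizational domains. All data below is constructed.
"""
import re
from dataclasses import dataclass

# Constructed stand-in for DNS TXT lookups of _dmarc.<domain>.
DMARC_DNS = {
    "example-bank.test": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example-bank.test",
    "mail-provider.test": "v=DMARC1; p=none; rua=mailto:reports@mail-provider.test",
}


def parse_dmarc_record(txt):
    """Parse 'tag=value; tag=value' into a dict and fill in protocol defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    tags.setdefault("p", "none")   # policy: none | quarantine | reject
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment unless 's'
    tags.setdefault("aspf", "r")   # relaxed SPF alignment unless 's'
    return tags


def org_domain(domain):
    """Crude organizational domain: the last two labels (real code uses the PSL)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(header_domain, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed needs the same org domain."""
    if mode == "s":
        return header_domain.lower() == auth_domain.lower()
    return org_domain(header_domain) == org_domain(auth_domain)


def from_domain(from_header):
    """Domain of the RFC5322.From address. The display name plays no part."""
    match = re.search(r"<([^>]+)>", from_header)
    addr = match.group(1) if match else from_header.strip()
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


@dataclass
class AuthResults:
    spf_pass: bool
    spf_domain: str    # domain SPF was evaluated against (MAIL FROM)
    dkim_pass: bool
    dkim_domain: str   # d= tag of a validated signature, "" if none


def evaluate_dmarc(from_header, auth, dns=DMARC_DNS):
    """Return (disposition, reason); disposition is pass, none, quarantine or reject."""
    hdr = from_domain(from_header)
    record_txt = dns.get(hdr)
    record = parse_dmarc_record(record_txt) if record_txt else None
    if record is None:
        return "none", "no DMARC record for %s" % hdr
    spf_ok = auth.spf_pass and aligned(hdr, auth.spf_domain, record["aspf"])
    dkim_ok = auth.dkim_pass and aligned(hdr, auth.dkim_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "aligned %s" % ("SPF" if spf_ok else "DKIM")
    return record["p"], "no aligned identifier for %s" % hdr


# Three constructed messages illustrating the post's point.
SAMPLES = [
    # 1. Direct spoof of the bank's real domain, sent from attacker infrastructure.
    ('"Example Bank" <alerts@example-bank.test>',
     AuthResults(True, "attacker-infra.test", False, "")),
    # 2. Lookalike domain the attacker registered; it publishes no DMARC record.
    ('"Example Bank Security" <alerts@examp1e-bank.test>',
     AuthResults(True, "examp1e-bank.test", True, "examp1e-bank.test")),
    # 3. Ordinary free-mail account with a bank-themed display name.
    ('"Example Bank" <support.examplebank@mail-provider.test>',
     AuthResults(True, "mail-provider.test", True, "mail-provider.test")),
]


def demo():
    """Dispositions for the three samples; only the first is stopped by DMARC."""
    return [evaluate_dmarc(hdr, auth)[0] for hdr, auth in SAMPLES]


if __name__ == "__main__":
    for (hdr, auth), outcome in zip(SAMPLES, demo()):
        print("%-60s -> %s" % (hdr, outcome))
```

Messages 2 and 3 are delivered with nothing for DMARC to object to, because the domain in the From header is either unprotected or genuinely authorized to send; the `rua=` address in the record only tells the protected domain's owner about message 1. That is exactly why content filtering and user training remain part of the answer.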

You could certainly come up with content filter rules to try to detect phishing emails that bypass DMARC. However, it would be difficult to catch everything this way, and it is not the best option since you risk blocking legitimate email. It seems that technology can compensate only so much for human weakness. People need to be educated. In a security guide, the Internet Security Alliance lists "Accountability and Training" as one of its top ten recommended practices. This basically states that users must be trained "in all policy topics" and in the consequences of violation [5]. This recommendation cannot be ignored as part of the answer to phishing. It is a must that people are educated about online fraud and phishing schemes to help prevent the remaining phishing attacks from entering the system. An organization must commit to training its users in security issues and continually reviewing that training. As good as this sounds, it is not so simple to get this message across to people. Some people just don't get it. In fact, my experience has shown me that regular announcements and headline messages at the login page still prove to be insufficient. Further, I have seen an individual fall twice to phishing after being taught the first time. Unfortunately, there is only so much we can do to stop phishing. User awareness is ultimately the key to reducing phishing attempts, since attackers will stop when their efforts are unfruitful.


[1] InformationWeek. "Aggressive Phishing Attack Targets Military Personnel", 12/28/2011.

[2] DMARC.

[3] DMARC.

[4] The Wall Street Journal. "Email Giants Move to Slash 'Phishing'", 01/30/2012.

[5] Internet Security Alliance. "Common Sense Guide for Senior Managers – Top Ten Recommended Information Security Practices", July 2002, p. 6.
