There are several technical methods of stealing passwords via malware or software vulnerabilities, but one of the most difficult to defend against is when users disclose their credentials unknowingly.

Yes, I am referring to phishing. Specifically, phishing that tricks users into accessing a fake website and entering their credentials.

We often see fake Gmail or Dropbox emails, and most users have the skills to deduce that those are classic phishing emails.

However, the lines get a little blurred when a phishing email seems to come from a work-related or other trusted source.

Imagine an email that claims to come from your IT department, inviting users to log into the new HR system. If standard communication practices and channels are in place, this announcement will likely seem odd. However, if that is not the case, this email may prompt users to, at least, click the link. And if the phishing site looks convincing enough, a trusting user may even enter his or her credentials. At that point, the damage is done.

So how can an organization defend against this method of phishing?

One of the best defenses is to implement 2-factor authentication wherever possible. If credentials are stolen, a second factor is required before an attacker can leverage those credentials. This will not stop an attacker from stealing credentials, but it may prevent an attacker from using them successfully.

Another important defense is to train users.

This allows users to practice the skills needed to spot phishing, and it gives the security team valuable insights into user behavior that a technical person might otherwise take for granted.

For instance, users may assume that the organization has filtering in place to prevent any malicious email from getting through, which simply isn’t true. Regardless of any high