We're living in the age of DevSecOps, which means that everyone on the IT team must contribute to IT security. Security is no longer the realm of security specialists alone. What does that mean in practice? To take one example, consider phishing, a form of cyberattack that is becoming more and more prevalent. For organizations that have embraced DevSecOps, fighting phishing is the responsibility of the entire IT team.
With that reality in mind, here's a primer on what IT pros can do to help stop phishing, even if they don't specialize in security. As we'll see, because IT admins play a key role in protecting phishing attacks from reaching end users, it's only with their help that organizations can embrace DevSecOps and stop phishing attacks in their tracks.
Types of Modern Phishing Attacks
The first step in fighting phishing today is to recognize the kinds of phishing attacks that pose the greatest threat.
In phishing's early days, phishing was limited to email attacks that attempted to trick recipients into giving away sensitive information or downloading malware onto their computers.
Although email phishing still happens today, phishing can come in many additional forms as well:
- Website phishing or spoofing, wherein attackers create fake websites designed to look like legitimate ones
- Domain phishing, which involves creating domain names or subdomain names that resemble those of legitimate sites. This type of phishing attack is often used in conjunction with website phishing.
- Smishing, which uses SMS messages to solicit sensitive information from targets or entice them to open malicious links
- Vishing, which uses voicemail as the attack vector
- Spear phishing, which refers to any type of phishing attack that targets a specific individual or small group, as opposed to a broad attack aimed at a large number of users
- Whaling, a type of spear phishing attack that targets high-profile individuals, like CEOs.
This is not an exhaustive list of the types of phishing attacks that IT pros (and the end users they support) must contend with today. But it highlights the ways in which phishing has grown more sophisticated during the past several years. Gone are the days when scanning email for signs of generic phishing attacks sufficed for insulating end users from phishing.
Best Practices for Fighting Phishing
How can IT engineers contribute to DevSecOps by heading off these types of attacks? Here's a list of common strategies.
1. Educate end users about phishing.
Most IT pros know it’s important to educate end users about how to identify a phishing attack and how to respond. The challenge is figuring out how to deliver that education effectively. In many cases, you can’t count on end users to read through long anti-phishing emails, much less show up to a seminar about fighting phishing.
For that reason, be realistic with your anti-phishing education program. If you educate end users by sending them emails about phishing attacks, keep those emails short and sweet. Another way to deliver quick and effective education is to build some kind of short anti-phishing training into your company’s onboarding process for new employees.
With that said, when you educate end users about phishing, don’t try to teach them the ins and outs of how phishing works. Instead, give them easy-to-digest pointers about recognizing phishing, such as looking for bad grammar or messages that urge recipients to do something right away. And let end users know that phishing attacks can come in many forms beyond email messages.
2. Make an anti-phishing support channel available.
When your end users suspect they may have received a phishing attack, they need to be able to contact IT support and get quick guidance. If a phishing report goes unanswered for hours or days, you miss out on a crucial opportunity to nip a phishing attack in the bud. Delays also increase the chances that end users will become fed up with waiting for help, and will go ahead and click a malicious link that they think might be legitimate.
For this reason, consider setting up a dedicated support channel (such as a special email address or phone number that users can contact) just for reporting phishing-related incidents. And make sure the IT staff who respond to that channel are well qualified in dealing with phishing attacks.
Doing these things will help to ensure that end users who may have been targeted by phishers will not have to wait for a generic IT support request to work its way through the system before they receive guidance on how to proceed.
3. Identify (and block) spoofed websites and domains.
It’s easy for attackers to spoof websites or domains to carry out phishing attacks. Fortunately, because this type of spoofing usually follows the same patterns, it is also relatively easy for software tools to detect these attacks.
You don’t need a state-of-the-art AI algorithm to recognize that a domain name like googgle.com that was registered a month ago by an unknown entity may be illegitimate. (That’s not a real-world case of phishing, but it’s a basic example of what a spoofed domain might look like.) Crowdsourcing is another effective way to identify spoofed websites and add them to blacklists.
Various IT security vendors offer tools that can monitor network traffic and detect attempts to visit domains or sites that may be spoofed. They can also automatically block those sites so that your users can’t be tricked by them.
Requiring website encryption and valid certificates for websites within your network is another way to help prevent end users from being exposed to spoofed sites or domains.
4. Back up data.
There are 1,000 reasons (if not more) why it’s important to keep data backed up. But in case you need another one, consider phishing. If your end users suffer a phishing that successfully tricks them into installing malware on their systems, having a data backup that you can use to roll them back to a clean state is critical.
Backing up data won’t actually help to prevent phishing, but it goes a long toward responding to (and recovering from) successful phishing attacks.
There is no way to prevent phishing entirely. Nor can you predict with certainty which types of phishing tricks attackers will try next in an effort to evade the anti-phishing measures that organizations have in place. But given the right mix of tools and strategies, IT professionals can minimize the chances that a phishing attack will be successfully carried out against their end users. In so doing, they can also reinforce DevSecOps best practices by making security a central part of other IT management processes.