Ben's Book of the Month: Fighting Phishing: Everything You Can Do to Fight Social Engineering and Phishing


Posted on by Ben Rothke

Much of the encryption used today is based on the Advanced Encryption Standard (AES), selected by the National Institute of Standards and Technology (NIST) as the U.S. federal government standard. Besides being free to implement, it is extremely hard to break. 

After being in production for over 20 years, AES has been shown to be resistant to most attacks. But it is not immune to brute-force attacks. The downside to brute-force attacks against AES is that it takes time, a lot of time. It would take about a billion years for an array of supercomputers to brute force a single AES 128-bit encryption key. 

Moving to a 256-bit AES key, even if you had every computer within Amazon Web Services (AWS) working on the problem, it would take tens of billions of years to break. And that is for but a single key. Therefore, no one is using supercomputers in parallel to break AES keys. Parenthetically, if someone had that much computing power, it would be more profitable to mine Bitcoin.

Attackers wanting to breach systems who don’t want to wait billions of years have found something relatively easy and infinitely more cost-effective to launch successful attacks, and that is phishing. Phishing is sending emails claiming to be from a legitimate source to induce individuals to reveal personal information, such as passwords and credit card numbers. Phishing is prevalent, given that it is possible to send out tens of millions of emails for a pittance. And even with grammar and spelling mistakes, people still fall for them.

Any organization that does not have formal policies and processes to deal with phishing is placing itself at significant risk. In Fighting Phishing: Everything You Can Do to Fight Social Engineering and Phishing (Wiley), author Roger Grimes has written a practical and valuable piece on how to do that. Phishing and wrong-number text scams are brilliantly simple but highly effective attack vectors. In this very practical and actionable guide, Grimes details in depth what firms need to do to mount a fighting chance against phishing attacks.

Contrary to popular belief, wrong-number text scams and phishing attacks are not done by rogue hackers from their college dorms. Criminal gangs, often nation-state-supported, work within very well-organized and managed organizations to launch these often sophisticated attacks. Unless a firm has a comprehensive set of policies, awareness programs, and technical strategies to mount a defense against phishing, it will invariably be a victim.

Part one of the book is Introduction to Social Engineering Security, with parts two through four on Policies, Technical Defenses, and Creating a Great Security Awareness Program. In truth, only part one is about phishing, while the rest of the book can be applied to effective information security practices. The lesson is that a good phishing defense has to be built on a good foundation of effective information security controls.

An important topic the book details is what to do in the event of a successful phishing attack. Given the sophistication of many cybercriminal gangs, combined with the ineffective security programs at many firms, knowing what to do in the event of a successful phishing attack is paramount. Truth be told, most firms that don’t have effective anti-phishing controls in place will likely not have a clue what to do in the event of a successful phishing attack, so they are doubly punished.

Since phishing is a message-based attack, controls at that level are paramount. Part three on technical defenses provides a very detailed look at what firms can and should put in place to defend against phishing.

Protocols and email authentication methods such as Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and more are discussed in depth. There's no shortage of security tools firms can use to defend against phishing. The critical point is that deploying them requires proactive security. Don't wait for a successful phishing attack to put them in place. By then, it's far too late.

The Ponemon Institute reported in their 2021 Cost of Phishing study that the average cost of a business email compromise attack was close to $6 million. The cost of this book is $28. You do the math.

Any firm that does not have a defined program to deal with threats against phishing, email invoice fraud, and the like will invariably fall victim to these attacks. For those looking to have a fighting chance against these scourges and more, Fighting Phishing is an excellent guide to help.


Contributors
Ben Rothke

Senior Information Security Manager, Tapad
