
Throw users a line to thwart an email phishing attack

Phishing attacks are among the most common causes of data breaches in the enterprise. Here are three reasons why they keep succeeding.

Go beyond the fancy hack attacks you see on television shows and the highly unlikely (and overhyped) exploits to find the real security threat -- email phishing. Aside from compliance burdens and the lack of financial support for security, phishing is likely an organization's greatest security threat. Any given network is merely a click away from compromise. And it's happening all too often.

Many of the recent breaches, as well as some of the largest ones of all time, stem from phishing attacks using good old-fashioned email. No matter what you think of your Exchange system's security, there are three reasons why a phishing attack will ultimately create problems in your messaging environment. Watch out for these three common slip-ups and come up with a game plan for preventing an email phishing attack.

1. You're not aware of the warning signs. Seventy-three percent of organizations have a breach plan in place, according to a recent Ponemon Institute/Experian study on data breach preparedness. But I'm not convinced that most organizations would know when they've been hit by an email phishing attack. A lack of security controls and improper oversight go a long way toward facilitating successful phishing attacks.

It's even more basic than that. Many people don't know what normal is supposed to look like on the network. If you don't understand that fundamental aspect of your network, how are you going to know what something "bad" looks like? Furthermore, for every phishing email that's blocked or ignored, odds are high that several others got through the system. With all of the noise on the network, the variables involved in phishing attacks and the subsequent malware that may be downloaded, it can be virtually impossible to find and block or stop the attack once it's on your soil.

Tracking data breaches

Data breaches are a common occurrence, so it's important to know the extent of these breaches to learn how they could affect your Exchange setup. This website tracks breaches dating back to 2005 and includes details about the types of breaches that have occurred as well as the organizations that have been affected.

2. You don't have the proper technologies to detect or prevent an attack. Most organizations have a solid Exchange infrastructure. From system redundancy to messaging encryption and everything in between, the resiliency is often there. But resiliency is likely not the criminals' target in an email phishing attack. Instead, they're going after the lack of security controls in and around your endpoints, your Web access and your end users.

How can you better control this threat? Technologies such as identity and access management, data loss prevention and security information and event management (SIEM) are a great place to start. Even if you just stay current with the latest Windows OS, Web browser and third-party software updates, you can be well ahead of the phishing curve. However, if you're like many organizations that rely on traditional firewalls, content filtering, antivirus tools, and weak event logging and monitoring, you're a sitting duck for an attack.


3. Your user security awareness program stinks. I've yet to see a security awareness program that really stood out to help people learn. In fact, most programs aren't actual programs at all; they're likely annual email blasts sent to employees and a poster or two in the break rooms. The lack of management support for security has created a dangerous checkbox mentality. Going through the motions to satisfy an audit requirement won't cut it.

Meanwhile, your end users are just going through the motions so they can get their work done. They're not thinking about what they're doing because they've successfully done X, Y and Z tasks a thousand times. Yet this lack of situational awareness is exactly what gets people, large corporations and government agencies into trouble. You have to set end users up for success.

Stop cramming policies down your end users' throats that involve telling them what not to do; chances are that they're going to violate those policies anyway. Instead, take some time to help them improve their situational awareness. Show them how to properly do things with their email. You can do this using everyday examples (e.g., driving in cars and walking down the street) without having to bore them with techie stuff they don't get.

There's no secret element for solving the email phishing attack challenges you face, but you need to answer one question: Are you taking the proper steps to reduce your risk and minimize the impact if a phishing breach occurs? If you can't answer this in the positive, the integrity of your Exchange environment and the security of your network hang in the balance.

About the author:
Kevin Beaver has worked for himself for more than 11 years as an information security consultant, expert witness and professional speaker at Atlanta-based Principle Logic LLC. He specializes in performing independent security assessments revolving around information risk management, and is the author and co-author of many books, including The Practical Guide to HIPAA Privacy and Security Compliance and Hacking for Dummies.

Next Steps

This is part two in a series about how admins can learn from recent data breaches to protect their Exchange environments.

Part one covered some of the common causes of data breaches and how to recognize them.

Stay tuned for part three, which looks at layered security approaches for your organization.


What measures do you have in place to prevent phishing attacks in your Exchange setup?

Within my company we have a policy of what can be opened and what must be filtered through our Microsoft Exchange system. All employees must adhere to not opening unsolicited emails, anything not directly company related, and to avoid clicking on any links within the emails unless it originated from a proven client or within our employee-to-employee communications system. We have found these protocols to help with the Exchange setup against phishing attacks.

In addition to education, one approach we've taken to help minimize the impact of malicious links or phishing emails is to have people contact the service desk when they receive a suspicious email. The service desk can then work quickly with the information security and corporate communications teams to isolate the threat and inform the rest of the company of the potential threat. When combined with other security tools, this has proven successful (on more than one occasion) in identifying a risk and addressing it before anything happened.

Good article. However, sometimes, using examples or throwing out some ideas adds value to an article like this (for example, mentioning SANS Securing the Human training for your users, or perhaps some other applicable methods) and would take this article to the next level. Not just "good" - it would be "strategic" and cutting. Some articles pique my interest, I rush to read them, hoping for some fresh perspective and some real-world answers, steps and guides to help a situation. However, when I finish reading these gems, I often wonder how I can actually apply what I have read.

I'd be curious as to the percentage of phishing attacks in the corporate environment vs. personal/home environment. It does not really matter how many times you tell users not to do something, somebody always thinks "That's for the other people, not me". In today's world it seems inevitable that no matter how hard we try and safeguard our systems, someone will always be trying to poke their nose where it does not belong.

I think encouraging a three-tiered email system would be helpful. For me, that means a business email system (that is tightly limited to work and just work, and internal email almost exclusively), a personal email system (again, limited to one-on-one communications where possible) and an "open boundaries" email system, where group interactions, social media communications, etc. take place. This way, the odds of being phished are greatly reduced, and focused on a single domain. Again, to make a system like this work, organizations need to teach their users more about phishing and hacking, not just a rubber stamp saying "well, we told our users what not to do".

Sorry you didn't find this piece terribly valuable, digidwain. I wrote it with that very goal in mind. I strongly believe that most IT/security programs are deficient in these areas. As humans we're always looking for that magical answer to solve our problems. I've found that to be an elusive goal. Instead, making small tweaks here and there is usually the best way to achieve success in your existing program and efforts. I'm confident that if you look deeply enough - with as much of an unbiased and fresh perspective as possible - you'll find some room for improvements taking these points into consideration.

ToddN2000 - great point. The phishing risk at home certainly creates risk for the enterprise!

I like your idea Michael. It's one of those ideal scenarios that could really help solve the challenges we face. Given the complexities and ingrained "we've always done it this way, what do you mean we have to change how we communicate!?", I don't think it'll work. Maybe the social media bigots' predictions will eventually come true and email will die off. Not to worry, the criminal hackers are already phishing in that sea. :-)