---
title: "Telling users to ‘avoid clicking bad links’ isn’t working"
date: 2022-12-28T16:03:00+02:00
draft: false
tags: ["infosec","breach","email","encryption"]
author: "9x0rg"
hidemeta: false
ShowReadingTime: true
ShowPostNavLinks: true
showtoc: false
cover:
    image: "<image path/url>"
    alt: "<alt text>"
    caption: "<text>"
---
By **David C**, Technical Director for Platforms Research and Principal Architect, [NCSC](https://www.ncsc.gov.uk/blog-post/telling-users-to-avoid-clicking-bad-links-still-isnt-working) (UK)
### Infosec tenets simply don’t work

*Why organisations should avoid ‘blame and fear’, and instead use technical measures to manage the threat from phishing.*

Advising users not to click on bad links is not effective: users frequently need to click on links from unfamiliar domains to do their job, and being able to spot a phish is **not** their job.
### Mitigating credential theft for organisational services

- mitigate the threat of credential theft by mandating [strong authentication](https://www.ncsc.gov.uk/collection/device-security-guidance/infrastructure/enterprise-authentication-policy) across its services, such as device-based passwordless authentication with a FIDO token
- set up [multi-factor authentication](https://www.ncsc.gov.uk/guidance/multi-factor-authentication-online-services) (MFA)
### Mitigating malicious downloads through defence in depth

**Implementing enterprise-level actions can greatly reduce the chance of successful attacks on your network.**
**Preventing delivery of phishing email**:

- use email scanning and web proxies to help remove some threats before they arrive
- [DMARC](https://www.ncsc.gov.uk/collection/email-security-and-anti-spoofing/implement-a-dmarc-policy-of-none) and [SPF policies](https://www.ncsc.gov.uk/collection/email-security-and-anti-spoofing/create-and-iterate-an-spf-record) can significantly reduce delivery of [spoofed emails](https://www.ncsc.gov.uk/collection/email-security-and-anti-spoofing) to users
**Preventing execution of initial code**:

- put in place *allow-listing* to make sure that executables can't run from any directory to which a user can write
- for anything not covered by *allow-listing*, use registry settings to ensure that dangerous scripting or file types are opened in Notepad and not executed; for PowerShell, you can minimise risk by using PowerShell's Constrained Language mode and script signing
- disable the [mounting of .iso files on user endpoints](https://gist.github.com/wdormann/fca29e0dcda8b5c0472e73e10c78c3e7)
- make sure that macro settings are locked down (see the NCSC's [guidance on macro security](https://www.ncsc.gov.uk/guidance/macro-security-for-microsoft-office)) and that only users who absolutely need them – and are trained on the risks they present – can use them
- enable [attack surface reduction rules](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide)
- ensure you update third-party software, such as PDF readers, or even better, use a browser to open such files
- keep up to date with current threats with wider reading about any new attack vectors emerging
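An added example, not the NCSC's or this blog's code, of the first rule in the list above: a path-based allow-list evaluator that only permits executables under a few system-managed roots and denies anything in a user-writable location. The root list, the `C:\Windows\Temp` exception and the `evaluate_path` function are constructed for illustration. It normalises each path before comparing (collapsing `..` segments and forward slashes), which is the same check a real allow-list engine has to make, and it denies by default so UNC and relative paths never match a root by accident.

```python
"""Path-based allow-list check for executables on Windows-style paths.

Added illustration (not NCSC's or this blog's code): the roots and the
exception list below are constructed examples of the rule "executables
can't run from any directory a user can write".
"""
import ntpath
from typing import List, Tuple

# Directories that only administrators/installers can write to (constructed).
ALLOWED_ROOTS: List[str] = [
    r"C:\Program Files",
    r"C:\Program Files (x86)",
    r"C:\Windows",
]

# User-writable directories that sit *inside* an allowed root. They must be
# denied explicitly, otherwise the root rule would quietly cover them.
# Constructed list; a real deployment enumerates these from its own image.
WRITABLE_EXCEPTIONS: List[str] = [
    r"C:\Windows\Temp",
]


def _parts(path: str) -> List[str]:
    """Normalise a path (collapse '..', unify slashes) and split it into
    lower-cased components, so comparisons ignore case and traversal tricks."""
    normalised = ntpath.normpath(path)
    return [p for p in normalised.lower().split("\\") if p]


def _is_below(path: str, directory: str) -> bool:
    """True if `path` names something strictly inside `directory`."""
    p, d = _parts(path), _parts(directory)
    return len(p) > len(d) and p[: len(d)] == d


def evaluate_path(path: str) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for an executable at `path`."""
    # Exceptions are checked first so a writable subdirectory can never be
    # rescued by the broader root rule that contains it.
    for exc in WRITABLE_EXCEPTIONS:
        if _is_below(path, exc):
            return "deny", f"user-writable directory inside an allowed root: {exc}"
    for root in ALLOWED_ROOTS:
        if _is_below(path, root):
            return "allow", f"under allowed root {root}"
    # UNC shares, relative paths and user profile folders all land here.
    return "deny", "not under any allowed root (treated as user-writable)"


if __name__ == "__main__":
    # Constructed sample paths a launch policy might be asked about.
    for sample in [
        r"C:\Program Files\Vendor\app.exe",
        r"C:\Users\alice\Downloads\invoice.pdf.exe",
        r"C:\Program Files\..\Users\alice\AppData\Local\Temp\x.exe",
        "c:/windows/temp/tool.exe",
        r"C:\Windows\System32\notepad.exe",
    ]:
        decision, reason = evaluate_path(sample)
        print(f"{decision:5} {sample}  ({reason})")
```

The point of the exception list is the part that is easy to get wrong in a real deployment: a single "allow everything under `C:\Windows`" rule is only safe if every directory beneath it that standard users can write to is carved back out, so the evaluator checks those before it looks at the roots.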
**Preventing further harm**:

- *allow-listing* is again a powerful way to prevent further harm once a malicious file is opened
- DNS filtering tools, such as PDNS (for UK public sector and also the [private sector](https://www.ncsc.gov.uk/guidance/protective-dns-for-private-sector)) can block suspicious connections and prevent many early-stage attacks
- organisations can also carry out endpoint detection and response (EDR) and monitoring to look for suspicious behaviour on hosts
Source: [National Cyber Security Centre](https://www.ncsc.gov.uk/blog-post/telling-users-to-avoid-clicking-bad-links-still-isnt-working) (UK)