---
title: "Telling users to ‘avoid clicking bad links’ isn’t working"
date: 2022-12-28T16:03:00+02:00
draft: false
tags: ["infosec","breach","email","encryption"]
author: "9x0rg"
hidemeta: false
ShowReadingTime: true
ShowPostNavLinks: true
showtoc: false
cover:
    image: ""
    alt: ""
    caption: ""
---

By **David C**, Technical Director for Platforms Research and Principal Architect, [NCSC](https://www.ncsc.gov.uk/blog-post/telling-users-to-avoid-clicking-bad-links-still-isnt-working) (UK)

### Infosec tenets simply don’t work

*Why organisations should avoid ‘blame and fear’, and instead use technical measures to manage the threat from phishing.*

Advising users not to click on bad links doesn't work: users frequently need to click on links from unfamiliar domains to do their job, and being able to spot a phish is **not** their job.

### Mitigating credential theft for organisational services

- mitigate the threat of credential theft by mandating [strong authentication](https://www.ncsc.gov.uk/collection/device-security-guidance/infrastructure/enterprise-authentication-policy) across your services, such as device-based passwordless authentication with a FIDO token
- set up [multi-factor authentication](https://www.ncsc.gov.uk/guidance/multi-factor-authentication-online-services) (MFA)

### Mitigating malicious downloads through defence in depth

**Implementing enterprise-level actions can greatly reduce the chance of successful attacks on your network.**
**Preventing delivery of phishing email**:

- use email scanning and web proxies to help remove some threats before they arrive
- [DMARC](https://www.ncsc.gov.uk/collection/email-security-and-anti-spoofing/implement-a-dmarc-policy-of-none) and [SPF policies](https://www.ncsc.gov.uk/collection/email-security-and-anti-spoofing/create-and-iterate-an-spf-record) can significantly reduce delivery of [spoofed emails](https://www.ncsc.gov.uk/collection/email-security-and-anti-spoofing) to users

**Preventing execution of initial code**:

- put in place *allow-listing* to make sure that executables can't run from any directory to which a user can write
- for anything not covered by *allow-listing*, use registry settings to ensure that dangerous scripting or file types are opened in Notepad and not executed; for PowerShell, you can minimise risk by using PowerShell constrained language mode and script signing
- disable the [mounting of .iso files on user endpoints](https://gist.github.com/wdormann/fca29e0dcda8b5c0472e73e10c78c3e7)
- make sure that macro settings are locked down (see the NCSC's [guidance on macro security](https://www.ncsc.gov.uk/guidance/macro-security-for-microsoft-office)) and that only users who absolutely need them, and are trained on the risks they present, can use them
- enable [attack surface reduction rules](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide)
- ensure you update third-party software, such as PDF readers, or even better, use a browser to open such files
- keep up to date with current threats with wider reading about any new attack vectors emerging

**Preventing further harm**:

- *allow-listing* is again a powerful way to prevent further harm once a malicious file is opened
- DNS filtering tools, such as PDNS (for UK public sector and also the [private sector](https://www.ncsc.gov.uk/guidance/protective-dns-for-private-sector)), can block suspicious connections and prevent many early-stage attacks
- organisations can also carry out endpoint detection and response (EDR) and monitoring to look for suspicious behaviour on hosts

Source: [National Cyber Security Center](https://www.ncsc.gov.uk/blog-post/telling-users-to-avoid-clicking-bad-links-still-isnt-working) (UK)
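What the "DMARC and SPF policies" bullet under *Preventing delivery of phishing email* looks like in DNS, as an added example that is not part of the NCSC post: an SPF record listing the authorised senders, the "policy of none" DMARC record the NCSC guidance starts with, and the enforcing record to iterate towards. The domain `example.com`, the sending host `203.0.113.10`, the bulk-mail provider's include and the reporting mailbox are all constructed for illustration.

```dns
; Constructed example zone fragment for example.com (added here, not from the NCSC post).

; SPF: only the zone's MX hosts, one fixed IP and a bulk-mail provider may send as example.com.
; Use "~all" (softfail) while you are still discovering legitimate senders from DMARC reports,
; then switch to "-all" (hard fail) once the list is complete.
example.com.        IN TXT "v=spf1 mx ip4:203.0.113.10 include:_spf.bulkmailer.example -all"

; DMARC step 1: policy of none. Nothing is blocked yet; receivers send aggregate (rua) reports
; showing which sources send mail with an example.com From: address and whether it aligns with
; a passing SPF or DKIM result. Only ONE _dmarc TXT record may exist at a time.
_dmarc.example.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

; DMARC step 2: replace the record above once every legitimate source passes and aligns.
; p=reject tells receivers to refuse mail whose From: domain is not aligned with a passing
; SPF or DKIM identifier, which is what stops a spoofed From: header; sp=reject covers
; subdomains; pct lets you ramp enforcement up from a small percentage to 100.
_dmarc.example.com. IN TXT "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com"
```

After publishing, confirm what receivers will see with `dig +short TXT _dmarc.example.com` and `dig +short TXT example.com`; a second `_dmarc` record, or an SPF record that needs more than 10 DNS lookups to evaluate, causes a permanent error and the policy is ignored.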
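The endpoint steps in the *Preventing execution of initial code* list, collected into one script for a single Windows host, as an added example that is not code from the NCSC post or the linked gist. It assumes Office 2016/Microsoft 365 (policy keys under version 16.0) and a Microsoft Defender endpoint; the ProgIDs, policy values and ASR rule IDs are taken from Microsoft's public documentation, the ISO change follows the approach in the linked gist, and allow-listing is left out because it needs an AppLocker or WDAC policy of its own. Treat it as a pilot-group script; in a managed estate push the same values with Group Policy or Intune.

```powershell
# Added example (not from the NCSC post): endpoint hardening for one Windows 10/11 host.
# Run elevated and test on a pilot group first. Allow-listing (AppLocker/WDAC) is not
# covered here and remains the first control in the list.
#Requires -RunAsAdministrator

$ErrorActionPreference = 'Stop'

# 1. Open dangerous script file types in Notepad instead of executing them.
#    These are the ProgIDs Windows uses for Windows Script Host files and HTA files;
#    rewriting their Open command means a double-clicked .js or .vbs shows its source.
$notepad = "$env:SystemRoot\System32\notepad.exe"
$scriptProgIds = 'JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile', 'WSHFile', 'htafile'
foreach ($progId in $scriptProgIds) {
    $key = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
    if (Test-Path $key) {
        Set-ItemProperty -Path $key -Name '(default)' -Value "`"$notepad`" `"%1`""
    }
}

# 2. PowerShell: require signed scripts. Constrained Language Mode is enforced by an
#    application-control policy (WDAC/AppLocker) rather than a single setting, so only
#    report which mode this session is in.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force
Write-Host "PowerShell language mode: $($ExecutionContext.SessionState.LanguageMode)"

# 3. Disable double-click mounting of .iso (and .vhd/.vhdx) files. An empty
#    ProgrammaticAccessOnly value hides the 'Mount' verb from Explorer, so an ISO
#    attached to a phishing mail is not opened as a drive letter.
foreach ($progId in 'Windows.IsoFile', 'Windows.VhdFile') {
    $mountKey = "HKLM:\SOFTWARE\Classes\$progId\shell\mount"
    if (Test-Path $mountKey) {
        New-ItemProperty -Path $mountKey -Name 'ProgrammaticAccessOnly' -Value '' `
            -PropertyType String -Force | Out-Null
    }
}

# 4. Lock down Office macros via policy keys. VBAWarnings=4 disables all macros without
#    notification (use 3, "signed macros only", for the trained group that needs them);
#    blockcontentexecutionfrominternet=1 blocks macros in files carrying the Mark of the Web
#    whatever the user chooses in Trust Center. HKCU policy keys apply to the current user;
#    deploy by GPO for everyone else.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $secKey = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $secKey -Force | Out-Null
    Set-ItemProperty -Path $secKey -Name 'VBAWarnings' -Value 4 -Type DWord
    Set-ItemProperty -Path $secKey -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
}

# 5. Attack surface reduction rules (Microsoft Defender). Rule IDs are from Microsoft's
#    ASR reference; check them against the current list. Start in AuditMode so the
#    Defender event log shows what would have been blocked, then change to Enabled.
$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
}
foreach ($id in $asrRules.Keys) {
    Write-Host "ASR audit: $($asrRules[$id])"
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
}

# 6. Report the resulting state so the change can be verified (and reverted if needed).
[pscustomobject]@{
    ExecutionPolicy = Get-ExecutionPolicy -Scope LocalMachine
    AsrRuleIds      = (Get-MpPreference).AttackSurfaceReductionRules_Ids
    JsOpenCommand   = (Get-ItemProperty 'HKLM:\SOFTWARE\Classes\JSFile\Shell\Open\Command').'(default)'
    IsoMountHidden  = Test-Path 'HKLM:\SOFTWARE\Classes\Windows.IsoFile\shell\mount' -PathType Container
} | Format-List
```

A user can still override the HKLM file associations with a per-user entry under `HKCU:\SOFTWARE\Classes`, which is why the list pairs this step with allow-listing: the registry change stops the accidental double-click, the allow-list stops the deliberate bypass.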