---
title: "Telling users to avoid clicking bad links isn't working"
date: 2022-12-28T16:03:00+02:00
draft: false
tags: ["infosec","breach","email","encryption"]
author: "9x0rg"
hidemeta: false
ShowReadingTime: true
ShowPostNavLinks: true
showtoc: false
cover:
    image: "<image path/url>"
    alt: "<alt text>"
    caption: "<text>"
---
By **David C**, Technical Director for Platforms Research and Principal Architect - [NCSC](https://www.ncsc.gov.uk/blog-post/telling-users-to-avoid-clicking-bad-links-still-isnt-working) (UK)
### Infosec tenets simply don't work
*Why organisations should avoid blame and fear, and instead use technical measures to manage the threat from phishing.*
Advising users not to click on bad links is not working: users frequently need to click on links from unfamiliar domains to do their job, and being able to spot a phish is **not** their job.
### Mitigating credential theft for organisational services
- mitigate the threat of credential theft by mandating [strong authentication](https://www.ncsc.gov.uk/collection/device-security-guidance/infrastructure/enterprise-authentication-policy) across organisational services, such as device-based passwordless authentication with a FIDO token.
- set up [multi-factor authentication](https://www.ncsc.gov.uk/guidance/multi-factor-authentication-online-services) (MFA).
### Mitigating malicious downloads through defence in depth
**Implement enterprise-level actions to greatly reduce the chance of successful attacks on your network**.
**Preventing delivery of phishing email**:
- use email scanning and web proxies to help remove some threats before they arrive
- [DMARC](https://www.ncsc.gov.uk/collection/email-security-and-anti-spoofing/implement-a-dmarc-policy-of-none) and [SPF policies](https://www.ncsc.gov.uk/collection/email-security-and-anti-spoofing/create-and-iterate-an-spf-record) can significantly reduce delivery of [spoofed emails](https://www.ncsc.gov.uk/collection/email-security-and-anti-spoofing) to users
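
An SPF or DMARC record only reduces delivery of spoofed mail when it actually tells receivers to fail or act on unauthenticated senders. The following audit is an added example, not code from the NCSC post or this site; the function names are hypothetical and the records are constructed samples for the placeholder domain `example.org`:

```python
# Added example (not from the NCSC post). All DNS records are constructed.

def parse_dmarc(txt):
    """Return the tag/value pairs of a DMARC record, or None if invalid."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    return {k.strip().lower(): v.strip()
            for k, _, v in (p.partition("=") for p in parts[1:])}

def audit_dmarc(txt):
    """Findings for one DMARC record; an empty list means it enforces."""
    tags = parse_dmarc(txt)
    if tags is None:
        return ["no valid DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'missing'}: monitoring only, failing mail is still delivered")
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy covers only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua: aggregate reports are not collected")
    return findings

def audit_spf(txt):
    """Findings on how one SPF record treats senders it does not list."""
    terms = [t.lower() for t in txt.split()]
    if not terms or terms[0] != "v=spf1":
        return ["no valid SPF record"]
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?") == "all"]
    if not all_terms:
        if any(t.startswith("redirect=") for t in terms[1:]):
            return []  # verdict is delegated to the redirect target
        return ["no 'all' mechanism: unlisted senders get a neutral result"]
    if all_terms[0] in ("all", "+all"):
        return ["+all: every sender passes SPF"]
    if all_terms[0] == "?all":
        return ["?all: unlisted senders get a neutral result"]
    return []  # ~all (softfail) or -all (fail)

if __name__ == "__main__":
    samples = {  # constructed records for the placeholder domain example.org
        "_dmarc.example.org": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
        "example.org": "v=spf1 include:_spf.example.org ?all",
    }
    for name, txt in samples.items():
        audit = audit_dmarc if name.startswith("_dmarc.") else audit_spf
        print(name, audit(txt) or ["ok"])
```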
**Preventing execution of initial code**:
- put in place *allow-listing* to make sure that executables can't run from any directory to which a user can write,
- for anything not covered in *allow-listing*, use registry settings to ensure that dangerous scripting or file types are opened in Notepad and not executed; for PowerShell, you can minimise risk by using PowerShell constrained mode and script signing
- disable the [mounting of .iso files on user endpoints](https://gist.github.com/wdormann/fca29e0dcda8b5c0472e73e10c78c3e7)
- make sure that macro settings are locked down (see the NCSC's [guidance on macro security](https://www.ncsc.gov.uk/guidance/macro-security-for-microsoft-office)) and that only users who absolutely need them and are trained on the risks they present can use them
- enable [attack surface reduction rules](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide)
- ensure you update third-party software, such as PDF readers, or even better, use a browser to open such files
- keep up to date with current threats through wider reading about any newly emerging attack vectors
**Preventing further harm**:
- *allow-listing* is again a powerful way to prevent further harm once a malicious file is opened
- DNS filtering tools, such as PDNS (for UK public sector and also the [private sector](https://www.ncsc.gov.uk/guidance/protective-dns-for-private-sector)) can block suspicious connections and prevent many early-stage attacks
- organisations can also carry out endpoint detection and response (EDR) and monitoring to look for suspicious behaviour on hosts
Source: [National Cyber Security Centre](https://www.ncsc.gov.uk/blog-post/telling-users-to-avoid-clicking-bad-links-still-isnt-working) (UK)