---
title: "Telling users to ‘avoid clicking bad links’ isn’t working"
date: 2022-12-28T16:03:00+02:00
draft: false
tags: ["infosec","breach","email","encryption"]
author: "9x0rg"
hidemeta: false
ShowReadingTime: true
ShowPostNavLinks: true
showtoc: false
cover:
    image: "<image path/url>"
    alt: "<alt text>"
    caption: "<text>"
---

By **David C**, Technical Director for Platforms Research and Principal Architect, [NCSC](https://www.ncsc.gov.uk/blog-post/telling-users-to-avoid-clicking-bad-links-still-isnt-working) (UK)

### Infosec tenets simply don’t work

*Why organisations should avoid ‘blame and fear’, and instead use technical measures to manage the threat from phishing.*

Advising users not to click on bad links does not work: users frequently need to click on links from unfamiliar domains to do their job, and being able to spot a phish is **not** their job.

### Mitigating credential theft for organisational services

- mitigate the threat of credential theft by mandating [strong authentication](https://www.ncsc.gov.uk/collection/device-security-guidance/infrastructure/enterprise-authentication-policy) across its services, such as device-based passwordless authentication with a FIDO token
- set up [multi-factor authentication](https://www.ncsc.gov.uk/guidance/multi-factor-authentication-online-services) (MFA)

### Mitigating malicious downloads through defence in depth

**Implementing enterprise-level actions can greatly reduce the chance of successful attacks on your network.**

**Preventing delivery of phishing email**:

- use email scanning and web proxies to help remove some threats before they arrive
- [DMARC](https://www.ncsc.gov.uk/collection/email-security-and-anti-spoofing/implement-a-dmarc-policy-of-none) and [SPF policies](https://www.ncsc.gov.uk/collection/email-security-and-anti-spoofing/create-and-iterate-an-spf-record) can significantly reduce delivery of [spoofed emails](https://www.ncsc.gov.uk/collection/email-security-and-anti-spoofing) to users
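Whether SPF and DMARC actually reduce delivery of spoofed mail depends on the policy strength the records publish: an SPF record ending in `+all` or `?all`, or a DMARC record with `p=none`, reports on spoofing but does not stop it. The script below is an added example, not code from the NCSC post, that rates a pair of records on that basis. The record strings and the two `.example` domains are constructed for illustration; on Windows the same functions can be fed live records fetched with `Resolve-DnsName`.

```powershell
# Added example (not from the NCSC post): rate a domain's published SPF and DMARC
# records by how much they actually reduce delivery of spoofed mail. Records are
# passed in as strings so the logic runs offline; the samples at the bottom are
# constructed for illustration and are not any real domain's records.

function Get-SpfAssessment {
    param([Parameter(Mandatory)][string]$Record)

    if ($Record -notmatch '^v=spf1(\s|$)') {
        return [pscustomobject]@{ Present = $false; AllMechanism = $null; Enforcing = $false; Note = 'No valid SPF record' }
    }
    # The "all" mechanism decides what receivers do with senders the record does not list.
    $all = $Record -split '\s+' | Where-Object { $_ -match '^[-~?+]?all$' } | Select-Object -Last 1
    if (-not $all) { $all = '?all' }   # no "all" mechanism evaluates as neutral (RFC 7208)
    $enforcing = $all -in @('-all', '~all')
    $note = switch ($all) {
        '-all'  { 'Hard fail: unlisted senders are rejected or flagged' }
        '~all'  { 'Soft fail: unlisted senders are marked; relies on DMARC to act' }
        '?all'  { 'Neutral: provides no protection against spoofing' }
        default { 'Pass-all: spoofed mail passes SPF' }
    }
    [pscustomobject]@{ Present = $true; AllMechanism = $all; Enforcing = $enforcing; Note = $note }
}

function Get-DmarcAssessment {
    param([Parameter(Mandatory)][string]$Record)

    if ($Record -notmatch '^v=DMARC1\s*;') {
        return [pscustomobject]@{ Present = $false; Policy = $null; Percent = 0; Enforcing = $false; Note = 'No valid DMARC record' }
    }
    # DMARC records are "tag=value" pairs separated by semicolons.
    $tags = @{}
    foreach ($pair in ($Record -split ';')) {
        if ($pair -match '^\s*([a-z]+)\s*=\s*(.+?)\s*$') { $tags[$Matches[1]] = $Matches[2] }
    }
    $policy  = if ($tags['p'])   { $tags['p'].ToLower() } else { 'none' }
    $percent = if ($tags['pct']) { [int]$tags['pct'] }   else { 100 }
    $enforcing = ($policy -in @('quarantine', 'reject')) -and ($percent -gt 0)
    $note = switch ($policy) {
        'reject'     { "Reject: $percent% of failing messages are refused" }
        'quarantine' { "Quarantine: $percent% of failing messages go to junk" }
        default      { 'Monitor only (p=none): reports are sent but spoofed mail is still delivered' }
    }
    [pscustomobject]@{ Present = $true; Policy = $policy; Percent = $percent; Enforcing = $enforcing; Note = $note }
}

# Constructed sample records for two hypothetical domains.
$samples = @{
    'weak.example'   = @{ spf = 'v=spf1 include:mail.weak.example +all'
                          dmarc = 'v=DMARC1; p=none; rua=mailto:dmarc@weak.example' }
    'strong.example' = @{ spf = 'v=spf1 ip4:192.0.2.0/24 include:_spf.strong.example -all'
                          dmarc = 'v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strong.example' }
}

foreach ($domain in $samples.Keys) {
    $spf   = Get-SpfAssessment   -Record $samples[$domain].spf
    $dmarc = Get-DmarcAssessment -Record $samples[$domain].dmarc
    [pscustomobject]@{
        Domain          = $domain
        SPF             = $spf.Note
        DMARC           = $dmarc.Note
        ReducesSpoofing = $spf.Enforcing -and $dmarc.Enforcing
    }
}

# To assess a live domain on Windows, fetch the records first, for example:
#   $dmarcTxt = (Resolve-DnsName -Name "_dmarc.$domain" -Type TXT).Strings -join ''
#   Get-DmarcAssessment -Record $dmarcTxt
```

Only `strong.example` comes out with `ReducesSpoofing` set to true; `weak.example` has both records published but neither instructs receivers to do anything with a failing message, which is the common state after a first "p=none" rollout.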

**Preventing execution of initial code**:

- put in place *allow-listing* to make sure that executables can't run from any directory to which a user can write
- for anything not covered by *allow-listing*, use registry settings to ensure that dangerous scripting or file types are opened in Notepad and not executed; for PowerShell, you can minimise risk by using PowerShell constrained mode and script signing
- disable the [mounting of .iso files on user endpoints](https://gist.github.com/wdormann/fca29e0dcda8b5c0472e73e10c78c3e7)
- make sure that macro settings are locked down (see the NCSC's [guidance on macro security](https://www.ncsc.gov.uk/guidance/macro-security-for-microsoft-office)) and that only users who absolutely need them – and are trained on the risks they present – can use them
- enable [attack surface reduction rules](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide)
- ensure you update third-party software, such as PDF readers, or even better, use a browser to open such files
- keep up to date with current threats with wider reading about any new attack vectors emerging
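Several of the steps above are single registry or Defender settings on a Windows endpoint, so they can be applied together. The script below is an added example, not code from the NCSC post, that configures the script-handler, PowerShell, ISO-mounting, macro and attack surface reduction controls on one machine. It assumes the `ProgrammaticAccessOnly` technique from the gist linked above, Office 16.0 policy keys, and the ASR rule GUIDs published in Microsoft's ASR rules reference; check all three against current documentation before deploying. Allow-listing itself (AppLocker or WDAC) is policy-driven and is not shown.

```powershell
# Added example (not from the NCSC post): apply several "preventing execution of
# initial code" controls to one Windows endpoint. Run from an elevated PowerShell.
# Registry value names for ISO mounting follow the gist linked in the post; ASR rule
# GUIDs are from Microsoft's ASR rules reference. Verify both before wide rollout,
# and test ASR rules in AuditMode first to measure the impact on legitimate workflows.
#Requires -RunAsAdministrator

# 1. Open rarely needed script types in Notepad instead of the script host, so a
#    double-clicked .js/.vbs/.wsf/.hta attachment shows its text rather than running.
$notepad       = '"C:\Windows\System32\notepad.exe" "%1"'
$scriptProgIds = 'JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile', 'WSHFile', 'htafile'
foreach ($progId in $scriptProgIds) {
    $key = "HKLM:\SOFTWARE\Classes\$progId\shell\open\command"
    if (Test-Path $key) {
        Set-ItemProperty -Path $key -Name '(default)' -Value $notepad
        "Handler for $progId now opens in Notepad"
    }
}

# 2. PowerShell: require signed scripts machine-wide and report the language mode.
#    ConstrainedLanguage is enforced through an AppLocker/WDAC policy, not a single
#    setting, so this only shows whether that policy is already in effect here.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force
"PowerShell language mode in this session: $($ExecutionContext.SessionState.LanguageMode)"

# 3. Remove Explorer's "Mount" verb for .iso and .vhd containers (technique from the
#    linked gist): the file type still exists, but a double-click no longer mounts it.
foreach ($progId in 'Windows.IsoFile', 'Windows.VhdFile') {
    $key = "HKLM:\SOFTWARE\Classes\$progId\shell\mount"
    if (Test-Path $key) {
        New-ItemProperty -Path $key -Name 'ProgrammaticAccessOnly' -Value '' -PropertyType String -Force | Out-Null
        "Mount verb hidden for $progId"
    }
}

# 4. Office macros, current-user policy hive (deploy via GPO/Intune for the estate):
#    VBAWarnings 4 = disable all macros without notification;
#    blockcontentexecutionfrominternet 1 = block macros in files marked from the internet.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\$app\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 -Type DWord
    Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
}

# 5. Defender attack surface reduction rules aimed at phishing delivery chains.
$asrRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C' = 'Block Adobe Reader from creating child processes'
}
foreach ($id in $asrRules.Keys) {
    # Swap Enabled for AuditMode during a pilot to log hits without blocking.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
    "ASR rule enabled: $($asrRules[$id])"
}
```

Step 1 changes the handler under `HKLM\SOFTWARE\Classes`, which a per-user `HKCU\SOFTWARE\Classes` entry can still override, so an allow-listing policy remains the backstop the post describes; the other steps are idempotent and safe to re-run from configuration management.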

**Preventing further harm**:

- *allow-listing* is again a powerful way to prevent further harm once a malicious file is opened
- DNS filtering tools, such as PDNS (for UK public sector and also the [private sector](https://www.ncsc.gov.uk/guidance/protective-dns-for-private-sector)) can block suspicious connections and prevent many early-stage attacks
- organisations can also carry out endpoint detection and response (EDR) and monitoring to look for suspicious behaviour on hosts
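A protective DNS service blocks a lookup when the queried name is a listed domain or any subdomain of one, and the resulting query records are also useful as a monitoring feed for the EDR step: a host that keeps resolving blocked names is a triage candidate. The script below is an added example, not code from the NCSC post, that runs that suffix-matching logic over a few DNS query log lines. The block list, host names and log lines are constructed for illustration, and the log format is simplified rather than the exact Windows DNS Client event text.

```powershell
# Added example (not from the NCSC post): check recorded DNS queries against a
# protective-DNS style block list. Shows what a resolver-level filter would have
# stopped and which hosts keep talking to blocked domains. All domains, host names
# and log lines below are constructed; the line format is a simplified stand-in.

$blockList = @('phish-login.example', 'malware-cdn.example')

function Test-BlockedDomain {
    param([string]$Name, [string[]]$Blocked)
    $n = $Name.TrimEnd('.').ToLower()
    # A suffix block list matches the listed domain and every subdomain under it.
    foreach ($b in $Blocked) {
        if ($n -eq $b -or $n.EndsWith(".$b")) { return $b }
    }
    return $null
}

function Get-BlockedQueries {
    param([string[]]$LogLines, [string[]]$Blocked)
    foreach ($line in $LogLines) {
        # Constructed line format: <timestamp> <host> query <name>
        if ($line -match '^(?<ts>\S+)\s+(?<host>\S+)\s+query\s+(?<name>\S+)$') {
            $hit = Test-BlockedDomain -Name $Matches.name -Blocked $Blocked
            if ($hit) {
                [pscustomobject]@{
                    Time      = $Matches.ts
                    Host      = $Matches.host
                    Query     = $Matches.name
                    BlockedBy = $hit
                }
            }
        }
    }
}

# Constructed sample log: two workstations, one legitimate lookup, three blocked ones.
$sampleLog = @(
    '2022-12-28T09:01:12Z WS-0417 query login.phish-login.example',
    '2022-12-28T09:01:15Z WS-0417 query www.ncsc.gov.uk',
    '2022-12-28T09:02:40Z WS-0212 query cdn.malware-cdn.example',
    '2022-12-28T09:03:03Z WS-0417 query phish-login.example.'
)

$hits = Get-BlockedQueries -LogLines $sampleLog -Blocked $blockList
$hits | Format-Table -AutoSize

# Hosts with repeated blocked lookups are the first candidates for EDR triage.
$hits | Group-Object Host | Where-Object Count -gt 1 | Select-Object Name, Count
```

The trailing-dot and case handling in `Test-BlockedDomain` matters in practice: DNS names arrive in logs in both `example.com` and `example.com.` forms, and a naive string comparison misses one of them.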

Source: [National Cyber Security Centre](https://www.ncsc.gov.uk/blog-post/telling-users-to-avoid-clicking-bad-links-still-isnt-working) (UK)