In addition to having the right tools in place, a company must understand the role its employees play in information security. Employees hold credentials and institutional knowledge that are critical to the success of a breach of the company's security. One of the ways an intruder obtains this protected information is through phishing.

The purpose of phishing is to collect sensitive information with the intention of using it to gain access to otherwise protected data, networks, and so on. An attacker's success is contingent upon establishing trust with their victims. We live in a digital age, and gathering information has become much easier now that we are well beyond the dumpster diving days.
There are various phishing techniques used by attackers that can negatively affect an organization and its employees. Common phishing techniques include:

- Embedding a link in an email that redirects an employee to an insecure website that requests sensitive information.
- Installing a Trojan via a malicious email attachment or advertisement, allowing the intruder to exploit vulnerabilities and obtain sensitive information.
- Spoofing the sender address in an email so that it appears to come from a reputable source that requests sensitive information.
- Attempting to obtain company information over the phone by impersonating a known company vendor or the IT department.
To protect itself against phishing attacks, a company can take the following steps:

- Educate employees and conduct training sessions with mock phishing scenarios.
- Deploy a spam filter that detects viruses, blank senders, and similar indicators.
- Keep all systems current with the latest security patches and updates.
- Install an antivirus solution, schedule signature updates, and monitor the antivirus status on all equipment.
- Develop a security policy that includes, but is not limited to, password expiration and complexity requirements.
- Deploy a web filter to block malicious websites.
- Encrypt all sensitive company information.
- Convert HTML email into text-only messages, or disable HTML email altogether.
- Require encryption for employees who are telecommuting.
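As an added example that is not part of the original article, the Python script below applies several of the indicators mentioned above to a raw email message: a blank sender, a Reply-To domain that differs from the From domain (a common sign of a spoofed sender), links that do not use HTTPS, and links whose visible text names one host while the href points to another. It also produces the text-only rendering of an HTML body that the last mitigation above calls for. The two messages, their addresses and the example.com / example.net / example.org hostnames are constructed placeholders; the checks are simple heuristics meant to illustrate what a spam filter or mail gateway rule looks for, not a complete filter.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collects (href, anchor text) pairs and a text-only rendering of the HTML."""

    def __init__(self):
        super().__init__()
        self.links = []      # (href, visible anchor text)
        self.plain = []      # text fragments for the text-only rendering
        self._href = None    # href of the <a> currently open, if any
        self._anchor = []    # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._anchor = []

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None
        if tag in ("p", "div", "br", "tr"):
            self.plain.append("\n")

    def handle_data(self, data):
        if self._href is not None:
            self._anchor.append(data)
        self.plain.append(data)


def html_to_text(html):
    """Text-only version of an HTML body: each link is reduced to its visible text."""
    p = LinkExtractor()
    p.feed(html)
    return "".join(p.plain).strip()


def address_domain(header_value):
    """Domain part of an address header such as From or Reply-To ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def displayed_host(anchor_text):
    """Hostname the anchor's visible text appears to name, or None if it is not URL-like."""
    t = anchor_text.strip()
    if not t or " " in t or "." not in t:
        return None
    if "://" not in t:
        t = "https://" + t
    return (urlparse(t).hostname or "").lower() or None


def check_message(raw):
    """Return a list of (indicator, detail) findings for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender_domain = address_domain(msg.get("From"))
    if not sender_domain:
        findings.append(("blank-sender", "missing or empty From header"))
    reply_domain = address_domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != sender_domain:
        findings.append(("reply-to-mismatch", f"replies go to {reply_domain}, not {sender_domain}"))
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        parser = LinkExtractor()
        parser.feed(html_part.get_content())
        for href, text in parser.links:
            target = urlparse(href)
            if target.scheme.lower() != "https":
                findings.append(("link-not-https", href))
            shown = displayed_host(text)
            if shown and shown != (target.hostname or "").lower():
                findings.append(("link-text-mismatch", f"text shows {shown}, href goes to {target.hostname}"))
    return findings


# Constructed sample: the visible link text names the company portal, the href does not,
# and replies are steered to a different domain than the one the mail claims to come from.
SUSPICIOUS_EMAIL = """From: "IT Support" <helpdesk@example.com>
Reply-To: recovery@example.net
To: employee@example.com
Subject: Password expiry notice
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires today.</p>
<p>Sign in at <a href="http://example.org/login">https://portal.example.com</a> to renew it.</p>
</body></html>
"""

# Constructed sample with consistent sender, HTTPS link and matching link text.
CLEAN_EMAIL = """From: "IT Support" <helpdesk@example.com>
To: employee@example.com
Subject: Maintenance window
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Status updates are posted at <a href="https://portal.example.com/status">portal.example.com</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, check_message(raw))
    print(html_to_text(email.message_from_string(SUSPICIOUS_EMAIL, policy=policy.default).get_content()))
```

Each finding is a tag and a detail string, so the output can feed a quarantine rule or a log line directly. The text-only rendering keeps the words a user would read while discarding the href that the HTML hid behind them, which is why converting or disabling HTML mail removes this class of deception at the cost of some convenience.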
Companies can implement multiple measures to protect themselves against phishing attacks that threaten the confidentiality, integrity, and availability of their data. They must keep a pulse on current phishing strategies and confirm that their security policies and solutions can address threats as they evolve. It is equally important to make sure that employees understand the types of attacks they may face, the risks associated with these attacks, and how to respond to them. Informed employees and properly secured systems are key to protecting your company from phishing attacks.
Article Source: http://EzineArticles.com/9070250