CISA, NSA, FBI Issue Guidance On How To Stop Phishing

On Wednesday, CISA, in coordination with the NSA, the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC), published “Phishing Guidance: Stopping the Attack Cycle at Phase One” to help organizations prevent phishing attacks.

As expected, the guidance covers the social engineering tactics used to steal login credentials, as well as malware installed through malicious emails. The agencies provide a large number of suggested mitigations, including strong email controls and firewall rules, and encourage user training on social engineering and phishing.

While the guidance applies to all organizations, it also includes a section of tailored recommendations for small- and medium-sized businesses that may have limited resources or no dedicated network defenders.

“When we see news of compromises that stem from phishing, it’s all too easy to blame the victim organization for not having implemented all the mitigations that would have stopped the attack. With the benefit of 20/20 hindsight it’s easy to see what went wrong. But the ease of compromises cannot be solely blamed on the defenders. We need to have a more robust industry-wide conversation about the products that are delivered to customers in a state that not only makes these attacks possible, but in many cases, inevitable,” said CISA Senior Technical Advisor Bob Lord.

Emily Phelps, Director at Cyware, had this comment:
   “Even the most sophisticated technology platforms and tools are not immune to the age-old tactics of phishing. This vector remains a popular attack strategy because of its low level of sophistication and high level of effectiveness. While advanced security solutions are imperative for safeguarding an organization’s digital assets, human-centric training is also crucial to address social engineering attacks. The reality is no single mitigation method is foolproof. Organizations and individuals, regardless of their sector or size, must adopt multifactor solutions to reduce the risks of phishing attacks.”

Dave Ratner, CEO of HYAS, follows with this:
   “We applaud CISA and the other government agencies for publishing guidelines and strategies to prevent phishing attacks, and we encourage their use, but the best defense always comes from a defense-in-depth approach. Despite improved training, education, and mitigation, phishing attacks will become more sophisticated and sometimes even the most diligent personnel may fall victim or make a mistake. That’s why pairing the education, training, and mitigation with a Protective DNS solution is critical for a more complete and resilient approach, to ensure that the phishing attacks which do get through nonetheless are stopped before they leak credentials or cause damage.”

Craig Harber, Security Evangelist at Open Systems, adds this:

   “CISA, the NSA, the FBI and the MS-ISAC did a nice job providing a solid set of actionable recommendations for small-to-medium-sized businesses. One thing I’d have liked to have seen included was a reminder that in today’s world small, medium, and large businesses are integrated together to form an ecosystem to deliver a product or service. There is a greater chance that a smaller supplier adopting a lower standard may result in a potential attack path for the larger economy.”

This is an excellent move by CISA and the other agencies. Every business, big or small, needs to read this guidance and make sure its employees read it as well, because the best way to stop an attack is to make sure it never happens.