Which Antivirus Has The Best Phishing Protection? Surprise!

I ran across some very interesting research recently done by NSS Labs. They compared twelve of the most popular antivirus engines, which they call endpoint protection products (EPP), and tested these tools specifically for blocking phishing attacks. The results are surprising: Trend Micro wins this battle with 92%, closely followed by Kaspersky with 85%, and the rest do not score above an abysmal 64%.

They claimed one mitigating factor. NSS observed that the browser is actually a better frontline defense against phishing attacks, so they also tested four popular browsers, which block phishing sites twice as fast: five hours instead of an average of 10 hours for the endpoint products. "Oh, that is a lot better," you might think, "not that big of a risk."

Think again. Let's combine the NSS data with a recent report from the Anti-Phishing Working Group. They have released a study of phishing attacks detected in the first half of 2012, and a second study of reports by phishing victims over a period of nearly two years.

NSS perhaps inadvertently omitted to mention that the average phishing site uptime (how long a phishing website remains up once it has been detected) is less than a day. Worse, the Global Phishing Survey reports a median uptime of just five hours and 45 minutes.

And that is where your vulnerability window is: the bad guys send phishing attacks that strike directly at your employees, and for the (most important) first 5 hours there is no protection from either the browser or the EPP. Your mail server could have a phishing filter, which might or might not catch that attack. That is why it is crucial to implement mandatory security awareness training.

I strongly suggest you read the whole report for yourself. One thing to note is that there were twelve products tested, one of which is Microsoft Security Essentials, but at the time I write this, that product is mysteriously missing from all the graphs. You wonder if that's just an error, or if there are more sinister reasons for that. Here are some of the key findings and recommendations:

- Nearly 90% of users are inadequately protected against phishing by endpoint protection products (EPP). The effectiveness of AV products claiming to offer phishing protection ranges from 3% to 92%.

- End users should use current web browsers as a first line of protection against phishing attacks. Invest time in understanding phishing attacks and modifying behavior to avoid becoming a victim. Assign a higher priority to exploit prevention, socially engineered malware blocking, and general detection capabilities over phishing detection when selecting EPP products.

Here is the NSS report with a link to the downloadable PDF:
