The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has published an advisory on best practices to thwart email-based phishing attacks. The advisory is aimed at election-related entities, but the advice is relevant for anyone.
“Malicious cyber actors have been known to use sophisticated phishing operations to target political parties and campaigns, think tanks, civic organizations, and associated individuals,” the advisory states. “Email systems are the preferred vector for initiating malicious cyber operations. Recent reporting shows 32 percent of breaches involve phishing attacks, and 78 percent of cyber-espionage incidents are enabled by phishing.”
CISA recommends implementing multi factor authentication (MFA) for all email accounts, preferably with a hardware key or an authentication app. If a service doesn’t offer any type of MFA, CISA says to consider switching to another service.
“Physical security keys offer protection against phishing attacks by working as a second, physical factor of authentication and only authenticating when a user is on the correct website,” the agency explains. “Thus, even if a user is tricked into supplying their password to a phishing website, the physical security key will still block attackers from accessing their account. Authentication apps work by having a user enter a code from an app. Although authentication apps can still be vulnerable to phishing attacks, they offer more protection than SMS or email-based MFA. Only use SMS and email-based MFA methods if other forms of MFA are unavailable. SMS and email-based MFA methods are vulnerable to phishing and SIM swap attacks, though they still offer better protection than password-based single-factor authentication.”
CISA also advises using a password manager to help employees create and keep track of unique, complex passwords for each of their accounts.
“Password managers protect against phishing by generating secure, random passwords and automatically filling passwords when visiting websites,” the advisory says. “Password managers will not automatically enter passwords on malicious websites, giving employees a crucial cue that they should not proceed. ”
New-school security awareness training can help your organization put these principles into practice.