CISA’s Advice on Countering Phishing

Multi Factor AuthenticationThe US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has published an advisory on best practices to thwart email-based phishing attacks. The advisory is aimed at election-related entities, but the advice is relevant for anyone.

“Malicious cyber actors have been known to use sophisticated phishing operations to target political parties and campaigns, think tanks, civic organizations, and associated individuals,” the advisory states. “Email systems are the preferred vector for initiating malicious cyber operations. Recent reporting shows 32 percent of breaches involve phishing attacks, and 78 percent of cyber-espionage incidents are enabled by phishing.”

CISA recommends implementing multi factor authentication (MFA) for all email accounts, preferably with a hardware key or an authentication app. If a service doesn’t offer any type of MFA, CISA says to consider switching to another service.

“Physical security keys offer protection against phishing attacks by working as a second, physical factor of authentication and only authenticating when a user is on the correct website,” the agency explains. “Thus, even if a user is tricked into supplying their password to a phishing website, the physical security key will still block attackers from accessing their account. Authentication apps work by having a user enter a code from an app. Although authentication apps can still be vulnerable to phishing attacks, they offer more protection than SMS or email-based MFA. Only use SMS and email-based MFA methods if other forms of MFA are unavailable. SMS and email-based MFA methods are vulnerable to phishing and SIM swap attacks, though they still offer better protection than password-based single-factor authentication.”

CISA also advises using a password manager to help employees create and keep track of unique, complex passwords for each of their accounts.

“Password managers protect against phishing by generating secure, random passwords and automatically filling passwords when visiting websites,” the advisory says. “Password managers will not automatically enter passwords on malicious websites, giving employees a crucial cue that they should not proceed. ”

New-school security awareness training can help your organization put these principles into practice.

Find out if your organization's MFA solution
can be hacked by the bad guys now!

Did you know that all MFA mechanisms can be hacked, and in some cases it's as simple as sending a phishing email? That's why it's important to know the exact security risks your MFA solution has and how your users' accounts may be compromised.

masareport-thumbHere's how MASA works:

  • You will receive a custom link to take your assessment
  • Answer a series of technology questions relevant to your MFA solution
  • Get an instant high-level snapshot of potential risks with your MFA
  • Receive your in-depth report packed with actionable insight and detailed analysis on specific MFA attacks and tips for your top defenses 

Assess My MFA Solution Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

Topics: Phishing, MFA

Subscribe To Our Blog

Free Cybersecurity Awareness Month Resource Kit

Get the latest about social engineering

Subscribe to CyberheistNews