Skip to content
Search
  • There are no suggestions because the search field is empty.
Cancel
Get Started Now

    Security Awareness Training Blog

    CISA’s Advice on Countering Phishing

    Multi Factor AuthenticationThe US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has published an advisory on best practices to thwart email-based phishing attacks. The advisory is aimed at election-related entities, but the advice is relevant for anyone.

    “Malicious cyber actors have been known to use sophisticated phishing operations to target political parties and campaigns, think tanks, civic organizations, and associated individuals,” the advisory states. “Email systems are the preferred vector for initiating malicious cyber operations. Recent reporting shows 32 percent of breaches involve phishing attacks, and 78 percent of cyber-espionage incidents are enabled by phishing.”

    CISA recommends implementing multi factor authentication (MFA) for all email accounts, preferably with a hardware key or an authentication app. If a service doesn’t offer any type of MFA, CISA says to consider switching to another service.

    “Physical security keys offer protection against phishing attacks by working as a second, physical factor of authentication and only authenticating when a user is on the correct website,” the agency explains. “Thus, even if a user is tricked into supplying their password to a phishing website, the physical security key will still block attackers from accessing their account. Authentication apps work by having a user enter a code from an app. Although authentication apps can still be vulnerable to phishing attacks, they offer more protection than SMS or email-based MFA. Only use SMS and email-based MFA methods if other forms of MFA are unavailable. SMS and email-based MFA methods are vulnerable to phishing and SIM swap attacks, though they still offer better protection than password-based single-factor authentication.”

    CISA also advises using a password manager to help employees create and keep track of unique, complex passwords for each of their accounts.

    “Password managers protect against phishing by generating secure, random passwords and automatically filling passwords when visiting websites,” the advisory says. “Password managers will not automatically enter passwords on malicious websites, giving employees a crucial cue that they should not proceed. ”

    New-school security awareness training can help your organization put these principles into practice.

     

    Return To KnowBe4 Security Blog

    Find out if your organization's MFA solution
    can be hacked by cybercriminals now!

    Did you know that all MFA mechanisms can be hacked, and in some cases it's as simple as sending a phishing email? That's why it's important to know the exact security risks your MFA solution has and how your users' accounts may be compromised.

    masareport-thumbHere's how MASA works:

    • You will receive a custom link to take your assessment
    • Answer a series of technology questions relevant to your MFA solution
    • Get an instant high-level snapshot of potential risks with your MFA
    • Receive your in-depth report packed with actionable insight and detailed analysis on specific MFA attacks and tips for your top defenses 

    Assess My MFA Solution Now!

    PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

    https://www.knowbe4.com/multi-factor-authentication-security-assessment

    Topics: Phishing, MFA

    Stu Sjouwerman

    ABOUT STU SJOUWERMAN

    Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, Inc., which hosts the world’s most popular integrated security awareness training and simulated phishing platform, with over 54,000 organization customers and more than 50 million users. A serial entrepreneur and data security expert with 30 years in the IT industry, Stu was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010.

    Read more from Stu »

    Subscribe to Our Blog


    Security Awareness Training
    Blog RSS Feed
    Comprehensive Anti-Phishing Guide
    All Posts

    Posts by Tag

    See all

    Posts By Topic

    View All

    Get the latest about social engineering

    Subscribe to CyberheistNews