The compromised user often takes much of the blame when a phishing attack is successful, but layers of technology must fail as well, Ira Winkler, president of Secure Mentem, said during a session at RSA Conference 2015 in San Francisco.
Starting from the beginning, Winkler said that mass phishing campaigns are often carried out by botnets, and that internet service providers can attempt to nip the problem in the bud at this stage by investigating unusual volumes of traffic coming from, say, an average everyday computer user.
Once a phishing email makes it through filters and other similar technologies, the user element really comes into play, Winkler indicated. At this point, a user interacting with an email deemed malicious should be presented with various warnings before anything happens, he said.
In the final phases of the attack, after a user opens a file or clicks on a link, systems should prevent malicious files from executing and suspicious websites from opening, Winkler said. If they don't, other technology should be in place to prevent any malicious activity from making its way across the network, he added.
When it comes to educating users, Winkler said there is a difference between awareness and training. “Training [programs provide] people with a fixed body of knowledge and maybe [test] them on it,” he said, adding that awareness is not training, and that awareness programs are not all that great.
Winkler went on to say that phishing programs, in which organizations send out phishing emails to employees, are often ineffective. He explained that, most of the time, the very protections that would stop such phishing emails from getting through are turned off for the exercise, so employees are only taught to spot emails they would never see in a real-life scenario.
Winkler noted that, in the end, it is a minority of people who end up actually clicking on phishing messages, but he said that all it takes is one. There is “no such thing as a perfect countermeasure,” he added.