I.T. Security and Linux Administration

Nov 30 2012   5:52PM GMT

Proper Handling of Phishing



Posted by: Eric Hansen
Tags: security

SANS recently put up an article involving handling phishing attacks within the network: https://isc.sans.edu/diary.html?storyid=14578

While most of the points are sensible and should be what everyone follows, there is one I actually disagree with: blocking the URL.

Most of the URLs in phishing emails are garbled text that no one actually looks at when the e-mail looks promising and legitimate. Hosting providers also tend to shut down these sites quickly for one reason or another. This makes the effort of filtering URLs, blocking them, and then unblocking them (so as not to clog up the firewall/DNS lookups) more of a hassle than anything else.

There is very little anyone can do beyond security awareness training to educate others not to click on unknown links. What sysadmins should focus on, besides security awareness training, is proper ACLs. As a good example, lock machines down so that downloads go to a specific central server (e.g., mount a remote directory on each machine), feed each file through an AV scanner or similar, and if everything is detected as clean, move it to the appropriate directory. Using something like Fabric, this is far from difficult to accomplish.
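Here is what the quarantine-and-release step on that central server could look like, as an added example that is not part of the original post. It is plain-stdlib Python (the kind of script Fabric would push out or run, though no Fabric calls are used here). The directory names, the `clamscan` wrapper's use of ClamAV's exit codes (0 clean, 1 infected, 2 error), and the hash denylist and sample files in `demo()` are all assumptions or constructed for illustration; the important property is that a scanner error leaves the file in quarantine rather than releasing it.

```python
"""Quarantine-release loop for a central download server (added example).

Files land in a quarantine directory (the one each workstation mounts), every
file is handed to a scanner, and only files reported clean are moved to the
release directory.  Scanner errors fail closed: the file stays in quarantine.
"""
import hashlib
import logging
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, Dict, Tuple

log = logging.getLogger("quarantine")

# Verdicts a scanner can return for one file.
CLEAN, INFECTED, ERROR = "clean", "infected", "error"
Scanner = Callable[[Path], Tuple[str, str]]  # returns (verdict, detail)


def clamscan_scanner(path: Path) -> Tuple[str, str]:
    """Scan one file with ClamAV's clamscan (assumed installed on the server).
    Exit status 0 = clean, 1 = infected; anything else, a missing binary or a
    timeout is treated as an error so the caller keeps the file quarantined."""
    try:
        proc = subprocess.run(["clamscan", "--no-summary", str(path)],
                              capture_output=True, text=True, timeout=300, check=False)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return ERROR, str(exc)
    if proc.returncode == 0:
        return CLEAN, ""
    if proc.returncode == 1:
        return INFECTED, proc.stdout.strip()
    return ERROR, proc.stderr.strip() or f"clamscan exit {proc.returncode}"


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large downloads do not get read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_hash_denylist_scanner(bad_hashes: Dict[str, str]) -> Scanner:
    """Build a scanner that flags files whose SHA-256 is on a denylist
    (a cheap second check beside the AV, or a stand-in when testing the loop)."""
    def scan(path: Path) -> Tuple[str, str]:
        try:
            digest = sha256_file(path)
        except OSError as exc:
            return ERROR, str(exc)
        return (INFECTED, bad_hashes[digest]) if digest in bad_hashes else (CLEAN, "")
    return scan


def process_quarantine(quarantine: Path, release: Path, scanner: Scanner) -> Dict[str, str]:
    """Scan each regular file in `quarantine`; move only clean files to `release`.
    Returns {filename: verdict} so a report can be produced afterwards."""
    release.mkdir(parents=True, exist_ok=True)
    results: Dict[str, str] = {}
    for path in sorted(p for p in quarantine.iterdir() if p.is_file()):
        verdict, detail = scanner(path)
        results[path.name] = verdict
        if verdict == CLEAN:
            shutil.move(str(path), str(release / path.name))
            log.info("released %s", path.name)
        elif verdict == INFECTED:
            log.warning("kept %s in quarantine: %s", path.name, detail)
        else:  # ERROR: never release a file the scanner could not check
            log.error("scan error on %s, left in quarantine: %s", path.name, detail)
    return results


def demo() -> Dict[str, object]:
    """Constructed sample run in a temp directory: one clean file, one whose
    hash is on the (constructed) denylist, and one the scanner fails on."""
    root = Path(tempfile.mkdtemp(prefix="qdemo-"))
    quarantine, release = root / "quarantine", root / "release"
    quarantine.mkdir()
    (quarantine / "report.pdf").write_bytes(b"%PDF-1.4 constructed clean sample")
    (quarantine / "invoice.exe").write_bytes(b"constructed sample standing in for a bad download")
    (quarantine / "flaky.zip").write_bytes(b"constructed sample the engine cannot process")
    denylist = {sha256_file(quarantine / "invoice.exe"): "Constructed.Denylist.Sample"}
    hash_scanner = make_hash_denylist_scanner(denylist)

    def scanner(path: Path) -> Tuple[str, str]:
        if path.name == "flaky.zip":  # simulate the engine erroring on one file
            return ERROR, "simulated scanner failure"
        return hash_scanner(path)

    results = process_quarantine(quarantine, release, scanner)
    return {"results": results,
            "released": sorted(p.name for p in release.iterdir()),
            "still_quarantined": sorted(p.name for p in quarantine.iterdir())}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(demo())
```

In production you would pass `clamscan_scanner` (or a wrapper that runs both the AV and the hash denylist) to `process_quarantine` from a cron job or a Fabric task, and keep the quarantine directory writable but not executable for the workstations.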

Sysadmins have enough day-to-day tasks as it is; constantly adding and removing websites from the firewall and DNS zones should not be one of them.
