I.T. Security and Linux Administration

Nov 30 2012   5:52PM GMT

Proper Handling of Phishing

Eric Hansen

SANS recently put up an article involving handling phishing attacks within the network: https://isc.sans.edu/diary.html?storyid=14578

While most of the points are sensible and should be what everyone follows, there is one I actually disagree with: blocking the URL.

Most of the URLs in phishing e-mails are garbled strings that nobody actually reads when the message itself looks promising and legitimate. The sites behind them also tend to be taken down quickly by their hosting providers for one reason or another. That makes the cycle of filtering URLs, blocking them, and then unblocking them again (so as not to clog up the firewall rules and DNS lookups) more of a hassle than anything else.

Beyond security awareness training that teaches people not to click unknown links, there is very little anyone can do about the click itself. What sysadmins can control, besides awareness training, is proper ACLs. A good example: lock machines down so that downloaded files land only on a central server (e.g. mount a remote directory onto each machine and make it the download location), feed each file through an AV scanner or similar, and only when it comes back clean move it to its proper directory. With a tool like Fabric, this is far from difficult to automate.
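As an added example (not code from the original post), the following Python script is the server-side half of the pipeline just described: clients write downloads into a shared inbox directory mounted from the central server, and this script scans each file and either releases it to a clean directory or moves it to a rejected directory. It assumes a hypothetical scan policy made up of three checks: a SHA-256 blocklist (constructed for the example), the standard EICAR anti-virus test string, and a rule that rejects native executables (PE and ELF) outright. The directory names, the blocklist contents, and the sample files in demo() are all constructed; in production the scan step would call a real engine such as clamscan.

```python
"""Quarantine-then-release pipeline for user downloads (constructed example).

Clients save downloads into `inbox` (a directory mounted from this server).
Each file is scanned here and moved to `clean` or `rejected`; nothing is
ever executed or opened from the inbox itself.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# EICAR test string: the standard harmless file every AV engine must detect.
# Split across two literals only so that this source file is not itself flagged.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Hypothetical blocklist of known-bad SHA-256 digests (constructed for the example).
BLOCKED_SHA256 = {
    hashlib.sha256(b"known bad payload").hexdigest(),
}

# Native executables are rejected by policy regardless of what AV says.
EXECUTABLE_MAGIC = {
    b"MZ": "PE executable",
    b"\x7fELF": "ELF executable",
}


def scan_file(path: Path) -> list[str]:
    """Return the reasons a file fails the policy; an empty list means clean."""
    data = path.read_bytes()
    reasons = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in BLOCKED_SHA256:
        reasons.append(f"sha256 {digest[:12]} on blocklist")
    if EICAR in data:
        reasons.append("EICAR test signature")
    for magic, name in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            reasons.append(f"{name} not permitted by download policy")
    return reasons


def process_quarantine(inbox: Path, clean: Path, rejected: Path) -> dict[str, list[str]]:
    """Scan every regular file in inbox and move it to clean or rejected.

    Returns {filename: reasons}; clean files map to an empty list.
    """
    clean.mkdir(parents=True, exist_ok=True)
    rejected.mkdir(parents=True, exist_ok=True)
    results = {}
    for entry in sorted(inbox.iterdir()):
        # Skip symlinks first: a symlink could point at something outside the inbox.
        if entry.is_symlink() or not entry.is_file():
            continue
        reasons = scan_file(entry)
        dest = (clean if not reasons else rejected) / entry.name
        shutil.move(str(entry), str(dest))
        # Released files are read-only and never executable, whichever directory they land in.
        os.chmod(dest, 0o440)
        results[entry.name] = reasons
    return results


def demo() -> dict[str, list[str]]:
    """Build a temporary inbox with constructed sample downloads and run the pipeline."""
    root = Path(tempfile.mkdtemp(prefix="quarantine-demo-"))
    inbox = root / "inbox"
    inbox.mkdir()
    (inbox / "report.txt").write_bytes(b"quarterly figures, nothing to see here\n")
    (inbox / "invoice.pdf.exe").write_bytes(b"MZ" + b"\x00" * 64)   # double extension, PE header
    (inbox / "eicar.com").write_bytes(EICAR)
    (inbox / "dropper.bin").write_bytes(b"known bad payload")
    return process_quarantine(inbox, root / "clean", root / "rejected")


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {'clean' if not reasons else '; '.join(reasons)}")
```

Run on a schedule (cron) or triggered by inotify on the inbox, this is the piece that the Fabric part of the setup would deploy and invoke on the central server; the clients only ever see the mounted inbox and the clean directory, so a user who clicks a phishing link can still pull the file down, but cannot run it until the server has passed it.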

Sysadmins already have enough on their plate day to day; constantly adding and removing websites from the firewall and DNS zones should not be one of those tasks.
