Shostack + Friends Blog


Phishing Defenses

Phishing behaviors, as observed in the wild. A sunken boat, surrounded by phish

There’s a good article on the UK’s National Cyber Security Centre blog, Telling users to ‘avoid clicking bad links’ still isn’t working. It starts:

Let's start with a basic premise: several of the established tenets in security simply don’t work. One example is advising users not to click on bad links. Users frequently need to click on links from unfamiliar domains to do their job, and being able to spot a phish is not their job. The NCSC carries out and reviews red team operations, and a common observation is that red teamers (and indeed criminals or hostile states) only need one person to fall for a ruse for an attacker to access a network.
We're even aware of some cases where people have forwarded suspicious emails from their home accounts to their work accounts, assuming that the security measures in place in their organisations will protect them.

That is a heck of an observation, and deserves deeper analysis. Are the people forwarding suspicious emails to work being rational? Conflating burden and effectiveness? Cleverly offloading response work onto professionals? Lacking any other methods for testing a suspicious email?

Almost the entire article is excellent, but there’s a fly in the ointment, and that is a sentence which starts out well: “Firstly, because one of the above controls may fail, and so defence in depth is always good.”

Defense in depth may, indeed, sometimes be useful. But there’s an ocean between ‘sometimes useful’ and ‘always good.’ The article touches on one of the costs in the very preceding sentences: “... worth training users to spot suspicious links.” That training has a cost, as does the work of spotting and reporting links. Is that cost worthwhile? Is it the best use of our time in training people? The sentence reminded me of a lesson from J.E. Gordon. As he writes in The New Science of Strong Materials,

If we make the structure too weak we may save weight and money, but then the chance of the thing breaking too soon will become unacceptably high. Contrariwise, if we make a structure so strong that, in human terms, it is likely to last ‘for ever’ – which is what the public would like – then it will probably be too heavy and expensive. As we shall see, there are many cases where more danger is incurred by extra weight than is avoided by the corresponding increase of strength. (Chapter 15; see also my review of Gordon’s Structures)

People, and their time, are our most precious resource. We should be exceptionally cautious in how we spend it.

Image: Midjourney, “the underwater scene with different types of fish underwater character illustration, In the water there are fish, cleverly avoiding being caught by an evil fisherman in a rowboat on top of the water. The fish are the heroes. in the style of hazy landscapes, light brown and azure, lush landscape backgrounds, orange and azure, flat backgrounds.” (disappointed)

Disclaimer: I really wanted to spell it Cybre, to go with Centre.