Defenses against phishing

In a local Slack forum someone recently asked about how phishing and IoT attacks compare in number.  My answer was...

Phishing in all its variants is by far the biggest vector because (in most forms) it requires essentially no effort by an attacker.  An IoT attack needs to be specifically executed against a target by an attacker, so most "run of the mill" SMBs are not that likely to be on the receiving end of this.  All orgs are going to be on the receiving end of phishing, though, and continually.

For phishing, the best defenses are:

  • training users about phishing
  • using long, random strings for all passwords
  • providing the org's users with a password manager (e.g., BitWarden, 1Password, LastPass)
  • enabling 2FA on all accounts that support it (preferably not SMS-type 2FA; TOTP authenticator apps like Authy are a nice compromise between security, cost, and convenience)
  • through the org's Acceptable Use Policy (AUP), requiring employees to (a) use long, random strings for all passwords, (b) use only the org's designated password manager for storing the credentials for all accounts, and (c) enable 2FA on all accounts that support it, and to use SMS-type 2FA only if there is no other option available
  • using an email provider that does a very good job of filtering out spam
  • if the org is larger, providing a Single Sign-On (SSO) system to employees, to get rid of as many password-based account logins as possible (e.g., Okta, Ping, Microsoft AAD)
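To make two of the list items above concrete (long random passwords, and what a TOTP authenticator app actually computes), here is an added Python example that is not part of the original post. It generates a password with the `secrets` module and implements HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library only; the `window` tolerance in `verify_totp` and the 24-character default length are my own choices, not anything the post prescribes. The HOTP/TOTP test values used at the bottom are the published RFC vectors for the ASCII secret `12345678901234567890`.

```python
import base64
import hashlib
import hmac
import math
import secrets
import string
import struct
import time

# --- Long, random passwords (the post's second and third bullets) ---

DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 24, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Build a password from a CSPRNG; `secrets.choice` is unbiased, unlike random.choice."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string of `length` symbols drawn from `alphabet_size`."""
    return length * math.log2(alphabet_size)


# --- TOTP, the algorithm behind authenticator apps (the post's 2FA bullet) ---

def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC the big-endian 8-byte counter, dynamically truncate, take `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter set to the number of `step`-second periods since epoch."""
    return hotp(secret, for_time // step, digits, digestmod)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30,
                window: int = 1, digits: int = 6) -> bool:
    """Server-side check. `window` adjacent steps are accepted to absorb clock drift
    (assumption: +/-1 step is a common choice); comparison is constant-time."""
    counter = now // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), code)
        for delta in range(-window, window + 1)
    )


def new_provisioning_secret(nbytes: int = 20):
    """Fresh 160-bit shared secret plus the base32 form authenticator apps expect."""
    raw = secrets.token_bytes(nbytes)
    return raw, base64.b32encode(raw).decode("ascii")


if __name__ == "__main__":
    pw = generate_password()
    print(f"password: {pw} ({password_entropy_bits(len(pw), len(DEFAULT_ALPHABET)):.0f} bits)")

    raw, b32 = new_provisioning_secret()
    now = int(time.time())
    code = totp(raw, now)
    print(f"base32 secret for the app: {b32}")
    print(f"current code: {code}, verifies: {verify_totp(raw, code, now)}")
```

One practical consequence worth noticing in `verify_totp`: a TOTP code is only valid for a 30-second step (plus whatever drift window the server allows), which is the property that makes it a better second factor than a static password, even though the code is still something a user can be talked into typing somewhere.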