Phishing goes beyond anti-virus


Johannesburg, 16 Sep 2010

Anti-virus software will not put a stop to phishing attacks, but deployment of proper identity and access management (IAM) policies can go a long way towards reducing vulnerabilities.

So said Karel Rode, principal consultant at EMC's security division RSA, speaking during the Identity Indaba in Fourways, yesterday.

According to Rode, studies show that even the most effective anti-virus offers users only 42% protection. He added that hackers are constantly developing new phishing techniques to exploit people for financial gain.

He said that with increased Internet penetration in SA, and new users coming online daily, the country was also facing a rise in the number of phishing incidents.

Describing how phishing attacks are surging globally, Rode said identity thefts in the US numbered 11.1 million in 2009, a 12% increase from 2008. “The total losses that were reported during the same period amounted to $54 billion.”

He added that US organisations lost 7% of their annual revenues to fraud committed by employees between 2006 and 2008, at an estimated cost of $994 million. Internet fraud in Australia, said Rode, accounts for the largest percentage of crime in that country.

Password peril

By deploying appropriate IAM applications, Rode said, companies gain the advantage of secured, automated workflows.

“ICM allows for role-based auditing and enforcing a single management model across the enterprise. This has the benefit of centralising security on a single, role-based model and translating it into a format that is compatible with each system and can be used for effective management,” he said.

With most organisations using just a password to secure remote access to the Internet, Rode noted that this is the weakest link as far as security is concerned.

“Passwords present the biggest threat to security in organisations, especially insider crime. Some employees stick their passwords on desks while some share them with colleagues, leaving them vulnerable to attacks,” he explained.

Highlighting the key principles of IAM, Rode added: “IT departments should ensure that only authorised account users have access to the network while only active user accounts should exist.”

However, he stated that organisations should also take into account temporary as well as returning staff regarding access to the network. “Administrators and users should also have strong passwords by having end-user education as well as a clear policy definition in place.”

According to Rode, there should be a regular review of user access by the IT department. “Access must be based on a user's business needs defined by the segregation of duties. Most importantly, all user accounts must be identifiable and owned by a responsible person.”
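The review principles Rode lists (only active accounts should exist, access follows business need with segregation of duties, every account has an identifiable owner, and temporary staff are handled explicitly) translate directly into checks an IT department can run over a directory export. The script below is an added illustration written for this article, not code from RSA or from the talk; the account records, the dormancy threshold of 90 days and the conflicting role pairs are constructed assumptions chosen to exercise each check.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


# Constructed account record (hypothetical; not data from the article).
# It carries the fields an access review needs: responsible owner, status,
# last login, contract end date for temporary staff, and the roles granted.
@dataclass
class Account:
    username: str
    owner: Optional[str]            # responsible person; None means orphaned
    enabled: bool
    last_login: Optional[date]      # None means the account was never used
    roles: frozenset
    contract_end: Optional[date] = None   # set only for temporary/contract staff


# Constructed segregation-of-duties rules: role pairs one person must not hold.
SOD_CONFLICTS = [
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"request_access", "approve_access"}),
]


def review_accounts(accounts, today, dormant_days=90, sod_conflicts=SOD_CONFLICTS):
    """Apply the review principles from the talk and return
    finding-type -> sorted list of usernames needing action."""
    findings = {
        "orphaned": [],          # no responsible owner recorded
        "dormant": [],           # enabled but unused for longer than dormant_days
        "never_used": [],        # enabled but never logged in
        "expired_contract": [],  # temporary staff whose engagement has ended
        "sod_violation": [],     # holds a conflicting role combination
    }
    cutoff = today - timedelta(days=dormant_days)
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled: nothing further to act on
        if acct.owner is None:
            findings["orphaned"].append(acct.username)
        if acct.last_login is None:
            findings["never_used"].append(acct.username)
        elif acct.last_login < cutoff:
            findings["dormant"].append(acct.username)
        if acct.contract_end is not None and acct.contract_end < today:
            findings["expired_contract"].append(acct.username)
        for conflict in sod_conflicts:
            if conflict <= acct.roles:  # all roles of the toxic pair are present
                findings["sod_violation"].append(acct.username)
                break
    return {kind: sorted(users) for kind, users in findings.items()}


# Constructed sample directory export; the review date matches the article's date.
REVIEW_DATE = date(2010, 9, 16)
SAMPLE_ACCOUNTS = [
    Account("alice", "alice", True, date(2010, 9, 10), frozenset({"read_reports"})),
    Account("bob", "bob", True, date(2010, 4, 1), frozenset({"read_reports"})),
    Account("svc_backup", None, True, date(2010, 9, 15), frozenset({"backup"})),
    Account("carol_contractor", "dave", True, date(2010, 9, 1),
            frozenset({"read_reports"}), contract_end=date(2010, 8, 31)),
    Account("erin", "erin", True, date(2010, 9, 14),
            frozenset({"create_vendor", "approve_payment"})),
    Account("frank", "frank", False, date(2009, 1, 1), frozenset({"admin"})),
    Account("grace", "grace", True, None, frozenset({"read_reports"})),
]


def run_review():
    """Run the review over the constructed sample with the default thresholds."""
    return review_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for kind, users in run_review().items():
        print(f"{kind}: {', '.join(users) or '-'}")
```

Each finding maps back to one of the stated principles: orphaned and never-used accounts have no identifiable, responsible owner or no business need; dormant and expired-contract accounts violate "only active user accounts should exist" and cover returning or temporary staff; and the role-pair check enforces segregation of duties. Disabled accounts are skipped rather than flagged, so the report lists only items that still require an administrator's decision.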

Guarding the guards

“If organisations trust their account owners or administrators, the question to be asked is, who then will guard the guards?” noted Rode. He said audit trails that enable compliance and regulatory requirements should be put in place to secure all accounts.

Rode suggested that all user accounts be authenticated before users gain access to them. “AAA (authentication, authorisation and accounting) is the standard procedure that is to be followed regarding access.”

He added that since many users, including employees, guests and contractors, access the system, often from both managed and unmanaged devices (laptops, smartphones, tablet PCs), AAA is crucial.