According to a post on ComputerWeekly, Ira Winkler, president of Secure Mentem, told attendees of the RSA Conference 2015 in San Francisco that humans represent only two of ten potential kill points for phishing attacks. A phishing attack can only be successful if eight possible layers of technological controls are missing or have failed.
According to Winkler:
Before the user is ever confronted with a phishing email, there are opportunities to block the attack at the pre-mail server and mail server stage.
Technologies for detecting and deleting phishing emails can be implemented in the internet infrastructure to block these attacks before they reach mail servers.
At the mail server there is another opportunity to implement technologies to quarantine phishing emails.
It is only if these first two layers have failed to block a phishing attack that a user becomes involved.
Users only fail if technologies have failed first or if the right controls have not been implemented by internet service providers or in mail servers
While these points are true, it paints an incomplete picture. Phishing attacks don’t just happen via email anymore. As I’ve written many times, apps with a WebView expose end-users to potential phishing attacks.
- Mobile apps with a WebView offer zero protection against phishing attacks. Unless of course, they’re protected by the MetaCert Security API
- No mobile browser offers any protection against phishing attacks. This means malicious webpages will open even though the desktop counterparts will provide protection by showing a warning page. So, if you click on a known malicious link inside an email on your mobile device, your browser will offer no protection.
Phishing attacks represent a combination of user and technological failures
In the case of apps, end-users can’t be blamed at all for phishing attacks – not when they’re using legitimate apps that don’t display the URL of websites inside the app WebView.
Read the post on ComputerWeekly here.