The IT Professional's Guide to Stop Phishing

news / 2024-11-07 13:33:03


Phishing is one of the biggest security concerns for businesses at present. Phishing used to be about just gathering credentials and information, but with the advent of Phishing as a Service platforms and similar commoditization, it has become much more. Hackers mine data, drop malware, and in some cases even work to make deepfakes to get even more out of a business.


With the profitability of ransomware attacks combined with the low cost and risk to deliver them, they’re getting more and more prevalent and more complex. I hear about new attacks almost daily, and the only common thread is that a user clicked the wrong email attachment. That legitimate looking invoice email isn’t what you think it is, it’s advanced malware. Some may strike instantly, others will just mine the system and the site for data before dropping a payload. Either way, it ends with business being seriously impacted, even if it’s only for a few days.


How Phishing Works

The key to stopping phishing is to understand how it works. Modern phishing attempts rely on a mix of technical elements and human fallibility in order to get through to users, and to get users to actually interact with the payload. Solutions that only address the technical side are doomed to fail eventually, while only training users isn’t enough because humans aren’t perfect.


Old-style phishing involved either compromising an email account or automating the creation and sending of emails from some source. Your friend's account "kathy1984@[email of choice].com" got compromised because she used "password123" as her password, and now a bot is sending links out from it. Or it's a pseudo-legitimate-looking address like "microsoftadmin2020@[provider of choice].com" telling you that your account was compromised and you need to click now to prevent it from being exploited further. Technology has made most of these obsolete, but they still work from time to time when they get through.


A technical solution can only get so good, and a person is going to make mistakes. Newer phishing attempts may link you to "app1e.com". There's a perfectly legitimate-looking sign-in page, and it will even redirect you through to the real Apple when you're done; the phisher just has your credentials too now. Note that the padlock proves nothing here: whoever controls app1e.com can get a perfectly valid certificate for it, so the domain itself is what has to be checked, not merely whether the connection is encrypted. If you don't stop and inspect the domain (and, for the more technical, the certificate), it's easy to get caught by this sort of attack. Many newer phishing attempts also tie in with exploits and similar tricks to further maximize their ability to spread and to be profitable.


Technical Solutions to Phishing

While there are solutions at all levels, I’m going to focus on the easiest for an IT administrator to implement and maintain easily in addition to what is already at a site. I’m going to list tools which I have worked with, but any listed items in no way represent the entire market. We’re going to focus on network level solutions, email level solutions, and endpoint level solutions.


Network Level

A network-level solution is usually the easiest to integrate into a site. With something like OpenDNS, you just point the DNS server or forwarders at the service and you stop a lot of attacks at the DNS level: a link to a known-bad domain simply doesn't resolve. There are more complex setups, like a Squid proxy configured to block malware and similar. Some firewalls even offer a malware-filtering service or tie-in which can help prevent these types of attacks. Enforcing certificate validation at the network level (rejecting connections whose certificate doesn't chain to a trusted CA or doesn't match the host name) is a good step against the common-name tricks that rely on bogus certificates. The logic is, if a user can't reach the link, they can't get phished.


The issue with network-level tools is that they tend to be rather easy to get around and the lists tend to be somewhat static. A device that uses a hard-coded resolver or DNS over HTTPS bypasses the filter entirely unless you also block outbound DNS to anything but your own resolvers. While OpenDNS may list a malicious domain within 24 hours of it going live, that doesn't mean you won't get hit before they find out about it. Network-level setups are just one component of the whole system for stopping attacks. This sort of setup does basically nothing to stop the phishing email itself from arriving, but it is extremely important nonetheless.


Despite a network-level setup not targeting the root cause of phishing, it's still the first step because it tends to be the easiest to set up and implement, and it blocks more than just phishing. This is a good security step for pretty much any site. Phishing is a huge threat, but so is just clicking the wrong thing on the internet and ending up with malware. Network setups are an easy blanket protection against multiple types of attacks.

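As an added example (not code from the original article, and not how OpenDNS or any other vendor implements its service), the following Python shows the mechanism a resolver-side filter relies on: subdomain-aware matching of a query name against a blocklist, an allowlist that overrides it, and the staleness caveat from the text. DomainSet, DnsPolicy and every name under .example are my own names for the demo; the blocklist and allowlist are constructed.

```python
"""Resolver-side domain filtering, the mechanism behind pointing your
forwarders at OpenDNS or running a local sinkhole.

Added example, not code from the original article or from OpenDNS.  The
blocklist, allowlist, timestamps and queried names are constructed.
"""
from datetime import datetime, timedelta, timezone

# Constructed timestamps: when the vendor list was last fetched, and "now".
LIST_FETCHED = datetime(2024, 11, 6, 12, 0, tzinfo=timezone.utc)
NOW = datetime(2024, 11, 7, 13, 33, tzinfo=timezone.utc)


class DomainSet:
    """Suffix trie over DNS labels.  A listed 'evil.example' also covers
    'cdn.evil.example' but never 'notevil.example'; naive substring matching
    gets the second case wrong and is a common filter bug."""

    def __init__(self, names=()):
        self._root = {}
        for name in names:
            self.add(name)

    @staticmethod
    def _labels(name):
        # Lowercase, drop a trailing dot, reverse so the TLD is the first level.
        return name.rstrip(".").lower().split(".")[::-1]

    def add(self, name):
        node = self._root
        for label in self._labels(name):
            node = node.setdefault(label, {})
        node["$"] = True  # end-of-name marker

    def match(self, name):
        """Return the listed name that covers `name`, or None."""
        node, seen = self._root, []
        for label in self._labels(name):
            if "$" in node:
                break  # a shorter listed suffix already covers this name
            node = node.get(label)
            if node is None:
                return None
            seen.append(label)
        return ".".join(reversed(seen)) if "$" in node else None


class DnsPolicy:
    SINKHOLE = "0.0.0.0"  # what a sinkholed A query is answered with

    def __init__(self, blocklist, allowlist=(), list_updated=None):
        self.block = DomainSet(blocklist)
        self.allow = DomainSet(allowlist)
        self.list_updated = list_updated  # when the vendor list was last fetched

    def decide(self, qname):
        """('allow'|'block', matched listed name or None).  The allowlist wins,
        so a false positive on a business partner's domain can be fixed locally
        without waiting for the list vendor."""
        hit = self.allow.match(qname)
        if hit:
            return "allow", hit
        hit = self.block.match(qname)
        if hit:
            return "block", hit
        return "allow", None

    def answer(self, qname):
        """Address to hand back for an A query: the sinkhole, or None to let
        the query through to the upstream resolver."""
        return self.SINKHOLE if self.decide(qname)[0] == "block" else None

    def list_is_stale(self, now, max_age=timedelta(hours=24)):
        """The caveat from the text: a domain registered this morning is not on
        a list fetched yesterday, so a stale list should raise an alarm."""
        return self.list_updated is None or now - self.list_updated > max_age


if __name__ == "__main__":
    policy = DnsPolicy(
        blocklist=["evil.example", "phish.dyndns.example"],
        allowlist=["ourbank.example"],
        list_updated=LIST_FETCHED,
    )
    for q in ("cdn.evil.example", "notevil.example", "login.ourbank.example"):
        print(q, policy.decide(q), policy.answer(q))
    print("list stale:", policy.list_is_stale(NOW))
```

The trie walk is the part worth copying: it stops at the first listed suffix it meets, so a listed parent covers every child, and an unlisted sibling such as notevil.example never matches. Combine the sinkhole with a firewall rule that only lets your own resolvers talk to port 53 and 853 outbound, or clients that bring their own resolver will never see the filter.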

Email Level

A user can't click a link if they never see it. Spam filters like VIPRE Email Security or SpamAssassin help cut down on what users see in the first place. Not all social-engineering attacks arrive by email (a USB drop in a parking lot is the classic non-email example), but the vast majority of phishing does. A good email filter should be at the core of your phishing-prevention efforts. The network-level solutions are easier to implement, but they only address the symptom (the user clicking the link) rather than the cause (the user seeing the link).


A properly tuned spam filter is going to block roughly 95–98% of spam. The remaining 2–5% should be caught by a mix of other technical solutions and user training. Spam filters do require tuning and testing to make sure they work. A poorly configured email-level solution can prevent a business from functioning if it latches onto the wrong sender (like invoices@ourimportantfinancialcompany.com) or the wrong kind of email (the one-time codes from noreply@our2fa.com, noreply@ourbank2fa.com, and so on). Test every rule change against the mail the business cannot live without, not just against the spam the rule is meant to catch.


Spam filters and other email-level solutions are not a set-it-and-forget-it solution. They need to be tuned continually, and there needs to be a way to exempt certain emails. A solution which does not provide a whitelist and blacklist (allowlist and blocklist) is completely useless for a modern business. One caveat: an allowlist entry keyed on the sender address alone is also a free pass for anyone who forges that address, so tie allowlist entries to SPF or DKIM results wherever the filter supports it. The site most likely also needs an employee who can access the spam filter's quarantine, and training on how to use it. Without that access, the client has to rely on you for every false positive.

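To make the allowlist/blocklist and tuning points concrete, here is an added example (my own code, not the article's and not SpamAssassin's) of an email-level policy in Python: the allowlist is only honoured when the sender authenticated, the blocklist wins outright, and a handful of header rules add up to a score with SpamAssassin's default threshold of 5.0. The two messages, every address in them and the Authentication-Results header are constructed; mx.example is the assumed authserv-id of our own mail server.

```python
"""Email-level filtering: allowlist and blocklist handling plus a small rule
score, in the spirit of a SpamAssassin-style filter.

Added example; not the article's code and not SpamAssassin's.  Both messages,
every address in them and the Authentication-Results header are constructed
for the demo; 'mx.example' is the assumed authserv-id our own MTA writes.
"""
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

OUR_AUTHSERV_ID = "mx.example"
QUARANTINE_AT = 5.0  # SpamAssassin's default required_score, reused here
PROTECTED_BRANDS = ("microsoft", "apple", "ourimportantfinancialcompany")


def auth_results(msg):
    """{'spf': 'pass', 'dkim': 'fail', ...} from the Authentication-Results
    header written by OUR MTA only.  A sender can add its own
    Authentication-Results header, so any other authserv-id is ignored."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = str(value).partition(";")
        if authserv.strip().lower() != OUR_AUTHSERV_ID:
            continue
        for clause in rest.split(";"):
            method, _, verdict = clause.strip().partition("=")
            if method and verdict:
                results[method.lower()] = verdict.split()[0].lower()
    return results


def score(raw, allowlist=(), blocklist=()):
    """Return (points, reasons, verdict) for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    display, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    from_domain = addr.rpartition("@")[2]
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    auth = auth_results(msg)
    authenticated = auth.get("spf") == "pass" or auth.get("dkim") == "pass"

    points, reasons = 0.0, []
    if addr in {a.lower() for a in allowlist}:
        # Honour the allowlist only when the sender proved it owns the domain.
        # An unconditional entry is a free pass for anyone who can type
        # invoices@ourimportantfinancialcompany.example into a From: line.
        if authenticated:
            return 0.0, ["allowlisted sender, SPF/DKIM pass"], "deliver"
        points += 4.0
        reasons.append("allowlisted address without SPF/DKIM pass (likely spoof)")
    if from_domain in {b.lower() for b in blocklist}:
        return 100.0, ["blocklisted sender domain"], "quarantine"

    if not auth:
        points += 1.0
        reasons.append("no authentication results from our MTA")
    if auth.get("spf") == "fail":
        points += 2.0
        reasons.append("SPF fail")
    if auth.get("dkim") == "fail":
        points += 2.0
        reasons.append("DKIM fail")
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        points += 2.5
        reasons.append("Reply-To goes to a different domain than From")
    for brand in PROTECTED_BRANDS:
        if brand in display.lower() and brand not in from_domain:
            points += 3.0
            reasons.append(f"display name claims {brand} but the domain does not")
            break
    verdict = "quarantine" if points >= QUARANTINE_AT else "deliver"
    return points, reasons, verdict


# Constructed sample messages.
PHISH = """\
Authentication-Results: mx.example; spf=fail smtp.mailfrom=bulk.example; dkim=none
From: "Microsoft Account Team" <microsoftadmin2020@bulk.example>
Reply-To: recover@bulk-reply.example
To: kathy1984@corp.example
Subject: Your account was compromised - click now

Your account has been compromised. Click here to secure it.
"""

INVOICE = """\
Authentication-Results: mx.example; spf=pass smtp.mailfrom=ourimportantfinancialcompany.example; dkim=pass header.d=ourimportantfinancialcompany.example
From: "Accounts Payable" <invoices@ourimportantfinancialcompany.example>
To: kathy1984@corp.example
Subject: Invoice 1042

Please find the invoice attached.
"""

# Same From: line as the real invoice, but it arrived from somewhere that
# fails both SPF and DKIM: exactly what a bare address allowlist lets through.
SPOOFED_INVOICE = INVOICE.replace(
    "spf=pass smtp.mailfrom=ourimportantfinancialcompany.example; dkim=pass",
    "spf=fail smtp.mailfrom=cheapvps.example; dkim=fail",
)

if __name__ == "__main__":
    allow = ["invoices@ourimportantfinancialcompany.example"]
    for name, raw in (("phish", PHISH), ("invoice", INVOICE), ("spoof", SPOOFED_INVOICE)):
        print(name, score(raw, allowlist=allow))
```

Two design points carry over to any real filter. First, only the Authentication-Results header your own MTA stamped (identified by its authserv-id) is trustworthy; a sender can include a forged one, so a filter that reads the first such header it sees is fooled. Second, the allowlisted invoice address is delivered untouched when SPF or DKIM passes and scored harder than an unknown sender when they don't, which is the difference between an allowlist that saves the finance team's day and one that hands an attacker a skeleton key.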

Endpoint Level

No matter how good your solutions above the endpoint level are, some amount of garbage is going to get through. It might be run-of-the-mill questionable enlargement-pill ads, and it might be a fake bank warning. The individual endpoint needs some kind of protection. While deploying antivirus solutions and similar is best practice anyway, one step which is often overlooked is pushing an ad blocker to users' browsers (both Chrome and Firefox let you force-install an extension through enterprise policy, so this does not depend on users installing it themselves).


A properly set up ad blocker can help prevent some phishing domains from working (uBlock Origin ships with malware-domain filter lists). It can also prevent questionable iframes and JavaScript tricks from loading correctly. While it's obviously not going to stop everything, it will stop some things in a way other solutions won't. uBlock Origin ended up being the silver bullet to stop a client from complaining about phishing on their terminal server. It also freed up resources.


Proper hardening of the individual endpoint can prevent some attacks from working as well. Making sure the system is up to date can help stop things like CurveBall (CVE-2020-0601, the Windows CryptoAPI flaw that let a forged certificate pass validation) from being a usable attack vector. Ultimately, the endpoint shouldn't be doing much to prevent phishing, as it is best handled above, but this doesn't mean the endpoint can't contribute to overall security against phishing.


Human Solutions

Technical solutions whittle the volume down layer by layer (95–98% at one layer, then 95–98% of what is left at the next), but with the sheer volume of phishing emails, something will eventually reach a user. Training is the only way to further whittle down the attacks technology can't catch (yet). Not every user can wrap their head around technical training, so there is common-sense training to stop phishing, and technical training for more advanced users.


Training to Spot a Phishing Attempt

If you don't use Bank of America and you get an email saying your Bank of America card is compromised, what should you do? Many users will click and go through the "verification" (including putting in their social security number) even though they don't use Bank of America (let alone "Bank of Amreica"). Train your users to ignore services they don't use at all, or at least to verify by calling a known branch or a contact method taken from the back of their card or the real website, never one taken from the email itself.


Look for obvious typos in the email as well. A professional email is probably not going to be littered with emojis and misspellings, but a lot of phishing emails are not written by native speakers. Some even intentionally use bad spelling and grammar to select for the most gullible people. Train users to forward suspicious email to their IT department rather than risking a click, and to forward it as an attachment so the original headers survive for analysis. Make this a painless process for them and something which does not impact their job. Kyle may send an email or ten every day, but at least he's not putting the company at risk anymore.


The next piece of training is to make sure users know that most services won't just reach out to them out of the blue and demand action. If you get an "important notification" from the bank, go to the bank website you know, log in, and check whether the message is there. If it isn't, there's a good chance it's a phishing attempt. Train your users to follow a specific process for interacting with financial institutions rather than just clicking links in an email. Check the URL behind a link (hover over it, or long-press on a phone) and make sure it makes sense. Your bank isn't going to link to "legitbank.[dynamic DNS host of choice].hk" for their "innvoice".

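The two link checks that come up in this guide, the look-alike domain "app1e.com" from the opening section and the "legitbank.[dynamic DNS host].hk" link here, are the same question: does the registrable domain behind the link actually belong to the brand it invokes? As an added example (my own code, not the article's), the Python below pulls the links out of an email body and answers that question with a cut-down public-suffix list, a confusable-character fold, and a link-text-versus-href comparison. The brand table, the suffix list and the HTML snippet are constructed for the demo; a real deployment would use the full Public Suffix List.

```python
"""Check the links in an email the way the training above asks a user to:
does the registrable domain really belong to the brand, is it a look-alike
such as app1e.com, and does the link text match where the href goes?

Added example, not from the original article.  The brand table, the cut-down
public-suffix list and the HTML snippet are constructed for the demo; a real
deployment would use the full Public Suffix List (publicsuffix.org).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# brand keyword -> the one registrable domain the brand really owns (assumed)
PROTECTED_BRANDS = {"apple": "apple.com", "legitbank": "legitbank.com"}

# Suffixes under which anyone can register a name.  Dynamic DNS providers
# belong here too: 'legitbank.dyndns.hk' is controlled by whoever signed up
# for that name, not by the bank.
PUBLIC_SUFFIXES = {"com", "hk", "com.hk", "co.uk", "example", "dyndns.hk"}

CONFUSABLE_CHARS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})
CONFUSABLE_PAIRS = {"rn": "m", "vv": "w", "cl": "d"}
HOST_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")


def registrable_domain(host):
    """Public suffix plus one label: the part of `host` its owner controls.
    'www.apple.com' -> 'apple.com'.  Returns None if `host` is itself a
    public suffix."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return ".".join(labels[-2:])  # unknown TLD: fall back to the last two labels


def skeleton(label):
    """Fold look-alike characters so 'app1e' and 'apple' compare equal."""
    folded = label.lower().translate(CONFUSABLE_CHARS)
    for pair, replacement in CONFUSABLE_PAIRS.items():
        folded = folded.replace(pair, replacement)
    return folded


def check_link(href, text=""):
    """Return human-readable findings for one link; [] means nothing suspicious."""
    host = (urlparse(href).hostname or "").lower()
    reg = registrable_domain(host) or host
    findings = []
    shown = HOST_IN_TEXT.search(text.lower())
    if shown and registrable_domain(shown.group(1)) != reg:
        findings.append(f"link text shows {shown.group(1)} but goes to {reg}")
    for brand, official in PROTECTED_BRANDS.items():
        if reg == official:
            continue  # the real thing, or a subdomain of it
        if any(brand in label for label in host.split(".")):
            # Brand name somewhere left of the registrable domain, e.g.
            # apple.com.verify-login.example.  Errs on the side of flagging.
            findings.append(f"brand {brand} used on {reg}, which it does not own")
        elif skeleton(reg.split(".")[0]) == skeleton(official.split(".")[0]):
            findings.append(f"{reg} looks like {official}")
    return findings


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_html(html):
    """{href: findings} for every link in the body."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: check_link(href, text) for href, text in parser.links}


# Constructed email body with the three cases from the text.
SAMPLE = """<p>Your innvoice is ready.</p>
<a href="http://legitbank.dyndns.hk/innvoice">https://www.legitbank.com/invoices</a>
<a href="https://app1e.com/signin">Sign in to Apple</a>
<a href="https://www.apple.com/">Apple</a>"""

if __name__ == "__main__":
    for href, findings in audit_html(SAMPLE).items():
        print(href, "->", findings or "ok")
```

The registrable-domain step is what makes the check robust: it ignores everything to the left of the public suffix plus one label, so "apple.com.verify-login.example" is judged by "verify-login.example" and a brand name sitting in a subdomain buys the attacker nothing. The confusable fold handles the digit-for-letter swaps; it deliberately does not try to cover Unicode homographs, which a production check should take from the Unicode confusables table.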

Technical Training

Common-sense training will get you far, but there are still phishing attempts which will beat common sense if they make it through the technical barriers. Make sure there are at least some users trained to inspect the certificate chain of a website and to read email headers (the Received: chain and the Authentication-Results written by your own mail server). These are highly technical tasks for the average person, but showing your client how demonstrates that you know the subject, and enables them to prevent issues themselves.


This type of training is going to be useless for the vast majority of users, but if they learn even a little, they can weed out some of the better attacks. The other effect I have seen from this type of training is that even if the user retains nothing about the technical work itself, they learn that "just because it looks legitimate does not mean it is." This shift in mentality can make the difference between being compromised and getting by without incident.

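"Look at the email headers" in practice means walking the Received: chain to find the host that actually handed the message to your own server and comparing that with what From: claims. Here is an added example of that walk (my own code, not the article's). The message is constructed; mx.example and mail.corp.example are the assumed names of our own mail servers, and ourbank.com and cheapvps.example are placeholders.

```python
"""Walk the Received: chain of a message to find the host that handed it to
our mail server, then compare that with what From: and Return-Path: claim.

Added example, not code from the article.  The message is constructed;
'mx.example' and 'mail.corp.example' are the assumed names of our own
servers, and 'ourbank.com' / 'cheapvps.example' are placeholders.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

OUR_HOSTS = {"mx.example", "mail.corp.example"}

# "from <helo-name> (<reverse-dns> [<ip>]) by <receiving-host> ..."
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>[^\s;]+)",
    re.IGNORECASE,
)


def parse_received(value):
    """One Received: header -> {'helo', 'rdns', 'ip', 'by'} or None."""
    m = RECEIVED_RE.search(str(value))
    if not m:
        return None
    hop = m.groupdict()
    hop["rdns"] = hop["rdns"] or hop["helo"]  # no reverse DNS recorded: fall back
    return {k: (v.lower() if v else v) for k, v in hop.items()}


def external_hop(msg):
    """Received: headers are prepended, so the first is the newest.  Walk
    top-down: the first hop written by one of OUR_HOSTS whose sender is not
    one of ours is the external hand-off.  Everything below it was written
    by outsiders and may be forged."""
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop and hop["by"] in OUR_HOSTS and hop["rdns"] not in OUR_HOSTS:
            return hop
    return None


def inspect_headers(raw):
    """Return the external hop plus a list of findings for one raw message."""
    msg = message_from_string(raw, policy=default)
    hop = external_hop(msg)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    rp_domain = return_path.rpartition("@")[2].lower()
    findings = []
    if hop is None:
        findings.append("no Received: line written by our own servers; chain untrustworthy")
    else:
        if hop["helo"] != hop["rdns"]:
            findings.append(f"sender announced itself as {hop['helo']} but reverse DNS is {hop['rdns']}")
        # Legitimate bulk senders (mail sent via a third party) trip this too,
        # which is why it is a signal for a trained user, not a verdict.
        if from_domain and not hop["rdns"].endswith(from_domain):
            findings.append(f"From: claims {from_domain} but it arrived from {hop['rdns']} [{hop['ip']}]")
    if rp_domain and from_domain and rp_domain != from_domain:
        findings.append(f"Return-Path {rp_domain} does not match From: {from_domain}")
    return {"hop": hop, "from_domain": from_domain, "findings": findings}


# Constructed message: a "bank alert" that really came from a cheap VPS.
SAMPLE = """\
Return-Path: <bounce@cheapvps.example>
Received: from mx.example (mx.example [10.0.0.5])
    by mail.corp.example with ESMTP id 1; Thu, 07 Nov 2024 13:33:03 +0000
Received: from mail.ourbank.com (bulk-77.cheapvps.example [203.0.113.77])
    by mx.example with ESMTP id 2; Thu, 07 Nov 2024 13:33:01 +0000
Received: from [192.168.1.20] (unknown [192.168.1.20])
    by mail.ourbank.com; Thu, 07 Nov 2024 13:32:50 +0000
From: "OurBank Alerts" <alerts@ourbank.com>
To: kathy1984@corp.example
Subject: Important notification about your account

Log in now to keep your account active.
"""

if __name__ == "__main__":
    result = inspect_headers(SAMPLE)
    print("external hop:", result["hop"])
    for finding in result["findings"]:
        print("-", finding)
```

The point the training should land is in external_hop: only the Received: lines your own servers wrote can be trusted, and the very first of those names the real submitting host. The bottom line of the sample, which claims the mail passed through mail.ourbank.com, was written by the attacker's server and means nothing.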

Conclusion

Phishing is prevalent and getting smarter. Combine technology with training to prevent it from being effective. Phishing relies on people seeing it and then falling for it. By using technology, you reduce the first, and by training, you reduce the second.


Institute a technical stack from the network level on down to keep spam and phishing emails from working. The network level prevents malicious links from resolving, the email level keeps spam and phishing emails from showing up, and the endpoint level reduces the chance of an attack succeeding. These also add security overall.


Training prevents the attack from being able to leverage the human element. It doesn’t matter if the phishing attempt from “Bank of America” gets through if the user knows they only have Wells Fargo. Use technical training to help show users that an email isn’t just what it appears to be. Even if the technical training doesn’t take, the mindset may.


By combining these factors, you make your users more secure and reduce your liability if something goes wrong. Audit and secure their site and you prevent more than just phishing. Train them and you reduce the chance of an incident. Even if the company doesn't sue you in the event they get phished, they may go under, costing you income. Securing them secures you.


Originally published at https://somedudesays.com.


Translated from: https://medium.com/swlh/the-it-professionals-guide-to-stop-phishing-b44e8d1d609b
