
Over the years, I found myself constantly pointing out to organizations that emails containing links with 3rd party domain names that are relatively unknown are problematic. That's how social engineering occurs. For example, surveymonkey is well-known, but survey.alchemer-ca.com not so much.

I'm beginning to wonder how realistic this is. If it's just noise, then there are negative repercussions for being the lone wolf baying at the moon. Organizations typically have more demand than their IT/security staff can service. Requiring that links point to the organization's domain for redirection to a 3rd party service is not feasible in most cases.

A further complication is that it adds yet more process, compromising the agility with which staff achieve outcomes, e.g., conduct polls, surveys, and organize events.

Finally, even if such a process were put into place, unless there is a constant reminder of its necessity, it is easy for staff to forget, to make "exceptions", or for new staff to not be indoctrinated into its use.

In view of the challenges, what is a feasible way to avoid the vulnerability to social engineering posed by 3rd party links in emails?

schroeder
user2153235

1 Answer


It is far more nuanced than you have described. And you need to provide more clarity for people on what "less known" means.

The feasibility of this process will depend on the company and industry. In some regulated industries, places have allowlists on their firewalls and email filters to only allow links from the Alexa Top X plus known partners. Or just known partners. In other places, such a process would simply not work.

I regularly advocate for firewalls/filters to block "new" sites, where the domain is less than a month old. This is one form of defining "less known" domains.

So, whether your suggestion makes sense depends on the risk profile of the organisation and the impact of doing what you suggest versus the impact of something going wrong if they don't. Just offering vague blanket advice to all parties equally is where you are going to have trouble.

Define the risks and tailor the risk response to the organisation. Ultimately, that's what is going to be feasible.

schroeder
  • Thanks, I added an example of well-known vs. not-so-much. I don't think I can provide a hard definition because it is a gray zone that depends on the individual. Most of the time, I am exhorting organizations on a business-personal relationship, so internal measures like white/black lists don't apply (or if they do, I'm not aware of how, though I am not in the security industry). The risk is only indirectly to the organization, as it is the individuals that get nailed in the case of social engineering. The organization most recently in mind is quasi-affiliated with government. – user2153235 Mar 08 '21 at 15:48
  • You are trying to mitigate the risk of a malicious domain by applying a discretionary mitigation against all "unknown" domains. That's not feasible. It will help in some cases, sure. But if you can define the problem better, you will get better solutions. – schroeder Mar 08 '21 at 16:47
  • What if the problem is framed not as a corporate one, but what individuals receive (personal email or business-personal email)? Is there a recommended practice for links to unrecognized domain names? There is no rule for identifying potentially malicious domains other than personal discretion. – user2153235 Mar 08 '21 at 18:03
  • Reaching out to the organization for confirmation is one course of action, but if the sender is an organization, then it's not practical for them to respond to many individuals. Plus, the individual sometimes never hears back, or does so after much elapsed time. Wondering also if a common best practice applies across emails from organizations and personal connections. I guess one rather hands-off approach may be SpyBot S&D's browser immunization. – user2153235 Mar 08 '21 at 18:03
  • There are ways to identify potentially malicious domains: there are scripts that can identify DGA domains, domain age, and domain reputation as an automated check. If you want to know what to *tell* people to do on their own, then you have to make up whatever discretionary process that works *for them*. – schroeder Mar 08 '21 at 18:23
  • Putting measures in place to protect against malicious links is always a good thing to consider. Security is about layers: detect, identify, respond, recover. You need something in each layer. No general advice is going to work as the only layer you use. – schroeder Mar 08 '21 at 18:24
  • It sounds like best practice is hard to come by because it is situation-specific. For the everyday user receiving email outside of an organization, it's user beware. – user2153235 Mar 08 '21 at 19:40
  • Of course. There is no simple, cookie-cutter answer to complex problems. – schroeder Mar 08 '21 at 20:23
  • Notwithstanding the inescapable reality that you describe, the situation is really not ideal. There are charitable organizations that can't be expected to have high-power IT departments, and they are soliciting donator feedback on how they conduct certain operations. They collect the feedback using survey services offered by little-known 3rd parties. Sigh. – user2153235 Mar 28 '21 at 00:03
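The answer suggests filtering on domain age (block domains under a month old) and the comments mention automated checks for DGA-style names, domain age and reputation. The script below is an added example of what such a check looks like when run over the links in an email body; it is not code from the answer or from any product. The allowlist, the registration dates (a stand-in for a WHOIS/RDAP lookup) and the sample email are all constructed, and the two-label suffix list is a deliberately tiny substitute for the Public Suffix List.

```python
"""Offline triage of links in an email body: allowlist, domain age and a
cheap DGA-style label heuristic. Added example with constructed data."""
import math
import re
from datetime import date
from urllib.parse import urlparse

# Assumed allowlist of well-known / known-partner registrable domains.
KNOWN_DOMAINS = {"surveymonkey.com", "example.org"}

# Constructed stand-in for a registration-date (WHOIS/RDAP) lookup.
REGISTRATION_DATES = {
    "surveymonkey.com": date(1999, 6, 1),
    "alchemer-ca.com": date(2020, 11, 1),
    "xk3v9qz2lwpd.net": date(2021, 3, 1),
}

# Tiny assumed list of two-label public suffixes; a real tool would use the
# Public Suffix List (e.g. via the tldextract package).
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)
VOWELS = set("aeiou")
TODAY = date(2021, 3, 8)  # fixed "today" so results are reproducible


def registrable_domain(host):
    """'survey.alchemer-ca.com' -> 'alchemer-ca.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def shannon_entropy(s):
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def looks_machine_generated(label):
    """DGA heuristic: flag when at least two of three signals fire
    (high character entropy, many digits, long consonant run)."""
    run = best = 0
    for c in (c for c in label if c.isalpha()):
        run = run + 1 if c not in VOWELS else 0
        best = max(best, run)
    digit_ratio = sum(c.isdigit() for c in label) / max(len(label), 1)
    signals = [shannon_entropy(label) >= 3.3, digit_ratio >= 0.2, best >= 5]
    return sum(signals) >= 2


def assess_link(url, today=TODAY, min_age_days=30):
    """Return a verdict for one URL: allow (known), block (red flags),
    or review (unknown but nothing suspicious, i.e. the grey zone)."""
    host = urlparse(url).hostname or ""
    domain = registrable_domain(host)
    if domain in KNOWN_DOMAINS:
        return {"url": url, "domain": domain, "verdict": "allow", "reasons": []}
    reasons = []
    registered = REGISTRATION_DATES.get(domain)
    if registered is None:
        reasons.append("no registration record")
    elif (today - registered).days < min_age_days:
        reasons.append("domain is %d days old" % (today - registered).days)
    if looks_machine_generated(domain.split(".")[0]):
        reasons.append("label looks machine-generated")
    verdict = "block" if reasons else "review"
    return {"url": url, "domain": domain, "verdict": verdict, "reasons": reasons}


def scan_email(body, today=TODAY):
    """Extract every http(s) URL from a plain-text body and assess it."""
    return [assess_link(u, today) for u in URL_RE.findall(body)]


# Constructed sample email body.
SAMPLE = """Dear donor,
Please take our survey: https://survey.alchemer-ca.com/s3/1234/feedback
Results will be posted at https://www.surveymonkey.com/r/ABC123
Confirm here: http://xk3v9qz2lwpd.net/login?u=42"""

if __name__ == "__main__":
    for r in scan_email(SAMPLE):
        print(r["verdict"].upper(), r["domain"], "; ".join(r["reasons"]))
```

The three verdicts map onto the answer's point: a known partner is allowed outright, a domain that is days old or has a machine-generated label is blocked, and an unknown but otherwise clean domain (the alchemer-ca.com case from the question) is neither, it goes to a human, which is exactly the discretionary grey zone the comments describe.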