Target, Ashley Madison, the DNC, Twitter, LinkedIn, PayPal, multiple healthcare institutions—it seems not a day goes by that we’re not hearing about another data breach, whether it’s a nation-state infiltrating governmental institutions, a breach of usernames and passwords numbering in the millions in a single instance, or, the most prevalent of them all, another case of ransomware holding files hostage until a payment is made. It often feels like we’re being inundated to the point of exhaustion, and it happens so often that it can seem there’s nothing we can do to avoid being the next victim. The ugly truth is that there’s no way of ensuring, beyond any shadow of a doubt, that one will not fall victim. The good news is that there are steps that can be taken to lower an attack profile, greatly reducing the chances of being victimized.
Security, or data integrity, is not a function of the IT department alone. Sure, they’ll work to institute controls and governance, oversee the technological aspects, and look for and respond to threats, but the job of securing information is not theirs alone. The first point to acknowledge is that we are all part of the cybersecurity force that resides within our environment. It’s only by working together that we increase our ability to keep information, both our clients’ and our own proprietary data, as secure as possible. One can never guarantee 100%, but one can certainly improve the odds.
In order to do so, one must look at the threat landscape and know where to put forth efforts, resources, and people in order to create the best opportunity for success. One of the first steps is to look at the threat landscape: what types of vulnerabilities and tactics are threat actors using the most? Determine which ones are most likely to be used in an attack, and begin to build a security process around them. The nation-state attempting to infiltrate systems is not likely to be high on that list. So while it may sound like the “coolest” one to go after, it may not be a good use of the limited resources out there. The most common threat to one’s security is phishing scams.
Phishing scams come in many different forms. At its most basic and broadest level, it’s an email created to mimic that of a popular service or utility (think Best Buy, PayPal, or iTunes account). An email is crafted by a threat actor to entice the recipient to click on a link or attachment within the email—doing so allows a malicious program to run. What that program does will vary: it could present a fake account reset to get you to supply your username and password. Those credentials, now compromised, can be used by the attacker to launch any number of attacks against the organization or against individuals’ personal online accounts, using credentials the system willingly accepts. The malicious program could install ransomware, which will search through all local and network drives, encrypting all files it deems important based on the type of file. One will then be locked out of all files until the ransom is paid. The email itself is crafted so that it can be sent to thousands of users, generic in look, form, and function.
Spear Phishing Campaigns
Organizations are more likely to be targeted by a spear phishing campaign. Similar in intent to the basic phishing campaign, a spear phishing attack is crafted for a specific user. Users are referenced by name or department. Information relevant to the individual, all gleaned from social media sites (LinkedIn is responsible for 88% of the information that will be used in these attack campaigns), will be used to make the email feel more legitimate and personal. These campaigns also include attacks known as whaling and/or business email compromise. Whaling attacks go after C-level members, who have greater access than general staff, to entice them to give up their information or grant malware access to the system. Business email compromise consists of crafting an email so that it appears to be coming from a member of senior leadership; CEOs or similar positions are most often used. The email is sent to a member of the firm requesting that information be sent on to the “CEO.” That information could be all corporate payroll data (which has been a very lucrative enterprise) or the request of a wire transfer. These emails are commonly sent to the COO, the head of Human Resources, or a member of their department who is most likely to comply with such a request. After all, no one wants to disappoint their boss.
What to do? There is no silver bullet. No panacea. No one-size-fits-all solution that each and every company can apply to reduce their risk. An internal risk assessment should be conducted.
Questions to be answered:
- How do we operate?
- What vulnerabilities are present in how we conduct business?
- What processes and procedures leave us most vulnerable? Should they be changed, and if not, what steps can we take to increase their security?
It seems so daunting a task that you might ask yourself: where do we even start?
You must have a firewall! At this point in the cybersecurity world, a firewall is the technological equivalent to putting a lock on the door to your home. Yes, it’s simple. Sure, all doors are going to have at least one lock. What fool would put a door on their home without a lock? But it’s really just an initial step. Firewall configuration can be tricky business. The best policy is to start from a strict denial of all transmission and then start opening holes as needed. (Much more difficult to do in an organization that’s been operating for any period of time, yet still the best practice.) However, if you want to get the best bang for your buck—if you really want to take steps against your greatest and most likely threat—you’re going to need to target those phishing attacks, in all their many shapes, sizes, and variations.
Even this doesn’t have a universal solution. There are different methods, tactics, and technology options available, any combination of which will help increase the security of your systems. There are email security providers, such as Mimecast or Postini (now a part of Google Apps), which act as a gateway for all email transmissions headed to your domain. A large number of these false and/or malicious emails will be filtered out at this level, never making it into your environment and certainly never appearing in the inbox of any of your users. For an additional fee per user, they may offer a service that strips all links and attachments and inserts “pointers” that your users will see. If a link claims to be going to paypal.com but is actually going to stealingyourdata.net, the false link is removed. The attachment is never opened in your environment.
Sandboxes are used as a secured space where questionable email links and attachments are opened and their behavior monitored; kind of like setting off a bomb in a secured location to see what it does. If the behavior in the sandbox is safe, the message is passed on. If not, the system kills the email’s delivery and flags the sending user and/or IP address for all future emails. It could even alert your administrator about the event, allowing them to determine if further action is necessary.
Getting back to the people.
Remember, data security is not the realm of IT alone. It is everyone’s responsibility—a corporate culture that must be instituted, nurtured, and enforced on a regular basis. So how does that help with these phishing attacks? (Phishing attacks account for 91% of infiltrations into systems, and of those, 93% are ransomware.) The payload varies, but nine out of ten times, the delivery method is a phishing email.
Train your users. Train, train, train.
- Use companies such as KnowBe4 and PhishMe to conduct internal phishing campaigns to see the effectiveness of your training(s), to identify your weak points, and to identify the staff that need refresher courses. Even if one of those malicious emails makes it through your technology safeguards, you should be confident that your staff can identify a phishing email, report it to your IT and/or security operations, and not be fooled into clicking on the link.
- Teach them to carefully review the information in the header; that’s who an email is supposedly from. It may show the name John Smith, but the email address is firstname.lastname@example.org.
- Educate them to see that the grammar and word usage in these emails is generally poor.
- Show them how to hover their mouse over links so the pop-up displays where that link is really going, not just what’s in that bold, blue typeface.
- Explain how attackers use similar domain names: google.ru rather than google.com, email@example.com instead of the proper yahoo.com, or burn.com instead of bum.com, creating domain names with slight variations of the original that people don’t notice at an initial glance.
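As an added illustration (not code from the original post or from any vendor named in it), here is a small Python checker that applies the header, hover and lookalike-domain checks from the list above to a constructed sample message; the trusted-domain list and the homoglyph table are assumptions a firm would tune to its own correspondents.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample lure (not a real message): lookalike sender domain plus a misleading link.
SAMPLE = """From: PayPal Support <billing@paypa1-secure.net>
Content-Type: text/html

<p>Dear costumer, please <a href="http://stealingyourdata.net/reset">
https://www.paypal.com/reset</a> to restore you're account.</p>
"""
TRUSTED = ("paypal.com", "google.com", "yahoo.com")  # assumed: brands the firm expects mail from
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"))  # burn -> bum, paypa1 -> paypal
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registered_domain(host):
    return ".".join(host.lower().rstrip(".").split(".")[-2:])  # www.paypal.com -> paypal.com

def lookalike_of(host):
    """Trusted domain this host imitates (google.ru, paypa1-secure.net); None otherwise."""
    if registered_domain(host) in TRUSTED:
        return None
    labels = re.split(r"[.-]", host.lower())
    for glyph, plain in HOMOGLYPHS:  # collapse characters that read alike at a glance
        labels = [label.replace(glyph, plain) for label in labels]
    for trusted in TRUSTED:
        if trusted.split(".")[0] in labels:
            return trusted
    return None

def check_message(raw):
    """Run the header, lookalike-domain and hover checks; return a list of findings."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg["From"])
    sender_host = addr.partition("@")[2]
    findings = []
    brand = lookalike_of(sender_host)
    if brand:
        findings.append(f"sender domain {sender_host} imitates {brand}")
    elif registered_domain(sender_host) not in TRUSTED and any(
            t.split(".")[0] in name.lower() for t in TRUSTED):
        findings.append(f'display name "{name}" is not backed by address {addr}')
    for href, text in ANCHOR.findall(msg.get_payload()):  # hover check: text vs. real target
        target = urlparse(href).hostname or ""
        shown = re.sub(r"\s+", "", text)
        shown_host = urlparse(shown).hostname if "://" in shown else None
        if shown_host and registered_domain(shown_host) != registered_domain(target):
            findings.append(f"link shows {shown_host} but points to {target}")
    return findings
```

Run `check_message(SAMPLE)` to see both the lookalike sender and the mismatched link reported; a message from a trusted domain whose link text matches its href returns an empty list.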
It’s only a start. But it’s a good start. Consistently assessing and informing. That’s how you win the war. And it is a war. There’s an old joke about a man and his son hiking through the mountains. They suddenly come across a mountain lion. Slowly, the father begins to slip off his backpack and tighten his laces. The son says, “Dad, Dad. What are you doing? You know you can’t outrun a mountain lion.” The father looks aside at his son and replies, “No son. I can’t. But I can definitely outrun you.” Turn your organization into one that isn’t an easy target, one that requires far more work than the payout is worth to the attackers. Don’t allow yourself to be the low-hanging fruit. That is the best way to greatly reduce your risk footprint and increase the security of your data.