Cyber security: mitigating threats in the workplace

Cybersecurity depends on many factors, not the least of which is people, writes Javier Brias, Marketing & PR Manager, Secon Cyber Security.

In 1993, when Sir Tim Berners-Lee invented the World Wide Web and proposed the creation of an Information Superhighway, the promise of a brave new world unfolded before us – a platform from which to freely and openly share information; its impact would transform the world.

The internet, and the world, have indeed transformed since those early days, and not always for the better. The good part is that we now have more information available to us than has ever been available at any time in all of human history. The bad part is that the internet has also spawned a proliferation of malicious software that, in many cases, has outwitted even the best protection software.

Today, malware is a business – big business. Over the three-year period from 2013 to 2015, it is estimated that cyber criminals made off with US$ 3 billion from 22,000 victims in 79 countries from Business Email Compromise (BEC) attacks, according to Trend Micro’s own findings from its Smart Protection Network.

Business email compromise (BEC), or phishing as it is more commonly known, seeks to trick the recipient (the victim) into transferring large amounts of money into 3rd party bank accounts (the attacker) at the behest of a company executive whose email account has been hacked or spoofed.

Make no mistake, this type of attack takes a lot of planning and the payoff is much greater than ransomware attacks. The difference is that ransomware uses a ‘shotgun’ effect whereas BEC is highly targeted. Both are about extracting money from the victim, but they take different paths to get there. The FBI estimates that in 2016 alone, ransomware losses topped the US $1 billion mark. Such figures are difficult to confirm because many companies choose not to divulge information about breaches.

Ransomware

For the uninitiated, a ransomware attack usually occurs as a result of an unsuspecting victim clicking on an email attachment they shouldn’t have. There are other delivery methods, but email attachments or links are the most common. Once clicked, the attacker has control of the victim’s device and proceeds to encrypt all the files. A payment, or ransom, is then solicited by the attacker to release the code that will unlock the encryption. Payment is made in units or fractions of Bitcoin.

Ransomware kits can be readily purchased on the dark web and are easy to use and deploy; no special technical skills are required. Malware-as-a-service, botnet rentals by the hour, zero-day exploits, tech support...there’s a whole market for these services on the dark web. It’s no surprise, then, that students, housewives and people from all walks of life are turning to malware to augment their incomes.

This type of attack will increase in the coming years because of its ease of use. In fact, new delivery and payment methods have emerged. One of the more unusual demanded no ransom payment but asked infected victims to spread the malware to 2 other victims as a condition for retrieving the decryption code. 

Business Email Compromise

BEC is much more sophisticated in that attackers will spend approximately three months (sometimes longer) researching their target. They start by infecting a large company with a ‘listening’ malware that just sits in the target’s servers. It causes no harm but is constantly monitoring and gathering information...and it is thorough.

By the time they are ready to launch their phishing emails, the attackers know everything about the company’s business processes – who their customers are, who makes the money transfers, to whom they delegate responsibilities, their job titles, their routines, even the language and tone of the emails. They leave nothing to chance.

In large companies, not everyone knows all the employees, so it is not unusual for a controller to get an email from a ‘superior’ asking for a transfer of funds. Ordinarily, these requests will have a tone of urgency - the director of finance is on holiday, it’s a Friday afternoon and a transfer needs to be done before end-of-day for goods that are desperately needed, and you’ve been instructed to ‘do it.’

Under such circumstances there’s really no time to verify these payment requests. If the person doesn’t do as instructed, his or her job is on the line. Who’s going to question ‘the boss,’ anyway? But therein lies the deceit. The boss didn’t send that email, the attacker did.

Just recently, a man from Lithuania was arrested for phishing more than US$ 100 million from two major US technology companies. In another case, the CEO of a company supplying parts to Boeing and Airbus was fired because he got tricked into wiring €52.8 million to hackers.

Education is the answer

As a cybersecurity technology company, we at Secon Cyber Security specialise in mitigating and eliminating cyberthreats in corporate environments by offering an integrated approach to security services and technology. We are at the forefront in the fight against hackers, data breaches and compromised emails. However, regardless of the state of the art in hardware and software development, one thing is certain: when it comes to security, people are the weakest link. In its 2016 Data Breach report, Verizon found that 90% of security incidents can be attributed to people. The only answer is education and information.

Employees must be informed of the latest threats and how to avoid them. Additionally, they must be constantly trained on best practices when dealing with emails, social media, malicious websites and dubious requests. They should be trained to look for the tell-tale signs of scam websites and fake emails. And they should be allowed to question ‘requests’ from the boss that are questionable.

Does the website have a security certificate (the URL will start with ‘https’ and the name will be in green), or does it have an unrecognisable extension (.co.ua instead of .co.uk)? Is a government office informing you that you have a refund? Is a bank asking you to give them your account and PIN number? Is that email from mark.jones or rnark.jones?
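The mark.jones / rnark.jones and .co.uk / .co.ua checks above can also be run automatically over incoming sender addresses. The following Python is an added example, not part of the original article or of any Secon product; the addresses, the list of confusable characters and the 0.9 similarity threshold are constructed assumptions.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed sample directory of legitimate senders (assumption).
KNOWN_SENDERS = {"mark.jones@example.co.uk", "finance@example.co.uk"}

# Letter pairs that read like one letter in many fonts ("rn" looks like "m").
CONFUSABLE_SEQUENCES = [("rn", "m"), ("vv", "w"), ("cl", "d")]
# Single characters commonly swapped for a similar-looking letter.
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "|": "l", "5": "s"})


def skeleton(text):
    """Reduce an address to a visual skeleton so look-alikes compare equal."""
    # NFKC folds compatibility forms such as full-width letters.
    text = unicodedata.normalize("NFKC", text).lower()
    text = text.translate(CONFUSABLE_CHARS)
    for seq, repl in CONFUSABLE_SEQUENCES:
        text = text.replace(seq, repl)
    return text


def classify(sender, known=KNOWN_SENDERS, threshold=0.9):
    """Return (verdict, matched_address) for one sender address.

    verdict is "known" (exact match), "lookalike" (not an exact match but
    visually close to a known sender) or "unknown".
    """
    sender = sender.strip().lower()
    if sender in known:
        return ("known", sender)
    best, best_score = None, 0.0
    for legit in sorted(known):
        # The same skeleton is applied to both sides, so a legitimate name
        # that happens to contain "rn" is still compared consistently.
        score = SequenceMatcher(None, skeleton(sender), skeleton(legit)).ratio()
        if score > best_score:
            best, best_score = legit, score
    if best_score >= threshold:
        return ("lookalike", best)
    return ("unknown", None)


if __name__ == "__main__":
    for addr in ("mark.jones@example.co.uk", "rnark.jones@example.co.uk",
                 "mark.jones@example.co.ua", "newsletter@vendor.test"):
        print(addr, "->", classify(addr))
```

A "lookalike" verdict is a reason to hold the message for verification through a second channel, not proof of fraud; an "unknown" sender is simply one that is not in the directory.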

Secon Cyber Security offers best-of-breed hardware and software solutions that mitigate ransomware and phishing attacks. However, the most important aspect of cybersecurity is the need to build a human firewall. And this can only be achieved through constant awareness training of the latest threats being released and how to counteract them. We not only train professionals, but also carry this message across to children as well through our involvement with organisations like BITC.

This becomes even more important with the onset of the General Data Protection Regulation (GDPR) next year. GDPR compliance with respect to data security is a game changer for the penalties and fines it may impose for loss or breach of personally identifiable information (PII).

Hence, when it comes to data protection, we must think of mitigation techniques from two perspectives: corporate and individual.

Four steps towards corporate data protection

1. Robust email and web gateways: Look for solutions that offer malware scanning and file risk assessment, sandbox malware analysis, document exploit analysis, and web reputation. At the web level, you’ll need real-time web reputation, sandbox analysis and the ability to scan for zero day and browser exploits.

2. Endpoint security should monitor for suspicious behaviour, enforce application whitelists and feature vulnerability shielding to protect against unpatched security holes. Ensure all devices are patched and updated.

3. Malware may also infiltrate the organisation through network protocols and unprotected ports. The network should have advanced detection capabilities (IDS/IPS) across all traffic, ports and protocols to stop malware.

4. The servers are where most of the organisation’s critical data reside, so it’s important to ensure unpatched vulnerabilities are protected via virtual patching. Select a solution that can monitor for lateral movement and file integrity. Regularly schedule backup during offline hours, if possible. Otherwise, backups should be done in phases.

Five easy security to-dos individuals should follow

1. Think before clicking. It may sound simplistic but it works. Be especially wary of macro-enabled attachments or links, and don’t fall for easy come-ons.

2. Ensure your device is protected, patched and updated with the latest security advisories.

3. On social media, tighten up your privacy settings: don’t share everything with everybody and never divulge personal information.

4. Uninstall web browser plug-ins that are unnecessary.

5. Backup, backup, backup. Make it a habit to regularly backup your important files, documents, videos, and photos.

For more information, visit Secon Cyber Security.