The Bad Guys are Getting Smarter. Time for Improved Security Measures.
The security landscape is getting more dangerous. The days of poorly worded emails from a fictitious Nigerian prince who wants to send you ten million dollars are long gone. No more bad grammar. No more fuzzy images. The phishing is getting better and better. It’s fooling even savvy users, and organizations are ending up with ransomware in their systems, leading to huge losses and severe business disruption. What should we do about it?
First, understand that the most effective attacks are behavioral, not technical. The goal is to fool someone into doing something they shouldn’t. Spear phishing, fraudulent phone calls, sham faxes, and specious texts are all effective. Criminals are less likely to hack your firewall than to get an employee to give up their credentials or other personal information. Even worse, you may not know you have been compromised for a long time – when it is too late to stop the damage. Ransomware criminals have a very effective business model: encrypt the systems, get paid a huge ransom, unlock the systems. They even have a help desk available to get assistance in paying the ransom. It is a hugely successful business for bad actors!
Here are two real-life examples of spear phishing. In the first, an executive received an email from one of their professional contacts. The contact was a valued colleague and a member of the same professional organization. The friendly email contained personal information about the executive’s family, job, leisure activities, and past jobs. It was a reminder from a friend to get onto the professional organization’s web site and sign up for the upcoming conference. The executive clicked the link. In this case, the security systems of the organization blocked access to the fraudulent website and no harm was done. How did the fraudster know all of this personal information? All of the information in this fictitious email was found on LinkedIn. It was simple for the bad guy to create an email account and launch a spear phishing attack.
In the second case, a payroll clerk received a fax from an employee requesting a change to their direct payroll deposit. There was a signed organizational form attached with all the relevant information and new account numbers (an old form, but still one from that organization). The clerk was fooled and started the process. An out-of-band organizational control regarding changes to payroll data kept the change from happening. It was a close call. How did this bad guy find this information and this form? It is all on the organization’s website. Easy.
A second effective step is to harden passwords. Stop using variations of the same password for all of your accounts. Stop using common words as part of your passwords. Microsoft and some other vendors offer password policies that enforce strong passwords: no common words, no part of the user’s name, and mandatory complexity. Nobody likes hard-to-remember passwords, but they are required to provide security. Have a different password for every account, not simply a variation of the same password. Use a password manager to keep track.
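The policy rules listed above (no common words, no part of the user’s name, complexity, and no minor variations of an old password) can be checked in code. The checker below is an added example written for this post; it is not code from the post’s author or from Microsoft or any other vendor’s policy engine. The banned-word list, the 12-character minimum, the three-of-four character-class rule, and the sample usernames and passwords are all constructed assumptions for illustration.

```python
import re

# Constructed, illustrative banned-word list (assumption). A real deployment
# would load a much larger list of common and previously breached passwords.
COMMON_WORDS = {"password", "welcome", "summer", "qwerty", "letmein", "company"}

MIN_LENGTH = 12            # assumed policy minimum
MIN_CHARACTER_CLASSES = 3  # out of: lowercase, uppercase, digit, symbol

# Undo the most common letter-for-symbol substitutions so that "P@ssw0rd"
# is still recognised as containing "password".
_LEET = str.maketrans("@$0134!", "asoieai")


def _normalise(password: str) -> str:
    return password.lower().translate(_LEET)


def _name_fragments(username: str, full_name: str, min_len: int = 3) -> list:
    """Lower-cased pieces of the user's identity that must not appear in a password."""
    parts = {username.lower()} | {p.lower() for p in re.split(r"[^A-Za-z]+", full_name) if p}
    return sorted(p for p in parts if len(p) >= min_len)


def check_password(password: str, username: str, full_name: str) -> list:
    """Return a list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    normalised = _normalise(password)
    for word in sorted(COMMON_WORDS):
        if word in normalised:
            problems.append(f"contains common word '{word}'")
    for frag in _name_fragments(username, full_name):
        if frag in normalised:
            problems.append(f"contains part of the user's name '{frag}'")

    # Complexity: count how many of the four character classes are present.
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < MIN_CHARACTER_CLASSES:
        problems.append(f"uses only {classes} of the 4 character classes")
    return problems


def is_variation(new_password: str, old_password: str, min_core: int = 4) -> bool:
    """True when both passwords share the same alphabetic core, e.g. 'Summer2023!' vs 'Summer2024!'.

    Digits and symbols are stripped (without leet normalisation) so that only the
    letters the user actually typed are compared.
    """
    new_core, old_core = (re.sub(r"[^a-z]", "", p.lower()) for p in (new_password, old_password))
    if min(len(new_core), len(old_core)) < min_core:
        return False
    return new_core in old_core or old_core in new_core


if __name__ == "__main__":
    # Constructed sample identity and candidate passwords.
    for candidate in ("P@ssw0rd2024", "JohnSmith!99", "Tr0ub4dor&3-Horse"):
        print(candidate, "->", check_password(candidate, "jsmith", "John Smith") or "accepted")
    print("Summer2023! -> Summer2024! is a variation:", is_variation("Summer2024!", "Summer2023!"))
```

The leet-speak normalisation is what makes the common-word rule bite: users who are told "no dictionary words" reliably reach for `P@ssw0rd`, and a checker that only compares raw strings lets it through. The `is_variation` check is the kind of history comparison a directory service runs when a user rotates a password; it catches the yearly increment that an exact-match history check misses.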
Third, don’t believe what you see and hear. Don’t click on links in email unless you are expecting such links. That’s one reason I haven’t included any links in this post. Don’t believe people are who they say they are when they call you if they don’t show up on your caller ID as a known contact. It can get tricky. My car was recently involved in an accident. The insurance company – at least that’s who they said they were – called me. The first thing they wanted to do was verify my identity by asking for SSN, birthdate, and other personal information. I refused. I asked how they intended to prove to me that they were who they claimed to be. The caller offered a phone number I could call. Again, I refused. It was frustrating and took some web searching in order for me to confirm that this was not a scam. It was a hassle. I’d do it again.
Fourth, consider multi-factor authentication even when users are on-site and NOT just when working remotely. I like the USB keys. There are many vendors who sell this kind of technology. In every large organization, somebody’s credentials will get compromised. It has happened. It will happen. If 100% of all logins require multi-factor authentication, organizations are much safer. If you think that the cost of the technology is too high, consider the cost of being held hostage by ransomware.
The threats are coming fast and are ever more sophisticated. Phishing emails are harder to detect. What we’ve counted on in the past isn’t enough. We need to have ever more sophisticated defenses. We all need heightened vigilance. The last line of defense is not falling for behavioral hacks.
by Bruce Elkington, Senior Strategic Advisor