Showing posts with label hacking.

Thursday, October 4, 2018

How to Overcome Your E-mail Insecurity - Part 3 of 3

Phishing
Less complex than BEC, but even more widespread, phishing e-mails usually come from free e-mail providers (e.g. Gmail, Yahoo, Outlook/Hotmail) but carry a display name that differs from the actual e-mail address, in an attempt to gain your trust.  The e-mail is supposedly from DHL, UPS, Dropbox, Microsoft, or some other large company that you trust, but then you find out that the underlying e-mail address is not from that company's e-mail domain; it is a Gmail account or a similar-looking domain like DHL_Accountservices.com.

Some recent attacks have actually impersonated domains to fool employees of the targeted business.  For example, if your business e-mail domain is "marysdonuts.com", the impersonated e-mail domain might be rnarysdonuts.com, where the "m" is replaced with an "r" and an "n" to fool your eye into reading a lower-case "m".  Cyrillic alphabet characters that look like Latin letters have also been used to play the same trick on your eyes.
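To make the display-name and look-alike-domain checks above concrete, here is an added example (my code, not anything from the original post) that folds a sender's domain to a visual "skeleton" (Cyrillic confusables mapped to Latin, "rn" to "m", digits to the letters they mimic) and compares it against a list of domains the organization trusts, and separately flags a display name that claims a trusted brand while the address sits elsewhere. TRUSTED_DOMAINS, FREEMAIL_DOMAINS, the confusable tables and the sample From headers are all constructed for the example.

```python
import re
import unicodedata
from email.utils import parseaddr

# Constructed: domains the organisation treats as genuine (its own, plus brands it deals with).
TRUSTED_DOMAINS = {"marysdonuts.com", "dhl.com", "ups.com", "dropbox.com", "microsoft.com"}
# Constructed: free providers from which a "DHL" or "Microsoft" message should never arrive.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Cyrillic letters that look like Latin ones in most fonts (small constructed table).
CYRILLIC_CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
})
# Letter pairs that read as one letter ("rn" for "m") and digits that mimic letters.
PAIR_LOOKALIKES = (("rn", "m"), ("vv", "w"))
DIGIT_LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def skeleton(domain: str) -> str:
    """Reduce a domain to a look-alike skeleton: two domains that are easily
    confused by eye end up with the same skeleton string."""
    d = unicodedata.normalize("NFKC", domain.strip().lower())
    d = d.translate(CYRILLIC_CONFUSABLES)
    # Strip accents so e.g. an o-umlaut compares as a plain 'o'.
    d = "".join(ch for ch in unicodedata.normalize("NFD", d)
                if unicodedata.category(ch) != "Mn")
    for pair, single in PAIR_LOOKALIKES:
        d = d.replace(pair, single)
    return d.translate(DIGIT_LOOKALIKES)


def brand_of(domain: str) -> str:
    """'dhl.com' -> 'dhl': the label a phisher borrows for a look-alike domain."""
    return domain.split(".")[0]


def check_sender(from_header: str) -> list:
    """Return findings for a From: header; an empty list means nothing suspicious."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["no parseable address in From header"]
    domain = addr.rsplit("@", 1)[1].lower()
    if domain in TRUSTED_DOMAINS:
        return []

    findings = []
    sk = skeleton(domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        if sk == skeleton(trusted):
            findings.append(f"domain {domain} is a look-alike of {trusted}")
        elif brand_of(trusted) in domain.replace("_", "").replace("-", ""):
            findings.append(f"domain {domain} borrows the brand '{brand_of(trusted)}' "
                            f"but is not {trusted}")

    # Display name claims a trusted brand while the address is somewhere else entirely.
    display_words = set(re.findall(r"[a-z]+", display.lower()))
    for trusted in sorted(TRUSTED_DOMAINS):
        if brand_of(trusted) in display_words:
            where = "a free-mail account" if domain in FREEMAIL_DOMAINS else domain
            findings.append(f"display name '{display}' claims {brand_of(trusted).upper()} "
                            f"but the address is {where}")
    return findings


if __name__ == "__main__":
    # Constructed sample headers: a free-mail "DHL", the rn/m trick, and a Cyrillic 'o'.
    for header in ("DHL Express <parcel.notice@gmail.com>",
                   "Mary's Donuts Accounting <ap@rnarysdonuts.com>",
                   "Mary <mary@marysd\u043enuts.com>"):
        print(header, "->", check_sender(header) or "looks genuine")
```

Because the "rn" fold also alters genuine names (turnkey would become tumkey), the skeleton is computed for both sides and the comparison is skeleton against skeleton; a sender whose domain is exactly on the trusted list is accepted before any folding happens.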

Security Tip:  Like the BEC e-mails, there is a call to action, usually an attachment (malware-infected) or a button/link to click.

Ask yourself these questions when you receive an e-mail:
  1. Do I know the sender?  (hover your cursor over the display name or click the display name to see the real e-mail address)
  2. Am I expecting this e-mail or any attachments from this sender?
If you answer "No" to either question, it is probably a phishing e-mail. Again, if you do know the sender, pick up the phone and verify that they sent you the e-mail and any attachments. 

So the lesson at the end of the day is this: if you want to be safe and not become a victim of e-mail fraud, BEC, or phishing, use the low-tech communication device invented by Alexander Graham Bell and verify before taking action based on e-mailed instructions.  After all, as discussed in my Part 1 blog post, e-mail is not secure by design.

Be Secure!

@tjmprofessional


Saturday, August 25, 2018

Phishing is not a Technology Problem

On reading the title of this post, IT folks all around the world are shouting at the top of their lungs: "Amen!"

While perhaps not a profound statement for the IT community, it is nonetheless true that phishing is not an IT risk but a business risk.  Phishing is social engineering: the use of trickery and deception, with technology merely as the delivery platform, to coerce your employees into e-mailing mass HR or customer data, giving up their password, or sending money to a criminal posing as a company executive, government official, or vendor.  Therefore it is the social engineering aspect that needs to be addressed, but it rarely is.  That is why phishing is very effective, very profitable, and growing rapidly in both volume and complexity.

The security software and appliance providers keep upping the ante with the latest technology tools (now AI) to detect or block phishing e-mails, but at the end of the day, this is just a holding action, not a sustainable solution as it is not 100% effective.  The root cause is still sitting one foot in front of the keyboard.  It is your employees and contracted staff that make phishing attacks possible.  And this is where the least amount of budget and time are spent on reducing your organization's risk of being phished.

Security experts have been debating for years about how effective security awareness training, mock phishing exercises, the security posters hung in the break room, and posting security tips on your organization's intranet site are.  And to be honest, perhaps the jury is still out on having any scientific data on that, but what is the alternative?  Do nothing?  We've seen first-hand with recent data breaches how well that works. 

Perhaps the secret formula is a balanced approach of tools, training, and procedures to combat this business risk.  At the end of the day, if you have tools that scan e-mails for suspicious activity; you train your employees on what phishing e-mails look like and give them an avenue to report them (so they are included in the security process); you hold mock phishing exercises with a teachable moment built in; and you have well-communicated procedures on not e-mailing mass data without approvals, not sending wires without phone verification, and the fact that the CEO (who probably doesn't remember your name) is never going to ask you to "kindly" pick up some iTunes gift cards at the store, then perhaps your organization has a shot at thwarting the phishers.

Be Secure!!!

@TJMProfessional



Sunday, July 8, 2018

"Are you still in the office?" - A Phishing Story

The below is based on a true story:

Monday at 5:00 pm - You are just leaving the office.

You happen to have left the office on time today (for once) for your kid's soccer game, a happy hour, a hot date, or whatever.  At 5:35 pm you get an e-mail from your boss.  The subject is "Are you still in the office?".  Of course you open the e-mail.  In the body of the e-mail, your boss says "Hey, are you still there?  I need you to do me a favor that's most urgent."  Naturally you want to please your boss, and be responsive.  You immediately respond; "Sure, what do you need?". You then get a reply back; "Thank you so much.  I have a client that I am going to be meeting tonight, and really wanted to "Wow" them by getting their team some iTunes gift cards.  I totally forgot to get them.  Can you run out to a store and get me four $250 iTunes gift cards.  Once you have them, scratch off the back to reveal the code and kindly send me photos of the codes.  I need them before dinner is over at 8:00 pm tonight."

You make a slight detour on the way to your after-work event to stop by a store and purchase four iTunes gift cards with your corporate card.  You then whip out your phone and send your boss photos of the codes by 6:20 pm, and are still able to make your event.  You saved the day for your boss and helped him/her win over the new clients.  Deep down you are hoping your part in this is remembered when raise/bonus evaluation time comes around.  All is right in the world.

Tuesday Morning at 8:10 am - You are in the office and just grabbed your morning coffee.

The boss walks by your desk and says "Good Morning".  You respond in kind and add, "How did the clients like the gift cards?"  Your boss stops, turns to you and says "What are you talking about?"

It is at this point that you find out the e-mail was not from your boss: you were the victim of a spear-phishing e-mail.  The cyber criminal stole $1,000, which you put on your corporate card and had thought you would be reimbursed for.

Does this sound like a far-fetched story?  It's not.  It is safe to say that thousands of intelligent people around the world fall for this type of phishing campaign every day.  Per the FBI's 2017 Internet Crime Report*, there were 25,344 reported phishing victims in the US alone in 2017.  Keep in mind, most phishing attacks go unreported because the victim is embarrassed at having been tricked.  Today's cyber criminals rely on human behavior over technical skill.  They will use fear, greed, and people's good nature and helpfulness to try to defraud your employees and your business.  Security awareness training is a very effective defense against phishing attacks and is fairly cheap.  Speaking of awareness, let's get to it.  Below are some tips as to what this employee should have done to avoid becoming a victim:

Tips:
1.)  If you are getting an e-mail from someone (such as your boss) and the request is unusual (i.e. not something they have ever asked you to do before), pick up the phone and call them on a number you know is valid.  Also, if the e-mail is from the CEO or CFO and they most likely don't even know your name, they probably aren't asking you for a favor.  This is when it is good to forward it to your boss with your suspicions and ask him/her to look into it.  Communicate outside the e-mail thread and use the chain of command to authenticate odd e-mail requests.

2.) Any e-mail asking you to buy something (typically iTunes, gift cards, or prepaid debit cards), transfer customer/employee data, or transfer funds (sending a wire, ACH, Western Union, Money Gram, etc.) needs to be independently verified by picking up the phone and calling the person on a number you know is valid (don't use any contact info in the e-mail that was sent to you).

3.) Cyber criminals know what your office hours are.  So treat "Urgent" requests received after hours as highly suspicious.

4.) As with #3 above, the cyber criminals know you will most likely be checking your work e-mail after hours on a mobile device.  Most mobile phones show only the display name, not the actual e-mail address, so they can send an e-mail from a Gmail account with your boss's, CEO's, or CFO's name as the display name, and on your phone or tablet it will appear under that name rather than the actual address.  Click on the display name to show the actual e-mail address.  Even if it looks legit, still call.  No one ever got fired or in trouble for verifying e-mail instructions that seem odd.

5.) Look for very short e-mail messages (with no details).  Bad grammar and spelling are also common signs.  In addition, look for non-American-style English, such as "I have a most urgent request" or "Kindly send me the gift card codes."  Does your boss or CEO talk like that?

6.) Let's say you fell for it and realize it afterwards.  Report it!  You can still save the day.  In this case, the employee should have notified his company's security officer or HR so that all the other employees could be warned about the scam, preventing additional victims at your organization.  Secondly, he/she should have contacted Apple and had the codes deactivated.  It wouldn't get the money back, but it would stop the criminals from getting it.  When criminals see a good target, they will keep coming back.  Try to ensure that their attack on you isn't profitable.  This way they will seek an easier target next time and leave you alone.



Be Secure!


Link to the 2017 FBI Internet Crime Report
* https://pdf.ic3.gov/2017_IC3Report.pdf

Friday, February 16, 2018

Gone Phishing

Phishing, or the act of trying to deceive folks into thinking you are someone else in the hopes of scamming either user credentials, data, or money out of them, is occurring at an alarming rate.  This is also becoming a delivery mechanism for ransomware.


Some popular ones over the last few weeks to be aware of:

DocuSign Document is waiting for you

UPS Quantum Shipment - About a recent attempt to deliver a package to your address.

accounting@<yourcompany>.com - An invoice or statement from a vendor, sent to your company's accounting department.

"You have a fax message from RingCentral"

USPS HoldMail - The email is letting you know that your mail is on hold.

E-mails from your social media contacts whom you don't usually get emails from.

AppleID - A supposed receipt from Apple about some recent purchases you didn't make.

LinkedIn Connection Requests from fake LinkedIn profiles posing as if they worked at the same company as you at some point.   The tells are a low number of connections (under 50) and usually no profile photo.  Best practice is if you don't know them, don't connect with them.


Remember, if you are not expecting an e-mail, don't open it, and always be suspicious of attachments or links.  If you are not sure if it is legit or a scam, call the company from a verifiable phone number, don't click on anything in the e-mail.

Be secure!

Friday, February 2, 2018

You are Only as Secure as Your Service Provider

Many businesses recognize the need to handle sensitive customer and employee information in a secure manner.  They may be using encryption on their hard drives, masking data fields like credit card numbers and social security numbers, and using secure methods to send data to their service providers for processing.  Where most organizations fall short is their lack of due diligence in finding out if their service providers treat their data with the same level of care that they do.

In banking, the federal regulators mandate that banks perform upfront vendor due diligence before contracting with a vendor who will be handling customer information, specifically NPI, or Non-Public Information.  This is credit/debit card information, social security numbers, dates of birth, driver's license or passport information, bank account information, and user login information such as user IDs, passwords, security questions, or PINs, in combination with identifiable information such as customer name, address, or phone number.

The bank regulations also require that banks perform ongoing vendor monitoring, extending even to sub-contractors who may have access to the bank's sensitive data.

Businesses of all sizes need to hold their vendors accountable just as the large banks do.  As a small business you of course do not have the time or resources that a bank has to do vendor risk management to the same level.  But at a minimum, the following are some quick and easy tips to give you some comfort that your service provider is employing reasonable security measures regarding your data:

1. Ask for and read their Information Security Policy.  (And yes, you should have one too.)
2. Ask for and read their Data Backup Process as well as their Business Continuity Plan (BCP).  Make sure their backups are encrypted.  Is their BCP tested at least annually?  Can you get a progress report on the issues noted during the last BCP test?  If they don't have a BCP, then you need to make sure you can switch to a secondary provider in the event this vendor can't service your needs due to a business disruption.
3. Do they have either an employee or a contractor who is responsible for Information Security?  You should have a brief conversation with them to see if they are a knowledgeable security professional, or just a management person who got the title CISO because someone needed to be listed to make it look good.  (Yes, this does happen more than you know.)
4. Does the vendor have a network penetration test performed (at least annually) by an independent ethical hacking firm?  They may not want to provide you with the entire report, and that is fine, but they should be able to give you the Executive Summary and a progress report on resolving any issues noted during the exercise that could affect the security of your data.
5. Insurance coverage (E&O and general liability).  Make sure you get an Evidence of Insurance certificate, and ensure that the coverage amount is adequate given your business and your data.
6. Make sure there is contract language that holds the vendor responsible for maintaining reasonable security practices regarding the storage, processing, and transmission of your data.  If possible, spell out what your definition of "reasonable" includes.*
7. Does the vendor have any type of third-party controls review performed, e.g. SOC 1, SOC 2, SOC 3, or PCI?  If so, ask for a copy of the report and read it.
8. Does the vendor use encryption for the transmission and storage of your data?
9. Are user account entitlement reviews performed quarterly?
10. Do they have a Security Awareness Program in place to train their employees about good security practices?
11. Do they perform quarterly vulnerability scans of their computer environment?
12. How are you sharing data with the provider?  Is it a secure method?


*For item #6, this is a requirement by the Maryland Personal Information Protection Act.  So if you have any customers or employees that are Maryland residents, this new law (effective 1/1/18) mandates that you have security language in your service provider contracts if you are sharing customer or employee NPI.

For more details visit:
http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/businessGL.aspx



Be Secure!



Wednesday, January 3, 2018

How long does it take a hacker to notice your website?

Like most small business owners, I did all of the SEO things one does to get a new business website noticed by search engines and clients.  I set up my descriptions and keywords, signed up for Google My Business, and created a profile on Manta.  With my website up for only 1 day, per Google Analytics I got my first visitor.  Can you guess from where?  You guessed it, Russia.  Not really part of my geographic profile, but what the heck, a website visitor is a website visitor.  The individual had spent about a minute on each of my pages.  That’s great, I’m getting noticed the first day my website is up.

And then on day 2, it happened.  I had an e-mail in my Spam folder.  I looked at the subject line, and sure enough, it was a phishing e-mail.  The e-mail was in the name of an individual and the subject line read “Your Monthly Statement document is ready for review”   Keep in mind, my website had been up for only 2 days.  My website and the listing websites were the only places my newly created company e-mail was posted.  And when I hovered my cursor above the displayed e-mail address, yes you guessed it, it had a .ru domain. 
A week later I got my first spear phishing attempt.  This e-mail was also displaying the name of an individual, and the subject line read “Please DocuSign: Order Form for tjmprofessional.com”; the body stated “accounting@tjmprofessional.com has sent you a document to review and sign.”  Ironically, I don’t have a separate generic e-mail address called “accounting”.  But to give credit to the hacker, it did look more enticing and believable.  And yes, again the e-mail had a Russian domain.

So if you are wondering whether your 6-month-old startup or your 50-year-old family business is at risk of a cyber attack, the answer is most definitely "Yes!".  My business was found, researched, and attacked within 2 days of its online existence.

Now if only my clients could develop these hacker skills and find my website as easily.  Who would need to pay for Google AdWords?  :)


Tuesday, December 26, 2017

Something smells Phishy

My alternative title for this post was " The IRS, a Nigerian Prince, and your CEO walk into a bar."

As you may have guessed, my last blog post of 2017 is about phishing.  We have all received these e-mails.  They are usually written in either poor English or proper (UK) English, have typos, and describe a generic situation so the same e-mail can be sent to thousands of targets.  In most cases, the average person can spot them pretty quickly and doesn’t fall for them.  Still, you have to imagine that a certain percentage of folks must fall victim to them, or else the criminals would stop using this tactic.  Over the last few years, as more people have become aware of these scams and as their success rate has declined, the cyber criminals have begun to do their homework.  They are now having Americans write the e-mails to get around the language barrier (George Bernard Shaw would be proud), and more and more have changed their approach to spear phishing combined with Business Email Compromise, or BEC for short.

Spear phishing, or targeted phishing, is where the criminals attempt to learn as much as possible about you online in order to gain your confidence.  While this is used against individuals, it is more commonly used against businesses, schools, churches, and other not for profits.  The reasons are many.  First off, businesses and not for profit organizations have more money than the average individual, so it is more profitable to target an organization.  Secondly, businesses and not for profits tend to be very verbose online about their organization, events, officers, employees, board members, what software they use, etc., so the attackers can quickly accumulate a lot of intelligence on their target with a few Google, LinkedIn, and Facebook searches.  Thirdly, let’s face it, human nature is that we all want to be seen at work as cooperative and helpful to our executives.  This plays into the social engineering aspect of phishing.  An additional factor is that very few small to medium sized organizations provide their employees with security awareness training, mock phishing exercises, or have procedures in place to counter phishing attempts.  Given these reasons, small businesses and not for profits are becoming the target of choice by cyber criminals.

So how has this occurred historically?  Below is an actual scenario that I observed (the names have been changed for privacy purposes):

The CEO and his/her spouse go to Europe for a 2-week vacation.  While there, the CEO checks in on Facebook at various tourist attractions and posts photos every night of the places they visited that day.  Meanwhile, early in the month the company issued a press release about a new location where they will be breaking ground in the coming month to expand their customer footprint.  Details include the name of the general contractor and specifics about the square footage of the office space and the amount the company is investing in the building.  And the final piece of the puzzle: Mary the controller is very descriptive of her cash management duties for the company on her public LinkedIn profile.

The attacker spoofs the CEO’s e-mail address (this is where BEC plays its part) and sends Mary an e-mail stating:

========================================================================

Subject: Need to Wire Construction Deposit ASAP!

Hi Mary,
I need you to do me a favor while I’m on vacation.  I just got a call from <name of general contractor firm>, they need us to wire a deposit to XYZ Co. so they can order the HVAC equipment now to ensure there will be no delays in the construction of our new Pine St. office.  Please wire $50,000 to ABC Bank, <routing number>, and <account #> for the benefit of XYZ Co.  Please send ASAP!

Thanks,
CEO 

PS:  We are having a great time in Paris.
========================================================================

So do you want Vegas odds on whether or not Mary quickly wires the money without calling the CEO to verify the transaction?

Every day, small businesses and not for profits are being spear phished in a manner similar to the above scenario.  And every day, a number of these organizations are robbed of millions of dollars.

Do you think your organization could fall for this? 
Are your employees trained in how to spot these? 
Do you have procedures in place to verify any unusual banking transactions?

This is why security awareness training needs to be a key part of your overall information security program.  A cyber criminal can steal thousands, possibly millions, or get your customer and employee data without ever having to crack a password, infect your systems with a virus, or bypass your firewalls.  They can get your own employees to send them money or data using low-tech methods that, I regret to say, have been very effective during 2017.
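As an added example (not the post's own material), the following Python scores a raw message for the pattern in the scenario above: an executive address that fails sender authentication, a Reply-To that pulls the conversation elsewhere, and an urgent request to move money while the "CEO" is unreachable. It assumes the receiving mail gateway stamps an Authentication-Results header with the SPF/DKIM/DMARC verdicts; COMPANY_DOMAIN, the EXECUTIVES directory, the free-mail domain and the two sample messages (one modelled on the wire request above, one routine) are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: the defending organisation's domain and a tiny executive directory.
COMPANY_DOMAIN = "example-company.com"
EXECUTIVES = {"pat smith": "pat.smith@example-company.com"}

# Authentication results meaning the sender failed to prove it may use the From domain.
FAILING = {"fail", "softfail", "permerror", "temperror"}

# Phrase classes the scenario relies on: a money movement, urgency, and a personal favour.
MONEY = re.compile(r"(\bwire\b|\bdeposit\b|\brouting number\b|\baccount (?:#|number)"
                   r"|\bgift cards?\b|\bach\b|\$\d[\d,]*)", re.I)
URGENCY = re.compile(r"\b(asap|urgent|immediately|before \d+:\d+)\b", re.I)
FAVOUR = re.compile(r"\b(favou?r|kindly|on vacation|in a meeting)\b", re.I)


def body_text(msg) -> str:
    """Collect the text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    texts = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            texts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(texts)


def auth_results(msg) -> dict:
    """Read spf/dkim/dmarc verdicts from the Authentication-Results header that the
    receiving gateway adds (assumed present; mechanisms it did not test are absent)."""
    header = msg.get("Authentication-Results", "")
    return {m.lower(): r.lower() for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def score_bec(raw: str) -> dict:
    """Score a raw message for the BEC pattern: a spoofed or impersonated executive,
    replies diverted elsewhere, and an urgent request to move money."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    from_domain = addr.rsplit("@", 1)[-1]
    reasons, score = [], 0

    # 1. An exact spoof of the company's own domain shows up as an SPF/DKIM/DMARC failure.
    for mech, result in auth_results(msg).items():
        if result in FAILING:
            reasons.append(f"{mech}={result}: sender could not be authenticated for {from_domain}")
            score += 3 if from_domain == COMPANY_DOMAIN else 1

    # 2. An executive's name on the display line, but not the executive's real mailbox.
    known = EXECUTIVES.get(display.strip().lower())
    if known and addr != known:
        reasons.append(f"display name '{display}' is an executive but the address is {addr}")
        score += 3

    # 3. A Reply-To on another domain steers Mary's answer away from the real CEO.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_domain:
        reasons.append(f"Reply-To {reply_to} diverts replies away from {from_domain}")
        score += 3

    # 4. The request itself: money, urgency, and a favour while the boss is unreachable.
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    for label, pattern in (("money movement", MONEY), ("urgency", URGENCY), ("favour/pretext", FAVOUR)):
        hits = sorted({h.lower() for h in pattern.findall(text)})
        if hits:
            reasons.append(f"{label}: {', '.join(hits)}")
            score += 1

    verdict = "quarantine" if score >= 6 else "flag for review" if score >= 3 else "deliver"
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Constructed sample modelled on the wire request in the post (addresses are made up).
SAMPLE_BEC = """\
Authentication-Results: mx.example-company.com; spf=fail smtp.mailfrom=example-company.com; dkim=none; dmarc=fail
From: Pat Smith <pat.smith@example-company.com>
Reply-To: Pat Smith <pat.smith.ceo@free-mail.example>
To: mary@example-company.com
Subject: Need to Wire Construction Deposit ASAP!
Content-Type: text/plain; charset=utf-8

Hi Mary,
I need you to do me a favor while I'm on vacation.  Please wire $50,000 to ABC Bank,
<routing number>, and <account #> for the benefit of XYZ Co.  Please send ASAP!

Thanks,
CEO
"""

# Constructed routine message from the real executive, for contrast.
SAMPLE_ROUTINE = """\
Authentication-Results: mx.example-company.com; spf=pass smtp.mailfrom=example-company.com; dkim=pass; dmarc=pass
From: Pat Smith <pat.smith@example-company.com>
To: mary@example-company.com
Subject: Board pack for Thursday
Content-Type: text/plain; charset=utf-8

Hi Mary,
Could you send me the draft board pack when it is ready?  No rush, Thursday is fine.

Thanks,
Pat
"""

if __name__ == "__main__":
    for sample in (SAMPLE_BEC, SAMPLE_ROUTINE):
        print(score_bec(sample))
```

The content rules alone are worth only a point each, so a routine note that happens to mention a deposit is not quarantined; it is the failed authentication and the diverted Reply-To, which a phone call to the real CEO would expose just as well, that carry the weight.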

Be Secure in the new Year!

Monday, December 18, 2017

The Center of Your Online Life is Not Social Media

While an entire generation of Millennials might disagree with this statement, e-mail is the hub around which all other online activities revolve.  To prove this point, take a look at the last 30 e-mails in your Inbox (disregarding any spam).  You probably have an e-mail or two from your financial institutions (banks, loan company, insurance, and brokerage), e-mails from online eCommerce sites that you frequent, e-mails from all of your social media sites, your mobile phone provider, and possibly your utilities as well.  Also, if you think about it, every website that you are registered on does password resets via e-mail.  While some may also offer SMS text as an option, or as an additional factor, the majority still just use your e-mail to reset your password.  And that is what makes e-mail a huge cyber risk area.  Should your e-mail be compromised by a hacker, yes, they can read your e-mail or send e-mail on your behalf, but the worst part is that they can quickly inventory every website and bank that you do business with.  This, combined with the ability to reset your online passwords through your e-mail, makes for a dangerous combination.  And once they have access to your e-mail, they can intercept and delete any alert e-mails you get from your banking and eCommerce websites about transactions, address changes (for shipping credit/debit cards or merchandise paid for with your account), or other suspicious activity.

Also, a common mistake people make is to use the same password for their e-mail that they use for their other online accounts.  So before a hacker even tries a password reset, which you may notice and which may send an SMS text alert to your phone, they will first try your e-mail password on your other websites as a one-time attempt.  This way they will not trip the “3 strikes and you’re out” password lockout rules, and will most likely get some hits, preferably on a banking site or eCommerce site on which you’ve stored other information such as your date of birth, social security number, or your masked credit/debit card showing the last 4 digits.  Although it is PCI compliant to mask all but the last 4 digits of your credit/debit card, those digits are also another data point that many organizations use to identify you if you call in to their contact center.

To sum it up, your e-mail is used on all your other web/mobile sites.  It is used for identification, for password resets, for communication with you, and contains a history of messages from all websites you have interactions on.  You need to protect your e-mail account.

So how do you do this?  Follow my tips below:
  • Don’t use the same password for your e-mail that you use on other websites.  (If your account is compromised on another website, and your e-mail uses the same password, then the Hacker has control of your e-mail)
  • Don’t recycle old passwords.
  • Change your passwords every 30 – 45 days. (See my blog post on changing passwords frequently)
  • Make your password a complex password that can’t be guessed.  Use lower and upper case, numbers, and special characters.  The longer the better (10-14 characters).  Never use dictionary words or names of people.
  • Be alert of suspicious activity in your Inbox, such as e-mails that are in a “read” status that you did not read yet, or e-mails that have been moved to Deleted Items, that you did not delete.  Also check your Sent items to see if there is anything in there that you did not draft.
  • Be cautious when using public computers (libraries, hotel business center, etc.).  Make sure you totally log out of your e-mail, and it is a good idea to change your password when you get back to home/work and can access a computer that you trust.    
Be secure!
   

Tuesday, December 12, 2017

Benjamin Franklin’s advice on changing your passwords

If Benjamin Franklin was alive today, what would his advice be on changing your passwords?

I would imagine wise old Ben would say something similar to his quote on politicians:

“Passwords are a lot like diapers. They should be changed frequently, and for the same reasons.”

Like most people, you have heard that you need to have a complex password, but what you may not be told very often is that you need to change them frequently, preferably every 30 days.  The reasons for this are many.  Most importantly, should your password be captured by a cyber criminal, more often than not it is captured through the use of an automated tool such as a sniffer, or your password hash (your password encrypted) is obtained from a website you use that has been compromised.  In both cases, there is some time between when the password is in the hands of the hacker and when it is actually used.  Even if your encrypted password is captured, it can be cracked.  A complex password can be cracked in less than 45 days, which is why you should change it at a minimum every 45 days.  The best security is security that is constantly changing.  In theory, if your password is captured and you change it frequently, then it has a very short shelf life and will be of little use to a hacker.
As always, frequent change is just one piece of the security puzzle.  To extend your password’s life, use a password that has a minimum length of 10 characters (14+ is preferable) and uses upper- and lower-case alpha, numerical, and special characters (!@#$%&?).  Most importantly, stay away from dictionary words and people’s names.  I recommend using a combination of things in your life to make the password easy for you to remember, but hard to guess and difficult for a hacker to crack.  For example, let’s say you drive a BMW 330i (or it’s your dream car), your daughter’s name is Karen, and your wedding anniversary is on June 9th.  A good password would be K@r3n330!9, whereby you replace vowels with numbers and special characters.  Memorable for only you and harder to crack than a non-complex password.

A good password checker that runs on your PC (and it's free) is at https://sensepost.com/blogstatic/2010/04/password-strength-checker.html


Keep in mind, even my example only rates as “Reasonable”.
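To show why a password built the way described above rates only “Reasonable”, here is an added example (my code, not the SensePost checker linked above) that undoes the vowel-to-symbol substitutions, looks for names that survive in a small word list, and compares the naive brute-force strength with the strength once a recovered name counts as a single token. WORDLIST, the LEET table, the 20-bits-per-token figure and the 10^10 guesses-per-second offline rate are all assumptions of the example.

```python
import math
import string

# Constructed: a tiny word/name list standing in for the dictionaries a cracking tool loads.
WORDLIST = {"karen", "password", "donuts", "summer", "bmw", "mary", "paris", "welcome"}

# The substitutions the post recommends (vowels to digits and symbols); cracking tools
# undo them with the same kind of table before comparing against the word list.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

# Assumed guessing rate for an attacker who holds the password hash offline (constructed).
GUESSES_PER_SECOND = 1e10


def unleet(pw: str) -> str:
    """Undo the digit/symbol substitutions so 'K@r3n' reads 'karen' again."""
    return pw.lower().translate(LEET)


def dictionary_hits(pw: str) -> list:
    """Words or names from the list that survive inside the de-leeted password."""
    base = unleet(pw)
    return sorted(w for w in WORDLIST if w in base)


def charset_size(pw: str) -> int:
    """Size of the alphabet a brute-force attacker must cover for this password."""
    classes = ((string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation, 32))
    return sum(n for cls, n in classes if any(c in cls for c in pw))


def brute_force_bits(pw: str) -> float:
    """Naive strength: every position drawn uniformly from the full alphabet."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def effective_bits(pw: str) -> float:
    """Strength once dictionary words count as single tokens rather than as letters.
    Assumption: a ~2^17-entry word list with ~2^3 leet variants per word, i.e. 20 bits/token."""
    remaining = unleet(pw)
    tokens = 0
    for word in dictionary_hits(pw):
        if word in remaining:
            remaining = remaining.replace(word, "", 1)
            tokens += 1
    per_char = math.log2(charset_size(pw)) if pw else 0.0
    return tokens * 20 + len(remaining) * per_char


def days_to_crack(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Days to exhaust 2^bits guesses at the assumed offline rate."""
    return 2 ** bits / rate / 86400


def rating(pw: str) -> str:
    """Coarse label on the effective estimate (thresholds chosen for this example)."""
    bits = effective_bits(pw)
    if bits < 36:
        return "weak"
    if bits < 60:
        return "reasonable"
    if bits < 80:
        return "strong"
    return "very strong"


def report(pw: str) -> dict:
    return {
        "dictionary_hits": dictionary_hits(pw),
        "brute_force_bits": round(brute_force_bits(pw), 1),
        "effective_bits": round(effective_bits(pw), 1),
        "days_to_crack": round(days_to_crack(effective_bits(pw)), 1),
        "rating": rating(pw),
    }


if __name__ == "__main__":
    for candidate in ("K@r3n330!9", "password"):
        print(candidate, report(candidate))
```

For K@r3n330!9 the naive estimate is about 65 bits (over a century at the assumed rate), but once karen is recovered the effective estimate drops to roughly 53 bits, about nine days at that rate, which is consistent with the 45-day figure above. The length and character-mix rules still help; a recoverable name is the weak link.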

Be secure!