Thursday, October 4, 2018

How to Overcome Your E-mail Insecurity - Part 3 of 3

Phishing
Less complex than BEC but even more widespread, phishing e-mails usually come from free e-mail providers (Gmail, Yahoo, Outlook/Hotmail) but carry a display name that differs from the actual address in order to gain your trust.  The e-mail is supposedly from DHL, UPS, Dropbox, Microsoft, or some other large company you trust, but when you look, the underlying address is not from that company's e-mail domain; it is a Gmail account or a similar-sounding domain such as DHL_Accountservices.com.

Some recent attacks have gone further and impersonated the target business's own domain to fool its employees.  If your business e-mail domain is "marysdonuts.com", the impersonated domain might be "rnarysdonuts.com", where the "m" has been replaced with an "r" followed by an "n" so that your eye reads it as a lower-case "m".  Cyrillic letters that look identical to Latin ones (a Cyrillic "о" in place of a Latin "o", for example) have also been used to play the same trick; these look-alike characters are called homoglyphs.

Security Tip:  Like BEC e-mails, there is a call to action, usually a (malware-infected) attachment or a button/link to click.

Ask yourself these questions when you receive an e-mail:
  1. Do I know the sender?  (Hover your cursor over the display name, or click it, to see the real e-mail address, and read the domain to the right of the @ character by character.)
  2. Am I expecting this e-mail, or any attachments, from this sender?
If you answer "No" to either question, it is probably a phishing e-mail.  And if you do know the sender, pick up the phone and verify that they actually sent you the e-mail and any attachments before you open them.
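The two checks above (does the real address match the display name, and is the domain really the one you think you are reading) can be automated. The script below is an added example, not code from the original post: it flags a display name that belongs to a known contact or a trusted brand while the real address comes from somewhere else (often a free webmail provider), and it collapses look-alike domains built with the "rn" for "m" trick, digit swaps, or Cyrillic homoglyphs onto the real name. The trusted domains, contacts, and sample headers are constructed for the example.

```python
"""Added example (not from the original post): classify a From: header by
comparing the display name with the real address and domain."""
import unicodedata
from email.utils import parseaddr

# Constructed sample data: the domains and people you actually do business with.
TRUSTED_DOMAINS = {"marysdonuts.com", "dhl.com", "ups.com", "dropbox.com", "microsoft.com"}
KNOWN_CONTACTS = {"mary smith": "marysdonuts.com"}        # display name -> real domain
BRANDS = {"dhl", "ups", "dropbox", "microsoft"}           # words that imply a trusted sender
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}

# Cyrillic letters that are visually identical to Latin a e o p c y x i j s.
CYRILLIC_HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
})
MULTI_CHAR_CONFUSABLES = {"rn": "m", "vv": "w"}           # two letters that read as one
DIGIT_CONFUSABLES = str.maketrans("0135", "oles")         # 0->o, 1->l, 3->e, 5->s


def skeleton(domain: str) -> str:
    """Reduce a domain to what the eye sees, so look-alikes collapse onto the real name."""
    domain = domain.lower()
    if "xn--" in domain:                  # mail clients often show the punycode form
        try:
            domain = domain.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    s = unicodedata.normalize("NFKC", domain).translate(CYRILLIC_HOMOGLYPHS)
    for pair, single in MULTI_CHAR_CONFUSABLES.items():
        s = s.replace(pair, single)
    return s.translate(DIGIT_CONFUSABLES)


def classify_sender(from_header: str):
    """Return (verdict, reason). Verdicts: trusted, lookalike-domain,
    display-name-mismatch, unknown. Anything but 'trusted' means: pick up the phone."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return "unknown", "no usable address in header"
    if domain in TRUSTED_DOMAINS:
        return "trusted", f"{domain} is on the trusted list"

    trusted_by_skeleton = {skeleton(d): d for d in TRUSTED_DOMAINS}
    seen_as = skeleton(domain)
    if seen_as in trusted_by_skeleton:
        return "lookalike-domain", f"{domain} imitates {trusted_by_skeleton[seen_as]}"

    name = display.strip().lower()
    words = set(name.replace(",", " ").split())
    if name in KNOWN_CONTACTS or words & BRANDS:
        origin = "a free webmail account" if domain in FREE_MAIL else "an unrelated domain"
        return "display-name-mismatch", f"'{display}' but mail is really from {origin} ({domain})"
    return "unknown", f"{domain} is not on the trusted list"


# Constructed sample headers.
SAMPLES = [
    '"DHL Express" <dhl.delivery.notice@gmail.com>',
    '"Mary Smith" <mary@rnarysdonuts.com>',               # "rn" in place of "m"
    '"Mary Smith" <mary@marysd\u043enuts.com>',           # Cyrillic "o"
    '"Mary Smith" <mary@marysdonuts.com>',
    '"Bob Jones" <bob@example.org>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{header:50} -> {classify_sender(header)}")
```

The skeleton comparison is the important part: a human cannot reliably tell "rnarysdonuts" from "marysdonuts" or a Cyrillic "о" from a Latin "o" on a phone screen, but a normalized string comparison can. The homoglyph map covers only the common Cyrillic cases; a production filter would use the full Unicode confusables data.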

So the lesson at the end of the day is this: if you want to be safe and not become a victim of e-mail fraud, BEC, or phishing, use the low-tech communication device invented by Alexander Graham Bell and verify before acting on e-mailed instructions.  After all, as discussed in my Part 1 blog post, e-mail is not secure by design.

Be Secure!

@tjmprofessional


Tuesday, September 11, 2018

How to Overcome Your E-mail Insecurity - Part 2 of 3

Business E-mail Compromise (BEC)
For the last two years this has been a growing threat to small businesses.  It is a phishing e-mail in which the attacker poses as someone with authority (your boss, the CEO, the CFO, the IRS, etc.) and asks you to send employee HR data such as W-2 information, customer information, or money, or to go buy gift cards.  The things to look for when identifying a BEC attempt are:
  • Usually sent off hours or right before you are about to leave for the day.
  • Appears to be from someone you know or work with, or from a government agency, but usually comes from a Gmail, Yahoo, or other free e-mail domain rather than a business domain.
  • Has a sense of urgency and asks you to take immediate action.
  • May be written in odd English or European-style English.
  • The message is usually short and to the point, and may be trying to start a conversation to gain your trust.  E-mail #1 might say "Are you in the office?", which gets you to respond "Yes"; then E-mail #2 says "Great, I need you to send (money, gift cards, data) urgently."  More likely than not it will contain the word "Kindly", as in "Kindly send...".
  • It will probably be asking you to do something out of the ordinary.  (This is where the red flashing lights should start going off in your head.)
Security Tip: Always pick up the phone and call a number that you already have on file to verify that the person sending the e-mail is who you think it is and not a hacker.  Do not use a phone number from the e-mail itself.  As for the IRS, they will never e-mail you asking for anything; they use certified/registered mail for official business.
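The indicators in the list above are mechanical enough to score. The script below is an added example, not code from the original post, that parses a raw message and adds up the tells: an executive's display name on an address from a different (often free webmail) domain, a send time outside business hours, urgency words, "kindly", an ask for money or data, the "are you in the office?" opener, and a short body with no details. The executive list, the assumed business hours, the weights, and both sample messages are constructed for the example; a high score is a reason to call, never a reason to act.

```python
"""Added example (not from the original post): score a message for BEC indicators."""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed assumptions: who the executives are and which domain they really use.
EXECUTIVES = {"jane doe": "marysdonuts.com"}
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}
BUSINESS_HOURS = range(8, 17)          # assumed 8:00 to 16:59, Monday to Friday

URGENCY = re.compile(r"\b(urgent(?:ly)?|immediately|asap|right away)\b", re.I)
KINDLY = re.compile(r"\bkindly\b", re.I)
ASK = re.compile(r"\b(gift cards?|itunes|wire|w-?2s?|payroll|bank account|routing number)\b", re.I)
OPENER = re.compile(r"\bare you (?:still )?(?:in|at) (?:the|your) (?:office|desk)\b", re.I)


def score_bec(raw_message: str):
    """Return (score, findings). A score of 4 or more: verify by phone before doing anything."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    findings, score = [], 0

    # Executive's name as display name, but the address is not the executive's domain.
    real_domain = EXECUTIVES.get(display.strip().lower())
    if real_domain and domain != real_domain:
        kind = "free webmail" if domain in FREE_MAIL else "non-company"
        findings.append(f"'{display}' uses {real_domain} but this came from {kind} domain {domain}")
        score += 3

    # Sent outside business hours (the post's "right before you leave for the day").
    if msg.get("Date"):
        sent = parsedate_to_datetime(msg["Date"])
        if sent.weekday() >= 5 or sent.hour not in BUSINESS_HOURS:
            findings.append(f"sent outside business hours ({sent:%a %H:%M})")
            score += 1

    # Wording tells, each counted once.
    for label, pattern, weight in (("urgency", URGENCY, 1),
                                   ("'kindly'", KINDLY, 1),
                                   ("asks for money or data", ASK, 2),
                                   ("conversation-starter opener", OPENER, 1)):
        hit = pattern.search(text)
        if hit:
            findings.append(f"{label}: '{hit.group(0)}'")
            score += weight

    # Short body with no details.
    if len(msg.get_payload().split()) < 40:
        findings.append("short body with no details")
        score += 1
    return score, findings


# Constructed sample messages.
SPOOFED = (
    'From: "Jane Doe" <janedoe.ceo@gmail.com>\n'
    "To: you@marysdonuts.com\n"
    "Date: Mon, 10 Sep 2018 17:35:00 -0400\n"
    "Subject: Are you in the office?\n"
    "\n"
    "Are you still in the office? I need a favor that's most urgent. Kindly reply.\n"
)
LEGIT = (
    'From: "Jane Doe" <jane.doe@marysdonuts.com>\n'
    "To: you@marysdonuts.com\n"
    "Date: Tue, 11 Sep 2018 10:15:00 -0400\n"
    "Subject: Agenda for Thursday\n"
    "\n"
    "Hi, attached is the draft agenda for Thursday's staff meeting. Please look over the\n"
    "section on the new donut line and let me know by Wednesday afternoon if you want\n"
    "anything added. I also scheduled the quarterly review with the accountant for next\n"
    "week, so please have the September sales numbers ready. Thanks, Jane\n"
)

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        score, findings = score_bec(raw)
        print(f"{name}: score {score}")
        for finding in findings:
            print("   -", finding)
```

The display-name check carries the most weight because it is the one indicator that is almost never present in a real message from your CEO. Note that the same scoring would pass a message sent from a genuinely compromised company account, which is exactly why the phone call, not the score, is the control.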

A good rule of thumb: if an e-mail seems strange, or requests something that is not normal procedure, it is probably a scam.


Be Secure!

@tjmprofessional

Thursday, September 6, 2018

How to Overcome Your E-mail Insecurity - Part 1 of 3

As a small business owner you probably have a lot of things keeping you up at night.  Your use of E-mail in doing business probably wasn't one of them, until you read this post.

E-mail was not designed to be secure.  It was created as a simple electronic messaging system for trusted, networked computers in the late 1960s and early 1970s, grew into wide use during the 1990s, and in the 2000s replaced both the telephone and the fax machine as the primary communication medium for business.  The flaw in that original design is the trust: nothing in basic e-mail verifies that a message really came from the address it claims to be from, and that is what has made it the preferred attack vector for cyber criminals defrauding both individuals and businesses.  Rather than dwell on what we can't change, let's focus on what we can.

The E-mail Interloper
Over the last year a very popular type of e-mail hacking has been targeting attorneys, loan officers, and realtors.  (There have been similar scams involving vendor payments and payroll providers.)  A hacker compromises one of these parties' e-mail accounts.  Rather than make their presence known, they sit back, read through the person's e-mail, and wait for the right situation to arise, usually a real estate transaction.  Once the hacker knows the particulars of the deal, they wait until the time of closing and then send an e-mail from the compromised account telling the buyer or the buyer's agent that the wiring instructions for the settlement have changed and to use the new bank routing and account number to transfer the proceeds.  The buyer sends the wire to the hacker's bank, and by the time all the parties figure out what has happened, the hacker has moved the money through several other banks and eventually wired it overseas, and "poof", hundreds of thousands, potentially millions, are gone.  If that wasn't bad enough, everyone then lawyers up to try to figure out who is at fault, and the real mess begins.  Whether you are the buyer, the seller, a real estate agent, or an attorney, this is a business nightmare, because both the money and the deal are gone.

Security Tip: If you are in the real estate business, or any business where you frequently send wires to different parties, always pick up the phone and call a number that you already have on file to verify the wiring instructions with the receiving party before sending the funds.  Never use a phone number from the e-mail carrying the new instructions; the hacker controls that number.  A simple five-minute phone call defeats an e-mail takeover scam, and it also demonstrates to your customers and business partners that you take security, and doing business with them, seriously.  If your clients are the ones sending funds, remind them to do this one simple thing to protect themselves, and your commission.


Be Secure!


@tjmprofessional

Saturday, August 25, 2018

Phishing is not a Technology Problem

In reading the title of this post, IT folks all around the world are shouting at the top of their lungs; "Amen!".

While perhaps not a profound statement for the IT community, it is nevertheless true that phishing is not an IT risk but a business risk.  Phishing is social engineering: trickery and deception, with technology as the delivery platform, used to coerce your employees into e-mailing bulk HR or customer data, giving up their passwords, or sending money to a criminal posing as a company executive, government official, or vendor.  It is therefore the social engineering aspect that needs to be addressed, but it rarely is.  That is why phishing is very effective, very profitable, and growing rapidly in both volume and sophistication.

The security software and appliance vendors keep upping the ante with the latest technology (now AI) to detect or block phishing e-mails, but at the end of the day this is a holding action, not a sustainable solution, because it is never 100% effective.  The root cause is still sitting one foot in front of the keyboard.  It is your employees and contracted staff that make phishing attacks possible, and this is where the least budget and time are spent on reducing your organization's risk of being phished.

Security experts have been debating for years about how effective security awareness training, mock phishing exercises, the security posters hung in the break room, and posting security tips on your organization's intranet site are.  And to be honest, perhaps the jury is still out on having any scientific data on that, but what is the alternative?  Do nothing?  We've seen first-hand with recent data breaches how well that works. 

Perhaps the secret formula is a balanced approach of tools, training, and procedures to combat this business risk.  Tools that scan e-mail for suspicious content.  Training that shows employees what phishing e-mails look like and gives them an avenue to report them, so they are part of the security process.  Mock phishing exercises with a teachable moment built in.  And well-communicated procedures: no e-mailing bulk data without approval, no sending wires without phone verification, and a clear understanding that the CEO (who probably doesn't remember your name) is never going to ask you to "kindly" pick up some iTunes gift cards at the store.  Do all of that, and your organization has a shot at thwarting the phishers.

Be Secure!!!

@TJMProfessional



Sunday, July 8, 2018

"Are you still in the office?" - A Phishing Story

The below is based on a true story:

Monday at 5:00 pm - You are just leaving the office.

You happen to have left the office on time today (for once) for your kid's soccer game, a happy hour, a hot date, or whatever.  At 5:35 pm you get an e-mail from your boss.  The subject is "Are you still in the office?".  Of course you open the e-mail.  In the body of the e-mail, your boss says "Hey, are you still there?  I need you to do me a favor that's most urgent."  Naturally you want to please your boss, and be responsive.  You immediately respond; "Sure, what do you need?". You then get a reply back; "Thank you so much.  I have a client that I am going to be meeting tonight, and really wanted to "Wow" them by getting their team some iTunes gift cards.  I totally forgot to get them.  Can you run out to a store and get me four $250 iTunes gift cards.  Once you have them, scratch off the back to reveal the code and kindly send me photos of the codes.  I need them before dinner is over at 8:00 pm tonight."

You make a slight detour on the way to your after-work event to stop by a store and purchase four iTunes gift cards with your corporate card.  You then whip out your phone and send your boss photos of the codes by 6:20 pm, and are still able to make your event.  You saved the day for your boss and helped him/her win over the new clients.  Deep down you are hoping your part in this is remembered when raise/bonus evaluation time comes around.  All is right in the world.

Tuesday Morning at 8:10 am - You are in the office and just grabbed your morning coffee.

The boss walks by your desk and says "Good Morning".  You respond in kind and add, "How did the clients like the gift cards?"  Your boss stops, turns to you and says "What are you talking about?"

It is at this point that you find out the e-mail was not from your boss, and that you were the victim of a spear-phishing e-mail.  The cyber criminal stole $1,000, which you put on your corporate card thinking you would be reimbursed.

Does this sound like a far-fetched story?  It's not.  It is safe to say that thousands of intelligent people around the world fall for this type of phishing campaign every day.  Per the FBI's 2017 Internet Crime Report*, there were 25,344 reported phishing victims in the US alone in 2017, and most phishing attacks go unreported because the victim is embarrassed at having been tricked.  Today's cyber criminals rely on human behavior over technical skill.  They use fear, greed, and people's good nature and helpfulness to defraud your employees and your business.  Security awareness training is a very effective, and fairly cheap, defense against phishing attacks.  Speaking of awareness, let's get to it.  Below are some tips on what this employee should have done to avoid becoming a victim:

Tips:
1.)  If you get an e-mail from someone (such as your boss) and the request is unusual (i.e. not something they have ever asked you to do before), pick up the phone and call them on a number you know is valid.  Also, if the e-mail is from the CEO or CFO and they most likely don't even know your name, they probably aren't asking you for a favor.  This is when it is good to forward it to your boss with your suspicions and ask him/her to look into it.  Communicate outside the e-mail thread and use the chain of command to authenticate odd e-mail requests.

2.)  Any e-mail asking you to buy something (typically iTunes or other gift cards, or prepaid debit cards), transfer customer/employee data, or transfer funds (a wire, ACH, Western Union, MoneyGram, etc.) needs to be independently verified by picking up the phone and calling the person on a number you know is valid (don't use any contact info in the e-mail that was sent to you).

3.)  Cyber criminals know what your office hours are.  Treat "urgent" requests that arrive after hours as highly suspicious.

4.)  As with #3 above, the cyber criminals know you will most likely be checking your work e-mail after hours on a mobile device.  Most mobile mail apps show only the display name, not the actual e-mail address, so they can send an e-mail from a Gmail account with your boss's, CEO's, or CFO's name as the display name, and that is all you will see on your phone or tablet.  Tap the display name to show the actual e-mail address.  Even if it looks legitimate, still call.  No one ever got fired or in trouble for verifying e-mail instructions that seem odd.

5.)  Look for very short e-mail messages with no details.  Bad grammar and spelling are also common signs.  In addition, look for non-American-style English such as "I have a most urgent request" or "Kindly send me the gift card codes."  Does your boss or CEO talk like that?

6.)  Let's say you fell for it and realize it afterwards.  Report it!  You can still save the day.  In this case, the employee should have notified the company's security officer or HR so that all the other employees could be warned of the scam to prevent additional victims at the organization.  Secondly, he/she should have contacted Apple to have the codes deactivated.  It wouldn't get the money back, but it would stop the criminals from getting it.  When criminals find a good target, they keep coming back.  Try to ensure that their attack on you isn't profitable; that way they will seek an easier target next time and leave you alone.



Be Secure!


Link to the 2017 FBI Internet Crime Report
* https://pdf.ic3.gov/2017_IC3Report.pdf

Saturday, June 23, 2018

The Password Game

With all the focus on phishing and ransomware (which yes, you need to be protecting your organization from), don't lose sight of the importance of good password management.  You hear security folks talking about strong passwords, or complex passwords, but what does it mean?  and better yet, why is it important?

Answer to the question: "What is a strong password?"
Strong passwords are harder for a hacker to compromise because they have all of the following characteristics:

  • They are complex (made up of lower-case letters, upper-case letters, digits, and special characters such as @#$%&?!).
  • They are not dictionary words or proper nouns.
  • They are long (8 characters is the usual minimum, but 10 or more is better, and every extra character helps).
  • They are changed with frequency (45 days is commonly recommended, 30 days is stricter; see the caveat under point 4 below).
  • They are not recycled (known as password history; the usual setting remembers the last 12 passwords, but a good practice is to never reuse a previous password).
So to answer the question "Why is it important?", let's go through each of the above points:

  1. Complex Passwords: The reason you don't want to use only lower-case letters is the speed of modern password-cracking tools.  If the password file on a computer, or a single password hash captured off the network, falls into a hacker's hands, they run a brute-force attack against the hash (the one-way scrambled form in which passwords are stored).  A brute-force tool does not guess one character at a time; it tries every possible combination.  With only the 26 lower-case letters, an 8-character password has 26 to the 8th power, about 200 billion, possibilities, which a single modern graphics card works through in seconds to minutes for a fast hash.  Mix in upper case, digits, and special characters and the same 8 characters offer 95 to the 8th power, over 6 quadrillion, possibilities, and every additional character multiplies that again.  This is important when we discuss change frequency.
  2. Dictionary Words / Proper Nouns: In the early 2000s the rainbow table technique appeared, along with tools such as RainbowCrack that shipped precomputed tables of password hashes for enormous lists of dictionary words, first names, place names, and common variations, under several hashing algorithms.  In essence, a rainbow table works out ahead of time what a dictionary word looks like once hashed, so if a password file or hash is captured, cracking it becomes a table lookup that returns the full password instantly.  (Hashes stored with a random per-user salt defeat precomputed tables, but you usually cannot tell how a given system stores your password, so don't count on it.)  So don't use dictionary words or names.  In fact, it is better not to use a pass-"word" at all but a phrase instead, something that means something only to you and is easy to remember.  Let's say your daughter's name is Sara, she was born in 2008, and you drive a Chevy Cruze; your passphrase could be $ar@08CrUzing.  Be aware that cracking tools automatically try common substitutions such as "$" for "s" and "@" for "a", so the length and unpredictability of the phrase, not the substitutions, are what protect it.
  3. Password Length: As mentioned in point 1, the longer the complex password, the more time it takes to crack if the hash is compromised.  So think of this as a game you are playing: the more complex and longer the password, the more you increase your odds of protecting it and decrease the hacker's odds of cracking it before you change it.  Which leads us to the next point...
  4. Password Change Frequency: In one of my posts from last year, I applied a Benjamin Franklin quote to changing passwords: "Passwords are a lot like diapers. They should be changed frequently, and for the same reasons."  The whole point of coming up with a complex, long password with no dictionary words is to push the time it takes to crack it beyond the point at which you change it.  If you never change your password, eventually a hacker can crack it.  So change your passwords every 30-45 days; in theory, by the time a hacker gets your hash and cracks it, you have already changed the password and the cracked one is useless.  One caveat: current guidance from NIST (SP 800-63B) no longer calls for forced periodic changes on their own, because users respond by making tiny, predictable edits to an old password.  Rotation only helps if each new password is genuinely new, and a password you suspect has been exposed must be changed immediately, not at the next scheduled date.
  5. Password History: For the same reason as point 4, don't reuse an old password, at least not for several change cycles.  If you change your password every 30 days, it takes a hacker 60 days to crack it, and you then reuse the original password, you have defeated the purpose of changing it.
So as demonstrated in the above five points, all of these characteristics work together not to prevent a hacker from getting your password hash, but to prevent a hacker from getting a password that works.  It is a game you are playing, and your goal is to run out the clock on the hacker while you are ahead.
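To put numbers on points 1 through 4, and to show why a precomputed table cracks an unsalted hash instantly but misses a salted one, here is an added example that is not part of the original post. The guess rate is an assumed round number (ten billion guesses per second, roughly one modern GPU against a fast hash such as MD5 or NTLM; slow hashes like bcrypt cut it by orders of magnitude), and the word list is constructed. The "table" is the simple lookup-table form of the idea; real rainbow tables store hash chains to shrink storage, but the principle is the same.

```python
"""Added example (not from the original post): keyspace arithmetic for brute force,
plus a precomputed hash table against unsalted and salted hashes."""
import hashlib
import os

CHARSETS = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}   # printable ASCII symbols
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000   # assumption: 10 billion fast-hash guesses/s


def keyspace(length: int, classes) -> int:
    """Number of candidates an exhaustive brute force must consider."""
    alphabet = sum(CHARSETS[c] for c in classes)
    return alphabet ** length


def worst_case_crack_seconds(length: int, classes, rate=ASSUMED_GUESSES_PER_SECOND) -> float:
    """Time to try every combination; on average the attacker needs about half of it."""
    return keyspace(length, classes) / rate


def human(seconds: float) -> str:
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


# --- precomputed tables (the rainbow table idea, in its simplest form) ----------
WORDLIST = ["password", "sunshine", "letmein", "donuts", "sara2008"]   # constructed


def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """A random per-user salt makes every stored hash unique, so no table built
    ahead of time can contain it."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_lookup_table(words):
    """Hash every candidate once, ahead of time; cracking then becomes a lookup."""
    return {unsalted_hash(w): w for w in words}


def lookup_crack(table, stored_hash: str):
    """Instant if the hash is in the table, otherwise nothing."""
    return table.get(stored_hash)


if __name__ == "__main__":
    for length, classes in ((8, ["lower"]),
                            (8, ["lower", "upper", "digit", "symbol"]),
                            (12, ["lower", "upper", "digit", "symbol"])):
        print(f"{length} chars, {'+'.join(classes):26} keyspace {keyspace(length, classes):.2e}"
              f"  worst case {human(worst_case_crack_seconds(length, classes))}")
    table = build_lookup_table(WORDLIST)
    print("unsalted 'donuts' ->", lookup_crack(table, unsalted_hash("donuts")))
    print("salted   'donuts' ->", lookup_crack(table, salted_hash("donuts", os.urandom(16))))
```

Run it and the three keyspace lines make the post's point better than any rule: 8 lower-case letters fall in under a minute at the assumed rate, 8 mixed characters take days, and 12 mixed characters take longer than any rotation schedule will ever matter. The table demonstration shows the other half: a dictionary word is found instantly when the hash is unsalted, and not at all when a random salt was used.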

Be Secure!

Friday, May 25, 2018

No Silver Bullet for the Cyber-wolves

The majority of individuals and businesses are sold a bill of goods regarding cyber security.  They hear marketing pitches for security software, appliances, and managed services, and are told that "this product" or "that service" will secure their business or their home computer; at the end of the day, it gives them a false sense of security.

While these products and services can help reduce your risk of a cyber incident, they are only a small piece of your overall security program.  There is no silver bullet that can keep hackers at bay.  To do this, you need to employ a Defense in Depth security program.  While this sounds like a daunting and expensive task, it can actually be done very inexpensively and with a few simple steps.

Risk Assessment - "If You Can't Measure It, You Can't Improve It." - Peter Drucker
The first step is to have a security risk assessment performed.  This informs you where your information security risks are, what controls you have in place, and what control gaps/weaknesses you need to shore up.

Policies, Plans & Procedures - "Those that fail to plan, plan to fail."  - Alan Lakein

  • Information Security Policy - This should cover, at a minimum, access control/user management, anti-virus, patching, password management, data classification and handling, use of encryption, remote access, change/configuration management, software acquisition/licensing, logging, and acceptable use.
  • Incident Response Plan - You need to have this before you have an incident.  Don't worry about trying to identify every single type of incident; just get it down to high-level impacts, e.g. network outage, server outage, application outage, security breach, malware infection.  Have written procedures on how your staff should respond to each of these types of incidents.
  • Business Continuity Plan - If there is an electrical outage, fire, or natural disaster you need a plan of action for how and where you will resume your business.  Include all of your employee, contractor, and vendor contact information in the plan.  Keep the plan in multiple locations, including a hard copy at your home; if there is no power, your cloud or your PC may not be accessible.  Do not get hung up on the type of disaster; focus on the fact that your office is not accessible, and the plan needs to answer the question "What do I do now to stay in business?".  Do a paper walk-through with your management team at least twice a year and update the contact information.


Anti-Malware (Anti-Virus, End Point Control, Patching)
Having anti-virus and endpoint protection is not optional.  Make sure it is actively running, updated daily, scans daily (off hours), and that only an Admin can disable or change the settings.  Also, no user on your business network should have local Admin rights, and your IT staff should have an Admin account for tasks that require it and a separate non-Admin (normal user) account for surfing the web and checking e-mail.  Malware is most dangerous when it can execute with Admin privileges, and it runs with the privileges of whoever clicks on it.  Patching needs to be done in a timely manner on operating systems, database management systems (MS SQL, MySQL, Oracle), and application software (Apache, Adobe, Office, etc.).

PC & Server Hardened Standard Image
Your PCs and servers require certain services to operate.  Over time, as you add software, more and more services are activated, usually set to run at startup when most do not need to.  Besides slowing down the machine and giving a poor user experience (it takes forever to start up and shut down), every unnecessary running service increases the attack surface available to a hacker or to malware.  You should have a standard image for your organization's PCs and servers in which you deactivate all non-essential services (daemons, in the Unix/Linux world).  Also remove all non-essential user accounts.  Most operating systems and applications come with Test or Guest accounts; either remove them or disable them.  If you have to keep any default accounts, change their passwords and make them complex (10-14 characters with letters of both cases, digits, and special symbols).  This is called hardening.  Once you have a hardened image, copy it, and that is the baseline every machine in your organization gets.  And since you are not letting your users have local Admin rights, they will not be able to install software, which ensures that only approved, malware-free, and licensed software is running on your network.

Network Security
You should have multiple layers of firewalls, routers, and switches.  Keep these patched in a timely manner too, and change all default accounts and passwords.  You should have some type of intrusion detection or log-reporting system in place to sift through the firewall logs and surface the critical alerts, so you know when you are under attack and can follow your Incident Response Plan, as noted above, to prevent or stop it.

Security Awareness Training
While listed last in this post, it is by far the most important low-cost security measure you can take.  Cyber criminals have figured out that it takes a lot of skill and hard work to hack your network.  It is much easier to trick your employees into handing over a user ID and password, your customer or employee data, or a wire out of your business bank account.  Your awareness program is not a once-a-year video or PowerPoint deck.  It needs to be ongoing and use a number of mechanisms to stay top of mind for your employees.  Monthly security-tip e-mails, security posters in the break room, mock phishing exercises, a security expert coming in quarterly for live or web-based training, and monthly brown-bag lunch presentations by your IT or security team will have a big impact on your employees' security awareness.

To sum it up, there is no silver bullet, and information security is not a menu to choose from.  You have to do all of these things, and more, to have a defense-in-depth security architecture.  You need to put up enough barriers to frustrate the attackers, which will encourage them to leave your organization alone and go hack someone else (hopefully your competitors who don't take my advice).