This week, National Cyber Security Awareness Month (NCSAM) focuses on accountability and responsibility within the information security space: “It’s Everyone’s Job to Ensure Online Safety at Work.” This theme underlines the importance of a communal effort to achieve strong security awareness within an organization – it takes a village.
“We must accept human error as inevitable – and design around that fact.” – Donald Berwick
People are naturally conditioned to be helpful and polite. Unfortunately, this innate characteristic does not play well with established cyber defense strategies, and cybercriminals have benefitted from it. The majority of executed cyberattacks come from the inside of an organization. Educating employees on how to respond to potential email-based attacks and other social engineering tactics, maintain sound operational security, stay on top of password management and actively use the implemented incident response and escalation plan can radically decrease an organization’s attack surface.
Being a security awareness advocate can occasionally feel like herding cats. You may feel that you are trying to push water uphill when you repeat, “trust, but verify,” but this concept is crucial to keep in mind throughout your daily doings. On the bright side, maintaining a thorough and concise security policy, while avidly reinforcing employee awareness training, can successfully ease the confusion and obscurity of security policies that many professionals face today. Organization-wide security training and compliance can be the differentiator between a secure environment and a breach, data leakage or financial loss.
Mimecast reports that email is the number-one vector cybercriminals leverage to deliver phishing attacks, malware and impersonations. Further, almost 90% of organizations have observed an increased or static number of phishing attacks within the last year. Email-based attacks are not a new phenomenon, and the ubiquity of such attacks implies that they are not going away any time soon.
The 2018 Phishing Trends and Intelligence Report by PhishLabs suggests that, “users are the most prominent and exploitable vulnerability.” This issue highlights the unfortunate, but true, concept that humans are the weakest link within the information security risk model. It appears that cybercriminals are beginning to shift focus from attacking individuals to attacking entire organizations.
Phishing emails can be delivered to users while imitating a trusted source. For example, an attacker may send an email from email-google[.]com to trick a user into thinking the email is from Google services. The email may contain a link to reset a password that was purportedly “compromised.” The link within the email can direct users to email-google[.]com, where the victim may be prompted to enter credentials or personally identifiable information. At this point, the attacker has a valid email and password combination that may be useful on other accounts owned by the victim. Further, the number of phishing sites hosted on HTTPS websites has significantly increased since 2016. Phishers believe that HTTPS sites are more likely to be trusted by users, which can lead to more successful outcomes – unfortunately, they are right on the money.
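As an added example (not code from the original post), the following Python check flags the lookalike pattern described above: a sender domain or link host that name-drops a trusted brand without being a domain that brand actually owns. The trusted-domain list and the sample message are constructed for illustration.

```python
from __future__ import annotations

import re
from email import message_from_string
from email.utils import parseaddr

# Domains the organization accepts as genuinely brand-owned (constructed list).
TRUSTED_BRANDS: dict[str, set[str]] = {
    "google": {"google.com"},
}

# Constructed sample message mirroring the post's scenario: the sender domain
# contains the brand name but is not owned by the brand (defanged on the page).
SAMPLE_EMAIL = """\
From: Google Security <no-reply@email-google.com>
To: victim@example.org
Subject: Your password was compromised

Reset your password here: http://email-google.com/reset
"""


def sender_domain(raw_message: str) -> str:
    """Return the lowercased domain of the From header, or '' if absent."""
    _, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def link_hosts(raw_message: str) -> list[str]:
    """Return lowercased hostnames of http(s) links found in the body."""
    body = message_from_string(raw_message).get_payload()
    return [h.lower() for h in re.findall(r"https?://([^/\s]+)", body)]


def is_trusted(domain: str, trusted: set[str]) -> bool:
    """True if domain equals a trusted domain or is a subdomain of one."""
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def flag_lookalike(domain: str, brands=TRUSTED_BRANDS) -> str | None:
    """Return the brand a domain impersonates (brand name present, not owned), else None."""
    for brand, trusted in brands.items():
        if brand in domain and not is_trusted(domain, trusted):
            return brand
    return None


def check_message(raw_message: str) -> dict:
    """Summarize sender and link findings for one raw RFC 822 message."""
    domain = sender_domain(raw_message)
    return {
        "sender_domain": domain,
        "sender_impersonates": flag_lookalike(domain),
        "suspicious_links": [h for h in link_hosts(raw_message) if flag_lookalike(h)],
    }
```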
The best way to avoid phishing attacks is to implement multiple layers of system defenses and, above all, to strictly follow and enforce established security policies.
Malware, Ransomware and Trojans – oh my!
Over time, malware, ransomware and trojan delivery via phishing emails has increased significantly. Malware is defined as software that is intended to damage or disable computers or computer systems. Ransomware and trojans are subtypes of malware that can masquerade as harmless attachments but, when executed, deliver malicious code or lock the victim out of their workstation. Emails can be sent with what appears to be an innocent attachment; however, unbeknownst to the user, the attachment is embedded with malware. Users can avoid these nefarious traps by disabling automatic attachment downloads and using up-to-date antivirus software to scan attachments prior to download.
In our latest whitepaper, Pst! Cybercriminals on the Outlook for Your Emails, we highlight how attackers can use exposed credentials to make illegitimate and malicious requests to colleagues, dig through the victim’s inbox to identify more potential targets or configure rules to silently forward emails to the attacker or delete nefarious emails from the sent box.
Historically, impersonation attacks have mostly targeted individuals within the same company; however, organizations have seen increased impersonation attacks where the attacker poses as a trusted third party or partner. When it comes to alleviating impersonation attacks, employee education is key. Applying technical controls, improving employee training and correcting negligent email practices are imperative to mitigating these attacks.
Social Media Compliance
Top social media security risks include network or data breach, data leakage, loss of customer trust and negative publicity. Attackers can create an illegitimate account, act as a legitimate company support contact and fraudulently direct customers to a phishing page to enter credentials or personally identifiable information. Social media “account hacks” can also serve as an attack vector; bad actors may gain access to an organization’s social media page and begin posting malicious or defamatory content. Unfortunately, this issue does not stop with corporate social media accounts. Individual employees can be misled into releasing confidential information to “trusted sources” via social engineering attacks. Malicious actors can create spoof profiles to act under a different persona and reach out to potential targets while appearing to be a friend, colleague or third-party vendor.
To mitigate these potential threats, make a point to understand the potential risks and how your organization may be targeted. Collaborate and build a plan to maintain a safe and secure environment while propagating an effective social media presence for business needs. Further, make employees aware of the risks they may experience and how to avoid social media attacks. This can be accomplished by periodically assessing potential vulnerabilities within the company and teaching personnel to be critical when accepting connection requests, clicking on links or identifying spam.
Clean Desk Policy
Implementing a clean desk policy reinforces security awareness among employees and elevates the necessity of protecting sensitive information. The SANS Clean Desk Policy report suggests that, “a Clean Desk policy is not only ISO 27001/17799 compliant, but it is also part of standard basic privacy control.” Employees should securely stow sensitive or critical information to avoid data, information or financial loss. Further, when users are not directly in control of their workstation, it is imperative to lock the machine to prevent potential bad actors (colleagues or others) from accessing sensitive data or maliciously acting on the user’s behalf.
Implementing a password policy and using a credible password manager is essential in maintaining account security. For best password practice, it is safest to create a new password for each account. We are all human, so remembering these passwords can be tough, but this is where a password manager becomes a very handy tool. Check out our previous blog on Credential Hygiene for recommendations on password length, re-use and multi-factor authentication (MFA).
Security Awareness and Training
The 2018 SANS Security Awareness Report recommends that maintaining qualified and dedicated cyber security awareness staff is essential. Finance and operations departments are reportedly the largest roadblock for security awareness teams. Transparent communication about the value and benefits of a successful security awareness program, from a business perspective, can minimize gaps in understanding and emphasize effectiveness.
Gartner suggests that ineffective security policies are too long and opaque, do not address business concerns, are not tailored to specific organizations and are too technical for non-technical personnel within an organization. It is essential for companies to create a concise security policy that is easily understandable and easily applicable to all individuals, professions and ranks within an organization; thoroughness and simplicity are key. Templating a generic security policy can be detrimental to an organization’s risk posture; creating a security policy based on an organization’s perceived and potential risks is more suitable and valuable. It is important that we do not make security policy compliance an afterthought – build a security awareness culture where employees understand and carry out established plans and incident response procedures accordingly.
In the end, security awareness and compliance are everyone’s job. After all, we are all in this together.