It's hard not to get worn down on the constant bombardment of new cyber breach after cyber breach. Every day more victims are coming forward or being exposed on public forums. Personally, it's always better to admit the issue yourself then be outed to the public by a security researcher or hacker but that isn't always an option especially if you don't know that it's occurred in the first instance. I don't want to paint a completely bleak view here though as people are doing some great things that are helping to reduce the issues that we are seeing in the security trenches daily which is good news.
The human side of security is copping a hammering at the moment and is getting a bit of a bad name which I don't think is entirely fair to those users who are being tarnished with that negative brush. I think it is on us, the security folk, who are here trying to protect them and their systems. We have a bit of a reputation that depicts us as the "no" people, the party poopers who lock down our systems and don't let us have all of the new technologies that would help them do a better job. We need to change that opinion and be the "yes" people.
I know I am a little off-topic and I haven't even talked about the article topic yet but I just wanted to put it out there that we need to become more approachable in our respective organisations, to the community or anyone else we help to keep protected, That way when people have concerns or see something that they think isn't right they will come to us about it for help.
This type of openness will make our lives as the protectors much easier because we won't be those painful "no" people anymore and it will reduce the shadow IT problem as well. If we help them get what they need there will be no need to try and circumvent us to get what they need to do their jobs well. It seems like a no brainer right, we help them get what they want, and then they involve us in getting new systems which help us do our job better.
Now once we have built this relationship with our users/people we protect we need to do more by helping them understand how attacks come through and how they can better protect themselves and the organisation. Teach them with user awareness training and map out threats for them so they understand. Not just be aware of the threat but understand how an attack will take place. Lay it out for them so they know what to expect.
Let me run through a scenario to show you what I mean. How about one of those financial scams that we are all seeing getting around via email:
- A malicious actor finds a target company and employee usually the accounts person. They could have obtained the person's info via a previously breached company that this person deals with (happens with a lot of office 365 and Google mail accounts), they get access to an account and then go after all of your contacts. It's a successful technique.
- They would likely send an email from either a breached account or a newly created account with say the target companies CEO as the email address or CFO like CFOName@gmail.com or something like that. The email would sometimes start with a general statement that they are out of the office and don't have access to work email and would like to know how long it would take to do a money transfer to such and such country.
- Other times the malicious actor may redirect the email from a victim’s inbox and then modify payment details on an invoice, then drop the modified invoice in the inbox again. Many organisations don’t validate these requests and will just update the account info before paying the invoices. They may even add a note that the bank account has been changed just to make it look more valid.
- A few weeks later the company will follow up with you about payment and you will indicate that you have already made payment. This will go back and forth for a few days maybe until one of you realise that you have paid the invoice into the wrong account and they had never actually changed the bank account. You have just realised that you have been scammed.
In this type of scenario, we could have done a lot of things to prevent it from taking place. I will list a couple now:
- Multifactor authentication would certainly have helped protect the email account from the malicious actor gaining access but that wouldn’t help if they were using a generic impersonation email address but good to think about anyway.
- Policies, procedures…. Make sure you have them and follow specific verification procedures before any account details are changed for payments. Call known contacts and verify that the request is valid, have a second person validate the request with you if possible.
- Training, training and discussions. What I mean is let's teach our users what to look out for not just once off training but regularly, have them send suspicious items through to you to look at. A few minutes checking an email is nothing to help protect your systems. Give praise to people who do this, make it a positive thing in your organisation, help them learn and know they can come to your team for help anytime that they aren't an inconvenience. They might be the key to saving you at that critical moment that could prevent a breach or financial scam like this from occurring.
Pull up your socks and get ready to prepare to do the hard yards to help your humans do better at protecting the company and themselves in their daily lives it will be a benefit to everyone. Oh and don’t forget your technical people, they may be better at seeing these scams but we can all fall victim to a scam in the right scenario. So let’s educate everyone and don’t be judgemental it achieves nothing for no one.
Till next time…