Tis the season to be crafty! Just as Amicus ITS was reaping the results of its own competition for staff to design a winning Christmas e-card for 2018 incentivised with online gift card vouchers for prizes, came the news report issued last Monday by security firm Barracuda Networks that Santa’s gone a bit phishy in a Gremlins kind of way in the run up to Christmas.
The increasing sophistication of social engineering has created a new cyber security workplace scam targeting receptionists, office managers and executive assistants. The report states: “These types of attacks are very hard for traditional email filters to pick up because they are targeted, have a high reputation, and do not contain any obvious malicious signals”.
Here, hackers will pretend to be the CEO or senior managers, using tactics like implied urgency and directed emails asking specifically say, for Google Play gift cards. Phishing emails can also include a ‘signature’ implying it was sent from a mobile device. Alternatively, the scam can be built around a secret ‘reward’ for employees. There are no malicious payload links, or suspicious file attachments and they are often sent from trusted email domains.
Spokesman for Barracuda Networks, Asaf Cidon commented: “When sending social engineering-based attacks, attackers have always used context and timing to their advantage – and the Christmas season has opened the door wide to a lot of cleverly designed executive impersonation”.
What can you do about it?
Organisations should have the relevant anti-malware, spyware and adware in place. Other security tools can include more advanced spybot software and AI-based security solutions to detect anomalies in email addresses that the CEO would not use, or behaviours which would recognised be uncharacteristic. But alongside all of these technical competencies, it comes back to having an educated and informed workforce across the board, vigilant and trained to spot attack efforts and know the right remedial steps to take:
• Use HR to work with IT to help with employee messaging to avoid falling for these scams and to understand what technology is needed to ward off the attacks.
• Awareness spread through the employee network should reduce the time between attack and detection and prevent more extensive damage.
• If a gift card email scam hits your organisation, why not set a procedure in place for employees to be required to gain direct management approval to verify any financial requests.
Have you experienced this type of attack? How did you react. Anyone seeking advice on security measures around their IT systems can contact Sales on 02380 429429.
Ransomware relies on human fallibility crypto-ransomware, malware that extorts money from victims by encrypting their files and systems until they pay a ransom, has been much in the news since WannaCry hobbled IT systems around the world last month. While much was made of the fact that WannaCry spread through networks by exploiting SMBv1 vulnerabilities in unsupported Windows systems (such as Windows XP, Windows 8 and Windows Server 2003), it is unusual for ransomware to self-replicate in the way WannaCry did.
Often, ransomware, in common with most other forms of malware, is spread by drive-by downloads or phishing campaigns, both of which exploit human error. So, even if you use robust anti-virus and anti-malware solutions, conduct regular penetration tests and ensure you keep your systems up to date and install the latest patches, your system could still be compromised thanks to a careless employee.
According to a 2016 report by SentinelOne:
- 39% of organisations in the UK were hit by ransomware in the previous year
- 72% of those infections were attributable to phishing
- 38% were attributable to drive-by downloads from compromised websites
People are frequently acknowledged as the weakest link in any security system. But with better levels of staff knowledge, companies are more secure as you can, in effect, ‘patch’ your employees. Therefore, a best-practice approach to information security such as an ISO 27001 compliant ISMS (Information Security Management System), follows a holistic approach that addresses people as well as processes and technology.
Amicus ITS takes security seriously. “We say security is part of our DNA here” advises JP Norman, Director of Technology, Security & Governance, “and I consistently refer to the importance of “the squishy bits” (ie. the people) in IT management. You can deploy the best systems and infrastructure money can buy – but you have to ensure your people are trained too.”
The Wall Street Journal in the US has reported a significant rise in cyber threats being dealt with in the legal sector. The allure of law firms to criminals is especially attractive given the highly sensitive nature of the data held by them.
But are we just talking about some underworld cyber guys ransoming data? Apparently not – some of the recent targets have also included the suspicion of attempts at insider trading deals (now allegedly the subject of investigations by the FBI).
Phishing attempts in law firms continue to feature highly in the latest reports. Stephen Tester, partner at London law firm CMS which brokers cyber insurance commented to the BBC: “We’ve seen examples of emails [at client law firms] that purport to come from a managing partner to a more junior lawyer directing them to make payments to an account or to send certain information to an address… they can look very much like a regular message.”
However, it’s the accounts of alarmingly insidious new ways that cyber criminals are trying to access systems that should put everybody on their guard. Would you have considered your video-conferencing systems or telephony to be vulnerable? Well apparently so. “There are ways in which people can go into video-based conferencing facilities and literally listen in on meetings” Mr Tester said. Telephone systems these days are delivered via VoIP, in essence translating analogue to digital then back to analogue. Not many organisations even consider this to be another attack surface.”
The rise and variety of attack reflects both the cunning and sheer determination of attackers looking for any infrastructure loopholes and sometimes striking gold through wifi settings and unsecured networks. Ally that to unsuspecting staff (“93% of data protection breaches reported to be caused by human error”) source ICO report 2015 and you have a Tsunami of potential threat on the horizon with today’s cyber vultures circling.
Questions for you
• Can you afford to sit back and either your organisation is not a target?
• Can your company afford to lose trust?
• Can your company afford to pay the financial penalties if you are found to have mishandled EU resident’s data – this could be a fine of up to Euro 20 milllion or 4% of global turnover (EU GDPR).
You have a duty to your employees, customers and shareholders to know that you are can protect the data you are holding.
So what can firms do to avoid having cyber criminals musing over yours or your client’s data for their financial gain? Well certainly an audit with cyber security experts is a good start. Reviewing data security policies is a natural follow on – and identifying and keeping up to date what your plan is in the event of a cyber breach. Finally, with phishing, this is an opportunity for companies to raise everyone up by prioritising education around data security and cyber threats amongst staff. Better to pick over your own bones that have it done to you!
Cyber criminals continue to aggressively targeting SMBs in the hope that their systems will be less robust than larger, enterprise organisations.
Data theft and disruption (digital vandalism) are pure salmon on the menu for hackers, to either steal money from or pass details to other criminals and criminal organisations. The US in 2013 had 28 million SMBs, 66% of which contributed $7.5 trillion to the US economy. 36% of SMBs in the US suffered cyber attack in 2012. The UK in 2014 had an estimated 5.2 million businesses employing 25 million people, with a combined turnover of £3.5 billion.
Common types of attack:
• Phishing – scam email from a familiar looking person or address getting the user to reveal passwords or credit card details.
• Digital vandalism – Denial of Service (DoS), virus attacks or other malware to interrupt a business with damaging cost impact to business.
• Data theft – this can paralyse a smaller organisation – average cost to a US SMB in 2013 was $9,000. Of those attacked it is estimated that 60% go out of business within six months.
Impact on business:
• Business lost during a cyber breach
• Loss of company assets (bank account details, passwords, customer records, company strategy, employee information)
• Damage to reputation – this can go on for years (and hacked websites can be quarantined for long periods by search engines preventing new business in).
• Risk of being sued – failure to protect customer information with reasonable measures could leave an SMB open to litigation.
• Vulnerability of business through lack of firewalls, encryption, virus software and staff monitoring and managing the protection of a company’s digital estate.
Failing to act is no safeguard. Understanding the infrastructure and its weaknesses is a first step to positive preventative action. Pen-testing offers a relatively cheap and often eye-opening analysis of risk and gaps.