The goal of National Cyber Security Awareness Month (October) was to educate individuals and organizations on how to detect and avoid cyberattacks. Lastline has been pleased to contribute our expertise to accomplish this very important goal.
The Lastline Daily Dose delivered a specific piece of advice every business day throughout October, drawn from our extensive experience in detecting malware and network breaches. Every Daily Dose is captured below, along with weekly videos. We hope you have benefited from our advice.
If you’d like to know more about Lastline advanced malware detection and breach protection, please contact us.
51% of data breaches are caused by malware, and 66% of malware is installed via email attachments. So, email is an attack vector that must be secured.
The best and most efficient way of detecting malicious emails is to implement technology that analyzes each email and attachment to identify any suspicious or potentially malicious behavior. For example, there’s no reason why a benign attachment to an email would be programmed to change security settings or try to avoid being detected.
This article describes ten specific malicious email threats to help you understand how criminals are using email, and therefore what you need to do to defend yourself.
This adds another level of security to yesterday’s tip about avoiding weak passwords. Two-factor authentication (2FA) is a method of computer or account access control in which a user is granted access only after successfully presenting a second, independent piece of evidence to confirm their identity, and it has been demonstrated to decrease the risk of a system or personal account being compromised.
A password is typically the first factor, and it is “something you know”. A genuine second factor must come from a different category: something you have (e.g. a code texted to your smartphone, a code generated by a hardware or app-based token, or a hardware security key) or something you are (e.g. a biometric such as a fingerprint or voice print). Note that a security question (“where were you born?”) is just another “something you know”, so it adds a second step but not a second factor. Among possession factors, SMS codes are the weakest because they can be intercepted through SIM swapping; app-generated codes or a hardware key are the stronger choice.
If you’re curious about what companies support 2FA, twofactorauth.org maintains a list online.
It only takes one password, particularly if it belongs to a privileged user, to start an attack sequence that can lead to the capture of thousands or even millions of user accounts and records.
The list of the most popular passwords hasn’t changed much over the past 5 years, with “123456” (and similar number sequences), “password” and “qwerty” still at the top. Criminals know this, and they use these to compromise accounts. And people often reuse passwords, so compromising a less sensitive account, such as an online meeting service, could lead to compromising a bank account.
Password managers can automatically generate unique, strong passwords without requiring the user to remember each one.
In the Business Email Compromise (BEC) scam, criminals spoof the email of an executive to instruct someone lower in the organization to do something that benefits the criminal, like wiring funds to their account. The emails typically have a similar tone, urging secrecy and expedience. So, flagging keywords such as “payment”, “urgent”, “sensitive”, or “secret” can help surface this scam, although keyword matching alone produces false positives; the stronger signals are in the sender address.
The scam also depends on spoofing the executive’s email address, typically with a domain name that is very similar to the real one, for example “123abccompany.com” instead of “123abc-company.com”, or “abccornpany.com” instead of “abccompany.com” (can you spot the difference? “rn” in place of “m”). A related trick is a From address that looks legitimate combined with a Reply-To header pointing at the criminal’s own mailbox. The best way to foil the scheme is to verify the request out of band: call the executive at a number you already have, or start a fresh message by typing their address yourself rather than replying to the original email.
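As an added example (not code from the original post or from Lastline), the following Python implements the three checks just described: it reduces domains to a “skeleton” in which confusable spellings such as “rn” for “m”, “1” for “l” and a dropped hyphen collide, catches one-character typos with an edit distance, flags a Reply-To that disagrees with From, and scores the urgency keywords from the text above. The trusted-domain list and the two sample messages are constructed for the example.

```python
import re
import unicodedata
from email.utils import parseaddr
from typing import Optional

# Domains this organisation treats as legitimate senders (constructed for the example).
TRUSTED_DOMAINS = {"abccompany.com", "123abc-company.com"}

# Words the text above lists as typical of a BEC lure, plus a few common in wire-fraud asks.
URGENCY_WORDS = {"payment", "urgent", "sensitive", "secret", "wire", "confidential"}

# Character sequences attackers substitute for a visually similar letter.
CONFUSABLE_SEQUENCES = (("rn", "m"), ("vv", "w"), ("cl", "d"))
# Single-character confusables, and the hyphen that lookalike domains tend to drop.
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "-": None})


def skeleton(domain: str) -> str:
    """Reduce a domain to a form in which look-alike spellings become identical."""
    d = unicodedata.normalize("NFKD", domain.strip().lower())
    d = d.encode("ascii", "ignore").decode()          # drop accents / non-ASCII homoglyphs
    for seq, replacement in CONFUSABLE_SEQUENCES:
        d = d.replace(seq, replacement)
    return d.translate(CONFUSABLE_CHARS)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typos such as a dropped TLD letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if domain.lower() in TRUSTED_DOMAINS:
        return None
    sk = skeleton(domain)
    for trusted in TRUSTED_DOMAINS:
        if sk == skeleton(trusted) or levenshtein(sk, skeleton(trusted)) <= 1:
            return trusted
    return None


def sender_domain(header: str) -> str:
    """Extract the domain from a From:/Reply-To: value such as 'Jane Doe <jane@x.com>'."""
    _, addr = parseaddr(header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(headers: dict, body: str) -> dict:
    """Score one message. Keywords alone are weak evidence; a look-alike domain is
    enough on its own, a Reply-To mismatch only together with urgency wording."""
    flags = []
    from_dom = sender_domain(headers.get("From", ""))
    reply_dom = sender_domain(headers.get("Reply-To", ""))
    imitated = lookalike_of(from_dom) if from_dom else None
    if imitated:
        flags.append(f"lookalike-domain:{from_dom}->{imitated}")
    reply_mismatch = bool(reply_dom) and reply_dom != from_dom
    if reply_mismatch:
        flags.append(f"reply-to-mismatch:{reply_dom}")
    text = (headers.get("Subject", "") + " " + body).lower()
    hits = sorted(w for w in URGENCY_WORDS if re.search(rf"\b{w}\b", text))
    if hits:
        flags.append("urgency-keywords:" + ",".join(hits))
    suspicious = imitated is not None or (reply_mismatch and bool(hits))
    return {"from_domain": from_dom, "flags": flags, "suspicious": suspicious}


# Constructed sample messages.
BEC_MESSAGE = {"From": "Jane Doe <jane.doe@abccornpany.com>",
               "Subject": "Urgent payment - keep this confidential"}
BEC_BODY = "I'm in a meeting. Please wire $48,000 today to the account below; this is sensitive."
REPLYTO_MESSAGE = {"From": "Jane Doe <jane.doe@abccompany.com>",
                   "Reply-To": "jane.doe.abccompany@mail.example", "Subject": "Urgent"}
REPLYTO_BODY = "Need a wire sent before close of business, will explain later."
BENIGN_MESSAGE = {"From": "Jane Doe <jane.doe@abccompany.com>", "Subject": "Lunch?"}
BENIGN_BODY = "Anyone free at noon on Thursday?"

if __name__ == "__main__":
    for hdrs, body in ((BEC_MESSAGE, BEC_BODY), (REPLYTO_MESSAGE, REPLYTO_BODY),
                       (BENIGN_MESSAGE, BENIGN_BODY)):
        print(analyze(hdrs, body))
```

In practice the trusted list would be the organisation’s own domains plus key partners, and a flagged message would be held for review rather than blocked outright, because the skeleton check deliberately errs toward false positives.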
Learn more about the BEC scam and how to detect it.
Criminals can demand ransoms because victims are worried about losing their data. But if you have your information backed up, then the criminals lose their leverage. Keep at least one copy offline or otherwise unreachable from the infected network: ransomware routinely encrypts or deletes any backup it can reach.
What makes this a bit tricky is that some of your files may already have been encrypted by the ransomware and then backed up, so if you simply restore everything from your most recent backup, some files will still be encrypted. Versioning enables you to restore earlier versions of your data, from before anything was encrypted, so make sure the retention period is longer than the time an attacker might sit in your network before triggering the encryption.
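As an added example (not code from the original post or from Lastline), here is one way to pick the right version to restore when a file’s history contains both clean and encrypted copies. It walks each file’s versions newest-first and returns the latest one that does not look encrypted, using Shannon entropy as the heuristic: ciphertext is near-uniform and approaches 8 bits per byte, while documents sit well below that. The threshold, the `Version` record and the sample backup history are assumptions made for the example; pseudo-random bytes stand in for ciphertext.

```python
import math
import random
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: well-encrypted data is near-uniform, so its Shannon entropy approaches 8 bits
# per byte, while text, office documents and source files usually sit well below this.
ENTROPY_THRESHOLD = 7.5


@dataclass
class Version:
    path: str
    taken_at: int      # backup timestamp (seconds since epoch)
    content: bytes


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued input, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(version: Version) -> bool:
    """Entropy heuristic. Compressed formats (zip, jpeg, and the Office formats, which are
    zip containers) are also high-entropy, so production tooling must additionally check
    magic bytes or structure; this example treats any high-entropy blob as suspect."""
    return shannon_entropy(version.content) >= ENTROPY_THRESHOLD


def last_clean_version(history: List[Version]) -> Optional[Version]:
    """Newest-first walk returning the most recent version that does not look encrypted."""
    for version in sorted(history, key=lambda v: v.taken_at, reverse=True):
        if not looks_encrypted(version):
            return version
    return None


def restore_plan(backups: Dict[str, List[Version]]) -> Dict[str, Optional[int]]:
    """Map each path to the timestamp of the version to restore, or None when every
    retained version is suspect (retention was shorter than the attacker's dwell time)."""
    plan = {}
    for path, history in backups.items():
        clean = last_clean_version(history)
        plan[path] = clean.taken_at if clean else None
    return plan


# Constructed sample data: readable text versus pseudo-random bytes standing in for ciphertext.
_rng = random.Random(2017)
PLAINTEXT = b"Quarterly report: revenue grew 12% on strong demand in EMEA. " * 60
CIPHERTEXT = bytes(_rng.getrandbits(8) for _ in range(4096))

SAMPLE_BACKUPS = {
    "reports/q3.txt": [
        Version("reports/q3.txt", 100, PLAINTEXT),
        Version("reports/q3.txt", 200, PLAINTEXT + b"Addendum: outlook unchanged.\n"),
        Version("reports/q3.txt", 300, CIPHERTEXT),   # backed up after the ransomware ran
    ],
    "notes.txt": [
        Version("notes.txt", 300, CIPHERTEXT),        # only an encrypted copy was retained
    ],
}

if __name__ == "__main__":
    for path, when in restore_plan(SAMPLE_BACKUPS).items():
        print(path, "->", f"restore version {when}" if when else "no clean version retained")
```

The `None` outcome for `notes.txt` is the case the text warns about: if the backup system only keeps a handful of versions, a long-dwelling attacker can wait until every retained copy is encrypted, which is why retention should outlast the plausible dwell time.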
Many organizations that experience a breach won’t learn about it for months, or even years. During that time, today’s fast-paced cyberattacks can cause significant damage to a company and its customers.
Staying up to date on the latest attack schemes and techniques, and leveraging readily available threat intelligence, are among our recommendations for improving breach detection. Our recent blog post explores these further and offers five more tips to help enterprises quickly detect a pending or actual data breach before it causes widespread harm.
The WannaCry attack earlier this year is a particularly visible example of the importance of patching. It exploited a vulnerability in the Windows SMBv1 service for which Microsoft had released a patch (MS17-010) two months earlier, but many companies had not installed it. And the list of additional vulnerabilities is seemingly endless, and these are just the known vulnerabilities.
Given the number of systems and applications that IT departments manage, keeping everything patched is understandably a challenge. Using patch management software can ease the burden. TechTarget’s recent article is helpful for understanding how these products work and selecting the one that fits your needs. If you’re a Gartner client, they also published a helpful report on patch management solutions.
In a large-scale study by Verizon, 23 percent of recipients immediately opened phishing messages, and 11 percent of them went on to click on a link or open an attachment. You can be sure that all of those people have been warned about phishing.
Just as interesting, and worrisome, is that it happens fast. It takes an average of only 82 seconds from the time an attacker launches a phishing campaign, until the first victim takes the bait and clicks a malicious link. And the users are completely unaware that anything bad is taking place. This isn’t just occurring with personal accounts. It also takes place at businesses and government agencies where the consequences can be dire.
Keeping employees, and therefore your company, safe involves carrots and sticks. Here are 11 suggestions for how to prevent a successful phishing attack.
It’s not enough for senior management to merely accept investments in security, they need to demand highly effective security. In order for them to do that, they must understand the risks, such as tarnished brand, financial loss, and customer churn, but they also need to understand the business benefits, the ROI on their investment. These can include competitive advantage that increases revenue as you pick up clients who abandon competitors after their data breach is exposed.
You might be interested in our recent blog post about the progress that is being made, admittedly slowly, toward board room awareness and support for security investment.
Our adversary is formidable, backed by organized crime and state-sponsored groups. Crimeware is evolving at an astonishing speed. It’s just not possible to defeat tomorrow’s threats using yesterday’s technologies, yet it’s surprising how many corporations are still relying on decades-old security technologies.
There is no shortcut when it comes to cyber security. Too many organizations approach it as a checklist item they have to hurry through, resulting in half-baked policies and plans. Bad plans lead to bad results.
Here are some additional roadblocks to adequate, effective security that many enterprises face.
As you migrate more business functions to the cloud, understand that security is a shared responsibility: the provider secures the underlying infrastructure, but you remain responsible for your data, your identities and access controls, and the configuration of what you deploy. Plan with the expectation that the provider’s baseline alone will be inadequate against today’s skilled cybercriminals. To emphasize the point, this InfoWorld article highlights 12 specific security risks associated with using cloud-based applications.
The simple truth is that your data is now outside your corporate perimeter, so you have lost some control over how it is secured. Understand your cloud provider’s security capabilities and know what you need to do to supplement them. Or press the providers to fill the gaps in their security architecture, either on their own or by partnering with and integrating security technologies.
As criminals continue to increase the sophistication and pervasiveness of attacks, your ability to respond – quickly and effectively – becomes critical for mitigating potential loss and avoiding brand-damaging public exposure of a data breach. When you’re attacked, it’s essential to have the right skills immediately available, which is not always an option with in-house staff. As a result, many large organizations are now outsourcing Incident Response.
IR specialists, like MSSPs, have the right tools, they have more awareness of current techniques because they support multiple companies, and they have the deep expertise often required. A skilled IR team helps ensure you’re prepared for an attack.
This Forbes article recommends 5 security functions to outsource, including Incident Response.
Smartphone operating system developers are doing what they can to ensure the security of their devices, but given the volume of apps available on their platforms, they simply can’t vet everything. They need to rely on the app developers to secure the connections and data each app manages.
Despite developers’ best efforts, we anticipate that the risks presented by mobile devices will get worse before they get better, given users’ increasing reliance on them for an ever-expanding range of activities. They simply are too attractive a target for criminals, inviting their utmost creativity and innovation. Recently a scheme has been discovered where criminals release apps that initially are benign, and then once they gain traction and adoption increases, they turn on the malicious capabilities or add them via updates.
Most malware detection and prevention technologies work by examining files such as downloads or attachments. However, browser-based threats, for example malicious scripts that execute entirely in the browser’s memory, don’t necessarily write a file to disk, so conventional security controls have nothing to analyze. Unless organizations implement tools that don’t rely solely on analyzing files, browser-based attacks will likely go undetected.
Learn more in our recently authored article on this topic.
Many smartphone users are still getting accustomed to the fact that their phone is now a computer, connected to the Internet, and therefore vulnerable to malware. Now apply that concept to the exponentially larger number of IoT devices.
Unsecured IoT devices – webcams, smart speakers like the Amazon Echo, even e-thermostats – present the risk of the device being used to spread malware and infect other devices or launch a DDoS attack. If consumers are paying ransoms now to free their encrypted files, what will they pay when a pacemaker or self-driving car is taken over?
Manufacturers need to improve the security of their devices, and users – businesses and consumers – need to understand the risk and secure their IoT devices.
What better way to make this point than with personal stories. We asked our own Brian Laing, who has enjoyed a long and fruitful career in security, about his experiences.
Tell us about your travels as a security pro.
Working in security has allowed me not only to travel the world, but also to live in London for 4 years. While there I was able to visit many countries throughout Europe, but I also got to fly to Saudi Arabia for incident response work with very little notice, which is a trick if you’ve ever needed a visa for that country.
Who was one of the more interesting people you met?
When I was a security consultant in the late 90’s I did an engagement at Skywalker Ranch while Star Wars Episode 1 was being worked on. This was an awesome experience where I was able to spend two weeks on site. The ranch itself was phenomenal, and getting up close with film memorabilia such as the Idol from Indiana Jones and Luke’s original lightsaber were some cool highlights!
Tell us about a particularly high-visibility project that you worked on.
I worked in the UK with the Joint Warrior Interoperability Demonstration (JWID). JWID is a regular exercise in which many European countries’ military services and agencies engage in a joint operational exercise to assess their cyber response.
Where are those jobs? We’re hiring!
So far we’ve focused on personal benefits – job security, the opportunity to be the hero, and the chance to continually learn and discover. But some people have more selfless motives, such as helping their company to be successful. Not that there aren’t personal benefits to that, such as the perks that come with working for a growing, successful, profitable company.
Designing, implementing and managing an effective security strategy can protect your company from a damaging and costly data breach. Costs include a tarnished brand, customer churn, lower stock price, lower growth, legal costs, plus the direct costs of investigating and repairing the damage from the attack. Saving your company from these real costs and productivity losses will help your company, and all of its employees, focus on the primary business at hand, resulting in improved growth and profitability.
And there is one more personal benefit that could result. Working in security exposes you to all facets of your company; security is at the intersection of all of the critical aspects of the business. Being able to understand the role security plays in protecting new and existing business functions and initiatives without interfering with the growth of the business is essential. Such exposure and broad understanding is what senior executives look for in rising stars, and is a very realistic path to a C-level position.
One of the challenges of fighting cybercrime is that the bad guys are continually updating and improving their attacks. For security professionals that constant evolution translates into a never-ending opportunity to learn. It’s a constant puzzle to figure out what techniques are being used against you, how to detect them, and how to prevent the attack from being successful.
Security pros have the opportunity every day to be challenged and learn something new as part of securing critical information, systems, and people. An important and rewarding aspect of that continuous learning is collaborating with peers around the world to share discoveries, insights, strategies and techniques for detecting emerging attacks.
Look around at the industries in which your friends work. Maybe they’re working on technology to help people to watch more TV, or play cooler games. Or perhaps they’re in financial services or the hospitality or entertainment industries. All fine industries, but instead, wouldn’t you want to help save the world from the bad guys? Don’t you want to be the hero?
One of the appealing aspects of a career in cyber security is that, every day, you’re fighting the good fight to protect a company, its customers, its employees, and indeed society from highly skilled, professional criminals. That’s something you can feel good about. And, while we are loath to admit it, the bad guys are good at what they do, so there will always be a need for security pros to do battle with them.
If job security is important to you, then there are few fields with more opportunity than cyber security. Everyone agrees that there are not enough candidates with even rudimentary skills to fill the available openings. The only disagreement is how many openings need to be filled – estimates range from 1.8 to 3.5 million by 2020. With that many openings, security professionals can pretty much pick their industry, company, and location. And should one position not work out for whatever reason, there are many, many other openings from which to choose. And salaries easily reach six figures. This recent article in Forbes magazine summarizes the situation well.
If you’re thinking that IT and info security are not particularly flashy or cool, stay tuned for our other reasons throughout this week that may change your mind.
Critical infrastructure at an enterprise level, not a national level, varies by company and by industry. For some, it’s about basic utilities such as power for food processing facilities that must have refrigeration. For others it’s about third-party service providers, such as an online retailer for which it’s critical to have its website running 24 x 7. So, protecting your critical infrastructure starts with identifying what that is for your company, industry, and location.
Once you have identified the critical component or components for your company, you can develop a game plan for protecting them as much as possible, and for what you will do should they be disrupted, disabled, or attacked. For example, you might need to ensure that you have ready access to replacement systems (e.g. network servers), you could set up off-site redundancy, install on-site generators, and develop employee, partner and customer communication plans.
DDoS attacks might be targeted at a national level, but also can cripple infrastructure at the level of an individual company – your company. It is best to prepare in advance and have a plan for how to defend and also how to recover should an attack succeed. It is much harder to plan once an attack is under way. While you can’t prevent DDoS attacks, you can take steps to make it harder for an attacker to render a network unresponsive.
In order to be well prepared should a DDoS attack hit, the Software Engineering Institute at Carnegie Mellon University advises companies to focus on four infrastructure elements: 1) make your architecture resilient; 2) use the right hardware; 3) increase network bandwidth; and 4) engage outsourced infrastructure scaling services.
The United States Computer Emergency Readiness Team (US-CERT) also has developed a DDoS guide that explains different types of attacks and mitigation strategies.