Security Awareness

July 2, 2019 By PC Portal

From the BH Consulting archives: fake invoicing scams are a constant security risk

Trawling through archives can quickly turn bittersweet when it hits home how little has changed between past and present. Looking back through the posts on BHconsulting.ie, invoice redirect scams have featured regularly since 2015. Fast forward to 2019: An Garda Siochana warned that this fraud cost Irish businesses almost €4.5 million this year. The global costs are even more sobering – but more of that later.

Back in 2015, we reported the Irish Central Bank was fleeced to the tune of €32,000. This fraud was a growing trend even then. Our blog quoted Brian Honan’s Twitter account: “Looks like a fake invoice scam we’ve seen with other clients”. The same post also referred to Ryanair, which was duped around the same time and reportedly lost around €4.5 million.

The impersonation game

Scams like this have many names, like CEO fraud, invoice redirection fraud, or business email compromise. Preventing them from being successful is about knowing how they work and spotting potential red flags. Brian blogged about this in December 2015, detailing scammers’ steps when executing CEO fraud and fake invoicing tricks.

“The premise of the attack is the criminals impersonate the CEO, or other senior manager, in an organisation (note some attacks impersonate a supplier to the targeted company). The criminals may do this by either hijacking the email account of the CEO or setting up fake email accounts to impersonate the CEO.”

Next, criminals send an email seeming to come from the CEO to a staff member with access to the company’s financial systems. The email will request that payment be made to a new supplier into a bank account under the criminals’ control. Alternatively, the email may claim the banking details for an existing supplier have changed and will request payments into a new bank account under the criminals’ control.

Video to beat the scam

In February 2017, we blogged about an educational video that Barclays Bank developed to raise awareness of fake invoicing and similar online scams.


Later that same year, we covered the issue again, twice in quick succession. The first of these posts, in August 2017, noted how legitimate email senders do themselves no favours by composing messages that “practically begged to be treated” as fakes. A genuine email from a large insurer was so poorly composed that it would have raised suspicion with anyone who’d been paying attention during security awareness training.

The process problem

Now we’re getting to the heart of the problem. Call it what you want, but this scam is a people and process failure. That was our conclusion from another post in August 2017, after news emerged of yet another victim in Ireland. “The effectiveness of an email scam like CEO fraud relies on one person in the target organisation having the means and the opportunity to make payments. It’s not a security problem that technology alone can fix.”

In the same blog, we noted how the FBI has been tracking this scam since 2013. The agency put collective losses between then and August 2017 at an eye-watering $5 billion. As we blogged then, ways to fix this issue don’t necessarily need to involve technical controls. For example, companies could make it compulsory to have a second signatory whenever they need to make payments over the value of a certain amount.

The risk of these frauds goes beyond just commercial businesses. As we noted in a blog from October 2017, local public sector authorities are also potential victims. The post referred to Meath County Council, which had €4.3 million stolen from it in a dummy invoice fraud.

Staying ahead of the fraudsters

Our August blog included FBI special agent Martin Licciardo’s very practical advice: “The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone. Don’t rely on e-mail alone.”

This brings us neatly back to 2015, where we provided similar advice to avoid falling victim to fake invoice scams. The steps include:

  • Ensure staff use secure and unique passwords for accessing their email
  • Ensure staff regularly change their passwords for their email accounts
  • Where possible, implement two factor authentication to access email accounts, particularly when accessing web-based email accounts
  • Have agreed procedures on how requests for payments can be made and how those requests are authorised. Consider using alternative means of communication, such as a phone call to trusted numbers, to confirm any requests received via email
  • Be suspicious of any emails requesting payments urgently or requiring secrecy
  • Implement technical controls to detect and block email phishing, spam, or spoofed emails
  • Update computers, smartphones, and tablets with the latest software and install up-to-date and effective anti-virus software. Criminals will look to compromise devices with malicious software in order to steal the login credentials for accounts such as email accounts
  • Provide effective security awareness training for staff.

The post From the BH Consulting archives: fake invoicing scams are a constant security risk appeared first on BH Consulting.

Filed Under: Brian Honan, Fraud, IT Security, spam Tagged With: Security, Security Awareness, syndicated

June 6, 2019 By PC Portal

Security awareness training: a constant in a changing world

There are two schools of thought when it comes to users and cybersecurity. Some people working in the industry think of users as the weakest link. We prefer to see them as the first line of defence. Cybersecurity training programmes can address staff shortcomings in knowledge, promote positive behaviour and equip non-experts with enough information to be able to spot potential threats or scams.

In our previous post, we looked back through the BH Consulting blog archives to trace the evolution of ransomware. This time, we’ve gone digging for a less technical threat. Instead, it’s a constant challenge for any infosec professional: security awareness.

Training shortfall

Back in April 2014, we reported on a survey which found that just 44 per cent of employees received cybersecurity training. David Monahan, research director with Enterprise Management Associates, summed up the issue perfectly:

“Without training, people will click on links in email and release sensitive information in any number of ways. In most cases they don’t realise what they are doing is wrong until a third-party makes them aware of it. In reality, organisations that fail to train their people are doing their business, their personnel and, quite frankly, the Internet as a whole a disservice because their employees’ not only make poor security decisions at work but also at home on their personal computing devices as well.”

One year later, little had changed. In a post from April 2015, Lee Munson covered a survey by SpectorSoft of 772 IT security professionals. “Not only do many firms have staff who lack even a basic level of security awareness they often, as the report concludes, have poorly trained staff too, with many of the survey respondents citing a lack of expertise as being a significant problem in terms of defending against insider threats.”

Accidents will happen

At least the post acknowledged that damage can sometimes be the result of accidental actions. Too often, security vendors throw around phrases like ‘insider threat’ that, intentionally or not, tar all user actions as malicious.

But could it be that some people are just naturally more susceptible to spilling the beans? Another post from April 2015 reported on a study from Iowa State University that claimed to spot which people are likely to fall for the social engineering tricks that cybercriminals often use. It did this by analysing brainwaves. People with low levels of self-control were more likely to reveal confidential information like company secrets, the researcher observed.

That’s not, admittedly, an approach many companies could take in practice, but it couldn’t hurt to ask some targeted questions at interview stage.

In June of that year, a UK Government survey found that the number of breaches had increased year on year. The findings also showed that more businesses large and small were providing ongoing security awareness training to their staff compared to the previous year. Despite that, many of the organisations surveyed also saw an increase in staff-related security breaches during the same period.

Must try harder

As Lee Munson wrote: “While budgets and technical controls obviously come into play and affect an organisation’s ability to protect its digital assets, the human aspect still appears to be the area requiring the most work. Staff training and awareness programmes are known to be effective but many companies do not appear to have leveraged them to their full potential.”

Another post put the need for cybersecurity training and awareness squarely into perspective. Security company Proofpoint showed the extent to which attackers aim for an organisation’s human resources rather than its technical defences. Its report found that people still click on 4 per cent of malicious links they find in emails. BH Consulting’s regular blogger Lee Munson found this to be a surprisingly high figure. “Attackers employ psychology to improve the chances of their attacks succeeding,” he wrote.

And if at first you don’t succeed? A post from early in 2016 suggested a radical approach to poor security behaviour: disciplinary measures. The blog quoted a survey by Nuix which determined that human behaviour was the biggest threat to an organisation’s security. It said corporations would tolerate risky behaviour less, and would likely penalise staff who “invite a data breach”. That’s one way to “encourage” people to show better security behaviour.

Communication breakdown

Lee rightly raised the question of whether companies have sufficiently communicated their security policies and procedures in the first place. “So, if companies (including yours) are going to penalise employees for not being up to date on all of their security policies, who is going to police the writing and dissemination of those documents in the first place?”

The message is that security policies need to be clear, so that even a non-technical member of staff can:

  • Understand them
  • Act on them
  • Remember them.

Taken as a whole, the blogs show that while cybersecurity training is a valuable exercise, it’s got to be delivered in a way that the intended audience will understand.

The post Security awareness training: a constant in a changing world appeared first on BH Consulting.

Filed Under: Breach Disclosure, IT Security, Threats, Training Tagged With: Security, Security Awareness, syndicated

May 14, 2019 By PC Portal

Security roundup: May 2019

We round up interesting research and reporting about security and privacy from around the web. This month: password practice, GDPR birthday, c-suite risk, and further reading for security pros.

Passwords: a good day to try hard

No self-respecting security pro would use easy passwords, but could they say the same for their colleagues (i.e. everyone else)? The answer is no, according to the UK National Cyber Security Centre. It released a list of the 100,000 most hacked passwords, as found in Troy Hunt’s ‘Have I Been Pwned’ data set of breached accounts. Unsurprisingly, ‘123456’ topped the list. A massive 23 million accounts use this flimsy string as “protection” (in the loosest possible sense of the word). Next on the list of shame were the almost as unimaginative ‘123456789’, ‘qwerty’, ‘password’ and ‘1111111’.

The NCSC released the list for two reasons: firstly, to prompt people to choose better passwords; secondly, to allow sysadmins to set up blacklists that block people in their organisations from choosing any of these terrible passwords for themselves. The list is available as a .txt file and the agency blogged about the findings to give more context. Help Net Security has a good summary of the study. The NCSC published the research in the buildup to World Password Day on May 2, which Euro Security Watch said should be every day.
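The blacklist idea above is simple to put into practice. The following is an added example, not code from the BH Consulting post or anything published by the NCSC: a password denylist check of the kind a sysadmin could build from the NCSC's one-password-per-line file. The list embedded here is a constructed stand-in for a few lines of that file (using the strings the post quotes); the lower-casing and the stripping of trailing digits and punctuation are our own assumptions about what counts as a trivial variant, not rules from the NCSC.

```javascript
// Added example (not from the BH Consulting post or the NCSC): a password
// denylist check built from a one-password-per-line file such as the NCSC's
// list of the 100,000 most-breached passwords.
// Constructed stand-in for a few lines of that file; a real deployment
// would read the full .txt file from disk.
const DENYLIST_TEXT = `123456
123456789
qwerty
password
1111111
`;

// Parse the file into a Set, lower-cased so that case variants such as
// "Password" or "QWERTY" are caught too (our assumption, not the NCSC's).
function loadDenylist(text) {
  const set = new Set();
  for (const line of text.split('\n')) {
    const entry = line.trim().toLowerCase();
    if (entry.length > 0) set.add(entry);
  }
  return set;
}

// Strip trailing digits and punctuation so that "password1!" or
// "Qwerty2019" are compared against their base word. Deliberately
// conservative: only the tail is stripped, to avoid refusing genuinely
// different passwords.
function normalise(candidate) {
  return candidate.toLowerCase().replace(/[\d\W_]+$/, '');
}

// Returns { ok, reason } so the caller can tell the user why a password was
// refused without exposing the list itself.
function checkPassword(candidate, denylist) {
  const lowered = candidate.toLowerCase();
  if (denylist.has(lowered)) {
    return { ok: false, reason: 'password appears on the breached-password denylist' };
  }
  const base = normalise(candidate);
  if (base.length > 0 && denylist.has(base)) {
    return { ok: false, reason: 'password is a trivial variant of a denylisted password' };
  }
  return { ok: true, reason: 'not on the denylist' };
}

const DENYLIST = loadDenylist(DENYLIST_TEXT);

// Usage: checkPassword('Password1!', DENYLIST) is refused as a variant of
// "password"; a long passphrase that is not on the list is accepted.
```

The check is meant to run at the point where a password is set or changed, alongside whatever other policy the organisation applies; a denylist catches the known-bad strings but says nothing about whether an unlisted password is strong.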

WP Engine recently performed its own analysis of 10 million compromised passwords, including some belonging to prominent (and anonymised) victims. It makes a useful companion piece to the NCSC study by looking at people’s reasons for choosing certain passwords.

Encouraging better security behaviour through knowledge is one part of the job; effective security controls are another. In April, Microsoft said it will stop forcing password resets for Windows 10 and Windows Server because forcing resets doesn’t improve security. CNet’s report of this development noted Microsoft’s unique position of influence, given its software powers almost 80 per cent of the world’s computers. We recently blogged about what the new FIDO2 authentication standard could mean for passwords. Better to use two-factor authentication where possible. Google’s Mark Risher has explained that 2FA offers much more effective protection against risks like phishing.

GDPRversary getting closer

Almost one year on from when the General Data Protection Regulation came into force, we’re still getting to grips with its implications. The European Data Protection Supervisor, Giovanni Buttarelli, has weighed in on the state of GDPR adoption. He covered many areas in an interview with Digiday, including consent, fines, and legitimate interest. One comment we liked was how falling into line with the regulation is an ongoing activity, not a one-time target to hit. “Compliance is a continued working progress for everyone,” he said.

The European Data Protection Board (formerly known as the Article 29 Working Group) recently issued draft guidance on an appropriate legal basis and contractual obligations in the context of providing online services to data subjects. This is a public consultation period that runs until May 24.

The EDPB is also reportedly planning to publish accreditation requirements this summer. As yet, there are no approved GDPR certification schemes or accreditation bodies, but that looks set to change. The UK regulator recently published its own information about certification and codes of conduct.

Meanwhile, Ireland’s Data Protection Commission has started a podcast called Know Your Data. The short episodes have content that mixes information for data controllers and processors, and more general information for data subjects (i.e., everyone).

Breaching the c-suite

Senior management are in attackers’ crosshairs as never before, and 12 times more likely to be targeted in social engineering incidents than in years past. That is one of the many highlights from the 2019 Verizon Data Breach Investigations Report. Almost seven out of ten attacks were by outsiders, while just over a third involved internal parties. Just over half of security breaches featured hacking; social engineering was a tactic in 33 per cent of cases. Errors were the cause of 21 per cent of breaches, while 15 per cent were attributed to misuse by authorised users.

Financial intent was behind 12 per cent of all the listed data breaches, and corporate espionage was another motive. As a result, there is a “critical” need for organisations to make all employees aware of the potential threat of cybercrime, Computer Weekly said. ThreatPost reported that executives are six times more likely to be a target of social engineering than a year ago.

Some sites like ZDNet led with another finding: that nation-state attackers are responsible for a rising proportion of breaches (23 per cent, up from 12 per cent a year ago). It also highlighted the role of system admin issues that subsequently led to breaches in cloud storage platforms. Careless mistakes like misconfiguration and publishing errors also left data at risk of access by cybercriminals.

The Verizon DBIR is one of the most authoritative sources of security information. Its content is punchy, backed by a mine of informative stats to help technology professionals and business leaders plan their security strategies. The analysis derives from 41,000 reported cybersecurity incidents and 2,000 data breaches, featuring contributions from 73 public and private organisations across the globe, including Ireland’s Irisscert. The full report and executive summary are free to download here.

Links we liked

Challenge your preconceptions: a new paper argues cybersecurity isn’t important. MORE

An unfortunate trend that needs to change: security pros think users are stupid. MORE

It’s time to panic about privacy, argues the New York Times in this interactive piece. MORE

Want a career in cybersecurity, or know someone who does? Free training material here. MORE

NIST has developed a comprehensive new tool for finding flaws in high-risk software. MORE

NIST also issued guidelines for vetting the security of mobile applications. MORE

Cybersecurity threats: perception versus reality as reported by AT&T Security. MORE

Here’s a technical deep dive into how phishing kits are evolving, courtesy of ZScaler. MORE

A P2P flaw exposes millions of IoT security cameras and other devices to risks. MORE

A new way to improve network security by analysing compressed traffic. MORE


The post Security roundup: May 2019 appeared first on BH Consulting.

Filed Under: Breach Disclosure, GDPR, Information Security News, IT Security Tagged With: Breaches, Security, Security Awareness, syndicated

May 9, 2019 By PC Portal

That’s classified! Our top secret guide to helping people protect information

As information security professionals, we often face a challenge when trying to explain what we mean by ‘data classification’. So here’s my suggestion: let’s start by not calling it that. In my experience, the minute you call it that, people switch off.

Our role should be to try to engage an audience, not scare them away. Classification sounds like a military term, and if the reaction that greets you is an eye-roll that says: ‘you’re talking security again’, then they’ve zoned out before you’ve even got to the second sentence. I try and change the language, because otherwise, what we have here is a failure to communicate.

In reality, it’s very simple if you explain what you mean by classification. If we strip away any jargon or names, what we’re doing is asking an organisation to decide what information is most important to it. Then, it’s about asking the organisation’s people to apply appropriate layers of protection to that information based on its level of importance.

De do do do, de da da da

Who needs to use data classification? These days, it’s everyone. Why is it important? Why make people do this work? Data is a precious commodity. Think of it like water in many parts of the world: there’s a lot of it about, it’s too easily leaked if you don’t protect it, it’s extremely valuable if you control the source, and you can combine it with other things to increase its worth. Well, it’s a similar story with data. Data is just a bunch of numbers, but context turns it into information. You could have 14 seemingly random numbers, and that’s data. Now, split them into two groups, one of eight digits and another of six digits with some dashes in between. Suddenly those numbers become a bank account number and sort code. Then it’s information.

Message in a bottle

The first step for security professionals to win people over to the concept is to make it real for their audience. If your message is personal, people can relate it to what they have to do in their work.

We handle types of information in different ways and make decisions all the time on who should have access to it. Think of it this way: do you file paperwork – utility bills, appointment letters, bank statements – at home? Would you leave your payslip lying around the home for your kids to read?

In a work context, a CEO might want their executive assistant to access their calendar for meetings, but they don’t necessarily want to share their bank account details to see how much money they make or what they spend it on.

Naturally, the type of information that’s most valuable will vary by industry, so you have to adapt any message to suit. In healthcare, it might be sensitive medical records about someone’s health. For someone working in the food and drinks industry, maybe IP (intellectual property) like the recipe for the secret sauce or the package design are the most valuable items to protect. In pharmaceuticals, it might be the blueprints or ingredients for a new drug.

You don’t have to put on the red light

So now that we’ve established that information may have different values, how do we group it? Deciding on the value of information may require the employee to apply good judgement. I like using the traffic light idea of three tiers of information (red, amber and green) rather than the binary option of just public or private. Those three levels then become public (green), confidential (amber), and restricted or private (red). It allows for an extra level of data management, and therefore protection, where needed, but three is still a simple number to grasp.


This approach is easy to picture. People can very quickly understand what category information falls into, and what to do with it. Using the traffic light approach, public material (green) might be a brochure about a new product, or it could be the menu in the staff canteen. That’s the material that you want many people to see. The company contact directory or minutes from a meeting would be confidential (amber). Items that aren’t for general distribution outside board level (such as merger discussions) are extremely sensitive or privileged (red).

Once we know what we’re protecting, we get to the how.

  • If we’re dealing with physical paper documents, we can mark the sensitive information with a red sticker or red mark on the corner. The rule might be: never leave a red file unattended unless an authorised person is actively reading it and doing something with it. You know it shouldn’t leave the building unless it’s extremely well protected.
  • If the mark or sticker is amber, the person holding it must lock it away overnight.
  • Any document with a green mark doesn’t have to be locked away.

Every breath you take

You can extend that system beyond individual files to folders and to filing cabinets if necessary. You can apply this very easily by adding the appropriate colour to each document, folder, filing cabinet or even rooms in the building. Leave marker pens, stickers or anything that clearly shows the classification available for people to use.

It’s relatively easy to get people to apply the exact same marking system to electronic data. So you mark the Word file or Excel sheet with the same colour scheme, and folders, and so on. Once you’ve put the colours on it, the application of it is easy. If you use templates or forms of any kind it’s easy to start applying rules automatically, and you can then tie in the classification to your data leakage prevention tools, or DLP solutions, by blocking the most sensitive information from leaving the organisation, or at least flagging it for attention. It’s possible to put markers in the metadata of document templates, so amber or red documents could flag to the user that they need to encrypt before sending.
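To show how the marker in a template's metadata can drive the DLP decision described above, here is an added example, not code from the BH Consulting post and not any DLP product's own logic: an outbound-mail policy check that reads the traffic-light classification from each attached document and decides whether the message may leave the organisation. The document and message shapes, the `CLASSIFICATION:` header line used as a fallback when the metadata field is absent, and the choice to treat unmarked documents as amber are all our assumptions.

```javascript
// Added example (not from the BH Consulting post, not a vendor's DLP code):
// outbound policy driven by the red/amber/green marker in a document.
const ACTIONS = { ALLOW: 'allow', FLAG: 'flag', BLOCK: 'block' };

// Look for the marker in the template metadata first, then fall back to a
// "CLASSIFICATION: <colour>" line in the body text. Unmarked documents are
// treated as amber (our assumption): they may go, but flagged, so the gap
// in marking gets noticed instead of silently passing as public.
function classify(doc) {
  const fromMeta = (doc.metadata && doc.metadata.classification) || '';
  const bodyMatch = /^\s*CLASSIFICATION:\s*(red|amber|green)\b/im.exec(doc.body || '');
  const raw = (fromMeta || (bodyMatch ? bodyMatch[1] : '')).trim().toLowerCase();
  if (raw === 'red' || raw === 'amber' || raw === 'green') return raw;
  return 'amber';
}

function sameOrganisation(address, orgDomain) {
  return address.toLowerCase().endsWith('@' + orgDomain.toLowerCase());
}

// The message is judged on its most sensitive attachment. Red never leaves
// unencrypted and is flagged even when encrypted; amber is flagged for
// review when any recipient is external; green passes; internal-only
// traffic is left alone.
function evaluateOutbound(message, orgDomain) {
  const external = message.recipients.some(r => !sameOrganisation(r, orgDomain));
  const labels = message.attachments.map(classify);
  const highest = labels.includes('red') ? 'red' : labels.includes('amber') ? 'amber' : 'green';
  if (!external) {
    return { action: ACTIONS.ALLOW, highest, reason: 'internal recipients only' };
  }
  if (highest === 'red') {
    return message.encrypted
      ? { action: ACTIONS.FLAG, highest, reason: 'red document sent externally (encrypted)' }
      : { action: ACTIONS.BLOCK, highest, reason: 'red document must be encrypted before sending' };
  }
  if (highest === 'amber') {
    return { action: ACTIONS.FLAG, highest, reason: 'amber document leaving the organisation' };
  }
  return { action: ACTIONS.ALLOW, highest, reason: 'public material' };
}

// Usage with constructed sample data: a red board paper to an external
// address without encryption is blocked; the same paper encrypted is flagged.
const sampleRed = { metadata: { classification: 'Red' }, body: 'merger discussion notes' };
const sampleMessage = { recipients: ['adviser@partner.test'], attachments: [sampleRed], encrypted: false };
evaluateOutbound(sampleMessage, 'example.test');
```

The body-text fallback matters in practice: templates carry the metadata field, but documents created outside the template, or pasted into a new file, often lose it, and a visible header line is what the colour-marking habit described above produces anyway.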

Ultimately, we’re in the business of changing behaviour, and the net result should be that people become more aware of information and data protection because it’s a relatable concept that they’re applying in their daily work, almost without realising.

So if not classification, what do we call it? The importance of information? Data management? It’s still not very snappy, so any suggestions or answers on a postcard please.

Oh, and as a footnote, if you have any information you want everyone in the company to read, just put it in an unsealed envelope marked “CONFIDENTIAL” and leave it near the printer/photocopier/coffee area. I guarantee everyone passing will take a look.

The post That’s classified! Our top secret guide to helping people protect information appeared first on BH Consulting.

Filed Under: Data Protection and Privacy, IT Security Tagged With: InfoSec, Privacy, Security Awareness, syndicated

April 2, 2019 By PC Portal

Password-less future moves closer as Google takes FIDO2 for a walk

For years, many organisations – and their users – have struggled with the challenge of password management. The technology industry has toiled on this problem by trying to remove the need to remember passwords at all. Recent developments suggest we might finally be reaching a (finger) tipping point.

At Mobile World Congress this year, Google and the FIDO Alliance announced that most devices running Android 7.0 or later can provide password-less logins in their browsers. To clarify, the FIDO2 authentication standard is sometimes called password-less web authentication. Strictly speaking, that’s a slightly misleading name because people still need to authenticate to their devices, using a PIN or a biometric identifier like a fingerprint. It’s more accurate to say FIDO2 authentication, but not surprisingly, the term ‘password-less’ seems to have caught the imagination.

Wired reported that web developers can now make their sites work with FIDO2, which would mean people can log in to their online accounts on their phones without a password. This feature will be available to an estimated one billion Android devices, so it’s potentially a significant milestone on the road to a password-less future. Last November, Microsoft announced password-less sign-in for its account users, with the same FIDO2 standard. One caveat: Microsoft’s option requires using the Edge browser on Windows 10 version 1809. So, the true number of users is likely to be far lower than the 800 million Microsoft had been promising. But this is just the latest place where Microsoft has inserted FIDO technology into its products.

It’s not what you know

I spoke to Neha Thethi, BH Consulting’s senior information security analyst, who gave her reaction to this development. “Through this standard, FIDO and Google pave the way for users to authenticate primarily using ‘something they have’ – the phone – rather than ‘something they know’ – the password. While a fingerprint or PIN would typically be required to unlock the device itself, no shared secret or private key is transferred over the network or stored with the website, as it is in the case of a password. Only a public key is exchanged between the user and the website.”

From the perspective of improving security, Google’s adoption of FIDO2 is a welcome development, Neha added. “Most of the account compromises that we’ve seen in the past few years are because of leaked passwords, on the likes of Pastebin or through phishing, exploited by attackers. The HaveIbeenpwned website gives a sense of the scale of this problem. By that measure, going password-less for logging in to online accounts will definitely decrease the attack surface significantly,” she said.

“The technology that enables this ease of authentication is public key cryptography, and it has been around since the 1970s. The industry has recognised this problem of shared secrets for a long time now. Personally, I welcome this solution to quickly and securely log in to online accounts. It might not be bulletproof, but it takes an onerous task of remembering passwords away from individuals,” she said.

Don’t try to cache me

Organisations have been using passwords for a long time to log into systems that store their confidential or sensitive information. However, even today, many of these organisations don’t have a systematic way of managing passwords for their staff. If an organisation or business wants to become certified to the ISO 27001 security standard, for example, they will need to put in place measures in the form of education, process and technology, to ensure secure storage and use of passwords. Otherwise, you tend to see less than ideal user behaviour like storing passwords on a sticky note or in the web browser cache. “I discourage clients from storing passwords in the browser cache because if their machine gets hacked, the attacker will have access to all that information,” said Neha.

That’s not to criticise users, she emphasised. “If an organisation is not facilitating staff with a password management tool, they will find the means. They try the best they can, but ultimately they want to get on with their work.”

The credential conundrum

The security industry has struggled with the problem of access and authentication for years. It hasn’t helped by shifting the burden onto the people least qualified to do something about it. Most people aren’t security experts, and it’s unfair to expect them to be. Many of us struggle to remember our own phone numbers, let alone a complex password. Yet some companies force their employees to change their passwords regularly. What happens next is the law of unintended consequences in action. People choose a really simple password, or one that barely changes from the one they’d been using before.

For years, many security professionals followed the advice of the US National Institute of Standards and Technology (NIST) for secure passwords. NIST recommended using a minimum of seven characters, and to include numbers, capital letters or special characters. By that measure, a password like ‘Password1’ would meet the recommendations even if no-one would think it was secure.

Poor password advice

Bill Burr, the man who literally wrote the book on passwords for NIST, has since walked back on his own advice. In 2017, he told the Wall Street Journal, “much of what I did I now regret”. He added: “In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree”. NIST has since updated its password advice, and you can find the revised recommendations here.

As well as fending off cybercrime risks, another good reason for implementing good access control is GDPR compliance. Although the General Data Protection Regulation doesn’t specifically refer to passwords, it requires organisations to process personal data in a secure manner. The UK’s Information Commissioner’s Office has published useful free guidance about good password practices with GDPR in mind.

Until your organisation implements password-less login, ensure you protect your current login details. Neha recommends using a pass phrase instead of a password, along with two factor authentication where possible. People should also use a different pass phrase for each website or online service they use, because using the same phrase over and over again puts them at risk if attackers compromise any one of those sites. Once they get one set of login credentials, they try them on other popular websites to see if they work. She also recommends using a good password manager or password keeper in place of having to remember multiple pass phrases or passwords. Just remember to think of a strong master password to protect all of those other login details!

The post Password-less future moves closer as Google takes FIDO2 for a walk appeared first on BH Consulting.

Filed Under: Data Protection and Privacy, hackers, IT Security, Security Tools, Tools Tagged With: InfoSec, Security, Security Awareness, syndicated

Copyright © 2021 · PC PORTAL