Threat Lab

Reading Time: ~ 3 min.

Why do so many businesses allow unfettered access to their networks? You’d be shocked by how often it happens. The truth is: your employees don’t need unrestricted access to all parts of our business. This is why the Principle of Least Privilege (POLP) is one of the most important, if overlooked, aspects of a data security plan. 

Appropriate privilege

When we say “least privilege”, what we actually mean is “appropriate privilege”, or need-to-know. Basically, this kind of approach assigns zero access by default, and then allows entry as needed. (This is pretty much the opposite of what many of us are taught about network access.) But by embracing this principle, you ensure that network access remains strictly controlled, even as people join the company, move into new roles, leave, etc. Obviously, you want employees to be able to do their jobs; but, by limiting initial access, you can minimize the risk of an internal breach.

If you haven’t already, now is the perfect time to take a look at your network access policies. After all, it’s about protecting your business and customers—not to mention your reputation.

Listen to the podcast: Episode 6 | Shoring Up Your Network Security with Strong Policies to learn more about implementing the Principle of Least Privilege and other network security best practices.

Navigating the difficult conversations around access control

It’s no surprise that employees enjoy taking liberties at the workplace. In fact, Microsoft reports that 67% of users utilize their own devices at work. Consequently, they may push back on POLP policies because it means giving up some freedom, like installing personal software on work computers, using their BYOD in an unauthorized fashion, or having unlimited usage of non-essential applications.

Ultimately, you need to prepare for hard conversations. For example, you’ll have to explain that the goal of Principle of Least Privilege is to provide a more secure workplace for everyone. It’s not a reflection on who your employees are or even their seniority; it’s about security. So, it’s essential for you, the MSP or IT leader, to initiate the dialogue around access control––often and early. And, at the end of the day, it’s your responsibility to implement POLP policies that protect your network.

Firewalls and antivirus aren’t enough 

There’s a common misconception in cybersecurity that the firewall and/or antivirus is all you need to stop all network threats. But they don’t protect against internal threats, such as phishing or data theft. This is where access policies are necessary to fill in the gaps.

Here’s a prime example: let’s say you have an employee whose job is data entry and they only need access to a few specific databases. If malware infects that employee’s computer or they click a phishing link, the attack is limited to those database entries. However, if that employee has root access privileges, the infection can quickly spread across all your systems.

Cyberattacks like phishing, ransomware, and botnets are all designed to circumvent firewalls. By following an appropriate privilege model, you can limit the number of people who can bypass your firewall and exploit security gaps in your network.

Tips to achieve least privilege

When it comes to implementing POLP in your business, here are some tips for getting started:

• Conduct a privilege audit. Check all existing accounts, processes, and programs to ensure that they have only enough permissions to do the job.
• Remove open access and start all accounts with low access. Only add specific higher-level access as needed.
• Create separate admin accounts that limit access. 
  • Superuser accounts should be used for administration or specialized IT employees who need unlimited system access. 
  • Standard user accounts, sometimes called least privilege user accounts (LUA) or non-privileged accounts, should have a limited set of privileges and should be assigned to everyone else.
• Implement expiring privileges and one-time-use credentials.
• Create a guest network leveraging a VPN for employees and guests.
• Develop and enforce access policies for BYOD or provide your own network-protected devices whenever possible.
• Regularly review updated employee access controls, permissions, and privileges.
• Upgrade your firewalls and ensure they are configured correctly.
• Add other forms of network monitoring, like automated detection and response.

The post Shoring Up Your Network and Security Policies: Least Privilege Models appeared first on Webroot Blog.

Reading Time: ~ 5 min.

“Phishing” may have been a relatively obscure term, but pretty much everyone has heard of it by now. In fact, recent statistics indicate a high likelihood that you—or someone you know—have been the victim of a phishing attack at least once. 

Now, if you remember the classic Nigerian Prince scams from back in the day, you might be asking yourself how the stats could be so high. After all, it seems pretty unlikely that an otherwise cautious person would fall for something like that, right? And in today’s cyber-climate, where the news is filled with headlines about major hacks and malware infections that spread like wildfire, why would anyone click on links from unknown senders or hand over their sensitive, personal information (think SSNs, etc.) without verifying the authenticity of the request? It turns out, there are a lot of subconscious influences at play, and the thing that makes phishing attacks so successful is the way they take advantage of our trust, curiosity, fear, greed, and even desire to do a good job at work.

Understanding the factors that drive a successful phishing attack is fundamental to preventing them in the future. That’s why Webroot partnered with Dr. Cleotilde Gonzalez, research professor at Carnegie Mellon University, to take a deep dive into the psychology of phishing. 

Read our full report, Hook, Line, and Sinker: Why Phishing Attacks Work, for more information on the psychology behind phishing attacks.

Tip #1: Maintain strong, unique passwords. Using individual passwords for each of your accounts will help prevent fraud, identity theft, and other malicious activity. Consider using a secure password manager, and enable two-factor authentication wherever possible.

What kind of person clicks a phishing link, anyway?

The truth? We all do it. While 86% of Americans believe they can distinguish a phishing message from a genuine one, 62% have had their personal information compromised as part of a breach. So what’s the deal here?

“People are generally overconfident about their ability to spot the fakes. Overconfidence is a big problem in many human actions. In this case, this probably happens because the ratio of phishing emails to regular emails feels low, so our mind underestimates the probability of receiving a phishing email, and in turn, overestimates our ability to identify one if we do.” – Cleotilde Gonzalez, Ph. D.

Tip #2: Stay on your toes. The more overconfident and complacent you are about your security, the easier it is for you to be phished. Don’t play into a cybercriminal’s hands. Maintaining a healthy level of suspicion about all links and attachments in messages may make all the difference during an attempted breach.

How are phishers using psychology against us?

By tapping into our own personal sense of urgency, cybercriminals are able to manipulate us in subtle ways that we may not realize until it is too late. Hackers often use cleverly disguised email handles and targeted messaging, known as “spear phishing,” to create a sense of trust and familiarity. This makes links appear more legitimate, and makes us perceive the click as less risky.

“Ultimately, urgency, familiarity, and context have a strong impact on decision making. If you already expect to receive emails from your boss at your office (context and familiarity), and you are accustomed to messages that request quick action (urgency), then you are likely to assume the message is real. It might never occur to you to suspect that it could be phishing.” – Cleotilde Gonzalez, Ph. D.

What are the most convincing ways for a phisher to tap into your sense of urgency to get you to open their email? 

• 65% of Americans prioritize emails from their boss 
• 54% prioritize emails from family or friends 
• 33% prioritize emails to confirm bank transactions 

That means you shouldn’t feel weird or guilty for verifying odd requests from bosses, family, or friends. If your boss sends you an email asking for out-of-the-ordinary action, don’t hesitate to call them up and ask them for details. (Do this instead of replying to the email.) Same with links, downloads, and requests for information from family and friends. It never hurts to double-check.

Practicing phishing mindfulness, even when clicking links from seemingly trustworthy sources, cuts down significantly of the efficacy of spear phishing attacks. Pay close attention to sender addresses and handles, as well as signatures. If you get an email from your bank, financial institution, or even a regular website for which you have a login, navigate to their official website independently instead of clicking through on that potentially risky email.

Tip #3: Back everything up and do it regularly. All of your important data and files should be regularly backed up to a secure hard drive or cloud storage. When using a physical hard drive, only connect it while backing up. This will help prevent the drive from being affected by an infection.

Why are we still clicking?

Here’s the thing: 76% of Americans know they have received a phishing email, and yet still 56% of people would feel comfortable clicking on a link or attachment from an unknown source on their personal devices. So why are so many of us still willing to jeopardize our safety for an unknown link?

“Risk and under-weighed probability are linked. Risks sometimes come with rewards, right? So if the risk seems low and the reward seems high, you’ll make riskier decisions. It’s like gambling; our minds explore different gain/loss experiences, then respond with risk-taking or risk-averse actions.” – Cleotilde Gonzalez, Ph. D.

Tip #4: Always keep your software up-to-date. Hackers are known to regularly exploit security holes in outdated software and operating systems. By installing software updates when prompted, you can stop many cybercriminals in their tracks. 

What if you’ve been phished? Now what?

With 62% of those surveyed reporting some type of data breach, it’s important to know what to do in the event of a breach that can help keep the damage to a minimum. George Anderson, Product Marketing Director at Webroot, recommends the following steps:

1. Change your account passwords immediately! That includes accounts you don’t believe were breached, but are using the same or a similar password.
2. Set up alerts with your credit agency. 
3. Void existing credit cards and order new ones. 
4. Engage a credit security service. 
5. Notify law enforcement or the appropriate government agency. 

While some of these steps may seem obvious to you, they clearly need to be repeated; of people whose information was stolen or exposed, a baffling 32% didn’t bother to change their account passwords afterward. 

Dr. Gonzales shared her thoughts on what can be done to combat this type of complacency.

“These findings illuminate the fact that what we really need here is a mindset makeover,” she says. “The longer-term reward of security needs to be highlighted, front and center, not placed on the backburner. To do that, we’re going to have to shift the way that people think about security and prioritize their responsibilities. We have to allow the time and brain space for security-related considerations.”

What can we all do going forward?

You can nurture the type of security mindset shift Dr. Gonzalez references by taking small steps. First, you know those software and security updates you (like many people) are probably putting off? Just do them. Enable two-factor authentication wherever possible, especially on important online accounts like your banking and credit institution websites. 

You may even find that your heightened security practices influence those around you to make stronger choices. After all, seeing a person you know being on top of their game can be very motivating to start making personal changes! 

Remember, the most important thing you can do is avoid overconfidence. Don’t underestimate the risk of a phishing attack. Doing that is exactly what will make you a prime target for criminals.

“It’s a classic case of underweighting probabilities, but explicit numbers speak for themselves. Providing this information might help people calibrate the risk and confidence more accurately.” – Cleotilde Gonzalez, Ph. D.

The post The Truth about Phishing & the Psychology of Why We Click appeared first on Webroot Blog.

Reading Time: ~ 2 min.

MedusaLocker Ransomware Spotted Worldwide

While it’s still unclear how MedusaLocker is spreading, the victims have been confirmed around the world in just the last month. By starting with a preparation phase, this variant can ensure that local networking functionality is active and maintain access to network drives. After shutting down security software and deleting Shadow Volume copies, it begins encrypting files while setting up self-preservation tasks.

Bargain Website Server Exposes Customer Data

Several websites used by UK customers to find bargains have left a database filled with customer data belonging to nearly 3.5 million users completely unprotected and connected to the internet. Along with the names and addresses of customers, the database also included banking details and other sensitive information that could be used to commit identity fraud. The researchers who initially discovered the breach notified the site owners, but received no response or any indication the leak would be resolved until nearly six weeks after the database was left exposed.

Arrests Made Following Major BEC Scam

At least three individuals have been arrested in Spain for their connection to a business email compromise (BEC) scam that netted over 10 million euros and affected 12 companies across 10 countries. It appears the operation began in 2016 and involved the cooperation of multiple law enforcement agencies. By creating a web of fake companies and bank accounts, the group was able to successfully launder money into various investments, including real estate, in an attempt to remain undetected.

LA Court System Hacked

The perpetrator of a 2017 spear phishing attack on the LA court system was sentenced to 145 months in prison following convictions on charges of wire fraud, unauthorized access to a computer, and identity theft. The individual was able to compromise employee email accounts and use them to launch a malspam campaign that distributed over 2 million emails.

Pennsylvania School District Hacked

Multiple students are being questioned after school district officials noticed unauthorized access to the student assistance site Naviance, a hack which appears to have been an attempt “to gain a competitive edge in a high-stakes water gun fight.” Access to the site would have also given them access to other student’s personal data, though no financial or social security information is stored on the site. District officials determined the security practices for the site lacking but have not currently released plans for improvement.

The post Cyber News Rundown: MedusaLocker Ransomware appeared first on Webroot Blog.

Reading Time: ~ 3 min.

First and foremost, endpoint protection must be effective. Short of that, MSPs won’t succeed in protecting their clients and, more than likely, won’t remain in business for very long. But beyond the general ability to stop threats and protect users, which characteristics of an endpoint solution best set its administrators for success?

Get the 2019 PassMark Report: See how 9 endpoint protection products perform against 15 efficiency benchmarks.

Consider the world of the MSP: margins can be thin, competition tight, and time quite literally money. Any additional time spent managing endpoint security, beyond installing and overseeing it, is time not spent on other key business areas. Performance issues stemming from excess CPU or memory usage can invite added support tickets, which require more time and attention from MSPs. 

So, even when an endpoint solution is effective the majority of the time (a tall order in its own right), other factors can still raise the total cost of ownership for MSPs. Here are some metrics to consider when evaluating endpoint solutions, and how they can contribute to the overall health of a business. 

1. Installation Time

We’ve written recently about the trauma “rip and replace” can cause MSPs. It often means significant after-hours work uninstalling and reinstalling one endpoint solution in favor of another. While MSPs can’t do much about the uninstall time of the product they’ve chosen to abandon, shopping around for a replacement with a speedy install time will drastically reduce the time it takes to make the switch. 

Quick installs often also make a good impression on clients, too, who are likely having their first experience with the new software. Finally, it helps if the endpoint solution doesn’t conflict with other AVs.  

2. Installation Size

Few things are more annoying to users and admins than bulky, cumbersome endpoint protection, even when it’s effective. But cybersecurity is an arms race, and new threats often require new features and capabilities. 

So if an endpoint solution is still storing known-bad signatures on the device itself, this can quickly lead to bloated agent with an adverse effect on overall device performance. Cloud-based solutions, on the other hand, tend to be lighter on the device and less noticeable to users.

3. CPU Usage During a Scan

Many of us will remember the early days of antivirus scans when considering this stat. Pioneering AVs tended to render their host devices nearly useless when scanning for viruses and, unfortunately, some are still close to doing so today. 

Some endpoint solutions are able to scan for viruses silently in the background, while others commandeer almost 100 percent of a device’s CPU to hunt for viruses. This can lead to excruciatingly slow performance and even to devices overheating. With such high CPU demand, scans must often be scheduled for off-hours to limit the productivity hit they induce. 

4. Memory Usage During a Scheduled Scan 

Similar to CPU use during a scan, RAM use during a scheduled scan can have a significant effect on device performance, which in turn has a bearing on client satisfaction. Again older, so-called legacy antiviruses will hog significantly more RAM during a scheduled scan than their next-gen predecessors. 

While under 100 MB is generally a low amount of RAM for a scheduled scan, some solutions on the market today can require over 700 MB to perform the function. To keep memory use from quickly becoming an issue on the endpoints you manage, ensure your chosen AV falls on the low end of the RAM use spectrum. 

5. Browse Time

So many of today’s threats target your clients by way of their internet browsers. So it’s essential that endpoint security solutions are able to spot viruses and other malware before it’s downloaded from the web. This can lead to slower browsing and frustrate users into logging support tickets. It’s typically measured as an average of the time a web browser loads a given site, with variables like network connection speed controlled for. 

Effectiveness is essential, but it’s far from the only relevant metric when evaluating new endpoint security. Consider all the above factors to ensure you and your clients get the highest possible level of satisfaction from your chosen solution.

The post 5 Key Benchmarks for Choosing Efficient Endpoint Security appeared first on Webroot Blog.