by Doug Kreitzberg | Nov 12, 2021 | Uncategorized
Earlier this week, the trading app Robinhood announced a data breach in which a mixture of email addresses and full names of 7 million of their users were stolen. It is still unclear what impact this may have for Robinhood’s entire userbase. However, at the very least, this breach could provide attackers with enough information to carry out phishing and other social engineering attacks against those whose data was stolen. While on the face of it, this may appear to be your standard data breach, a closer look reveals how human factors lead to the breach.
While we don’t have all the details yet, according to Robinhood’s statement, the attack was carried out after someone called the company’s customer support line and tricked an employee into handing over access to “certain customer support systems.” From there, the attack was likely able to access customer information or gain additional access to other parts of Robinhood’s network. This form of attack is commonly known as a “vishing” attack, in which the attacker impersonates someone over the phone rather than through a traditional phishing email.
This form of attack is not uncommon and highlights a number of key questions that business leads need to consider when it comes to digital risk. First, it’s important to take a broad view of all the different avenues attackers could use to gain access to your systems. While your customer support channels may not come first to mind, any outward-facing platforms can pose a risk. Second, business leaders and their employees need to start thinking about how their own digital behaviors can be leveraged against you. Traditional security awareness programs do a good job at explaining issues and in some cases testing for the presence of negative digital behaviors. But, to start to see real change, security awareness training needs to focus on designing for the positive, more secure behaviors that are strong enough to override the bad online habits we develop.
Any way you cut it, the Robinhood data breach is yet another example that highlights the vital importance of taking a human-factored approach to cybersecurity. Business leaders need to actively invest in not just security tools, but also in training and controls that help employees understand human factors threats and what they need to do to ensure they don’t fall for social engineering scams.
by Doug Kreitzberg | Oct 26, 2021 | Cyber Awareness, Human Factor
In many cases, our employees are our first line of defense against cyber-attack. However, for employees to start developing habits that are in line with cybersecurity practices, it’s essential business leaders need to understand effective strategies for getting these habits to stick. One of the main tenants of behavioral science is that the new habit you want to see needs to be easy to accomplish.
Ideally, you and your IT team can put in place effective cybersecurity controls that make developing secure habits easier for your employees. But what happens when these security features make it more difficult for users to perform the positive and secure behaviors you want to see?
This is the topic of new research on cybersecurity risk management and behavior design. In “Refining the Blunt Instruments of Cybersecurity: A Framework to Coordinate Prevention and Preservation of Behaviors,” researchers Simon Parkin and Yi Ting Chua highlight the importance of making sure that cybersecurity controls that limit malicious or negative behaviors don’t also restrict the positive behaviors your employees are trying to accomplish. For example, it’s common practice for companies to require their employees to change their passwords every few months. However, not only does this put the burden on employees for keeping their accounts secure, research has shown that users who are required to create new passwords frequently tend to use less and less secure passwords over time. While you may think having employees change their passwords will help keep your network more secure, doing so might actually have the opposite effect.
To ensure security controls aren’t restricting users from engaging in positive behaviors, Parkin and Chua emphasize the need to more precisely target malicious behaviors. To do so, they outline three steps business leaders and IT teams should take to more precisely define their cybersecurity controls.
1. Create a system to identify positive behaviors
To ensure you are preserving the positive behaviors your employees are doing, you first have to figure out how to track those behaviors. Unfortunately, it can be a lot easier to identify behaviors you don’t want to see, than those you do want to see. An employee clicking a malicious link in an email address, for example, can be identified. But, how do you identify when an employee doesn’t click the link in a phishing email? One solution is to give users access to a phish reporting button direct within their email client.
Whatever you decide, it’s essential to both identify the positive behaviors you want to see and create a system to track when those behaviors are used by employees.
2. Find linkages between negative and positive behaviors
Now that you can track both positive and negative behaviors, the next step is to look at your security controls and identify possible linkages between the negative behavior the control is defined to restrict and positive behaviors you want employees to engage in. If a control affects both positive and negative behaviors, there is a linkage the control is creating — a linkage you want to break.
3. Better define controls to prevent negative behaviors and promote positive behaviors.
Once you’ve identified linkages between positive and negative behaviors, the next step is to find ways to ensure your controls are only affecting the negative behaviors. For example, instead of requiring users to create new passwords every few months, system monitoring tools can be used to detect suspicious activity and block access to a user’s account without the user having to do anything.
At the end of the day, if the habits you want your employees to form aren’t easy to accomplish, it’s not going to happen. And it’s definitely not going to happen if your security controls are actively making things harder for your employees. It’s essential for you and your IT team to take the time to review your current controls and actively identify ways to maintain your security without affecting your employee’s ability to form secure habits at work.
by Doug Kreitzberg | Oct 12, 2021 | Phishing
Spotting phish is not always easy. Sure, there are some phish you get that are easy to spot, but over the years scammers have worked hard to create more convincing emails. By more convincingly spoofing common emails we see every day in our inbox and by leveraging cognitive biases we all have, more sophisticated phishing emails can be pretty difficult to catch. In a recently published research paper, Rick Walsh, professor of Media and Information at Michigan State University, takes a closer look at how IT experts spot the phish they get and highlights the ways even the experts can fall prey to sophisticated phishing campaigns.
How Experts Spot Phish
Interviewing 21 IT experts, Walsh found 3 common steps they use to spot phish that come into their inbox.
Step 1: Sense Making
First, experts simply try to understand why they are receiving this email and how it relates to other things in their life. They look for things that seem to be off about the email, noting discrepancies like typos or things they know to be untrue. They also try to understand what the email is trying to get them to do. If they see a lot of discrepancies and are being urged to take quick action, they move on to the next step.
Step 2: Suspicion
In this step, the experts move away from trying to make sense of the email and starting asking themselves if this email is legitimate or not. To determine this, they start looking for evidence, like hovering over the link to see where it directs them and checking the sender’s name and address. After collecting evidence, they move to the final step.
Step 3: Decision
By this step, the experts have concluded whether or not the email is legit or not. If they believe it’s a phish, they now take some form of action. In some cases, they simply deleted the email, others however took proactive steps like reporting the phish or alerting other employees of the potential scam.
Even The Experts Can Fail
After discussing the ways experts typically spot phish, Walsh highlights a number of ways even the experts could mess up when spotting phish. Here are 3 of the most important failures Walsh highlights.
1. Automation Failure
Automation failure happens when we’re not engaging in enough sense making. We all get a lot of emails every day, so sometimes we go into auto-pilot as we go through our inbox. However, this means we’re not engaging in enough sensemaking. It’s therefore essential to take a moment to pause before opening our email and make sure we are in acting with awareness.
2. Accumulation Failure
Accumulation failure refers to the process of identifying discrepancies in emails but only looking at them one by one instead of as a whole. It can be easy to find any number of explanations for a discrepancy we see, so if you’re only thinking about each of these discrepancies in isolation, you may not become suspicious. However, if you start to add up all the issues your seeing in the email, it becomes a lot easier to tell when you need to be suspicious of what you’re seeing.
3. Evidence Failure
Lastly, evidence failure means when you make the wrong judgment on the evidence you see in an email. If, for example, you hover over the link in the email and it shows you a spoofed link that looks similar to a common website you use, you may not realize the link is bad.
What’s important about this research is, when it comes to social engineering, even the experts can get tripped up. It’s therefore vital that security awareness training goes beyond simply teaching you what to look for in an email. Awareness training should also teach you how to spot who an email plays on your own cognitive bias and the ways we sometimes fail to take account of important information when we look at our inbox.
by Doug Kreitzberg | Sep 28, 2021 | ransomware
The debate over whether or not to pay the ransomware demand has gone on for a while now. The FBI has long urged businesses to refuse all demands for a ransom payment. And while most businesses aren’t exactly excited to shell out a ton of money to criminals, if their backups are corrupted or they are facing extended downtime, paying the ransom may start to feel like the only option. Adding to the debate, last week the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) released updated ransomware guidelines, reinforcing the FBI’s stance and possibly opening the door to imposing fines on organizations that pay up.
In the updated guidelines, the OFAC states that the U.S. government “strongly discourages businesses from paying ransom demands, arguing these payments may help fund future attacks against the U.S. The OFAC also makes the point that paying the ransom in no way guarantees you will ever see your data again or that the attackers didn’t make a copy of your sensitive information to use against you later.
However, the OFAC is doing more than strongly discouraging payments, they may also start imposing civil fines on those who do pay. “U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities (“persons”) on OFAC’s Specially
Designated Nationals and Blocked Persons List (SND list).” And just last month the OFAC added SUEX, a cryptocurrency exchange service, to that list. According to OFAC, over 40% of transactions on SUEX are more illegal purposes, include ransomware payments.
These new guidelines, therefore, give the U.S. government to fine businesses who decide to pay the ransom. However, Treasury Department is careful to clarify that other, preventative measures businesses take against ransomware may save businesses from dealing with public civil fines. Such mitigating measures include maintaining offline backups of data, developing incident response plans, instituting cybersecurity training, regularly updating antivirus and anti-malware software, and employing authentication protocols, among others.
Incident response plans are essential for mitigating the effect of any form of cyber attack. A good plan involves not only having a detailed roadmap for how to respond to various cyber attacks but also includes bringing in a team of employees how are responsible for carrying out different parts of the plan, running test scenarios with that team, then making any necessary adjustments from what didn’t work during the tests. When it comes to incident response, a quick, competent, and efficient response is essential to mitigating risk and limiting damage.
Backups are also critical for dealing with a ransomware attack, potentially allowing you to get your data back without ever having to deal with the attackers. And because these backups are so important, it’s essential to be smart about how you do it. First, use the 3-2-1 approach to backups. You want to have 3 backups on hand so you have multiple options in case one gets corrupted. 2 backups should be kept on-site for easy access, but 1 should be stored off-site and offline, to ensure the attackers can’t get a hold of that too. And because ransomware attackers often steal administrative credentials, you should use separate passwords for your backups.
by Doug Kreitzberg | Sep 17, 2021 | ransomware
Summer is barely over, but given the myriad of highly publicized ransomware attacks that have taken place this year alone, it’s probably pretty likely business leaders everywhere are desperately trying to ensure that no ransomware attackers can get into their systems. And while it’s great that more organizations are starting to take cybersecurity more seriously, if you are placing all your emphasis on defending against outside threats you’re ignoring the very important question: what happens if attackers do make it inside? Then what? You may think that if hackers make it into your system it’s already too late, but that is far from the truth. Between gaining access and executing the ransomware, there is a middle phase to the attack in which attackers move around networks, gain access to administrative credentials, and locate the data they are going to encrypt and/or steal. Attackers can spend months moving throughout a network before actually launching the attack. Defending the middle is therefore essential to protect against suffering a ransomware attack.
In fact, according to a recent report by Coveware, it may be a lot more important to focus on defending the middle than just trying to keep the bad guys out. After analyzing data from multiple ransomware attacks, Coveware discovered that while attackers use a variety of means to gain access to a victim’s system, what the hackers do once they are inside is always the same. “As our data shows, 100% of the cases where we were able to collect triage observations found privilege escalation and lateral movement tactics employed.” And the tactics used in the middle phases are actually pretty limited. Once inside, if only one of the attacker’s tactics fails, it becomes a lot more difficult to pull off the attack. According to Coveware, “inhibiting a threat actor from escalating privilege or moving laterally is equally if not more important than preventing initial [entry].”
Because the tactics used to move around a victim’s network are pretty limited, that also means just a few protective measures could be the thing that stops the hackers from launching their ransomware. Here are 3 things businesses can do right now to defend the middle:
Multi-Factor Authentication For Domain Controller
A system’s domain controller is the part of your network that allows or denies access requests to your network. It’s essentially the seat of your access controls. That means if hackers gain access to your domain controller they can give themselves access to pretty much anything they want. To prevent this, it’s essential to set up multi-factor authentication for your domain controller. What’s more, it’s vital to use a mobile authentication code-based MFA rather than on hard MFA tokens. According to Coveware, “100% of ransomware attack victims LACK true multi-factor authentication for the domain administrator accounts.” So setting up MFA for your domain controller could be the thing that saves you from a ransomware attack.
Disable the Command Line
The command line is a back-end tool that allows IT administrators to build scripts that run automatically and perform complex tasks on a system’s network. It’s also an essential part of how ransomware attackers make changes to your system and move around your network. Coveware found that ransomware hackers rely heavily on the use of command lines to automate various parts of the ransomware attack. Disabling command line and scripting capabilities means hackers can’t rely on automatic processes to carry out their attack, making their efforts that much more time-consuming and costly.
Network Segmentation
Imagine taking everything you have and putting it in a single locked room. If someone breaks in, everything you have is now gone. That’s exactly like what having an unsegmented network is like. In order to make things harder for the bad guys and keep your data as safe as possible, it’s essential to separate different parts of your network from each other. That way, even if an attacker gains access to one part of your network, they aren’t able to get anywhere else.
In the past few years, new approaches to cybersecurity such as defense-in-depth and cyber resilience are becoming increasingly popular among cyber experts. In essence, both of these approaches argue that just protecting your systems from the outside is not enough. It’s vital to not just hope no one breaches your defenses, but that you have protections and plans in place for when someone does make it inside. Defending the middle is one strategy for taking on a defense-in-depth approach to cybersecurity, and it could be the thing that stands between you and a full-blown ransomware attack.
