In 2019, more than 50% of all data breaches in Australian organisations were caused by Business Email Compromise (BEC), whereby malicious cyber actors used social engineering to exploit our emotions, business relationships and trust, giving them front-door access to private information. In the last 18 months, attackers have come to realise the convenience of hijacking a corporate email account. What does BEC mean to an attacker?
- There is no need to develop a complex ransomware attack
- No actual network infiltration or hacking is required
- An attacker can imitate an employee for an extended period of time
- Complete and unhindered access to every area the compromised user is privileged to
- The attacker may even be an individual with no technical skill
In the current Coronavirus pandemic, where many organisations now rely on technology so that workers can work from home and maintain business continuity, there has been a significant increase in COVID-19/Coronavirus related email scams and cyber incidents reported around the world.
- Analysis by Barracuda Networks revealed that phishing emails have spiked by over 600% since the end of February as cyber-criminals look to capitalize on the fear and uncertainty generated by the COVID-19 pandemic.
- On March 27, the Australian Cyber Security Centre issued a formal threat update relating to COVID-19 malicious cyber activity that included:
  - SMS phishing campaigns
  - Phishing campaigns impersonating Australia Post to steal personal information
  - Phishing campaigns pretending to be international health organisations
  - COVID-19 phishing emails containing malicious attachments
  - COVID-19 relief payment scams
The bottom line: malicious cyber actors are now more active than ever, using well-known attack techniques such as social engineering and spear-phishing to exploit the emotions and vulnerabilities of people working from home, who may be preoccupied by COVID-19 and more prone to click on a COVID-19 related email.
Following on from our four simple steps for keeping devices secure when working from home, there is one part of the work routine that is so crucial that it deserves its own list of tips and strategies. Safe email practice is fundamental in staying a step ahead of potential hackers.
Considering the current environment, we’ve put together seven strategies to help stay vigilant in the fight against BEC.
1. Enhance Staff Awareness
People are an essential element of an organisation’s ‘front line’ information security framework for protecting against phishing, malware and social engineering attacks and for reporting incidents in a timely manner. Staff at all levels must be informed of their responsibilities both when they join an organisation and as processes and systems change. At a minimum:
- Deliver effective induction training for new employees surrounding information handling and sensitivity.
- Ensure staff receive regular cyber security awareness training. Staff should know how to identify a phishing email and what to do if they accidentally click on a link in the email.
- Conduct regular cyber security awareness communication campaigns to all staff, and increase them during high-risk periods such as the current coronavirus pandemic.
2. Identifying Phishing Attacks
Phishing attacks (also known as junk mail) are emails designed to fraudulently mimic a known sender so that the receiver acts on a request or link, allowing the attacker to steal credentials or identities, or to access a device. One of the most common phishing attacks in 2019 and 2020 was, and still is, the PayPal verification email. This email asks the user to verify their identity by clicking a link and logging in to their account. The social engineering behind this attack, and many others, successfully gets past spam/junk filters. Worse still, attackers are now using more complex techniques such as email trails: the user is lulled into a false sense of security because the trail already contains a history of trusted interactions and so appears legitimate. Our tips to spot a phishing email or message:
- Attacks can also arrive via social media, SMS or phone calls – be extra cautious when you receive a message from an unidentified number
- Look at the sender’s name, email address and message subject very carefully
- Read the message itself and look for anything unusual: an unusual request, unfamiliar URLs, unexpected attachments, poor grammar etc.
- Do not contact the phone number or email address contained in the message
- Run a Google search on the sender’s email address and the organisation’s contact details
- If the person or organisation is known to you, but the request seems unusual, call the organisation on their official number
- If you use a mouse, hover over links to check where they really lead, or type the address into your browser manually
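Three of the tips above (check the sender's address, compare the display name with the domain, check where a link really leads) can be automated for triage. The following is an added example, not code from the original post: it parses a constructed lure message and reports each red flag it finds. The brand-to-domain table and the sample message are assumptions made for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample lure (not a real message): the visible link text and the real target
# disagree, Reply-To goes elsewhere, and the sender domain only resembles the brand.
SAMPLE = """\
From: "PayPal Service" <billing@paypa1-secure.example>
Reply-To: verify@mail-recovery.example
To: user@corp.example
Subject: Verify your identity
Content-Type: text/html

<p>Please <a href="http://paypa1-secure.example/login">https://www.paypal.com/signin</a>
to keep your account active.</p>
"""
# Assumed brand-to-legitimate-domain table; extend it for the brands your staff deal with.
BRAND_DOMAINS = {"paypal": {"paypal.com"}}
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)  # simple demo parser

def _host(value):
    """Lower-cased hostname of a URL or bare domain ('' if none)."""
    return (urlparse(value if "://" in value else "http://" + value).hostname or "").lower()

def phishing_indicators(raw):
    """Return the red flags found in one raw message; an empty list means none were seen."""
    msg = message_from_string(raw)
    name, sender = parseaddr(msg.get("From", ""))
    sender_dom = sender.rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    flags = []
    if reply_dom and reply_dom != sender_dom:          # replies would go to a third party
        flags.append(f"Reply-To domain {reply_dom} differs from sender domain {sender_dom}")
    for brand, legit in BRAND_DOMAINS.items():         # display name claims a brand the domain is not
        if brand in name.lower() and sender_dom not in legit:
            flags.append(f"display name mentions {brand} but sender domain is {sender_dom}")
    if msg.get_content_type() == "text/html":          # what the link shows vs where it really goes
        body = msg.get_payload(decode=True).decode("utf-8", "replace")
        for href, text in ANCHOR.findall(body):
            shown, target = _host(text.strip()), _host(href)
            if shown and "." in shown and " " not in shown and shown != target:
                flags.append(f"link text shows {shown} but points to {target}")
    return flags

if __name__ == "__main__":
    for flag in phishing_indicators(SAMPLE):
        print("FLAG:", flag)
```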
3. Isolation of Corporate and Private Email
Just as a device should be isolated for work purposes, email should be treated in a very similar manner. This refers not only to the sending and receiving of email but, most importantly, to the sending and receiving of files. For privacy, security and simply safe work practice, corporate and private email should not get their wires crossed. The complacency we have with private email should not carry over to a work email address, and neither should our willingness to carelessly send and receive content or files. The key to drawing the line:
- Avoid sending emails between a corporate and private account
- Never send or attach corporate files to a private email address
- Do not use private email, social media or credentials on a corporate or authorised device
- Avoid adding private contacts (such as family) to a corporate contact list. Your contacts should only be those authorised to view work-related information
- Always remember, if it is highly confidential, it probably should not be emailed
4. Implement Multi Factor Authentication
Multi-Factor or Two-Factor Authentication (MFA) is the use of an additional form of verification when accessing an account or device. Having typed in your email password, a second method of verification is highly recommended; not only is it free, it is simple to set up. Users of Office 365 have this feature available straight out of the box, no matter the type of licence being used. The most recommended secondary authentication is an SMS to a mobile number. This ensures that the user must have a physical device in their possession (similar to a dongle) and can also prevent unauthorised attempts to change an account password. Some sound advice about MFA:
- Never disclose what device or email address is used for MFA
- Security questions do not count as MFA measures
- A recovery email address is different from MFA and should be set up with a private email address in case the organisation’s domain is compromised
- Never send MFA codes or passes to another individual
- If you haven’t set yours up, now is the time
5. Limit Password Lifecycles
The lifecycle of an account password is too often taken for granted. Just because we are not being reminded to change a password does not mean we should keep using our trusty old “password123”. No matter how complex our password generating skills may be, changing passwords also prevents an attacker from silently siphoning data from an already compromised account. This directly limits the duration of an attack: the less time an attacker spends on a corporate network, the less potential for data loss or financial impact. Our tips to enhance account password governance in an organisation:
- As a standard, passwords should be changed every 3–6 months, and if automatic password expiry is possible, make sure it is enabled
- Follow good-practice recommendations for enforcing a strong password, e.g. at least 8 characters in length, containing both upper- and lower-case letters, at least one numeric character and at least one special character
- Always verify a user’s identity before resetting a password, including the use of MFA if possible
For the end-user, ensure you reinforce good practice:
- Do not share your password with anyone for any reason
- Change your password upon indication of compromise
- Do not write your password down or store it in an insecure manner
- Avoid reusing a password
- Avoid using the same password for multiple accounts, especially accounts that handle confidential information or financials
- Do not use automatic logon functionality
6. Enable the Auditing Feature
Many organisations run corporate infrastructure that comes with a built-in auditing feature. This feature allows all access, sending, receiving and interactions to be monitored. It not only provides a substantial advantage when analysing the aftermath of an attack; it can help put an end to one that is in progress. As with password lifecycles, the faster a breach is identified, the smaller the damage. A bonus of auditing is the ability to log the source of a connecting device, giving an organisation the ability to understand the origin of an attack. This may seem useless if an attacker is in another country; however, understanding the primary landscape of attacks over time allows an organisation to implement security measures focused on that landscape and to apply greater vigilance. Auditing also provides better documentation for regulatory and insurance purposes, especially when claiming damages. Some important considerations when implementing auditing:
- Ensure audit data is backed up and stored securely/encrypted
- Audit logs should not be accessible by any user or externally (except for network administrators)
- Audit logging should not hinder the performance of any service or part of the network
- Do not provide audit logs to another organisation unless authorised
- Do not allow audit logs to store any credentials, content of interactions or user information
7. Develop Effective Data Policies
Data policies are the procedures or systems that capture good user practice. They are implemented as an automated system or as a set of rules/procedures that manage email being sent or received. There are two types of data policy used to govern potential reputational or financial damage:
- A Data Loss Policy analyses the content of emails for commonly sensitive information such as credit card details, tax file numbers, and even key terms (e.g. “this is my password”). While it may seem intrusive, a data loss policy simply flags sensitive information without actually storing it on the network. This ties in well with another crucial policy known as the data retention policy.
- A Data Retention Policy is commonly mistaken for the storage of information for a duration of time; however, data retention stipulates when to dispose of data as well. A data retention policy flags potentially outdated information for deletion, allowing an organisation to stay in control of what is stored on a network. By having a complete understanding of what is stored, the extent of potential losses or damages can be clearly defined and absorbed by a risk appetite statement. Imagine having data stolen from 2007 containing proprietary information from a network folder that no one knew still existed.
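The Data Loss Policy check described above, written out as an added example that is not part of the original post: it scans message text for tax file numbers (using the TFN check-digit rule), card numbers (using the Luhn check) and key phrases, and reports only a category and a masked value, so the sensitive content itself is never retained. The sample messages are constructed; the TFN and card number are standard test values.

```python
import re

# Constructed sample messages (not real data). 123 456 782 is the well-known TFN test value
# that satisfies the check digit; 4111 1111 1111 1111 is the standard Visa test number.
SAMPLES = {
    "tfn": "Hi, my tax file number is 123 456 782, please update payroll.",
    "card": "Card on file: 4111-1111-1111-1111, exp 09/23.",
    "phrase": "As requested, this is my password: Summer2020!",
    "clean": "Invoice 123456789 is attached; call 0412 345 678 with questions.",
}

def luhn_ok(digits):
    """Luhn check used by payment card numbers: double every second digit from the right."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)

def tfn_ok(digits):
    """Australian TFN check: the weighted sum of the nine digits is divisible by 11."""
    return len(digits) == 9 and sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0

def mask(digits):
    """Keep only the last four digits so a finding can be reviewed without exposing the value."""
    return "*" * (len(digits) - 4) + digits[-4:]

KEY_PHRASES = ("this is my password", "password is")
DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){8,18}\d(?!\d)")  # 9 to 19 digits, spaces/dashes allowed

def scan(text):
    """Return (category, masked value) findings; the raw sensitive value is not kept."""
    findings = []
    for m in DIGIT_RUN.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if tfn_ok(digits):                               # check digit rules out plain 9-digit numbers
            findings.append(("tfn", mask(digits)))
        elif 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("card", mask(digits)))
    low = text.lower()
    findings += [("key-phrase", p) for p in KEY_PHRASES if p in low]
    return findings

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, "->", scan(text))
```

The invoice number and phone number in the "clean" sample are not flagged because neither passes its check digit, which is what keeps this kind of policy from drowning reviewers in false positives.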
Ultimately, safe work practice and increased vigilance are key to protecting our homes and the organisation. The last thing we need is an attack with no healthy resolution timeframe, no help to pull us back, and no IT support to walk through the office door and put things right.
If you are ever unsure about the security of your device, do not hesitate to contact your employer; many organisations have procedures in place to secure devices or can at least provide the guidance needed to achieve security at home.
How we can review your cyber security posture
InConsult is committed to helping organisations become more resilient. If you feel information security within your organisation may be inadequate, InConsult can provide a cyber risk scanning, testing and scoring service to identify vulnerabilities and provide recommendations. Contact us to discuss your needs.