Category Archives: Security

Strengthening the Weakest Link – The Ultimate Spear Phishing Defense

Not convinced your employees need the training?

Late in 2012 Trend Micro reported that 91% of targeted online attacks involved spear phishing, making it the most favored opening move of an APT (Advanced Persistent Threat) attack. In spear phishing, attackers use information about prospective victims to increase their credibility and the likelihood that recipients will “bite” (click a URL) in an e-mail or social media post. Spear phishing messages reportedly achieve open rates around 70% because people extend trust to the putative source, not to the actual attacker. Because it is cheap and easy to carry out, its popularity will only continue to grow. Perimeter and signature-based defenses don’t stop spear phishing because an individual employee or customer opens the door to the attacker. In these circumstances, the employee/victim becomes the weak link in IT security.

Today’s employees need next-generation security awareness training on a regular basis to keep them informed and your network protected.

“A staggering 91 percent of targeted attacks begin with a spear phishing email”


Introduction

Spear phishing is a CSO’s worst nightmare because it is the most difficult attack to protect against. Targeted social engineering, malware crafted to evade detection and zero-day exploits are just some of the reasons. Clever attackers send legitimate-looking emails purporting to come from organizations like the IRS, local banks, or Internet portals, targeted directly at CEOs and other executives and employees.

One such incident occurred in 2012, when business executives received personalized emails informing them that their company was under investigation for criminal fraud. The email looked like a legitimate IRS email, and its link led to a website that looked exactly like an IRS webpage. When the target clicked the link, a Trojan was loaded onto their computer that captured the person’s email account activity before it could be encrypted. The consequences are lasting: customers are reportedly 42% less likely to do business with a company that has fallen victim to spear phishing and a resulting data breach. Worse, phishing costs brands and corporations more than 98 billion dollars a year.

A Sorry Security Situation

CSOs are responsible for a company’s entire security. As such they oversee network security and are the first person everyone turns to whenever there is a breach. People expect CSOs to protect the company and prevent such breaches, but spear phishing makes even a CSO likely to be blindsided. Once a breach occurs it is up to the CSO to act quickly and contain it before damage is done. Attackers count on this and move fast to extract every ounce of information they can before the breach is closed. Those who don’t understand how spear phishing works may blame the CSO or the security software in use. However, even the best CSO and the best security software on the planet cannot, by themselves, stop an intelligent and motivated attacker.

If CSOs are to do their jobs well, then not only must they have the best security hardware and software, they also need the support of well-educated staff, and the ability to test their staff and find any weak links in need of strengthening. With all possible ‘defense-in-depth’ components properly in place, an organization becomes a very hard target, causing hackers to move on to pursue easier game.

The Missing Link

Three questions expose the components most security programs are missing, and without which employees will keep unwittingly opening the door to attackers:

How do you make sure your employees are getting the best education?

How do you make sure after your employees are educated that they don’t make security mistakes anyway?

If you could find out if they might be vulnerable to spear phishing, how can you enlighten them?

If existing methods for educating employees were effective, then spear phishing wouldn’t remain problematic for so many companies. Thus, it is obvious that a different approach is called for.

Hackers aren’t just after a company’s financial records. They are also after source code and intellectual property; in effect, they are trying to steal the future of your company. Years of work in your R & D department could end up in the hands of a Chinese competitor thanks to a single mouse click by an untrained employee.

Spear phishing has become so endemic in corporate and government networks that there is a joint government operation in effect to counteract it. Per the FBI: “Instead of casting out thousands of e-mails randomly hoping a few victims will bite, spear phishers target select groups of people with something in common—they work at the same company, bank at the same financial institution, attend the same college, [or] order merchandise from the same website. The e-mails are ostensibly sent from organizations or individuals the potential victims would normally get e-mails from, making them even more deceptive…

Law enforcement takes this kind of crime seriously, and we in the FBI work cyber investigations with our partners, including the U.S. Secret Service and investigative agencies within the Department of Defense.”

At the Microsoft TechEd conference held in June 2012, Proofpoint surveyed 339 IT professionals about their concerns regarding targeted phishing attacks and enterprise data loss risks. Half of all respondents (51%) believed that their organization had been targeted in the past year by a phishing email designed specifically to compromise their users.

Dramatic examples of recent spear phishing attacks include:

The White House – China-based hackers breached a network used by the White House Military Office. According to their website, this office provides military support for White House functions, including food service, presidential transportation, medical support and hospitality services. There is no clear report on what the hackers were trying to access. An Obama administration national security official simply said: “This was a spearphishing attack against an unclassified network.”

Google, Inc. – A US official says that the same group that attacked the White House also broke into Google. Among those targeted were people who work at the White House. It is presumed that they were hoping these people would discuss secure information or conduct administrative business using their personal Gmail accounts.

South Carolina Department of Revenue – According to an official report, “A malicious email was sent to multiple Department of Revenue employees. At least one Department of Revenue user clicked on the embedded link, unwittingly executed malware, and became compromised. The malware likely stole the user’s username and password.” These attackers then gained access to “millions of Social Security numbers, bank account information and thousands of credit and debit card numbers.” SearchSecurity’s coverage notes that, “In addition to the 3.8 million people whose data were exposed, the breach included information on 1.9 million dependents. It also included data on 699,900 businesses. Information on 3.3 million bank accounts was also stolen.”

The New York Times – The same China-based hackers who have wreaked havoc on the White House, Google, and others have been named as the responsible parties for this breach, too. In this particular case, the newspaper blames Symantec’s antivirus software for not foiling a malware installation.

The attacks against Google, Adobe and at least a dozen other publicly documented advanced persistent threat (APT) campaigns were initiated at least in part through targeted spear phishing emails. Software alone is not a complete defense.

SC Magazine reports:

“Researchers have noted an increase in spear phishing targeting numerous industries, primarily in the United States, where malware evades detection by hiding inside Windows help (HLP) files attached to emails. The HLP files are embedded in attachments that appear to users to be ZIP files. Once the ZIP files are opened, however, one of several backdoors will be downloaded, allowing an attacker to carry out a range of feats – from changing users’ passwords to logging keystrokes to capturing screenshots or a number of other information-stealing tactics sent from the command-and-control server.”

Strengthening the Weakest Link

There is an important conclusion to be drawn from all this recent news. Security products continue to become more advanced and sophisticated, and that certainly helps. But to cope with the current situation and future attacks, end users must be educated and informed. The better informed users are about how attacks work, the less likely they are to fall prey to scammers, online or off.

We are also seeing an increase in social engineering over the phone. Users are called by someone claiming to represent ‘Microsoft’ or a well-known security software company and directed to grant remote access to their computers. Educated end users do not fall for such scams.

But how do you train jaded users, the ones who think they know everything, who have heard it all and are more sophisticated than average? It’s not enough that the trainer is a highly regarded security expert. The training needs to come from someone who understands hacker culture and how attackers think.

Contact us to learn how you can protect yourself from these types of phishing scams. Call 920-885-0141.

Your Bank Emails

Your bank emailed you…  or did they?

What does an email from a cybercriminal look like compared to your bank?  For example, Bank of America…

The email above LOOKS so authentic…

What is RIGHT?

– Bank of America logo looks real.

– Color and style of email is similar to Bank of America’s customer emails.

– Return email address is one of those used by Bank of America.

– Website appears to be a Bank of America website.

What is WRONG?  (You need to watch for this information.)

– The formatting of the email is not correct.

– The typeface of the P.S. is different.

– The signature is BOA Member Services Team, which is not used today.

– The copyright is BOA LLC, not Bank of America.

The more sophisticated thieves direct you to a website that looks like your bank.  See the example below.  Do you know how to recognize it is a hoax designed to capture some of your private information?

One way / ANSWER:  ALWAYS look at the domain name in the browser’s address bar, not the name shown in the link text or on the page.  Make certain it is your bank’s own domain.  If it is anything else, or you are not sure, do not proceed.

All of the other aspects explained below about email phishing also apply to a website.  These are relatively simple ways to confirm what you click on is safe.

Ways to identify phishing and spoofing emails include:

1. Links that appear to be from your bank… but are NOT – Test any link by placing your cursor over it, but do not click.  Your email program should display the destination URL.  Does its domain (the part after “https://” and before the next slash) match your bank’s web address?  Read the domain from the right: a hypothetical link to bankofamerica.com.other-site.example belongs to other-site.example, not to the bank.  If it does not match, you can search past emails you have to see if it is another domain name used by your bank.

2. Urgent requests – Banks do not threaten to close your account if you fail to respond to an email.

3. Warnings about system and security updates – Banks may inform you of pending system upgrades and/or security updates, but they do not require any personal information from you to complete these changes.

4. Requests for personal information – No reputable bank ever asks or demands that you reply via email with your personal information, such as your driver’s license #, Social Security #, ATM or credit card #, PIN #…

5. Do NOT fall for “the deal” – Banks are not hucksters.  They do not ask you to do something in return for a huge payoff.  They do not pay you to complete surveys.  They do not ask you to do anything that requires you to enter your account number, PIN…

6. Obvious typos, grammar, and formatting errors – As mentioned above, although cyber thieves are smart they still seem to make mistakes in their email requests.  However, be warned:  Today, the mistakes they make are rare.  The phishing emails and websites now online posing as your bank can be very convincing.  You may have to choose safety over timeliness.

7. Someone once said, “Assumptions are the mother of all mistakes.” Do not assume your computers, mobile devices, and networks are secure from phishing, ransomware, and other cyber theft attempts.  Confirm
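A short script, added here as an illustration (it is not from the original article or from any bank), that runs the link checks in items 1 and 6 above over an email body, so the hover test can be applied to a whole message at once rather than one link at a time. The bank domain list, the sample message and the addresses in it are assumptions made up for the demo.

```python
"""Automate the link checks above for an HTML email body.

Added example, not code from the original article or from any bank. It
extracts every link, then tests what the article says to look for: does the
link's real host belong to the bank's domain, does the visible text claim a
different site, is the bank's name merely buried inside a longer host name,
is the host a bare IP address or a digit-for-letter lookalike. The list of
known bank domains and the sample message are assumptions for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains the bank really uses (gather these from past genuine mail).
KNOWN_BANK_DOMAINS = {"bankofamerica.com", "bofa.com"}

# Digits attackers substitute for letters (0->o, 1->l, 3->e, 5->s).
_DIGIT_SWAP = str.maketrans("0135", "oles")


def registrable_domain(host):
    """Crude rule: the last two labels. Assumption: no public-suffix list, so
    'bank.co.uk'-style names need a real library such as tldextract."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> in the body."""
    def __init__(self):
        super().__init__()
        self.found, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.found.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _Links()
    parser.feed(html)
    return parser.found


def check_link(href, text, known=KNOWN_BANK_DOMAINS):
    """Return the reasons a link is suspicious; an empty list means none found."""
    reasons = []
    u = urlparse(href)
    host = (u.hostname or "").lower()
    if u.scheme not in ("http", "https") or not host:
        return ["not a normal web link: %r" % href]
    if u.scheme != "https":
        reasons.append("not https")
    if host.replace(".", "").isdigit():
        reasons.append("host is a bare IP address")
    dom = registrable_domain(host)
    if dom not in known:
        reasons.append("registrable domain %r is not a known bank domain" % dom)
        for k in known:
            # bankofamerica.com.other-site.example: the bank name is only a decoy prefix
            if k in host and host != k and not host.endswith("." + k):
                reasons.append("%r appears inside the host name as a decoy" % k)
        if dom.translate(_DIGIT_SWAP) in known:
            reasons.append("%r is a digit-for-letter lookalike of a bank domain" % dom)
    # If the visible text itself looks like an address, it must match the real host.
    if "." in text and " " not in text:
        shown = urlparse(text if "://" in text else "https://" + text).hostname
        if shown and registrable_domain(shown) != dom:
            reasons.append("visible text says %r but the link goes to %r" % (shown, host))
    return reasons


def scan_email(html, known=KNOWN_BANK_DOMAINS):
    """Map each flagged href to its reasons; clean links are left out."""
    flagged = {}
    for href, text in extract_links(html):
        reasons = check_link(href, text, known)
        if reasons:
            flagged[href] = reasons
    return flagged


# Constructed sample, modelled on the bank-lookalike message described above.
SAMPLE_EMAIL = """
<p>Dear customer, please verify your account:</p>
<a href="https://www.bankofamerica.com/login">www.bankofamerica.com</a><br>
<a href="http://bankofamerica.com.secure-verify.example/login">www.bankofamerica.com</a><br>
<a href="https://198.51.100.23/boa/">Click here</a><br>
<a href="https://bank0famerica.com/">Update now</a>
"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", "; ".join(reasons))
```

Run it as-is to see the three bad links flagged and the genuine one pass. The registrable-domain rule is deliberately crude; in production use a public-suffix library, and feed the script the raw HTML from your mail client’s “view source” rather than trusting the rendered view.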

Business Needs:  If you are concerned about these risks for your business or nonprofit, then don’t wait.  Contact Inter-Quest online or call (608) 571-3071 to schedule a conversation with Lisa Fichter, one of our Senior Problem Solvers.  She can schedule a free, no obligation conversation about your situation.  She can help you assess your risk, and for a limited time, even provide a free network security assessment if you like.

Personal Needs:  If you are an individual concerned about an email you received or a website it directed you to, a good approach is to call your bank, using the number on your card or statement rather than one from the email, to confirm whether they sent it.

THE GOOD NEWS

You can avoid most phishing scams and other hacker attacks, including ransomware.  Part of the solution is to fully protect every computer, mobile device, and network of your organization with the latest anti-virus, firewall, and other applicable security tools; the rest is the trained, skeptical user described above.

The most cost effective way to do this is to have your systems kept secure daily by a professional I.T. security firm, such as Inter-Quest, a highly qualified, diverse, 20-year-old I.T. services team with offices in Beaver Dam and Madison, Wisconsin.  Its team of computer experts provides IT security and managed services to businesses, government, and nonprofits.

Contact Inter-Quest online or call (608) 571-3071 to schedule a conversation with Lisa Fichter to confirm your employees and sensitive company data are safe from cyber criminals.

WannaCry Ransomware Released Today

Major news outlets announced that a ransomware worm named WannaCry hit this morning in 99 countries, including China and Russia.  Do you have threats lurking on your laptops, desktops, servers, and/or mobile devices?

According to the BBC, WannaCry’s massive cyber-attack is based on tools believed to have been stolen from the US National Security Agency (NSA) and cyber-security firm Avast said it had already seen 75,000 cases of the ransomware.

The malware leveraged a vulnerability in the SMBv1 file-sharing service of Microsoft Windows that Microsoft patched in March (security bulletin MS17-010).  Who is updating the software and security patches on your technology?  Without that update, your systems and networks are at risk.

WannaCry and its variants leverage that exposure to enter networks and begin encrypting files which are then held ransom for payments between $350 and $500.

News.com.au reported that a 22-year-old researcher identified a flaw in the malware’s code and slowed its spread substantially: the malware checked an unregistered domain name before running, so by buying that domain he turned it into a “kill switch” that caused new infections to halt.

As of this morning, Inter-Quest has not received reports or seen any indications of this variant of ransomware in our Client environments.  Inter-Quest is constantly updating the software and security patches throughout our Client systems to make certain our managed services Clients’ systems are fully technology protected based on industry best practices.

Here are some security steps you can assess at your company.  Contact Inter-Quest if you identify any potential gaps, have questions, or would like a free network security assessment to confirm your sensitive data and technology operations meet industry standard protocols:

  • User-Training: First and foremost, you have to train and retrain all employees on the risks of opening files and clicking unknown links, as most malware is initiated by user action.  A starting point is to have your people review this brief article from Cisco, discuss it, develop a training regimen, and hold people accountable for good decisions.
  • Windows Updates: Do not assume your systems are automatically updating with feature and security updates.  Many critical updates require manual initiation by users, or the people managing the systems.  Inter-Quest combines automated updates with manual oversight to confirm your systems have the most recent updates and security patches from all covered software and operating system vendors.


The patch to block the WannaCry ransomware has been on our Clients’ systems since March when it became available.  Are you absolutely certain ALL of your systems and networks are fully secure?

  • Backup: The best defense against ransomware is automated backups of all of your systems.  Daily is best, and at least one copy should be offline or otherwise unreachable from the network, since ransomware encrypts any backup it can write to.  Inter-Quest’s managed services Client systems are not only backed up, but our solution also constantly monitors the quality of the data backed up, so when there are issues there is remediation and testing within one business day.  We also regularly test backups to confirm data is restored accurately and quickly.  When is the last time you tested a restore from your backup system?
  • Antivirus/malware: Inter-Quest manages industry best-in-class anti-virus/malware solutions on all supported Client systems – including servers, workstations and laptops.  It automatically updates as new malware is introduced daily.  Are you certain your anti-virus/malware software is comprehensive enough to stop the WannaCry and other new attacks?
  • OpenDNS: Many Inter-Quest Clients utilize OpenDNS, also known as “Cisco Umbrella,” on their workstations, laptops and servers.  OpenDNS has proven to effectively block many variants of ransomware, including WannaCry.  Contact Inter-Quest if you would like to consider the pros and cons of OpenDNS.


It may sound obvious, but your people may have ransomware on their systems if files suddenly cannot be opened or have acquired an unfamiliar file extension.  CNN quotes Mikko Hypponen, chief research officer at cybersecurity company F-Secure in Helsinki, Finland, as calling this “the biggest ransomware outbreak in history…”  And many experts say the impact of WannaCry is just beginning.
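As an added example (not from the original article or from Inter-Quest), here is a scan that checks a file share for what WannaCry leaves behind.  WannaCry renames each file it encrypts to end in .WNCRY and drops a ransom note called @Please_Read_Me@.txt in the folders it touches; both indicators are well documented.  The folder heuristic at the end is generic and catches other families as well.  The sample listing, and the “.locked” extension in it, are constructed for the demo.

```python
"""Look for what WannaCry leaves behind on a file share.

Added example, not from the original article. WannaCry renames each file it
encrypts to <original name>.WNCRY and drops a ransom note named
@Please_Read_Me@.txt in every folder it touches (both widely documented).
This scan reports those two indicators and a generic one that also catches
other families: a folder in which nearly every file suddenly shares one
extension you never see in normal use. The sample listing is constructed.
"""
import os
from collections import Counter

WANNACRY_EXTENSIONS = {".wncry", ".wncryt", ".wcry"}   # .wncryt is the in-progress name
WANNACRY_NOTE_FILES = {"@please_read_me@.txt", "@wanadecryptor@.exe"}
# Assumption: what this particular share normally holds; tune per environment.
NORMAL_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".jpg", ".png"}


def classify_paths(paths, min_files=5, share=0.8):
    """Pure function over a list of file paths, so it can be tested without a disk.
    Returns the matched files and the folders that look mass-renamed."""
    findings = {"encrypted_files": [], "ransom_notes": [], "suspicious_dirs": []}
    per_dir = {}
    for path in paths:
        folder, name = os.path.split(path)
        ext = os.path.splitext(name)[1].lower()
        if ext in WANNACRY_EXTENSIONS:
            findings["encrypted_files"].append(path)
        if name.lower() in WANNACRY_NOTE_FILES:
            findings["ransom_notes"].append(path)
        per_dir.setdefault(folder, Counter())[ext] += 1
    for folder, counts in per_dir.items():
        total = sum(counts.values())
        ext, n = counts.most_common(1)[0]
        # Mass-rename heuristic: enough files, most of them sharing one unfamiliar extension.
        if total >= min_files and n / total >= share and ext not in NORMAL_EXTENSIONS:
            findings["suspicious_dirs"].append((folder, ext, n, total))
    return findings


def scan_tree(root):
    """Walk a real directory and classify what it holds."""
    paths = [os.path.join(dirpath, f) for dirpath, _, files in os.walk(root) for f in files]
    return classify_paths(paths)


# Constructed listing: one folder hit by WannaCry, one by some other family
# (the ".locked" extension is made up), one untouched.
SAMPLE_LISTING = [
    "/srv/share/finance/Q1.xlsx.WNCRY",
    "/srv/share/finance/Q2.xlsx.WNCRY",
    "/srv/share/finance/budget.docx.WNCRY",
    "/srv/share/finance/board.pdf.WNCRY",
    "/srv/share/finance/notes.txt.WNCRY",
    "/srv/share/finance/@Please_Read_Me@.txt",
    "/srv/share/legal/nda.docx.locked",
    "/srv/share/legal/lease.pdf.locked",
    "/srv/share/legal/brief.docx.locked",
    "/srv/share/legal/terms.txt.locked",
    "/srv/share/legal/exhibit.jpg.locked",
    "/srv/share/hr/handbook.pdf",
    "/srv/share/hr/roster.xlsx",
    "/srv/share/hr/photo.jpg",
]

if __name__ == "__main__":
    result = classify_paths(SAMPLE_LISTING)
    print(len(result["encrypted_files"]), "WannaCry-encrypted files")
    print("ransom notes:", result["ransom_notes"])
    for folder, ext, n, total in result["suspicious_dirs"]:
        print("%s: %d of %d files now end in %s" % (folder, n, total, ext))
```

Point scan_tree at a share root to run it for real.  A hit is a reason to isolate the host that wrote those files and go to the backups, not to start cleaning files by hand.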

If you see any evidence of ransomware or other suspicious activity in your technology environment, contact Inter-Quest immediately via email or call (608) 571-3071 to schedule a conversation with Lisa Fichter, one of our Senior Problem Solvers.  She will help you avoid damage and work delays due to ransomware and other I.T. security threats.

Public Wi-Fi Done Right

We love public Wi-Fi, particularly in certain coffee shops where we can sit there for a couple of hours and not worry about our access timing out.

The problem is every day public Wi-Fi gets more dangerous.

The bottom line:  You need to change the way you use public Wi-Fi now, or suffer the consequences.

There are dozens of YouTube videos supporting this conclusion, and a recent Harvard Business Review article titled “Why You Really Need to Stop Using Public Wi-Fi” (May 3, 2017).

But… you don’t want to stop using public Wi-Fi, do you?

THE GOOD NEWS

There is a way to use public Wi-Fi safely, but first, let us give you a summary of common attack methods from the HBR article.  Then we will explain what you must do to use public Wi-Fi safely.

First, two of the most popular attack styles are, “Man in the Middle” and “Evil Twin.”  The basic objective of these approaches is the cybercriminal wants to fool you into thinking their computer is the Wi-Fi network of your public space, hotel, airport, or other location.

You mistakenly connect to the Internet through them.  From that point forward they can see everything you send that is not itself encrypted, AND retain your usernames, passwords, and other confidential information your system transmits, then use it to reach your sensitive data and financial records.

Have you heard of wire fraud?  Man in the Middle and Evil Twin are enabling criminals to do more than just access your system.  They stay there.  It is creepy!  Hackers access your business computing device, and then stay on it.  For days, weeks or even months they study the way you communicate.  When they are confident of their ability to communicate on your behalf – talk just like you – then they instruct someone else to wire funds to their foreign account.  Wire fraud is growing astronomically specifically due to this type of theft.

You still do not believe hackers are after you?

Read about “Dark Hotel” in a Wired Magazine article.  Dark Hotel was a sophisticated, seven-year hacking campaign uncovered by Kaspersky Lab in 2014.  It targeted CEOs, government agencies, U.S. executives, NGOs, and other high-value targets while they were in Asia.  The executives connected to their luxury hotel’s Wi-Fi network and downloaded what they thought were regular software updates.  Instead their devices were infected with malware.  This malware could sit inactive and undetected for several months.  Then the hackers would access it remotely to obtain sensitive information on the device.

WHAT CAN YOU DO

If you are a business, then you need to have a proactive I.T. managed service provider responsible for protecting your network and systems.  They should also have security awareness training available for your employees, volunteers, consultants, and others.

Inter-Quest is a highly qualified, diverse, 20-year-old I.T. services team with offices in Beaver Dam and Madison, Wisconsin.  We have protected central Wisconsin businesses, government agencies, and nonprofits from cyber hackers for decades.

Here are some of the key areas where we help Clients implement technology and train their people in better public Wi-Fi habits.

Avoid Free Anti-Virus Software

Sensitive data about your personal life and career reside on your computer and possibly mobile devices such as tablets and phones.  Free antivirus software has fewer capabilities than robust antivirus and firewall solutions sold by reputable providers.  The cost of high-quality protection is microscopic compared to the financial loss, time waste, and stress of identity theft, ransomware, and other cybercriminal-induced pain.

Keep Software Updated

At home or work, always make certain your software has the latest updates.  A lot of the effort and coding in updates these days goes into protecting your software against cybercriminals.  But do NOT accept update prompts that appear while you are on public Wi-Fi; that is exactly how the Dark Hotel victims were infected.  Install updates through the operating system’s or vendor’s own updater, on a network you trust.

Confirm the Real Network

Ask an employee for the specific name of the retail store’s Wi-Fi network and the password.  Only use networks where you are 110 percent confident it is real.  For instance, “Free Airport WiFi” may be a trap set by hackers and thieves.
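An added example, not from the original article: three heuristics for recognising an evil twin in a Wi-Fi scan before you click connect.  The simplified scan layout, the network names and the hardware prefixes are constructed for the demo; adapt the parser to your own scanner’s output (netsh wlan show networks mode=bssid on Windows, nmcli dev wifi on Linux).

```python
"""Spot an 'evil twin' access point in a Wi-Fi scan before you connect.

Added example, not from the original article. Input is the list of access
points your scanner shows; the simple 'ssid | bssid | security' layout and
the vendor prefixes in the sample are constructed for the demo. Three
checks: the venue's network name advertised both secured and open, the same
name coming from a radio whose hardware vendor differs from the venue's
other access points, and an open network whose name imitates the venue or
a generic 'Free ... WiFi'.
"""
from collections import Counter, defaultdict


def parse_scan(text):
    """One access point per line: ssid | bssid | security (blank = open)."""
    records = []
    for line in text.strip().splitlines():
        ssid, bssid, security = (part.strip() for part in line.split("|"))
        records.append((ssid, bssid.upper(), security.upper() or "OPEN"))
    return records


def vendor_prefix(bssid):
    """First three octets of a MAC address identify the hardware vendor (OUI)."""
    return ":".join(bssid.split(":")[:3])


def _normalise(ssid):
    return ssid.lower().replace(" ", "").replace("-", "").replace("_", "")


def find_evil_twins(records, venue_ssid):
    """Return human-readable warnings; an empty list means nothing looked off."""
    by_ssid = defaultdict(list)
    for ssid, bssid, security in records:
        by_ssid[ssid].append((bssid, security))
    warnings = []

    venue = by_ssid.get(venue_ssid, [])
    securities = {security for _, security in venue}
    if "OPEN" in securities and len(securities) > 1:
        warnings.append("%r is advertised both secured and open; the open one is the likely twin" % venue_ssid)

    # A twin is usually a laptop or travel router, not the venue's own access point model.
    prefixes = Counter(vendor_prefix(bssid) for bssid, _ in venue)
    if len(prefixes) > 1:
        usual = prefixes.most_common(1)[0][0]
        for bssid, _ in venue:
            if vendor_prefix(bssid) != usual:
                warnings.append("%r from %s uses different hardware than the venue's other access points" % (venue_ssid, bssid))

    venue_norm = _normalise(venue_ssid)
    for ssid, aps in by_ssid.items():
        if ssid == venue_ssid:
            continue
        name = _normalise(ssid)
        if all(security == "OPEN" for _, security in aps) and (venue_norm in name or name.startswith("free")):
            warnings.append("open network %r imitates the venue name or a generic free hotspot" % ssid)
    return warnings


# Constructed scan: two genuine venue radios, an open twin on different
# hardware, a generic bait network and a near-duplicate name.
SAMPLE_SCAN = """
BeanThere Guest   | 3C:22:FB:10:20:30 | WPA2
BeanThere Guest   | 3C:22:FB:10:20:31 | WPA2
BeanThere Guest   | 00:1A:2B:99:88:77 |
Free Airport WiFi | 00:1A:2B:99:88:78 |
BeanThere_Guest   | 00:1A:2B:99:88:79 |
Neighbour5G       | 8C:3B:AD:44:55:66 | WPA2
"""

if __name__ == "__main__":
    for warning in find_evil_twins(parse_scan(SAMPLE_SCAN), "BeanThere Guest"):
        print("WARNING:", warning)
```

Treat a warning as a reason to ask staff which network is theirs, not as proof: some venues legitimately run an open and a secured network under one name, and a large site may mix access point vendors.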

Turn-off Sharing

Part of the process to access the public Wi-Fi network involves confirming whether you want to be sharing and seen on the network, or you want to be hidden.  Turn off sharing.  Do not be seen.  Allowing sharing may enable evil people to access your system.

This may be a two-step process:  First, you may need to go into the settings of your system to turn-off File Sharing.  Second, as part of the public Wi-Fi network connection you may be asked if you want to be seen, or share while using the network.  Always say “no” / be hidden.

Use a VPN

A VPN is a virtual private network.  In a recent Private WiFi survey, 79 percent of respondents said they do not use one, even though they should.  The major benefit of a personal VPN is that it encrypts everything between your device and the VPN provider, so the hotspot operator, or an evil twin standing in for it, sees only encrypted traffic it cannot use.  (Beyond the VPN provider, your traffic is protected only by each site’s own https.)  There are a variety of VPN options available at a reasonable cost.  Again, we advise against a free version.  Get real protection.

Avoid Sensitive Information

Do not access any online account unless you absolutely have to, and if you do, only accounts with two factor authentication.

If you are not familiar with two factor authentication, it is a two-step process to confirm who you are, rather than simply entering your password (a one-step process).  Typically the second step is a code: either it is texted to your phone and you type it into the website, or you use an app such as Google Authenticator or Microsoft Authenticator to generate a code that you enter into the website.  The app is the better choice, since a texted code can be intercepted or redirected by an attacker who takes over your phone number.

Look for a Secure Connection

Check the web address of the sites you are visiting, particularly if you need to do some transactions, to confirm the address begins with “https” rather than simply “http.”  This indicates the connection to the site is encrypted, so the hotspot cannot read it.  It does not tell you who the site is: phishing sites use https too, so the padlock is only worth something when the domain name is the right one.

Turn It Off

Turn-off the public Wi-Fi connection on your computer or mobile device when you are done.  Do not leave a gate in your fortress open for the enemy to attack.

After you turn it off, forget the network on your system.  The process varies based on your computer or mobile device.  On a Windows system you can do this in Network Settings, which can be accessed from the network icon in the lower right of your bottom task bar.  In iOS go to Settings, select Wi-Fi, find the network, and select Forget this Network.

WHAT TO DO NOW

Take inventory of what technology you have in place to stop cyber thieves on your computers, mobile devices, storage, and networks.  Also consider what training you are doing to educate your people how to avoid cyber risk, particularly on public Wi-Fi.

For a limited time you can schedule a no cost, no obligation full network security assessment that includes an assessment of each computer, mobile device, and most of your connected equipment from Inter-Quest.

It is better to assess your security BEFORE there is a loss you have to explain to a boss, board of directors, shareholders, or the public.

It is kind of ironic.  An employee may cause the theft of digital assets from your company by accessing a public Wi-Fi network, and one of your greatest concerns is the public finds out about it.

Inter-Quest does the work so the assessment does not interrupt your schedule.

Contact Inter-Quest online or call (608) 571-3071 to schedule a conversation with Lisa Fichter, one of our Senior Problem Solvers.  She will help you get your complimentary network security assessment scheduled quickly.