Why are we still getting caught by the ‘Phisher’men?

Posted on : 26-09-2019 | By : kerry.housley | In : Cyber Security, data security, Finance, Innovation

Tags: , , , , , , ,

0

Phishing attacks have been on the increase and have overtaken malware as the most popular cyber attack method. Attackers are often able to convincingly impersonate users and domains, bait victims with fake cloud storage links, engage in social engineering and craft attachments that look like ones commonly used in the organisation.

Criminal scammers are using increasingly sophisticated methods by employing more complex phishing site infrastructures that can be made to look more legitimate to the target. These include the use of well-known cloud hosting and document sharing services, established brand names which users believe are secure simply due to name recognition. For example, Microsoft, Amazon and Facebook are top of the hackers list. Gone are the days when phishing simply involved the scammer sending a rogue email and tricking the user into clicking on a link!

And while we mostly associate phishing with email, attackers are taking advantage of a wide variety of attack methods to trick their victims. Increasingly, employees are being subjected to targeted phishing attacks directly in their browser with highly legitimate looking sites, ads, search results, pop-ups, social media posts, chat apps, instant messages, as well as rogue browser extensions and free web apps

HTML phishing is a particularly effective means of attack where it can be delivered straight into browsers and apps, bypassing secure email gateways, next-generation antivirus endpoint security systems and advanced endpoint protections. These surreptitious methods are capable of evading URL inspections and domain reputation checking.

To make matters worse, the lifespan of a phishing URL has decreased significantly in recent years. To evade detection, phishing gangs can often gather valuable personal information in around 45 minutes. The bad guys know how current technologies are trying to catch them, so they have devised imaginative new strategies to evade detection. For instance, they can change domains and URLs fast enough so the blacklist-based engines cannot keep up. In other cases, malicious URLs might be hosted on compromised sites that have good domain reputations. Once people click on those sites, the attackers have already collected all the data they need within a few minutes and moved on.

Only the largest firms have automated their detection systems to spot potential cyberattacks. Smaller firms are generally relying on manual processes – or no processes at all. This basic lack of protection is a big reason why phishing for data has become the first choice for the bad actors, who are becoming much more sophisticated. In most cases, employees can’t even spot the fakes, and traditional defences that rely on domain reputation and blacklists are not enough.

By the time the security teams have caught up, those attacks are long gone and hosted somewhere else. Of the tens of thousands of new phishing sites that go live each day, the majority are hosted on compromised but otherwise legitimate domains. These sites would pass a domain reputation test, but they’re still hosting the malicious pages. Due to the fast-paced urgency of this threat, financial institutions should adopt a more modern approach to defend their data. This involves protections that can immediately determine the threat level in real-time and block the phishing hook before they draw out valuable information..

  • Always check the spelling of the URLs in email links before you click or enter sensitive information
  • Watch out for URL redirects, where you’re subtly sent to a different website with identical design
  • If you receive an email from a source you know but it seems suspicious, contact that source with a new email, rather than just hitting reply
  • Don’t post personal data, like your birthday, vacation plans, or your address or phone number, publicly on social media

We have started to work with Ironscales, a company which provides protection utilising machine learning to understand normal behaviours of users email interactions. It highlights (and can automatically remove) emails from the user’s inbox before they have time to open them. They cross reference this information with a multiple of other sources and the actions of their other client’s SOC analysts. This massively reduces the overhead in dealing with phishing or potential phishing emails and ensures that users are aware of the risks. Some great day to day examples include the ability to identify that an email has come from a slightly different email address or IP source. The product is being further developed to identify changes in grammar and language to highlight where a legitimate email address from a known person may have been compromised. We really like the ease of use of the technology and the time saved on investigation & resolution.

If you would like to try Ironscales out, then please let us know?

 

Phishing criminals will continue to devise creative new ways of attacking your networks and your employees. Protecting against such attacks means safeguarding those assets with equal amounts of creativity.

The CIO Guide to a successful Information Security Practice

Posted on : 30-06-2015 | By : jo.rose | In : Cyber Security

Tags: , , , , , ,

1

Our colleagues at Corix Partners have recently published on their blog a series of articles highlighting the eight key management rules CIOs and CISOs should follow to build and deliver a successful Information Security practice. We publish below a summary of the series which deconstructs in-depth eight views commonly held by Information Security practitioners and explores the Governance and Leadership dynamics which surround Information Security.

1. Think of Information Security as a Control function and not as a Support function

Information Security within a large organisation is often simplistically seen as a support function, and, as such, many stakeholders expect it to help streamline or ‘enable’ the business. The reality is, Information Security needs to be seen as a control function – and rules (that may be perceived as restrictive) are a necessary part of ensuring its effectiveness. CISOs must have the management skills to effectively communicate the threats facing the information assets to all stakeholders across the business – and they must get everyone on the same page when it comes to ensuring the appropriate controls are put in place to protect these assets.

2. Create a sense of reality around the threats and do not focus only on IT aspects

A commonly held view among Information Security communities is that businesses don’t care enough about Information Security – and decisions are often made from a convenience or cost avoidance perspective. However, a disproportionate focus on technical details and IT issues by the security teams themselves is often to blame for the disengagement with the subject. It’s down to the CISO to effectively communicate to the business the real threats faced by information assets, how this could translate into real consequences across the organisation – and how protective controls can prevent this from happening. If the level of Risk (resulting from the presence or absence of controls) is presented in a language that the businesses can understand, the CISO will build a meaningful dialogue with them that should drive the right decisions.

3. Focus resources on the proper implementation of key Controls and sell success

It’s often believed that Information Security is a chronically underfunded practice, and budgetary limitations are a barrier to its success. However, research by the World Economic Forum (‘‘Risk and Responsibility in a Hyper-connected World’) has shown that many large organisations in fact spend more than 3% of their total IT budgets on cyber security. Despite this, few have reached an acceptable level of cyber security maturity. Instead of requesting budgets to fund new technical initiatives, CISOs should tilt the magnifying glass and focus the resources they do have on the proper implementation of key controls – which have been mapped for a long time and alone can be highly successful in preventing most cyber attacks. Implementing demonstrable controls will give the business confidence that real protective measures are being put in place and that the spend is justified.

4. Pin tactical initiatives against a long-term Information Security roadmap

Within Information Security communities, the CISO is frequently regarded as a ‘firefighter’, working mostly in a reactive manner around cyber security incidents and attacks. This approach is often further fuelled by management’s short-term obsession with audit and compliance issues. While reacting to breaches or acting on regulatory demands will always remain a priority, especially as cyber threats continue to evolve and regulation increases, the key focus should be on addressing the root cause of the underlying problems. The CISO must pin tactical initiatives against the backdrop of a long term transformative Information Security roadmap and think beyond mere technical and tactical solutions. But to be truly successful, the CISO must also have the gravitas to influence lasting change and the personal skills to drive security transformation.

5. Assign Information Security Responsibilities and Accountabilities

Countless security awareness programmes follow the train of thought that Information Security is everyone’s business – across the organisation. While it’s true that everyone in an organisation can do something at their level to protect the business against threats, it cannot be ‘everyone’s responsibility’ – as this attitude can quickly derive towards becoming ‘nobody’s responsibility’. The CIO must ensure that the CISO is accountable for ensuring that the appropriate controls are in place across the organisation, backed by a sound Information Security Governance Framework. They must ensure that accountabilities and responsibilities are cascaded down to all relevant stakeholders across all silos (e.g. HR, Legal, Business units, third-parties etc.).

6. Operate Information Security as a cross-silo practice and not just as a technical discipline

Information Security practice is regularly considered a purely technical discipline. However, information exists in both digital and physical forms and more importantly – is constantly manipulated by people during the business day. While technology should undoubtedly play a strong role, in many industries, a stronger focus on the other elements of Information Security is often required. In order to implement an effective Information Security practice, CISOs need to establish a controls based mind-set across all silos of their organisation.

7. Operate Information Security as an ongoing structured practice and not just a series of technical projects

Information Security practitioners always seem busy with technical projects. In fact, Information Security should be there to provide continuous and long-term protection to the business. Therefore, it should not be approached just as a series of tactical projects with a set start date, end date and check-list of deliverables. All technical projects and tactical initiatives within an organisation’s Information Security practice should be seen as forming part of a structured practice and aligned with a long term Information Security strategic roadmap – aiming to achieve an Information Security vision and deliver lasting change across the organisation.

8. Operate Information Security to focus on People and Process supported by Technology, not just the implementation of the latest Technical Products

In order to ‘keep up with the hackers’ as technology evolves and cyber attacks become increasingly more advanced, many believe that business protection is derived primarily from the implementation of the latest technical products and solutions. While it can be tempting to believe that the latest technology products are going to be the ‘silver bullet’ needed to keep the business safe, in reality there’s often more to consider. It’s critical that the Information Security practice addresses any weaknesses in the organisation’s functional structure (people and processes), before turning to technical products as potential solutions.

Thanks to JC Gaillard and Neil Cordell for this contribution. The full series, ‘The CIO Guide to Information Security Practice: 8 Key Management Pitfalls to Avoid’ can be found on the Corix Partners’ blog.