You’ve almost certainly heard of ransomware, phishing, and business
email compromise as they are all over the news today. You probably have a general idea of what they
are – enough to be worried -- but how well do you understand the risks they
create and how to protect your organization?
Attackers are looking for the biggest payouts for the lowest
effort and risk, and this drives the ever-changing prevalence of threats. Ransomware is a dominant threat today because
it's easier for attackers to commercialize compared to phishing. Business email compromise is increasing because
it can yield bigger payouts for attackers.
This post will discuss the threats of ransomware, phishing, business
email compromise, and another one you may not have heard of, a server-side
attack. We'll then dig into what you can
do about them.
Four threats
Let's start with the simplest threat, phishing to steal
credentials. Phishing is mostly
delivered through email – but there are subtypes for SMS, etc. – and this type
of phishing generally aims to fool the recipient into giving up their account
credentials – userid and password -- using a fake login page for a cloud
service. Using the stolen credentials, the attacker can obviously perform an account
takeover of the cloud service account in question, but they will also
likely be able to use credential stuffing to take over other accounts
owned by that userid. Credential
stuffing means trying the userid/password combination on hundreds of different
cloud services, and it works because most people use the same password for many
of their accounts. In other words, most
users don't use a unique password per account, as they should.
Once the attacker takes over one or more accounts, they can
make money by many different means, including stealing data from the accounts
then reselling the data (e.g., for credit card data) or threatening its disclosure. (By the way, if personal information is
accessed in any way, in most jurisdictions this is a privacy data breach
and must be reported to the privacy authority.)
There is a related threat, a server-side attack, that
involves an attacker stealing credentials from the cloud service itself
instead of its users. The attacker will break
into a cloud service and steal the "passwords file", which contains
the userid and the associated, obfuscated (salted and hashed) password for each
of the cloud service's users. The
attacker will then perform a cracking operation to de-obfuscate the passwords,
and will generally be successful for those users that haven't used a strong
password.
What makes a password "strong"? It's sufficient length, sufficient randomness,
and sufficient character types complexity (the mix of uppercase, lowercase,
digits, and symbols). "Sufficient"
is a fuzzy and moving target, but if a password isn't a bare minimum of 12
characters long, doesn't look random, or doesn't use at least three types
of characters, it may not be strong enough to resist cracking. Once passwords are cracked, there are same
risks as for phishing, such as account takeover and credential stuffing.
Business email compromise (BEC) requires the most
effort for the attacker. In a typical
compromise, the attacker will get access (through one of a variety of means) to
an email account for an organization head or financial head and will monitor
the email traffic for a while. Once the
attacker understands the organization's financial processes and which employees
are involve with financial transfers, they will send a fake email (from
a fake account, often with a similar-looking domain name) to an employee
requesting a wire transfer to some outside destination. If the deception is not detected in time, the
attacker will receive the transfer.
The last, and probably most important, threat we'll discuss
is ransomware. This is a type of malware
usually delivered through phishing emails (but not the credentials-stealing
kind), and it is rapidly surpassing other types of malware and phishing because
of its ease of monetization.
For email-based ransomware (and other malware), a user will
typically be fooled into executing a file attached to an email or to clicking
on a link in an email and downloading a file, resulting in a compromise of
their device by the attacker's malware (i.e., malicious software). Ransomware encrypts the infected computer's
files in place and then demands a ransom payment to provide the
decryption key; and the ransomware will typically try to spread to other
computers in the organization. If the organization
decides to pay the ransom (it's a complex decision) and is very lucky, the key will
work; otherwise the data is irretrievably destroyed.
Increasingly, though, ransomware does more than encryption:
it will send a copy of the victim's data to the attacker's server before
encrypting it, and the attacker will additionally (and maybe on more than one
occasion) threaten to publicly release the data if the ransom is not
paid. Whereas a data backup is a good recovery
mechanism for ransomware's encryption, there really is no way to mitigate a public
release of data, which makes victims more willing to pay. (Note that both cases would generally be
considered privacy data breaches if personal data is involved.)
Mitigations
If we analyze the
four threats in detail and look at how to mitigate the resulting risks – i.e.,
prevent them, reduce their effect, or recover from them -- it turns out that we
need two different sets of mitigations, aka security controls:
- controls that address the primary risks of account takeover and credential stuffing, and financial loss for BEC – let's call this Type 1; and
- controls that address the primary risks of device compromise (by malware) and destruction of data – we'll call this Type 2.
Mapping these risks to the four threats above:
- Type 1 controls are for credentials-stealing phishing, business email compromise, and credentials-stealing server-side attacks; and
- Type 2 controls are for malware and ransomware.
Both types are also mitigating a variety of secondary risks,
including financial loss and theft or exposure of data.
The controls
So what are these two amazing sets of security controls? They are for the most part the basic set of
security controls that security professionals call "security hygiene"
– fundamental security controls that every organization should implement as a
matter of course before getting into anything fancier.
The Type 1 controls are focused mainly on protecting credentials:
- user security awareness training;
- the proper use of passwords: mainly ensuring they are strong and unique;
- the use of a password manager: as the best way of properly managing passwords;
- the proper use of the password manager, including using it to autofill login pages: whereas a user can be phished by a fake login page, a password manager will notice the fake page's incorrect domain name and will refuse to autofill the credentials into that page;
- use of two-factor authentication (2FA)/multi-factor authentication (MFA): as a second line of defense on an account in case the account's password is compromised; and
- for BEC in particular, setting up a proper verification process for financial transactions, such as through the use of out-of-band verification like a phone call or walking over to talk to the sender: to catch fraudulent requests.
The Type 2 controls are targeted mainly at spam and malware:
- user security awareness training;
- the use of an email anti-spam/malware filter: to stop phishing emails before they reach users; and
- security hardening of devices, especially computers, by locking down operating system (OS) security-related settings and the use of antimalware ("antivirus") and anti-ransomware software or, for larger organizations, endpoint protection software/services: to prevent malware from successfully running if a user falls for it;
- the use of data backup, to a cloud backup service or a local backup drive, or ideally to both: to recover from the destruction of data by ransomware.
User security awareness training is listed first for
both type of controls because it's usually the most important control that
organizations can put in place. Properly
trained employees could forestall many risks even in the absence of many technical
security controls (such as password managers, 2FA, spam filters, hardening, antimalware,
etc.) – but conversely, the best technical security controls can be bypassed or
rendered ineffective by unaware employees.
All organizations should properly train their employees on security
(and privacy) risks – starting as soon as possible and then at least annually. They should also choose the right mix of
technical security controls to fit their organization, risk tolerance, and
budget. Every single organization,
though, should have all the Type 1 and Type 2 security controls listed above as
a minimum.
For more
This has been only a brief introduction to some common
cybersecurity threats that most organization face, and to how to start
addressing them. If you want to learn
more – and I strongly encourage you to do so – there is no shortage of
information available. Most everything
you might want to know is on the Internet, so you can do a web search for any
of the terms in this post. You can also read
some of my other blog posts; see my blog map for an index of
useful posts.