By Russell Gower-Leech, Technical Solutions Architect |
Published 19 Oct 2020
I was talking with a colleague the other day about
security breaches and in particular business email compromises. Just to set the
scene, a business email compromise is where a criminal (or threat actor as
they’re called in the infosec world) gets in the middle of a chain of email
communications to divert funds. There are several ways this can happen and I’ll
cover those as we go, but in this instance a user had received an email
notifying them of a change of bank details so they could pay an outstanding
invoice. The email came from a known contact and followed an existing thread.
The comment my colleague made was, “you can’t
blame the user…”. To be clear, assigning blame wasn’t his point, but it
was the use of the word ‘blame’ that got me thinking. It’s a very British thing
(and I’m sure true of other nations too), that when things go wrong, we default
to complaining and finger-pointing. We see it all the time in the media when a
big firm has an incident. We are looking out for someone dropping the ball on a
setup or not green-lighting the spend on upgrades, etc.
I always feel that this culture comes from people
either being unclear about who has what responsibilities or feeling that they
are not able to take responsibility. Cyber security is a very good example of
this. As technology is involved, those who are not technical in their role, or
who wouldn’t deem themselves ‘IT literate’, feel that the responsibility
shouldn’t include them and obviously falls to their IT team/chap/provider.
To be clear, the only person to BLAME is the criminal,
BUT we are ALL RESPONSIBLE for security – cyber or otherwise, personal or as
part of the business we work for.
Don’t agree? Well, “Let’s Play The Blame Game” (if you too have an 80s jingle and game show host voice in your head now, you’re welcome 😊) and see if I can convince you otherwise.
How can end users take responsibility for their cyber security?
Taking our earlier example of an attacker providing false banking/payment information via an e-mail, let us start with the user. Either their mailbox or the sender’s has been compromised. The most likely causes of this are:
Weak password – passwords which are not long enough or not complex enough can be cracked, sprayed or brute forced fairly easily (spraying and brute forcing work because users pick common or default passwords, which are the ones attackers try first).
No Multi Factor Authentication (MFA) enabled – I won’t bang on about MFA (again); we have a few blogs on the subject, but just know that MFA is the nearest thing to a silver bullet in account security: it can drastically reduce the likelihood of an account being compromised even if the user has a weak or re-used password (and no, that is not consent to keep terrible or re-used passwords if you have them), and it should be a staple of everyone’s day-to-day lives.
Not checking the change of account details – business e-mail compromise has become so common that a lot of businesses implement follow-up policies where they contact the sender via telephone, or seek approval from a senior member of staff, before accepting/updating banking and payment details. Assuming the business has such policies and the staff have been made aware of them, a user not observing this process is at fault.
What can businesses do better to counter cyber security breaches?
Does the business have a change control policy? – Changes to customer details, specifically financial ones, are routinely subject to a change control process to mitigate fraud. If the business did have such a policy, it needed to ensure that this was documented, imparted to the staff and ingrained into their daily processes. Depending on the systems involved, checkpoints or reminders can be automated to help ensure these policies are enforced.
Has the Business Implemented A Cyber Security Awareness Scheme? – Phishing is responsible for over 90% of all recorded breaches, which is pretty staggering when the IT spend on security increases year on year. This is because the spend is predominantly on technology, whilst phishing is a psychology-based attack. Yes, technology is involved, but the key step is convincing humans to take action: ‘update these details’, ‘click this link’, etc. So even with the best security products, these attacks are still effective because they are triggered by your users, who have trusted access to perform their job roles. Has the business in this case got a scheme in place, or did they dismiss recommendations from their IT team/partner due to costs?
Does the business have a password policy? – Good password hygiene is a staple preaching point for anyone in security and ‘hopefully’ all businesses recognise how important it is for their staff to use unique, long, complex passwords or passphrases for their accounts, and that this policy is well communicated and understood by the workforce. There’s more info on why this is important here, but essentially strong, long and complex passwords are harder to guess or crack. In a lot of cases stolen credentials are in an encrypted or hashed form, and it takes threat actors both time and resources to decode them.
Does the business have a policy to enforce MFA? – As we’ve already covered, MFA is a fantastic and simple security measure to bolster any business. It’s pretty hard to find an application or service these days which doesn’t support MFA (and 9 times out of 10 it’s free), but there is an alarming number that do not enforce its use, and an even more alarming number of businesses that haven’t investigated the MFA options for their tools or have not promoted and enabled MFA for their staff.
Has the business invested in monitoring the Dark Web? – As we’ve touched on when talking about passwords, password re-use is common and a big problem. What a lot of businesses are unaware of is that the public data breaches we hear about in the news could impact their users. Our e-mail addresses are our identity online and we tend to use the same e-mail address with multiple platforms. Naturally, we also use the same passwords as it makes it easier for us to remember. All sounds pretty logical? Well, the problem here is that our login details have a monetary value. The public breaches we see in the media typically involve harvesting credentials which are decoded/cracked and then sold on the dark web. Slightly more worrying, these credentials also end up on the dark web for free further down the line. Dark web monitoring services actively scan the dark web to locate any credentials linked to your email address. This can give businesses early warning that user credentials have been leaked and can also highlight poor password practices among staff so they can be educated on better password hygiene.
Dark Web Monitoring
With our Dark Web Monitoring solution, we keep a close eye on whether your business data is available on the Dark Web and we provide you with daily updates of any accounts that are exposed so you can take immediate action averting any threat.
Has the IT Team established a cyber security awareness training scheme? – IT departments have a responsibility to keep abreast of security trends and to bring concerns, mitigations and training to the business’ stakeholders. Behind-the-scenes work such as ensuring the health of business assets, patching, and so on should already be in place, but it needs to be joined up with keeping the user base aware of these programs, common best practices and why this is pertinent to their job role.
Has the IT Team established mailbox monitoring policies? – As email needs to be highly available and accessible, it is an obvious and possibly soft target. In common business email compromises, threat actors typically add rules to a compromised mailbox to forward copies of all emails sent and received. This gives them visibility into the user’s communications even after the password changes or MFA is rolled out. They can then spoof an email at the right time, using the right language and context, to convince a user to send funds to the wrong account. Some very simple policies which create alerts when rules are created on mailboxes, or add a banner to emails highlighting that they come from an external source, can provide an early warning of these attacks.
Has the IT Team enforced a password policy? – Most tools and services allow password policies to be enforced, stopping users setting passwords which are too short, not complex enough or a re-use of an old password. Better yet, you can actually lock accounts out after a certain number of failed logins. This latter step isn’t too popular as it has a productivity impact and can lead to more calls to the service desk, but it really should be investigated for high-value accounts, with active alerts enabled.
Has the IT Team investigated and enforced MFA within the business tools? – As I’ve mentioned, most tools and services have MFA baked in for free, others support it being bolted on, but it is typically expected to be the responsibility of the IT team to investigate the availability of MFA within the business and to push it out to users.
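To show what the mailbox-rule alerting described above (and summarised again under “Forwarding alerts” at the end of the post) looks like in practice, here is an added example that is not part of the original post or any vendor product. It scans a handful of constructed audit events, loosely modelled on the Exchange inbox-rule and mailbox cmdlet parameters (ForwardTo, RedirectTo, ForwardingSmtpAddress, DeleteMessage) but simplified, and raises a high-severity alert when a rule sends mail outside the business. The internal domain and the sample events are assumptions made up for the example.

```python
import json

# Assumption for the example: the business's own email domains.
INTERNAL_DOMAINS = {"example.com"}

# Parameters on inbox-rule / mailbox changes that send mail elsewhere.
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress")
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

# Constructed sample audit events (one JSON object per line), loosely modelled
# on a mailbox audit log and simplified; they are not real log data.
SAMPLE_LOG = r'''
{"CreationTime":"2020-10-19T08:02:11","UserId":"finance@example.com","Operation":"New-InboxRule","Parameters":[{"Name":"Name","Value":"Invoices"},{"Name":"SubjectContainsWords","Value":"invoice"},{"Name":"MoveToFolder","Value":"Invoices"}]}
{"CreationTime":"2020-10-19T08:05:40","UserId":"finance@example.com","Operation":"New-InboxRule","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"fin.dept.mailbox@outlook-mail.example"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2020-10-19T09:15:02","UserId":"ceo@example.com","Operation":"Set-Mailbox","Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:assistant@example.com"}]}
{"CreationTime":"2020-10-19T09:20:00","UserId":"hr@example.com","Operation":"Set-InboxRule","Parameters":[{"Name":"Identity","Value":"Reports"},{"Name":"RedirectTo","Value":"reports@example.com"}]}
'''


def _domain(address):
    """Domain part of an address, tolerating the 'smtp:' prefix Exchange uses."""
    return address.split(":", 1)[-1].rsplit("@", 1)[-1].lower()


def assess_event(event):
    """Return an alert dict if the event creates or changes forwarding, else None."""
    if event.get("Operation") not in RULE_OPERATIONS:
        return None
    params = {p["Name"]: p["Value"] for p in event.get("Parameters", [])}
    targets = [params[k] for k in FORWARDING_PARAMS if k in params]
    if not targets:
        return None  # a rule that only moves or categorises mail is not interesting here
    external = [t for t in targets if _domain(t) not in INTERNAL_DOMAINS]
    reasons = []
    if external:
        reasons.append("forwards to external address(es): " + ", ".join(external))
    else:
        reasons.append("forwards only within the business: " + ", ".join(targets))
    if str(params.get("DeleteMessage", "")).lower() == "true":
        reasons.append("deletes the original, hiding the forward from the mailbox owner")
    name = params.get("Name")
    if name is not None and len(name.strip()) <= 1:
        reasons.append("rule name is blank or a single character")
    return {
        "time": event.get("CreationTime"),
        "user": event.get("UserId"),
        "operation": event["Operation"],
        "severity": "high" if external else "low",
        "reasons": reasons,
    }


def scan(log_text):
    """Parse newline-delimited JSON events and return alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        alert = assess_event(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["severity"].upper(), alert["user"], alert["operation"],
              "; ".join(alert["reasons"]))
```

Internal forwarding is reported at low severity rather than dropped, because a manager or DPO reviewing the alerts can confirm with the user that the rule is genuine; the external forward with a blank rule name and delete-message set is the pattern the post describes and comes out as the only high-severity alert.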
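The password policy and lockout controls above are easier to reason about with a concrete implementation in front of you, so here is an added example (not code from the original post or from any product it mentions). It checks a candidate password for length, character classes, membership in a small constructed list of common passwords and reuse against the account’s salted password history, and locks the account after a fixed number of failed logins. The thresholds, the common-password list and the Account class are all assumptions for the example.

```python
import hashlib
import secrets

# Assumed policy thresholds for the example; a real policy would set its own.
MIN_LENGTH = 12
REQUIRED_CLASSES = 3      # out of: lower, upper, digit, symbol
HISTORY_SIZE = 5          # previous passwords that may not be reused
LOCKOUT_THRESHOLD = 5     # failed logins before the account locks

# Constructed sample; a real deployment would use a breach-derived list.
COMMON_PASSWORDS = {"password", "password1", "welcome1", "summer2020", "qwerty123"}


def _hash(password, salt):
    """Salted PBKDF2 so stored and historical passwords are never kept in the clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def check_policy(candidate, history):
    """Return a list of violations (empty means acceptable).
    history is a list of (salt, digest) tuples for the account's previous passwords."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum([
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(not c.isalnum() for c in candidate),
    ])
    if classes < REQUIRED_CLASSES:
        problems.append(f"uses {classes} character classes, needs {REQUIRED_CLASSES}")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    for salt, digest in history[-HISTORY_SIZE:]:
        if secrets.compare_digest(_hash(candidate, salt), digest):
            problems.append(f"reuses one of the last {HISTORY_SIZE} passwords")
            break
    return problems


class Account:
    """Hypothetical account record: stores only a salted hash, counts failures, locks out."""

    def __init__(self, password):
        self.salt = secrets.token_bytes(16)
        self.digest = _hash(password, self.salt)
        self.history = [(self.salt, self.digest)]
        self.failed = 0
        self.locked = False

    def login(self, password):
        if self.locked:
            return "locked"
        if secrets.compare_digest(_hash(password, self.salt), self.digest):
            self.failed = 0
            return "ok"
        self.failed += 1
        if self.failed >= LOCKOUT_THRESHOLD:
            self.locked = True   # this is the point to raise an alert to the service desk
            return "locked"
        return "denied"

    def change_password(self, new_password):
        """Apply the policy; on success rotate the salt and extend the history."""
        problems = check_policy(new_password, self.history)
        if problems:
            return problems
        self.salt = secrets.token_bytes(16)
        self.digest = _hash(new_password, self.salt)
        self.history.append((self.salt, self.digest))
        return []
```

The reuse check hashes the candidate with each historical salt rather than storing old passwords, so the history itself is no more sensitive than the live credential. The lockout counter resets on a successful login, which keeps a genuine user from being locked out by one earlier typo.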
What have we learned?
We can see there is plenty of ‘blame’ to go around, but what have we achieved
in this exercise? Well, we’ve alienated and undermined our co-workers, business
partners and friends. Pat on the back 👍.
But we haven’t fixed the actual issue. This security incident still occurred
and we have certainly made preventing it in the future that much harder as
nobody is talking to anybody anymore.
What we’ve also highlighted here is that the same topics come up across all three parties,
so we’ve confirmed my assertion that security is everyone’s responsibility and
everyone has a valuable part to play.
When we play “The Blame Game”, everyone involved is a loser.
What should we be doing?
We should take on board that these issues/incidents are happening to others and,
before they happen to us, start conversations with team leaders, business
heads, IT and HR to establish what simple changes can be made to mitigate them.
There are always tweaks we can make and buying technology isn’t always the
answer. Changes will likely include technology, process changes and training
(forewarned is forearmed!) and they are most effective when they are all used
together and the people involved feel involved.
I have to point out things will never be perfect and even with every piece of
tech and process in place you can still suffer an incident, but it would take
considerable time and effort on the part of the criminal to get past everything
so it’s very unlikely.
With all this in mind, below is a summary of things which should be considered and discussed within your business:
Password policies – Ensure that users are aware of why good passwords are so important, and have business policies in place which are supported/enforced within IT wherever possible.
MFA – Ensure that users are aware of why MFA is so important and have business policies in place stipulating its use. Ensure these policies are supported/enforced within the IT wherever possible and most importantly take consideration of the user experience and ensure you have the minimum number of MFA solutions/services and that their use is quick and simple for staff.
Email banners – Implement coloured banners within emails which highlight the fact they have come from outside the business and remind staff to be vigilant when responding or clicking links. Remember, emails from your internal staff will never be tagged, so if you are getting requests from accounts or business directors which are flagged with the banner, raise the alarm.
Forwarding alerts – Enable mailbox monitoring to create alerts as forwarding rules are created. These should go to the business’ Data Protection Officer (DPO) or someone similarly senior so they can check with the staff involved that these rules are genuine or flag them to IT for further investigation.
Phishing awareness training – Implement a Phishing awareness training scheme. It may sound odd, but actively phishing your staff with safe links that direct them to corrective training material raises awareness so the staff can avoid real threats and also identify possible training opportunities within the business.
Dark web monitoring – Set up a dark web monitoring program to actively seek out leaked credentials. This can provide an invaluable early warning system to protect the business and your staff as individuals.
Change control processes – Wherever required (typically where money and valuable info is involved), establish a change control process and make sure staff are informed. It is very simple, low-tech, but can thwart most business email compromises.
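The “Email banners” item above is simple to automate, and the post’s advice that a banner on mail apparently from your own directors should raise the alarm can be automated too. The following is an added example, not part of the original post or any mail product: it parses a message with Python’s standard email library, prepends a banner when the From address is outside the business, and flags a display name that matches a protected internal name or a Reply-To on a different domain. The internal domain, the protected names and the two sample messages are constructed for the example, and it handles only single-part text messages.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumptions for the example: the business's own domains and the display
# names of staff most likely to be impersonated in payment requests.
INTERNAL_DOMAINS = {"example.com"}
PROTECTED_NAMES = {"jane director", "accounts payable"}
BANNER = ("[EXTERNAL] This email came from outside the business. "
          "Be vigilant with links, attachments and payment requests.\n\n")


def classify(msg):
    """Return flags for a parsed message; an empty list means internal and unremarkable."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    flags = []
    if domain not in INTERNAL_DOMAINS:
        flags.append("external")
        if name.strip().lower() in PROTECTED_NAMES:
            flags.append("impersonates-internal-name")   # banner plus a familiar name: raise the alarm
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != domain:
        flags.append("reply-to-mismatch")
    return flags


def tag_external(raw):
    """Parse a raw message; add the banner to external single-part text mail."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = classify(msg)
    if "external" in flags and msg.get_content_type() == "text/plain":
        msg.set_content(BANNER + msg.get_content())
    return msg, flags


# Constructed sample messages; the sender domains are made up.
EXTERNAL_MSG = """From: "Jane Director" <jane.director@example-mail.test>
To: finance@example.com
Subject: Urgent: updated bank details for invoice 4471

Please use the new account details attached before paying today.
"""

INTERNAL_MSG = """From: Bob Accounts <bob@example.com>
To: finance@example.com
Subject: Weekly invoice run

Attached is the usual list for this week.
"""

if __name__ == "__main__":
    for raw in (EXTERNAL_MSG, INTERNAL_MSG):
        msg, flags = tag_external(raw)
        print(flags, "|", msg.get_content().splitlines()[0])
```

Internal mail never receives the banner, which is exactly what makes a banner on a message signed by a director meaningful: the combination of the “external” and “impersonates-internal-name” flags is the case the post says should be escalated rather than acted on.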