Phishing Trilogy Part 2: A multi-layered defence

By Emily Wang

This is Part Two of the Phishing Trilogy; read Part One here.

Part 1 of this trilogy, “From awareness to habits”, showed how modifying habits can help to combat phishing attacks. However, it is unrealistic to expect that no-one will click on a malicious link simply because people’s email behaviour has changed. In fact, some argue that a “Zero Click” goal is harmful (Spitzner, 2017). It doesn’t matter how much training is provided; people will make mistakes.

This is evident from many of our phishing simulation reports, where a few people ignored the education page after they fell for a simulated phishing email. They realised their mistake as soon as they clicked on the link and, as a reflex, immediately closed whatever popped up. This doesn’t in itself show that awareness training is futile; like many other defensive tools, awareness training should be used to reduce risk even though it cannot completely eradicate it.

The three pillars

Let us not forget about the three pillars of cybersecurity, namely people, process and technology. Using them together is like building a 3-legged stool. If any of the legs are too short, it will cause an imbalance.

Google recently announced that none of their 85,000+ employees have been phished since early 2017 (Krebs, 2018). What is their secret? Google requires all staff to use security keys to log in. A security key is an inexpensive USB-based device that supplies the second factor of a two-factor login: the user logs in with something they know (their password) and something they have (their security key). This is called “2-factor authentication”. It is a good example of supporting a person with technology and process measures, or, as security experts like to call it, defence in depth.

A multi-layered approach

The NCSC guidance (National Cyber Security Centre, 2018) splits the mitigations into four layers:

  • Layer 1: Make it difficult for attackers to reach your users
  • Layer 2: Help users identify and report suspected phishing emails
  • Layer 3: Protect your organisation from the effects of undetected phishing emails
  • Layer 4: Respond quickly to incidents

Taking layer 1 as an example, here is how we can defend ourselves from all three angles:

Many controls can be placed in your organisation at different layers. To implement countermeasures holistically, we need to consider your organisation’s constraints and what is suitable for your employees. At Datacom, we look at how to help customers reduce risk across all six areas. Importantly though:

Don’t wait until it’s too late and don’t rely on just one defence mechanism.

For more details on phishing and user awareness, contact Emily Wang or the Cybersecurity Advisory Practice.

References

Krebs, B. (2018). Google: Security Keys Neutralized Employee Phishing. Retrieved from https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/

National Cyber Security Centre. (2018). Phishing attacks: defending your organisation. Retrieved from https://www.ncsc.gov.uk/phishing

Spitzner, L. (2017). Why a Phishing Click Rate of 0% is Bad. SANS Security Awareness. Retrieved November 18, 2018, from https://www.sans.org/security-awareness-training/blog/why-phishing-click-rate-0-bad

Being Short-staffed is No Excuse for Mishandling IT Governance and Security

In the 2012 Governance of Enterprise IT (GEIT) Survey by the Information Systems Audit and Control Association (ISACA), organisations in the Asia-Pacific region reported a higher annual incidence of security breaches than the global average and a considerable shortage of IT staff.

The implication apparent to anyone who reads this information is that without enough IT support, organisations can’t get a grip on security. Adopting this mindset that security is only as good as the number of IT staff you have, however, is risky and may give a false sense of security to an organisation. Businesses do not need to pay more IT staff salaries to effectively enforce security across the workplace. Rather, they can approach increasing security awareness from two angles. First, they can develop meaningful business policies all employees are able to embrace and understand to further the cause of improved security. Second, organisations need to be able to leverage the right outside help to consult them on the best security approach to suit their specific business.

Setting effective policies

According to ISACA’s survey, most organisations expect the second most likely network security threat in the coming year to be caused by an employee mistake. Yet many of these organisations have no set security policies outlining what exactly employees should or shouldn’t do to avoid compromising security. Changing employees’ behaviour doesn’t begin with hiring more IT staff to enforce security — it begins with enforcing effective user policies across the business.

Organisations can define user policies based on organisation-wide, departmental or individual risk profiles to determine who should have access to which data, networks and systems, and what types of web sites and applications can be used on different devices. If you allow BYOD, you should have a list of approved apps. If you use a cloud computing service, you should have a list of who can access it and who can’t. You should also consider providing lists of banned web sites and guidance on which corporate data can be accessed via VPN when employees are offsite.

Once you’ve established what employees should be able to do and have access to, you can then set the procedures for maintaining security and for determining what happens in the event of compromised systems, devices or data. Consistent education for current and new employees will help your newly defined security policies and procedures become ingrained in the culture. Security awareness should be a part of every employee’s induction, where practical examples are used to demonstrate why policy, procedures and good security practices are necessary. Ensuring employees know who or where to go for meaningful security advice and guidance is also useful. Security refresher workshops should be conducted annually for all employees and updated to reflect the changing threat landscape.

Enlisting the help of outside experts

It is unlikely you can invest enough money to completely secure yourself if you are connected to the Internet and external networks. So you need to understand how to make sure every dollar is spent wisely to get the best value from your security investment. Seek independent advice from a product-neutral expert — even better if it’s a consultant or company with a background in high-level cyber security in areas such as government.

This advice will help you understand your security posture and keep up to date on its evolution, independently of specific security products that might not fully protect your organisation. An independent security review can help organisations deep-dive into their security architecture to get an objective view of their needs and identify gaps. This type of customised, independent advice might also include certain tests, such as vulnerability or penetration testing, to check that you really are protected from the latest cyber threats.

Remember that no one single person will be able to cover your organisation’s attack surface and the entire threat landscape. Rather than worry that you don’t have enough IT staff in place, draw upon your current department resources to help draft and enforce policy and educate employees. Remember, too, that drawing upon external advice can help your organisation get the overall security picture it needs to prevent future threats.

Guarding Against Cyber Attack: The Priceless Value of Independent Security Advice

Hacking and cyber attack strategies have become increasingly sophisticated due to more cutting-edge approaches to seizing critical data. As a consequence, it has become nearly impossible for companies to spend enough money to properly protect themselves from all cyber attacks.

For instance, NASA spends approximately $58 million for IT security, yet in 2010 and 2011, it reported 5,408 computer security incidents that resulted in the installation of malicious software on or unauthorised access to its systems. In FY2011, NASA was the victim of 47 APT cyber attacks, 13 of which successfully compromised Agency computers. In one of the successful attacks, hacking intruders stole user credentials for more than 150 NASA employees — credentials that could have been used to gain unauthorised access to NASA systems.

It’s clear that throwing money at the problem of enterprise security doesn’t necessarily better protect an organisation from hacking and cyber attacks. What can help is an independent enterprise security evaluation that detects an organisation’s cyber attack vulnerabilities and suggests tailored enterprise security tools, not big-box solutions. Steps in such an evaluation may include the three discussed below:

1. Initial Enterprise Security Posture Snapshot: Enterprise security posture snapshots analyse a company’s cultural, technical and strategic security issues, making it simpler to identify its specific needs and outline an appropriate enterprise security roadmap. The posture also includes an assessment of the organisation’s IT systems in terms of data availability, confidentiality and integrity. Lacking this enterprise security self-awareness has its consequences.

In 2011, website hosting company Distribute.IT’s systems fell victim to hacking, sending 4,800 domains offline and wiping all of the provider’s backup resources. Many of these domains belonged to small retailers, plenty of whom had never assessed their own enterprise security postures and had no foresight as to what could happen should their web hosting service go down completely. 

2. Red- and Blue-Teaming Exercises: In a Red Team exercise, simulated external cyber attacks are performed on the client’s systems without the prior knowledge of IT administrators. The hacking is done safely, securely and in a controlled manner; its main purpose is to identify how easily the client’s systems can be penetrated. The Blue Team event then looks at cyber attack vulnerabilities from the inside out, identifying deployed technologies and assessing them against known hacking threats. From here, businesses can implement defences that block real hacking and cyber attacks and seal up any points of weakness.

3. Remediation Exercises: During this phase, enterprise security providers will propose tailored services that address a company’s specific security requirements and its cyber attack and hacking vulnerabilities. Because hacking continually occurs via new entry points to breach data systems — from mobile devices to credit card machines — a single solution is not enough. While it is tempting to take the advice of well-known providers at face value, branded products don’t always equate to comprehensive protection from cyber attacks and hacking. In the world of enterprise security, relying on a custom mix of tools creates a stronger, safer foundation for guarding against hacking and cyber attacks.

In the evolving world of cyber attacks, hacking and advanced persistent threats, the smartest organisations not only understand what threats exist, but also have a keen perception of their own IT systems and the improvements they need to prevent enterprise security disasters. These organisations understand that threats continue to evolve and that enterprise security simply cannot be a set-and-forget activity. Keeping up with ever-evolving cyber attack and hacking threats is almost impossible for an organisation to resource internally, as its people are unlikely to be sufficiently exposed to the changing threat landscape. Expert, independent, external advice is a practical and cost-effective mechanism for gaining valuable insight into your organisation’s cyber attack vulnerability.