The state of cyber security – and the writing on the wall
The 2016 Democratic National Committee email leak was a fundamental shift – a game-changer that wreaked havoc across the US political landscape and reminded people of the criticality of data stored in our inboxes and the large-scale impact of a possible breach.
For organizations, businesses, and individuals using email for high-value conversations/transactions, email security has never been so important.
Interestingly, intrinsic human curiosity remains a crippling factor. A study asked participants if they were aware of mails eliciting personal data; 78% said YES. Yet 45% clicked the mock spam message presented, while a large segment (nearly 80%) chose not to report their error.
Add budgetary and fiscal constraints to these common user slip-ups, and even past victims tend to think twice before investing in protection. Over half of the organizations that dealt with attacks in 2016 said they expected cyber security budgets to stay the same (or even decrease) in the following year.
In the wake of Equifax’s large-scale attack that left thousands of entities (both firms and people) exposed and unprotected last year, it’s essential to know what lies ahead.
Is 2018, then, the watershed when it all turns around?
1. Be secure against Ransomware attacks
Usually delivered via email, these applications encrypt user data and demand a ransom to recover it. They often pose as harmless, even necessary, software updates; NotPetya, for example, began as an update for Ukrainian tax software. While they can be delivered over other channels (flash drives, for instance), email remains the most popular.
Between 2015 and 2016, the number of ransomware attacks spiked by a staggering 6000% and the virulent pace carried into 2017 – in Q3 of last year, 64% of all malicious emails contained ransomware.
During this period, NotPetya cost pharmaceutical giant Merck over USD 300 million in ransom.
Unfortunately, in the absence of rigorous security, companies are forced to absorb these costs because they need to protect irreplaceable and vital data.
2. Keep an eye out for Phishing mails
Emails can carry links to malicious websites, and phishing takes this rudimentary form to a more sophisticated level, using psychological manipulation and mimicking correspondents the user knows and trusts. The mails may contain embedded links, or even carry attachments that redirect to phishing sites.
Users are ‘baited’ to divulge sensitive information like login details or credit & debit card data. What’s most risky, here, is that the mails can expertly recreate the look and feel of a familiar sender. In January 2018, several Netflix customers received a mail, allegedly from the global streaming service provider with whom they have legitimate subscriptions.
The mail used Netflix’s logo and color palette and asked users to reauthenticate their payment details. Once these were entered into the fraudulent website’s database (to be sold later), the user was redirected to the genuine Netflix site.
Companies with a sizable customer base continue to be at risk, making it imperative to strengthen networks, and for individuals to be increasingly vigilant about mail origins.
3. Prepare for Man-in-the-Middle (MiTM) threats
Cybercriminals can ‘insert’ themselves between the user and the application, browser, or service in use. This lets the perpetrator impersonate the victim, receive mails on their behalf, manipulate interactions, and potentially capture personal data.
While this sounds complex on paper, the on-ground reality is far simpler – and worrisome. Hacker communities (ethical or otherwise) regularly release ready-to-use tools that make MiTM attacks easy to execute, like Archimedes published in May 2017.
These applications use existing vulnerabilities to compromise networks. Last year, an attack exploited the simple fact that an organization hadn’t changed its DNS settings and password since 2013.
The safeguards went into action relatively early, limiting the attack to a mere 10 hours and 24 minutes. But decentralized distribution on the internet meant the breach wasn’t entirely contained: the specifics of the mails intercepted in that period could not be identified.
4. Warn stakeholders against Business Email Compromise (BEC), or ‘Whaling’
Technically a kind of phishing, BEC threats generally seek the ‘big fish’ (or whale) in the organization: the CEO, COO, or other white-collar executives, managers in strategic positions, or senior employees with access to critical, all-important details.
This makes whaling attacks even more severe – attackers know all about the victim, have insights into the company, and know exactly how to implement the pernicious plan. The CFO of Leoni AG, Europe’s biggest wires and electrical cables manufacturer, fell prey to a BEC mail in 2016.
The company lost USD 44.6 million as a result, and share value witnessed a 5-7% dip after the attack went public.
Clearly, the power of targeted whaling can’t be ignored, and executives relying on traditional spam filters make matters worse. In this case, the mail factored in Leoni’s internal protocols for money transfers and hit the only factory authorized to make transactions. This level of specificity renders such mails invisible to standard security tools.
As Whaling numbers hit an all-time high, 2018 must introduce robust procedures, dedicated security solutions, and a new generation of professionals, always on the alert.
5. Scan frequently for Keyloggers
Applications that track keystrokes can effectively record everything the user types: login IDs, personal mails, passwords, credit card numbers, and contact information. The possibilities are virtually limitless.
Conventionally, keyloggers are sent via links or attachments. However, cybercriminals are adapting to a breed of savvy, more cautious tech users and are ever ready with new, strategic tactics.
A US bank fell victim to an attack in which the keylogger was embedded in a Word document. Word documents containing macros can execute commands from the document itself, but they are detectable via spam filters. That is why, in this case, the file carried a Visual Basic Script file masquerading as an image; once the user clicks on it, the keylogger comes into play.
.doc files are a common attachment format, and unlike .exe or .nfo files, rouse little suspicion. Banks continue to be popular targets, given their fiscal stature as well as their vast, sensitive databases.
Only stringent, regular monitoring can prevent these applications from flying under the radar.
Not ‘if’ but ‘when’: Are organizations sufficiently equipped?
As ‘Digital Transformation’ gathers further momentum (and complexity), with more functions, industries, and involvement hierarchies coming into the loop, risks once prevalent amongst only the upper echelon, now span larger and diverse target groups.
Simultaneously, prevention and a change in protocol are in the works: in May of this year the EU rolls out a piece of legislation that will alter how data is handled across the globe, as the GDPR brings every piece of information users share under regulation.
Email solutions, messaging structures, and data governance will obviously need a complete rethink.
Having said that, the threat of cyber attacks via email could take on all-new avatars in 2018. Hackers continue to mutate and evolve in tandem with rising awareness and tightening regulations.
For a truly impenetrable ‘firewall’, it’s important to get down to brass tacks and ensure that email is protected at multiple layers to mitigate risks and improve resilience.
Two strategies together provide cyber resilience for the email platform. The first ensures clean input by using robust, up-to-date email security at the gateway, which scans every mail and checks it deeply for any kind of infection before passing it to the user or quarantining it. The second ensures that a copy of every mail is made, in transit, to an alternate infrastructure.
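As an added illustration of the gateway-side scan-then-pass-or-quarantine step described above, and of the disguised-script attachment from the keylogger case in section 5, here is a small Python scanner that walks a constructed message's attachments and quarantines mail whose attachment carries a script extension behind an image name or an image content type. This is example code written for this page, not the author's or any vendor's product; the extension lists, the verdict logic and the sample message are assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed lists: extensions a gateway would treat as executable script content,
# and image extensions attackers like to put in front of them.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1",
                     ".bat", ".cmd", ".exe", ".scr", ".hta"}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}


def attachment_findings(raw_message: bytes) -> list:
    """Return (filename, reason) tuples for attachments that look like scripts
    disguised as images, e.g. 'scan.jpg.vbs' or a .vbs part declared image/jpeg."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:               # body parts and containers carry no filename
            continue
        lowered = name.lower()
        ext = "." + lowered.rsplit(".", 1)[-1] if "." in lowered else ""
        if ext not in SCRIPT_EXTENSIONS:
            continue
        stem = lowered[: -len(ext)]
        inner = "." + stem.rsplit(".", 1)[-1] if "." in stem else ""
        if inner in IMAGE_EXTENSIONS:
            findings.append((name, "image name with script extension"))
        elif part.get_content_type().startswith("image/"):
            findings.append((name, "script declared as image content-type"))
        else:
            findings.append((name, "script attachment"))
    return findings


def gateway_verdict(raw_message: bytes) -> str:
    """Gateway decision: quarantine on any finding, otherwise pass to the user."""
    return "quarantine" if attachment_findings(raw_message) else "pass"


def build_sample(filename: str) -> bytes:
    """Constructed sample mail (not a real capture) with one attachment that is
    always declared as image/jpeg, whatever name the sender gives it."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Invoice scan"
    msg.set_content("Please see the attached scan.")
    msg.add_attachment(b"not-really-an-image", maintype="image",
                       subtype="jpeg", filename=filename)
    return msg.as_bytes()
```

A production gateway would also compare the declared type against the attachment's magic bytes and inspect archives and Office documents for embedded objects; this block only shows the name-versus-type check.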
Besides deploying a cyber resilience strategy, a culture of prevention, regular sweeps for early detection, and a rapid response mechanism could be the way forward for organizations.