GDPR

Featured Article – Proposed New UK Law To Cover IoT Security

The UK government’s Department for Digital, Culture, Media and Sport (DCMS), has announced that it will soon be preparing new legislation to enforce new standards that will protect users of IoT devices from known hacking and spying risks.

IoT Household Gadgets

This commitment to legislate leads on from last year’s proposal by then Digital Minister Margot James and follows a seven-month consultation with GCHQ’s National Cyber Security Centre, and with stakeholders including manufacturers, retailers, and academics.

The proposed new legislation will improve digital protection for users of a growing number of smart household devices (devices with an Internet connection) that are broadly grouped together as the ‘Internet of Things’ (IoT).  These gadgets, of which there is an estimated 14 billion+ worldwide (Gartner), include kitchen appliances and gadgets, connected TVs, smart speakers, home security cameras, baby monitors and more.

In business settings, IoT devices can include elevators, doors, or whole heating and fire safety systems in office buildings.

What Are The Risks?

The risks are that the Internet connection in IoT devices can, if adequate security measures are not in place, provide a way in for hackers to steal personal data, spy on users in their own homes, or remotely take control of devices in order to misuse them.

Default Passwords and Link To Major Utilities

The main security issue of many of these devices is that they have pre-set, default unchangeable passwords, and once these passwords have been discovered by cyber-criminals, the IoT devices are wide open to being tampered with and misused.

Also, IoT devices are deployed in many systems that link to and are supplied by major utilities e.g. smart meters in homes. This means that a large-scale attack on these IoT systems could affect the economy.

Examples

Real-life examples of the kind of IoT hacking that the new legislation will seek to prevent include:

– Hackers talking to a young girl in her bedroom via a ‘Ring’ home security camera (Mississippi, December 2019).  In the same month, a Florida family were subjected to vocal, racial abuse in their own home and subjected to a loud alarm blast after a hacker took over their ‘Ring’ security system without permission.

– In May 2018, A US woman reported that a private home conversation had been recorded by her Amazon’s voice assistant, and then sent it to a random phone contact who happened to be her husband’s employee.

– Back in 2017, researchers discovered that a sex toy with an in-built camera could also be hacked.

– In October 2016, the ‘Mirai’ attack used thousands of household IoT devices as a botnet to launch an online distributed denial of service (DDoS) attack (on the DNS service ‘Dyn’) with global consequences.

New Legislation

The proposed new legislation will be intended to put pressure on manufacturers to ensure that:

– All internet-enabled devices have a unique password and not a default one.

– There is a public point of contact for the reporting of any vulnerabilities in IoT products.

– The minimum length of time that a device will receive security updates is clearly stated.

Challenges

Even though legislation could make manufacturers try harder to make IoT devices more secure, technical experts and commentators have pointed out that there are many challenges to making internet-enabled/smart devices secure because:

  • Adding security to household internet-enabled ‘commodity’ items costs money. This would have to be passed on to the customer in higher prices, but this would mean that the price would not be competitive. Therefore, it may be that security is being sacrificed to keep costs down-sell now and worry about security later.
  • Even if there is a security problem in a device, the firmware (the device’s software) is not always easy to update. There are also costs involved in doing so which manufacturers of lower-end devices may not be willing to incur.
  • With devices which are typically infrequent and long-lasting purchases e.g. white goods, we tend to keep them until they stop working, and we are unlikely to replace them because they have a security vulnerability that is not fully understood. As such, these devices are likely to remain available to be used by cyber-criminals for a long time.

Looking Ahead

Introducing legislation that only requires manufacturers to make relatively simple changes to make sure that smart devices come with unique passwords and are adequately labelled with safety and contact information sounds as though it shouldn’t be too costly or difficult.  The pressure of having to display a label, by law, that indicates how safe the item is, could provide that extra motivation for manufacturers to make the changes and could be very helpful for security-conscious consumers.

The motivation for manufacturers to make the changes to the IoT devices will be even greater if faced with the prospect of retailers eventually being barred from selling products that don’t have a label, as was originally planned for the proposed legislation.

The hope from cyber-security experts and commentators is that the proposed new legislation won’t be watered down before it becomes law.

Police Images of Serious Offenders Reportedly Shared With Private Landlord For Facial Recognition Trial

There have been calls for government intervention after it was alleged that South Yorkshire Police shared its images of serious offenders with a private landlord (Meadowhall shopping centre in Sheffield) as part of a live facial recognition trial.

The Facial Trial

The alleged details of the image-sharing for the trial were brought to the attention of the public by the BBC radio programme File on 4, and by privacy group Big Brother Watch.

It has been reported that the Meadowhall shopping centre’s facial recognition trial ran for four weeks between January and March 2018 and that no signs warning visitors that facial recognition was in use were displayed. The owner of Meadowhall shopping centre is reported as saying (last August) that the data from the facial recognition trial was “deleted immediately” after the trial ended. It has also been reported that the police have confirmed that they supported the trial.

Questions

The disclosure has prompted some commentators to question not only the ethical and legal perspective of not just holding public facial recognition trials without displaying signs but also of the police allegedly sharing photos of criminals (presumably from their own records) with a private landlord.

The UK Home Office’s Surveillance Camera Code of Practice, however, does appear to support the use of facial recognition or other biometric characteristic recognition systems if their use is “clearly justified and proportionate.”

Other Shopping Centres

Other facial recognition trials in shopping centres and public shopping areas have been met with a negative response too.  For example, the halting of a trial at the Trafford Centre shopping mall in Manchester in 2018, and with the Kings Cross facial recognition trial (between May 2016 and March 2018) which is still the subject of an ICO investigation.

Met Rolling Out Facial Recognition Anyway

Meanwhile, and despite a warning from Elizabeth Denham, the UK’s Information Commissioner, back in November, the Metropolitan Police has announced it will be going ahead with its plans to use live facial recognition cameras on an operational basis for the first time on London’s streets to find suspects wanted for serious or violent crime. Also, it has been reported that South Wales Police will be going ahead in the Spring with a trial of body-worn facial recognition cameras.

EU – No Ban

Even though many privacy campaigners were hoping that the EC would push for a ban on the use of facial recognition in public spaces for up to five years while new regulations for its use are put in place, Reuters has reported that The European Union has now scrapped any possibility of a ban on facial recognition technology in public spaces.

Facebook Pays

Meanwhile, Facebook has just announced that it will pay £421m to a group of Facebook users in Illinois, who argued that its facial recognition tool violated the state’s privacy laws.

What Does This Mean For Your Business?

Most people would accept that facial recognition could be a helpful tool in fighting crime, saving costs, and catching known criminals more quickly and that this would be of benefit to businesses and individuals. The challenge, however, is that despite ICO investigations and calls for caution, and despite problems that the technology is known to have e.g. being inaccurate and showing a bias (being better at identifying white and male faces), not to mention its impact on privacy, the police appear to be pushing ahead with its use anyway.  For privacy campaigners and others, this may give the impression that their real concerns (many of which are shared by the ICO) are being pushed aside in an apparent rush to get the technology rolled out. It appears to many that the use of the technology is happening before any of the major problems with it have been resolved and before there has been a proper debate or the introduction of an up-to-date statutory law and code of practice for the technology.

Avast Anti-Virus Is To Close Subsidiary Jumpshot After Browsing Data Selling Privacy Concerns

Avast, the Anti-virus company, has announced that it will not be providing any more data to, and will be commencing “a wind down” of its subsidiary Jumpshot Inc after a report that it was selling supposedly anonymised data to advertiser third parties that could be linked to individuals.

Jumpshot Inc.

Jumpshot Inc, founded in 2010, purchased by Avast in 2013, and operated as a data company since 2015 essentially organises and sells packaged data, that has been gathered from Avast, to enterprise clients and marketers as marketing intelligence.

Avast anti-virus incorporates a plugin that has, until now, enabled subsidiary Junpshot to scrape/gain access to that data which Jumpshot could sell to (mainly bigger) third party buyers so that they can learn what consumers are buying and where thereby helping with targeting their advertising.

Avast is reported to have access to data from 100 million devices, including PCs and phones.

Investigation Findings

The reason why Avast has, very quickly, decided to ‘wind down’ i.e. close Jumpshot is that the report of an investigation by Motherboard and PCMag revealed that Avast appeared to be harvesting users’ browser histories with the promise (to those who opted-in to data sharing) that the data would be ‘de-identified,’ ( to protect user privacy), whereas what actually appeared to be happening was that the data, which was being sold to third parties, could be linked back to people’s real identities, thereby potentially exposing every click and search they made.

When De-Identification Fails

As reported by PCMag, the inclusion of timestamp information and persistent device IDs with the collected URLs of user clicks, in this case, could, in fact, be analysed to expose someone’s identity.  This could, in theory, mean that the data taken from Avast and supplied via subsidiary Jumpshot to third parties may not be de-identified, and could, therefore, pose a privacy risk to those Avast users.

What Does This Mean For Your Business?

As an anti-virus company, security and privacy are essential elements of Avast’s products and customer trust is vital to its brand and its image. Some users may be surprised that their supposedly ‘de-identified’ data was being sold to third parties anyway, but with a now widely-reported privacy risk of this kind and the potential damage that it could do to Avast’s brand and reputation, it is perhaps no surprise that is has acted quickly in closing Jumphot and distancing itself from what was happening. As Avast says in its announcement about the impending closure of Jumpshot (with the loss of many jobs) “The bottom line is that any practices that jeopardize user trust are unacceptable to Avast”.  PCMag has reported that it has been informed by Avast that the company will no longer be using any data from the browser extensions for any other purpose than the core security engine.

Featured Article – ‘Snake’ Ransomware, A Threat To Your Whole Network

Over the last couple of weeks, there have been reports of a new type of ransomware known as ‘Snake’ which can encrypt all the files stored on your computer network and on all the connected devices.

Discovered

Snake ransomware is so-called because it is the reverse order spelling of the ‘ekans’ file marker that it attaches to each file that it encrypts.  It was discovered by the MalwareHunterTeam and studied in detail by Vitali Kremez who is the Head of SentinelLabs and who describes himself as an “Ethical Hacker”, “Reverse Engineer” and “Threat Seeker”.

How Does It Infect Your Network?

Snake can be introduced to a computer network in infected email attachments (macros) e.g. phishing emails with attached Office or PDF documents, RAR or ZIP files, .exe files, JavaScript files, Trojans, torrent websites, unpatched public-facing software and malicious ads.

How Does Snake Operate?

As ransomware, the ultimate goal of the cybercriminals who are targeting (mainly) businesses with Snake is to lock away (through encryption) important files in order to force the victim to pay a ransom in order to release those files, with the hope of restoring systems to normal as the motivator to pay.

In the case of Snake, which is written in Go (also known as Golang), an open-source programming language that’s syntactically similar to C and provides cross-platform support, once it is introduced to an operating system e.g. after arriving in an email, it operates the following way:

– Firstly, Snake removes Shadow Volume Copies (backup copies or snapshots of files) and stops processes related to SCADA Systems (the supervisory control and data acquisition system that’s used for gathering and analysing real-time data). Snake also stops any Virtual Machines, Industrial Control Systems, Remote Management Tools, and Network Management Software.

– Next, Snake (relatively slowly) uses powerful AES-256 and RSA-2048 cryptographic algorithms to encrypt files and folders across the whole network and on all connected devices, while skipping files in the Windows system folders and system files.

– As part of the encryption process, and unlike other ransomware, Snake adds a random five-character string as a suffix to file extension names e.g. myfile.jpg becomes myfile.jpgBGyWl. Also, an “EKANS” file marker is added to each encrypted file.

Ransom Note

Lastly, Snake generates a ransom note named Fix-Your-Files.txt which is posted on the desktop of the victim.  This ransom note advises the victim that the only way to restore their files is to purchase a decryption tool which contains a private key that has been created specifically for their network and that, once run on an affected computer, it will decrypt all encrypted files.

The note informs the victim that in order to purchase the decryption software they must send an email to bapcocrypt@ctemplar.com which has up to 3 of the encrypted files from their computers attached, not databases or spreadsheets (up to 3MB size) so that the cybercriminals can send back decrypted versions as proof that the decryption software (and key) works on their files (and to encourage payment and restoration of business).

Timing

Snake allows cybercriminals to not only target chosen businesses network but also to choose the time of the attack and the time that encryption takes place could, therefore, be after hours, thereby making it more difficult for admins to control the damage caused by the attack. Also, cybercriminals can choose to install additional password-stealing trojans and malware infections together with the Snake ransomware infection.

What To Do If Infected

If your network is infected with Snake ransomware there is, of course, no guarantee that paying the ransom will mean that you are sent any decryption software by the cybercriminals and it appears unlikely that those who targeted your company to take your money would do anything other to help than just take that money and disappear.

Some companies on the web are offering Snake removal (for hundreds of dollars), and there are some recommendations that running Spyhunter anti-malware software on your systems may be one way to remove this particularly damaging ransomware.

Ransomware Protection

News of the severity of Snake is a reminder to businesses that protection from malware is vital.  Ways in which companies can protect themselves from falling victim to malware, including ransomware include:

– Staff education and training e.g. about the risks of and how to deal with phishing and other suspicious and malicious emails, and other threats where social engineering is involved.

– Ensuring that all anti-virus software, updates and patching are up to date.

– Staying up to date with malware and ransomware resources e.g. the ‘No More Ransom’ portal (https://www.nomoreransom.org/ ), which was originally released in English, is now available in 35 other languages, and thanks to the cooperation between more than 150 partners, provides a one-stop-shop of tools that can help to decrypt ransomware infections – see https://www.nomoreransom.org/en/decryption-tools.html.

– Making sure that there is a regular and secure backup of company data, important business file and folders.

– Developing (and communicating to relevant staff) and updating a Business Continuity and Disaster Recovery Plan.

EU Considers Ban on Facial Recognition

It has been reported that the European Commission is considering a ban on the use of facial recognition in public spaces for up to five years while new regulations for its use are put in place.

Document

The reports of a possible three to five-year ban come from an 18-page EC report, which has been seen by some major news distributors.

Why?

Facial recognition trials in the UK first raised the issues of how the technology can be intrusive, can infringe upon a person’s privacy and data rights, and how facial recognition technology is not always accurate.  These issues have also been identified and raised in the UK, For example:

– In December 2018, Elizabeth Denham, the UK’s Information Commissioner launched a formal investigation into how police forces used FRT after high failure rates, misidentifications and worries about legality, bias, and privacy. This stemmed from the trial of ‘real-time’ facial recognition technology on Champions League final day June 2017 in Cardiff, by South Wales and Gwent Police forces, which was criticised for costing £177,000 and yet only resulting in one arrest of a local man whose arrest was unconnected.

– Trials of FRT at the 2016 and 2017 Notting Hill Carnivals led to the Police facing criticism that FRT was ineffective, racially discriminatory, and confused men with women.

– In September 2018 a letter, written by Big Brother Watch (a privacy campaign group) and signed by more than 18 politicians, 25 campaign groups, and numerous academics and barristers highlighted concerns that facial recognition is being adopted in the UK before it has been properly scrutinised.

– In September 2019 it was revealed that the owners of King’s Cross Estate had been using FRT without telling the public, and with London’s Metropolitan Police Service supplying the images for a database.

– In December 2019, a US report showed that, after tests by The National Institute of Standards and Technology (Nist) of 189 algorithms from 99 developers, their facial recognition technology was found to be less accurate at identifying African-American and Asian faces, and was particularly prone to misidentifying African-American females.

Impact Assessment

The 18-page EC report is said to contain the recommendation that a three to five-year ban on the public use of facial recognition technology would allow time to develop a methodology for assessing the impacts of (and developing risk management measures for) the use of facial recognition technology.

Google Calls For AI To Be Regulated

The way in which artificial intelligence (AI) is being widely and quickly deployed before the regulation of the technology has had a chance a to catch up is the subject of recent comments by Sundar Pichai, the head of Google’s parent company, Alphabet’.  Mr Pichai (in the Financial Times) called for regulation with a sensible approach and for a set of rules for areas of AI development such as self-driving cars and AI usage in health.

What Does This Mean For Your Business?

It seems that there is some discomfort in the UK, Europe and beyond that relatively new technologies which have known flaws, and are of concern to government representatives, interest groups and the public are being rolled out before the necessary regulations and risk management measures have had time to be properly considered and developed.  It is true that facial recognition could have real benefits (e.g. fighting crime) which could have benefits for many businesses and that AI has a vast range of opportunities for businesses to save money and time plus innovating products, services and processes.  However, the flaws in these technologies, and their potential to be used improperly, covertly, and in a way that could infringe the rights of the public cannot be ignored, and it is likely to be a good thing in the long term, that time is taken and efforts are made now to address the issues of stakeholders and develop regulations and measures that could prevent bigger problems involving these technologies further down the line.

£100m Fines Across Europe In The First 18 Months of GDPR

It has been reported that since the EU’s General Data Protection Regulation (GDPR) came into force in May 2018, £100m of data protection fines have been imposed on companies and organisations across Europe.

The Picture In The UK

The research, conducted by law firm DLA Piper, shows that the total fines imposed in the UK by the ICO stands at £274,000, but this figure is likely to be much higher following the finalising of penalties to be imposed on BA and Marriott.  For example, Marriott could be facing a £99 million fine for data breach between 2014 and 2018 that, reportedly involved up to 383 million guests, and BA (owned by IAG) could be facing a record-breaking £183 million for a breach of its data systems last year that could have affected 500,000 customers.

Also, the DLA Piper research shows that although the UK did not rankly highly in terms of fines, the UK ranked third in the number of breach notifications, with 22,181 reports since May 2018.  This equates to a relative ranking of 13th for data breach notifications per 100,000 people in the UK.

Increased Rate of Reporting

On the subject of breach notifications, the research shows a big increase in the rate of reporting, with 247 reports per day over the six months of GDPR between May 2018 and January 2019, which rose to 278 per day throughout last year. This rise in reporting is thought to be due to a much greater (and increasing) awareness about GDPR and the issue of data breaches.

France and Germany Hit Hardest With Fines

The fines imposed in the UK under GDPR are very small compared to Germany where fines totalled 51.1 million euros (top of the table for fines in Europe) and France where 24.6 million euros in fines were handed out.  In the case of France, much of the figure of fines collected relates to one penalty handed out to Google last January.

Already Strict Laws & Different Interpretations

It is thought that businesses in the UK having to meet the requirements of the already relatively strict Data Protection Act 1998 (the bones of which proved not to differ greatly from GDPR) is the reason why the UK finds itself (currently) further down the table in terms of fines and data breach notifications per 100,000 people.

Also, the EU’s Data Protection Directive wasn’t adopted until 1995, and GDPR appears to have been interpreted differently across Europe because it is principle-based, and therefore, apparently open to some level of interpretation.

What Does This Mean For Your Business?

These figures show that a greater awareness of data breach issues, greater reporting of breaches, and increased activity and enforcement action by regulators across Europe are likely to contribute to more big fines being imposed over the coming year.  This means that businesses and organisations need to ensure that they stay on top of the issue of data security and GDPR compliance.  Small businesses and SMEs shouldn’t assume that work done to ensure basic compliance on the introduction of GDPR back in 2018 is enough or that the ICO would only be interested in big companies as regulators appear to be increasing the number of staff who are able to review reports and cases.  It should also be remembered, however, the ICO is most likely to want to advise, help and guide businesses to comply where possible.

Featured Article – Email Security (Part 2)

Following on from last month’s featured article about email security (part 1), in part 2 we focus on many of the email security and threat predictions for this year and for the near, foreseeable future.

Looking Forward

In part 1 of this ‘Email Security’ snapshot, we looked at how most breaches involve email, the different types of email attacks, and how businesses can defend themselves against a variety of known email-based threats. Unfortunately, businesses and organisations now operate in an environment where cyber-attackers are using more sophisticated methods across multi-vectors and where threats are constantly evolving.

With this in mind, and with businesses seeking to be as secure as possible against the latest threats, here are some of the prevailing predictions based around email security for the coming year.

Ransomware Still a Danger

As highlighted by a recent Malwarebytes report, and a report by Forbes, the ransomware threat is by no means over and since showing an increase in the first quarter of 2019 of 195 per cent on the previous year’s figures it is still predicted to be a major threat in 2020. Tech and security commentators have noted that although ransomware attacks on consumers have declined by 33 per cent since last year, attacks against organisations have worsened.  In December, for example, a ransomware attack was reported to have taken a US Coast Guard (USCG) maritime base offline for more than 30 hours.

At the time of writing this article, it has been reported that following an attack discovered on New Year’s Day, hackers using ransomware are holding Travelex’s computers for ransom to such a degree that company staff have been forced to use pen and paper to record transactions!

Information Age, for example, predicts that softer targets (outdated software, inadequate cybersecurity resources, and a motivation to pay the ransom) such as the healthcare services will be targeted more in the coming year with ransomware that is carried by email.

Phishing

The already prevalent email phishing threat looks likely to continue and evolve this year with cybercriminals set to try new methods in addition to sending phishing emails e.g. using SMS and even spear phishing (highly targeted phishing) using deepfake videos to pose as company authority figures.

As mentioned in part 1 of the email security articles, big tech companies are responding to help combat phishing with new services e.g. the “campaign views” tool in Office 365 and Google’s advanced security settings for G Suite administrators.

BEC & VEC

Whereas Business Email Compromise (BEC) attacks have been successful at using email fraud combined with social engineering to bait one staff member at-a-time to extract money from a targeted organisation, security experts say that this kind of attack is morphing into a much wider threat of ‘VEC’ (Vendor Email Compromise). This is a larger and more sophisticated version which, using email as a key component, seeks to leverage organisations against their own suppliers.

Remote Access Trojans

Remote Access Trojans (RATs) are malicious programs that can arrive as email attachments.  RATs provide cybercriminals with a back door for administrative control over the target computer, and they can be adapted to help them to avoid detection and to carry out a number of different malicious activities including disabling anti-malware solutions and enabling man-in-the-middle attacks.  Security experts predict that more sophisticated versions of these malware programs will be coming our way via email this year.

The AI Threat

Many technology and security experts agree that AI is likely to be used in cyberattacks in the near future and its ability to learn and to keep trying to reach its target e.g. in the form of malware, make it a formidable threat. Email is the most likely means by which malware can reach and attack networks and systems, so there has never been a better time to step up email security, train and educate staff about malicious email threats, how to spot them and how to deal with them. The addition of AI to the mix may make it more difficult for malicious emails to be spotted.

The good news for businesses, however, is that AI and machine learning is already used in some anti-virus software e.g. Avast, and this trend of using AI in security solutions to counter AI security threats is a trend that is likely to continue.

One Vision of the Email Security Future

The evolving nature of email threats means that businesses and organisations may need to look at their email security differently in the future.

One example of an envisaged approach to email security comes from Mimecast’s CEO Peter Bauer.  He suggests that in order to truly eliminate the threats that can abuse the trust in their brands “out in the wild” companies need to “move from perimeter to pervasive email security.  This will mean focusing on the threats:

– To the Perimeter (which he calls Zone1).  This involves protecting users’ email and data from spam and viruses, malware and impersonation attempts, data leaks – in fact, protecting the whole customer, partner and vendor ecosystem.

– From inside the perimeter (Zone 2).  This involves being prepared to be able to effectively tackle internal threats like compromised user accounts, lateral movement from credential harvesting links, social engineering, and employee error threats.

– From beyond the perimeter (Zone 3).  These could be threats to brands and domains from spoofed or hijacked sites that could be used to defraud customers and partners.

As well as recognising and looking to deal with threats in these 3 zones, Bauer also suggests an API-led approach to help deliver pervasive security throughout all zones.  This could involve businesses monitoring and observing email attacks with e.g. SOARs, SIEMs, endpoints, firewalls and broader threat intelligence platforms, feeding this information and intelligence to security teams to help keep email security as up to date and as tight as possible.

Into 2020 and Beyond

Looking ahead to email security in 2020 and beyond, companies will be facing plenty more of the same threats (phishing, ransomware, RATs) which rely on email combined with human error and social engineering to find their way into company systems and networks. Tech companies are responding with updated anti-phishing and other solutions.

SME’s (rather than just bigger companies) are also likely to find themselves being targeted with more attacks involving email, and companies will need to, at the very least, make sure they have the basic automated, tech and human elements in place (training, education, policies and procedures) to help provide adequate protection (see the end of part 1 for a list of email security suggestions).

The threat of AI-powered attacks, however, is causing some concern and the race is on to make sure that AI-powered protection is up to the level of any AI-powered attacks.

Taking a leaf out of companies like Mimecast’s book, and looking at email security in much wider scope and context (outside the perimeter, inside the perimeter, and beyond) may bring a more comprehensive kind of email security that can keep up with the many threats that are now arriving across a much wider attack surface.

Featured Article – Email Security (Part 1)

In this week’s article, which is the first of two parts on what is a huge subject for businesses to tackle, we take a look at some of the important issues of email security and how businesses can try to strengthen this crucial area of their cyber defences.

Most Breaches Involve Email

Over 90 per cent of breaches now involve email, and Proofpoint’s Annual Human Factor Report figures, for example, show that social engineering is strongly favoured as a way in by cybercriminals as 99 per cent of email attacks rely on victims clicking links.

Statistics like these reveal some of the key challenges that businesses and organisations face on a daily basis, such as how to defend effectively against the whole range of email attacks, how to spot and eliminate threats as they arrive, and how to ensure that staff are aware of email threats and know what to do when faced with suspicious emails and links.

Types of Email-Based Attacks

There is a vast array of attacks launched through email systems (often relying on social engineering) including targeted phishing schemes, business email compromises, and ransomware attacks.

– Ransomware is still a popular attack and extortion method, and Trend Micro reported a 77 per cent surge in malware attacks during the first half of 2019.

– Phishing is a cheap, easy and highly effective method for criminals to gain access to company systems, steal important data and money, and create a cornerstone of all kinds of other hacking campaigns. Just some of the high profile examples from the news this year include fake voicemail messages being used to lure victims into entering their Office 365 email credentials into a phishing page, Thomas cook customers being targeted by phishing attacks in the wake of the travel company going into receivership, and news of Lancaster University being hit by a large, sophisticated phishing attack aimed at grabbing the details of new student applicants.

Verizon’s 2019 Data Breach Investigations Report showed that 32 per cent of data breaches involve phishing. Phishing threats to businesses are also evolving and becoming more sophisticated all the time. For example, PhishLabs recently discovered a tactic whereby by attackers used a malicious Microsoft Office 365 app to gain access to a victim’s account without the need for the account holder to give up their credentials to the attackers!

The National Cyber Security Centre offers advice on how to protect your business/organisation from phishing attacks here: https://www.ncsc.gov.uk/guidance/phishing.

There is also a number of phishing test sites available online so that you (or staff members) can see if you’re able to spot a phishing email.

– Malware attachments to emails. There is a now staggering amount of malware types that businesses and organisations have to protect themselves against. For example, over 800 million different types were encountered in 2018, and some commentators are predicting that variants will reach over 1 billion by 2020!

A Number of Sources

Email-based attacks aren’t simply targeted just at your email system in a straightforward way but could come from e.g. supplier email systems that have been compromised or could use details stolen from breaches elsewhere as part of the campaign.

PROTECTING YOUR BUSINESS AGAINST E-MAIL THREATS

There are many ways that you can try to protect your email system from email attacks and try to minimise the risk of human error that is so important in social engineering attacks. These include:

HELP FROM THE BIG TECH COMPANIES

Microsoft

Microsoft offers a number of ways that businesses and organisations can help keep their email secure, such as:

– Outlook’s Junk Email Filter, and the Report Message add-in for Outlook.

– Office 365’s Advanced Threat Protection (ATP) plans which offer a variety of leading-edge tools to investigate, understand, simulate, and prevent threats.

– Secure Score for Office 365 – a way to measure and get suggestions about how to protect your business from threats, all through a centralised dashboard.

– The “campaign views” tool in Office 365 that is designed to offer greater protection from phishing attacks by enabling businesses to be able to spot the pattern of a phishing campaign over individual messages.

More information: The Microsoft blog here gives 6 email security best practices to protect against phishing attacks and business email compromise: https://www.microsoft.com/security/blog/2019/10/16/top-6-email-security-best-practices-to-protect-against-phishing-attacks-and-business-email-compromise/

Google

Google also offers a number of tools and suggestions, including:

– Advanced security settings for G Suite administrators to protect against phishing and malware (find out more here: https://support.google.com/a/answer/9157861?hl=en).

– Offering steps to identify compromised accounts (see https://support.google.com/a/answer/2984349?hl=en&ref_topic=2683865).

– Advice on Firewall settings.

You may, of course, already be using another email protection system.

Other Advice

Advice about ways in which you can protect your company now from email-based attack such as phishing and malware attacks is widely available, and in addition to the measures already covered (e.g. using Microsoft security tools), some basic measures that companies take include:

– Always keeping anti-virus and patching up to date.

– Staff education and training e.g. how to spot suspicious emails and what to do/what not to do e.g. not to click on links from unknown sources.

– Disabling HTML emails if possible (text-only emails can’t launch malware directly).

– Encrypting sensitive data and communications as an added layer of protection.

– Getting into the routine of checking your bank account’s activity for suspicious charges.

– Making sure important and sensitive company data is backed up and including business email compromise (BEC) in business continuity planning and disaster recovery planning.

– Preventing email archives from being publicly exposed e.g. by making sure that archive storage drives are configured correctly.

– Monitoring for any exposed credentials (particularly those of finance department emails).

– Using two-Factor Authentication (2FA) where possible, and enterprise users may wish to block .html and .htm attachments at the email gateway level so that they don’t reach members of staff, some of whom may not be up to speed with their Internet security knowledge.

– Not using the same password for multiple platforms and websites (password sharing). This is because credentials stolen in one breach are likely to be tried on many other websites by other cybercriminals (credential stuffing) who have purchased/acquired them e.g. on the dark web.

Looking Forward and Getting Prepared

In today’s environment, attackers can adapt their campaigns and methods so quickly, and use methods that can evade the more common protection solutions (polymorphic attacks) that businesses and organisations find themselves in a position whereby known signature and reputation-based checks aren’t enough and that they need to be able to get a fuller picture and find solutions that can focus effectively on zero-day and targeted attacks in addition to known vectors. Looking forward, there is also the future threat of AI machine-learning software being able to possibly generate phishing URLs that can beat popular security tools, and of the threats posed (further in the future) buy the possible use of quantum computers in cyberattacks, and these are subjects that we will look briefly in part 2 of our look at email security. For now, stay safe.

New Phishing Tracker For Office 365

Microsoft is launching a new “campaign views” tool in Office 365 that is designed to offer greater protection from phishing attacks by enabling businesses to be able to spot the pattern of a phishing campaign over individual messages.

Context and Visibility

Microsoft is in a good position to leverage the large amount of anti-phishing, anti-spam, and anti-malware data and experience that it has across the entire Office 365 service world-wide to identify campaigns. It is this information that feeds into the campaign views tool.
The idea is that the extra context and visibility that campaign views provides gives the full story of how an organisation has been targeted. This additional dimension of defence means that an organisation and its users can see if/how defences have held up against popular attacks, and adjust its own defences accordingly, based on these insights.

What It Shows

The kind of information that the ‘campaign views’ tool can reveal to security teams includes:

  • A summary of a phishing campaign i.e. when it started, it’s pattern and timeline, the size and spread of the campaign, and how many known victims there has been (and see if users have clicked on the phishing link).
  • A list of IP addresses and senders associated with the attack, plus a list of all the URLs that were used in the attack.
  • A look at which messages were blocked, delivered to junk or quarantine, or allowed to get through to the inbox.

Today’s Attacks ‘Morph’ To Get Around Defences

Today’s email attacks are often the sophisticated output of factory-like cybercrime operations where new templates and variances can be rapidly created, generated, and scaled-up in a way that is designed to offer the best chance of maximising financial gain while evading detection and capture.

For example, in a single campaign, the attackers can make multiple changes and variants (morphs) e.g. changes in the sending infrastructure, the sending IPs and sending domains, sender names and addresses, URLs, and the hosting infrastructure for their attack sites. These morphs can, therefore, enable attackers to get around popular defence tactics such as blocking known bad URLs, sending IP address, or sending domains.

Value

Microsoft says that the extra context and visibility that ‘campaign views’ gives security teams means that they can be more effective and efficient. For example, once armed with the information that ‘campaign views’ provides, security teams can be better at remediating compromised/vulnerable users, improving the general security posture (by removing configuration flaws), investigating related/similar campaigns, and hunting and tracking any threats that have the same indicators of compromise.

What Does This Mean For Your Business?

Email is one of the main ways that cybercriminals can gain access to company systems and phishing campaigns are an all-too-common way to dupe businesses into clicking on links in often convincing-looking pages, thereby releasing the malware that causes so much damage, or imparting password and financial information. ‘Campaign views’ appears to be another potentially valuable tool in the cyber defences of businesses with its main strong point being that it gives a much fuller picture of real-world attacks. This additional context and data can help businesses to become much better prepared and more proactive in finding and closing the door on rapidly evolving email security threats.

Real-time Phishing Protection Now Available in Chrome

Google has announced real-time phishing protection with the help of improvements to ‘Safe Browsing’ which allow Chrome to check each new site you visit against a safe list stored on your computer and with Google so that Chrome can issue an instant warning if the site is thought to be suspicious or malicious.

Phishing Problem

As well as being sent to phishing pages via links in phishing emails, phishing links are also inserted into malicious advertisements and even direct messages on chat apps.

Also, even though Google’s existing ‘Safe Browsing’ feature adds thousands of new unsafe sites and to the blocklists of the web industry and Chrome already checks the URL of each site you visit/file you download against a local list which is updated every 30 minutes, Google has noted that some phishing sites are even able to slip through the 30-minute refresh window by switching domains quickly or by hiding from Google’s crawlers.

The multiple phishing threats coupled with the ability of some sites to side-step even a 30-minute time window are what have prompted Google to move into real-time phishing checks through Chrome.

Real-Time

Google’s new, improved protections via Chrome allow the inspection of the URLs of pages visited with Safe Browsing’s servers in real-time (local safe site list check + checks with Google) in order to be able to give users an instant warning that they may be on a malicious page as well as a prompt to change their password.

Google says that this real-time warning system on sites that are brand new can deliver a 30% increase in protections.

Password Issues

The issues of using weak passwords, password sharing, and the stealing of passwords through phishing are all-too-familiar threats. With this in mind, Google launched predictive phishing protections which can warn users who are syncing history in Chrome when they enter their Google Account password into suspected phishing sites. Google has now also expanded this protection to cover everyone signed in to Chrome (whether or not Sync is enabled) and the feature will also work for all the passwords stored in Chrome’s password manager.

This updated security feature now means that if you type one of your protected passwords (from Chrome’s password manager, or the Google Account password you used to sign in to Chrome) into an unusual site, Chrome will classify this as a potentially dangerous event.

What Does This Mean For Your Business?

Offering real-time phishing protection checks is one way to help Chrome users stay a step ahead of cybercriminals who have shown that they could even adapt their campaigns quickly enough to get past a sophisticated system that updates its security information every 30 minutes. This has to be good news for business and domestic users alike, and the flashing up of instant warnings on visiting new sites looks as though it could reduce the numbers of those who fall victim to phishing attacks as well as constantly reminding Chrome users of the risks that are ever-present on the Internet today and of how easy it would be to fall victim to ever-more convincing and sophisticated phishing attempts.