Cybersecurity Business Habits
Let’s talk about Making Cybersecurity a Habit For your Business. This is where it starts to get fun!
You can find the first two articles in this series here and here. We review if affordable cybersecurity is a myth and making cybersecurity a habit in your personal life.
The best way for hackers to extort your business is to exploit your gullible users. That seems unfair, but it’s true. Remember, the wolves attack the slowest Buffalo, not the fastest.
The most successful way to do this is via email.
Phishing scams are a very common type of email threat.
In fact, 91% of all cybersecurity breaches come through email. Additionally, 94% of all malware attacks happen via email. This means that most of the ransomware attacks that cripple people and businesses, and then charge ransom in cryptocurrencies, start with one malicious email.
94% of security incidents with malware occur through the use of malicious e-mails.
In other words, of every 10 malware attacks, 9 of them happen via email.gatefy.com
Email is the frontline of cybersecurity. We need our business email systems to be heavily monitored and protected. But that’s not enough. We need to train our employees on how to identify suspicious emails.
Why Are Phishing Scams So Common?
They’re easy to perform. Seriously. I’m about to walk you through how an email phishing scam is executed, a really bad one anyways.
Please note that most attacks are much more complex than this, but I want to highlight the bare minimum needed to perpetrate an attack.
Here’s how a basic email phishing scam works:
To start the extortion process, threat actors gather public information on your company. This is done using social media and your public website.
Your website domain is most likely your email domain. For example, one of my company email addresses is [email protected]itninjas.tech and my domain is itninjas.tech.
Your website might also have your company’s owner or executives featured somewhere on the website. For this example, let’s say you have a CFO named Mike Brown and your website URL is successconsulting.com.
Based on your website’s address and your CFO’s name I can start guessing Mr. Brown’s email address. It is more than likely 1 of 3 common email naming conventions used by businesses:
I then send test emails to each of these 3 addresses from an anonymous Hotmail or Yahoo! email account and wait to see which are rejected. Once I know which email address works, I’ll use it to “spoof”, or pretend, that I am your CFO. I’ll make my emails look like they’re from Mike Brown by manipulating the sender information.
You’ve Been Spoofed
This is a surprisingly easy thing to do. It can be done with a short bash script on any Mac or Linux computer. A single, 210 character line of code:
echo "Brick, I need you to make a payment immediately, use the link below for the vendor’s billing portal. [ADD LINK HERE]" | mail -s "Urgent Payment" -r [email protected] [email protected]
Next, I jump on LinkedIn and look for people employed by your company. Since I’m going to be spoofing Mike Brown, a CFO, I’ll look for someone in a Finance role. Specifically, in Accounts Payable, since I know they have access to payment information. I find none other than Brick Tamland. He looks like a trusting guy.
Now, I already know your company’s email naming conventions, so guessing Brick’s email address should be easy.
Putting It All Together
Lastly, I’ll put together an email that sounds very official asking that payment be made urgently to a vendor with a link to a dummy payment portal. I may even ask for a credit card or bank information directly. If this all works out, I can extort your company. All done with a single email.
You may think a person is unlikely to fall for this scam, but remember a lot of people are working remotely these days. Pretend for a moment that you’re Brick and you’ve been watching YouTube in your PJs all day. Suddenly, you get an email from the CFO. You’re probably going to panic and give the CFO whatever they want in a hurry.
I’ve also seen scenarios where a very busy AP employee gets sent a resumẻ. The files attached to these emails are not truly resumẻs, they are malware parading around as word documents. People go into auto-pilot at work. Meaning they download, then open, these files without even thinking about it.
Within seconds, all of the files shares the employee has permission to access are encrypted and held for ransom. In some cases, the threat actors will steal and keep data even after the ransom has been paid.
Enhanced Email Security With Phishing Simulation
Both scenarios I outlined can be easily avoided with a little awareness and training. Enhanced email security with phishing simulations can be used to identify and combat spoofing of VIP staff members, like a CFO.
Furthermore, these platforms allow you to simulate an actual phishing attack in a safe manner. If an employee falls for the scam, they are flagged. The systems we use at IT Ninjas actually include a short video and quiz for the exact type of scam they fell for so that the education they receive after is relevant.
We’re not trying to trick people so that we can point the finger and reprimand them. We’re trying to identify vulnerabilities and help educate people to protect themselves, and your business.
We suggest that our customers use IronScales for enhanced email security, but there are many other platforms like Mimecast and Proofpoint, that are viable, well-thought-out, battle-tested systems.
There are a couple of basic mechanisms used to prevent threat actors from spoofing emails in your domain. They’re also easy to set up, and they’ve been around for a long time. These include:
Without going too far into the weeds, basically, these DNS records validate that the sender is approved to send emails as your domain. In the event that emails do not authenticate properly against your SPF and DKIM records, your DMARC records will tell those receiving your emails what to do when they encounter a spoofed email.
MTA-STS and TLS are also common ways of further securing your emails at the domain level. These are all short projects and shouldn’t have a big impact on your IT budget. You can even outsource to a freelancer or ask your current MSP to validate that all of this security is in place.
Additionally, you can always contact the IT Ninjas for a free assessment of your domain-level email security. These are basic protections that everyone should have in place.
Backup Your Data
Data backups and recovery fall into the category called BCDR. BCDR stands for Business Continuity and Disaster Recovery.
Business continuity and disaster recovery (BCDR or BC/DR) is a set of processes and techniques used to help an organization recover from a disaster and continue or resume routine business operations. It is a broad term that combines the roles and functions of IT and business in the aftermath of a disaster.techopedia.com
Another great way to mitigate a successful breach is to back up your data frequently. This means that local file and folder backups should be taken routinely. You should also regularly be backing up your cloud-based system backups. Remember, your data in cloud-based systems is still your data and needs to be backed up somehow.
Roll It Back
This will allow you to roll your data back to a date and time before the breach and then move forward as if it never happened. Seriously, it’s that simple. Ransomware attacks, even if they are successful, can be completely side-stepped if you have good backups and a well-tested recovery process.
Depending on your scenario, you will need different systems. Most small businesses can survive an attack with a combination of file and folder backups, and a daily backup of cloud-based storage tools, like OneDrive or Google Drive.
There are a large number of products and services for backups of these kinds. IT Ninjas uses a combination of Backblaze for local backups and Dropsuite for cloud-based systems.
Cloud-based backup systems like the two I mentioned do have their drawbacks, namely that downloading data from the cloud can be time-consuming and make recovery take longer. However, they also protect you in a way that a local backup just can’t.
Many ransomware and extortion schemes look for local backup systems and corrupt those as well. Cloud-based storage companies follow stringent security protocols as they are constantly under attack. Since these companies are forced to improve their cybersecurity with each event, you can rely on them to keep your cloud backups free from corruption, or at the very least some older version of your backup.
There are a ton of tools with more features than the products I described, however, we find that the Backblaze/Dropsuite combination is a simple, cost-effective way to achieve the same results as much more sophisticated systems at a fraction of the cost.
Local Vs. Cloud
Not only do local backup servers and devices have a hefty price tag, but they are also subject to the same breaches as the networks they reside on.
Yes, it takes longer to restore from the cloud than from a local backup. And yes, there are scenarios and businesses where these types of backups make sense. However most small to mid-sized businesses don’t need local backups.
I know that the last sentence has a lot of my peers flipping tables and cursing in disagreement. That’s OK. They’re upset because they want to lease or sell you a local backup solution at a high margin that comes with a monthly maintenance fee.
Have A Written BCDR Plan
One of the best ways to effectively use cloud-only backups is to have a BCDR plan in place. I mentioned the drawbacks of cloud-based backups. One of the best ways to approach those is to have the expected wait time documented and communicated to stakeholders. This is critical because you set an expectation and demonstrate that you are following guidelines to remediate the issue.
Having a plan puts people at ease. A good BCDR plan is a lot like an Incident Response Plan.
Do you remember all that talk earlier about generated passwords and MFA? These same systems can be used within your business to protect it. LastPass is a favorite tool of ours for business password management. And when you buy business licenses, each user is given 5 home licenses to share with their family.
Regarding MFA and TOTP tools, Google authenticator is the most common tool, but its recovery options are limited. Meaning that if you get locked out of the authentication tool, you’re locked out, period.
This can cripple your access to other systems, a nightmare I have experienced first-hand. We recommend using Authy because it is far more flexible regarding its recovery options, and it’s just as secure as Google Authenticator.
That’s it for this installment. Stay safe out there and stay tuned for the next entry!